International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

22:17 [Pub][ePrint] Key-Indistinguishable Message Authentication Codes, by Joel Alwen and Martin Hirt and Ueli Maurer and Arpita Patra and Pavel Raykov

  While standard message authentication codes (MACs) guarantee authenticity of messages, they do not, in general, guarantee the anonymity of the sender and recipient. For example it may be easy for an observer to determine whether or not two authenticated messages were sent by the same party even without any information about the secret key used. However preserving any uncertainty an attacker may have about the identities of honest parties engaged in authenticated communication is an important goal of many cryptographic applications. For example this is stated as an explicit goal of modern cellphone authentication protocols~\\cite{3GPP} and RFID based authentication systems\\cite{Vaudenay10}.

In this work we introduce and construct a new fundamental cryptographic primitive called \\emph{key indistinguishable} (KI) MACs. These can be used to realize many of the most important higher-level applications requiring some form of anonymity and authenticity~\\cite{AHMPR14}. We show that much (though not all) of the modular MAC construction framework of~\\cite{DodisKPW12} gives rise to several variants of KI MACs. On the one hand, we show that KI MACs can be built from hash proof systems and certain weak PRFs allowing us to base security on such assumption as DDH, CDH and LWE. Next we show that the two direct constructions from the LPN assumption of~\\cite{DodisKPW12} are KI, resulting in particularly efficient constructions based on structured assumptions. On the other hand, we also give a very simple and efficient construction based on a PRF which allows us to base KI MACs on some ideal primitives such as an ideal compression function (using HMAC) or block-cipher (using say CBC-MAC). In particular, by using our PRF construction, many real-world implementations of MACs can be easily and cheaply modified to obtain a KI MAC. Finally we show that the transformations of~\\cite{DodisKPW12} for increasing the domain size of a MAC as well as for strengthening the type of unforgeability it provides also preserve (or even strengthen) the type of KI enjoyed by the MAC. All together these results provide a wide range of assumptions and construction paths for building various flavors of this new primitive.

22:17 [Pub][ePrint] MJH: A Faster Alternative to MDC-2, by Jooyoung Lee and Martijn Stam

  In this paper, we introduce a new class of double-block-length hash functions. Using the ideal cipher model, we prove that these hash functions, dubbed \\MJH, are asymptotically collision resistant up to $O(2^{n(1-\\epsilon)})$ query complexity for any $\\epsilon>0$ in the iteration, where $n$ is the block size of the underlying blockcipher.

When based on $n$-bit key blockciphers, our construction, being of rate 1/2, provides better provable security than MDC-2, the only known construction of a rate-1/2 double-length hash function based on an $n$-bit key blockcipher with non-trivial provable security.

Moreover, since key scheduling is performed only once per message block for MJH, our proposal significantly outperforms MDC-2 in efficiency.

When based on a $2n$-bit key blockcipher, we can use the extra $n$ bits of key to increase the amount of payload accordingly. Thus we get a rate-1 hash function that is much faster than existing proposals, such as Tandem-DM with comparable provable security. The proceedings version of this paper appeared in CT-RSA 2011.

22:17 [Pub][ePrint] Diffusion Programmable Device : The device to prevent reverse engineering, by Mitsuru Shiozaki, Ryohei Hori and Takeshi Fujino

  The secret information, which is embedded in integrated circuit (IC) devices such as a smart card, has the risk of theft by reverse engineering (RE). The circuit design of IC can be stolen by the RE, and the counterfeit can be illegally fabricated. Therefore, the secure IC device requires the circuit architecture protected from the RE attacks. This paper proposes the diffusion programmable device (DPD) architecture as a countermeasure against the RE. A look-up table circuit based on the DPD can generate desired logic function without changing the layout except diffusion layer. And, the logic function can be programmed by assigning the N-type or P-type dopant to a part of active region. A test chip using the DPD-LUT was prototyped with a 180nm CMOS technology. And, operations of vaious logic functions such as AND, OR, XOR and XNOR were confirmed through experiments.

20:12 [Job][New] PhD Position in Lattice-Based Cryptography, Technische Universität Darmstadt, Germany, Middle-Europe

  The group for Cryptography and Computer Algebra at the Technische Universität Darmstadt chaired by Prof. Dr. Johannes Buchmann is looking for a Ph.D. student. Candidates should have a superior Master\\\'s degree in mathematics, computer science, or related disciplines.

The opportunity to work in the area of cryptography --- more precisely, in lattice-based cryptography --- is given to the prospective Ph.D. student. Any prior experience in lattice-based cryprography is certainly an asset.

19:17 [Pub][ePrint] Improved Slender-set Linear Cryptanalysis, by Guo-Qiang Liu and Chen-Hui Jin and Chuan-Da Qi

  In 2013, Borghoff \\emph{et al}. introduced a slender-set linear

cryptanalysis on PRESENT-like ciphers with key-dependent secret

S-boxes. In this paper, we propose an improved slender-set linear

attack to PRESENT-like ciphers with secret S-boxes. We investigate

three new cryptanalytic techniques, and use them to recover the

secret S-boxes efficiently. Our first new idea is that we propose a

new technique to support consistency of partitions of the input to

the secret S-boxes. Our second new technique is that we present a

more efficient method to recover the coordinate functions of secret

S-boxes based on more information than that of Borghoff\'s attack.

The third new technique is that we propose a method of constructing

all correct coordinate function of secret S-boxes by pruning search

algorithm. In particular, we implemented a successful linear attack

on the full round Maya in practice. In our experiments, the correct

S-box can be recovered with $2^{36}$ known plaintexts, $2^{18.9}$

time complexity and negligible memory complexity at a success rate

of 87.5\\%. Our attack is the improvement and sequel of Borghoff\'s

work on PRESENT-like cipher with secret S-boxes.

19:17 [Pub][ePrint] Dishonest Majority Multi-Party Computation for Binary Circuits, by Enrique Larraia and Emmanuela Orsini and Nigel P. Smart

  We extend the Tiny-OT two party protocol of Nielsen et al (CRYPTO 2012) to the case of $n$ parties in the dishonest majority setting. This is done by presenting a novel way of transferring pairwise authentications into global authentications. As a by product we obtain a more efficient manner of producing globally authenticated shares, which in turn leads to a more efficient two party protocol than that of Nielsen et al.

19:17 [Pub][ePrint] Actively Secure Private Function Evaluation, by Payman Mohassel and Saeed Sadeghian and Nigel P. Smart

  We propose the first general framework for designing actively secure private function evaluation (PFE), not based on universal circuits. Our framework is naturally divided into pre-processing and online stages and can be instantiated using any generic actively secure multiparty computation (MPC) protocol.

Our framework helps address the main open questions about efficiency of actively secure PFE. On the theoretical side, our framework yields the first actively secure PFE with linear complexity in the circuit size. On the practical side, we obtain the first actively secure PFE for arithmetic circuits with $O(g \\cdot \\log g)$ complexity where $g$ is the circuit size. The best previous construction (of practical interest) is based on an arithmetic universal circuit and has complexity $O(g^5)$.

We also introduce the first linear Zero-Knowledge proof of correctness of ``extended permutation\" of ciphertexts (a generalization of ZK proof of correct shuffles) which maybe of independent interest.

19:17 [Pub][ePrint] SHipher: Families of Block Ciphers based on SubSet-Sum Problem, by Xiali Hei and Binheng Song

  In this paper, we describe the families of block ciphers named SHipher. We show a symmetric encryption framework based on the SubSet-Sum problem. This framework can provide families of secure, flexible, and any-size block ciphers. We have extensively cryptanalyzed our encryption framework. We can easily control the computational cost by a key selection. Also, this framework offers excellent performance and it is flexible and general enough to admit a variety of implementations on different non-Abelian groups. In this paper, we provide one implementation using a group of matrices whose determinants are 1. This implementation accepts any block size satisfying 3l-1. If l=21, the block size is 62 bits, which suits for full spectrum of lightweight applications. While if $l=341$, the block size is 1022, which provides high security level up to resistant 2^{684} differential-attack effort and 2^{1022} brute-force attack effort.

19:17 [Pub][ePrint] Space-efficient, byte-wise incremental and perfectly private encryption schemes, by Kévin Atighehchi

  The problem raised by incremental encryption is the overhead due to the larger storage space required by the provision of random blocks together with the ciphered versions of a given document. Besides,

permitting variable-length modifications on the ciphertext leads to privacy preservation issues. In this paper we present incremental encryption schemes which are space-efficient, byte-wise incremental and which preserve perfect privacy in the sense that they hide the fact that an update operation has been performed on a ciphered document. For each scheme, the run time of updates performed turns out to be very efficient and we discuss the statistically adjustable trade-off between computational cost and storage space required by the produced ciphertexts.

19:17 [Pub][ePrint] Reducing the Overhead of Cloud MPC, by Ashish Choudhury and Arpita Patra and Nigel P. Smart

  We present a secure multi-party computation (MPC) protocol in the honest-majority setting, which aims to reduce the communication costs in the situation where there are a large number of parties (as in a cloud scenario). Our goal is to reduce the usage of point-to-point channels, so as to enable the cloud to be used for multiple different protocol executions. We assume that the number of adversarially controlled parties is relatively small, and that an adversary is unable to target the proactive corruption of a subset of the parties (technically we assume a static corruption model for simplicity). As well as enabling a cloud provider to run multiple MPC protocols, our protocol also has highly efficient theoretical communication costs as a general MPC protocol when compared with other protocols in the literature; in particular the communication cost, for circuits of a suitably large depth, is $\\Order(|\\Circuit| \\cdot \\kappa^7)$, for security parameter $\\kappa$~and circuit size $|\\Circuit|$.

19:17 [Pub][ePrint] Algorithms in HElib, by Shai Halevi and Victor Shoup

  HElib is a software library that implements homomorphic encryption (HE), specifically the Brakerski-Gentry-Vaikuntanathan (BGV) scheme, focusing on effective use of the Smart-Vercauteren ciphertext packing techniques and the Gentry-Halevi-Smart optimizations. The underlying cryptosystem serves as the equivalent of a \"hardware platform\" for HElib, in that it defines a set of operations that can be applied homomorphically, and specifies their cost. This \"platform\" is a SIMD environment (somewhat similar Intel SSE and the like), but with a unique cost metrics and parameters. In this report we describe some of the algorithms and optimization techniques that are used in HElib for data movement and simple linear algebra over this \"platform.\"