International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

04:17 [Pub][ePrint] Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack, by Yuval Yarom and Naomi Benger

  We illustrate a vulnerability introduced to elliptic curve cryptographic protocols when implemented using a function of the OpenSSL cryptographic library. For the given implementation using an elliptic curve E over a binary field with a point G \\in E, our attack recovers the majority of the bits of a scalar k when kG is computed using the OpenSSL implementation of the Montgomery ladder. For the Elliptic Curve Digital Signature Algorithm (ECDSA) the scalar k is intended to remain secret. Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries. This is possible from snooping on only one signing process and requires computation of less than one second on a quad core desktop when the scalar k (and secret key) is around 571 bits.

04:17 [Pub][ePrint] Unrestricted Identity-Based Aggregate Signcryption in the Standard Model from Multilinear Maps, by Hao Wang

  Signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of digital signature and encryption in a single logical step and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes, and aggregate signcryption scheme allows individual signcryption ciphertexts intended for the same recipient to be aggregated into a single (shorter) combined ciphertext without losing any of the security guarantees. In this paper, we present a new identity-based aggregate signcryption scheme using multilinear maps. To the best of my knowledge, our new scheme is the first identity-based aggregate signcryption scheme that admits unrestricted aggregation.

04:17 [Pub][ePrint] FPGA-Based High Performance AES-GCM Using Efficient Karatsuba Ofman Algorithm , by Karim M. Abdellatif, R. Chotin-Avot, and H. Mehrez

  AES-GCM has been utilized in various security applications. It consists of two components: an Advanced Encryption Standard (AES) engine and a Galois Hash (GHASH) core. The performance of the system is determined by the GHASH architecture because of the inherent computation feedback. This paper introduces a modification for the pipelined Karatsuba Ofman Algorithm (KOA)-based GHASH. In particular, the computation feedback is removed by analyzing the complexity of the computation process. The proposed GHASH core is evaluated with three different implementations of AES ( BRAMs-based SubBytes, composite field-based SubBytes, and LUT-based SubBytes). The presented AES-GCM architectures are implemented using Xilinx Virtex5 FPGAs. Our comparison to previous work reveals that our architectures are more performance-efficient (Thr. /Slices).

04:17 [Pub][ePrint] Statistical Concurrent Non-Malleable Zero Knowledge, by Claudio Orlandi and Rafail Ostrovsky and Vanishree Rao and Amit Sahai and Ivan Visconti

  The notion of Zero Knowledge introduced by Goldwasser, Micali, and Rackoff in STOC 1985 is fundamental in Cryptography. Motivated by conceptual and practical reasons, this notion has been explored under stronger definitions. We will consider the following two main strengthened notions.

-- Statistical Zero Knowledge: here the zero-knowledge property will last forever, even in case in future the adversary will have unlimited power.

-- Concurrent Non-Malleable Zero Knowledge: here the zero-knowledge property is combined with non-transferability and the adversary fails in mounting a concurrent man-in-the-middle attack aiming at transferring zero-knowledge proofs/arguments.

Besides the well-known importance of both notions, it is still unknown whether one can design a zero-knowledge protocol that satisfies both notions simultaneously.

In this work we shed light on this question in a very strong sense. We show a {\\em statistical concurrent non-malleable} zero-knowledge argument system for NP with a {\\em black-box} simulator-extractor.

04:17 [Pub][ePrint] How to Securely Release Unverified Plaintext in Authenticated Encryption, by Elena Andreeva and Andrey Bogdanov and Atul Luykx and Bart Mennink and Nicky Mouha and Kan Yasuda

  We consider the case where an authenticated encryption scheme outputs the decrypted plaintext before successful verification. This scenario raises many security issues, and is highlighted in the upcoming CAESAR competition. It arises for example when devices have insufficient memory to store the entire plaintext, or when the decrypted plaintext needs to be processed early due to real-time requirements. Firstly, we formalize the releasing unverified plaintext (RUP) setting. To achieve privacy in this setting, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if there exists a plaintext extractor for every adversary. The plaintext extractor does not know the secret key, but tries to fool the adversary by mimicking the decryption oracle. The release of unverified plaintext then becomes harmless, because it is infeasible to distinguish between answers from the real decryption oracle and from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting (PA1 and PA2), and show implications and separations between PA1, PA2, and existing notions. To achieve integrity of the ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These security notions are then used to make a classification of symmetric-key schemes in the RUP setting. We analyze existing authenticated encryption schemes in this setting, and provide solutions to fix insecure schemes.

04:17 [Pub][ePrint] Calculating Cryptographic Degree of an S-Box, by Prasanna Raghaw Mishra

  In this paper we propose an efficient technique to compute algebraic degree of an S-box (minimum of algebraic degrees of its component functions). Using our technique we have calculated algebraic degree of a $26\\times 64$ S-box.

04:17 [Pub][ePrint] Untappable communication channels over optical fibers from quantum-optical noise, by Geraldo A. Barbosa and Jeroen van de Graaf

  Coherent light, as produced by lasers, gives rise to an intrinsic noise, known as quantum noise, optical noise or shot noise. AlphaEta is a protocol which exploits this physical phenomenon to obtain secure data encryption or key distribution over a fiber-optic channel

in the presence of an eavesdropper. In this paper we focus on the cryptographic aspects of AlphaEta and its variants. Moreover, we propose a new protocol for which we can provide a rigorous proof

that the eavesdropper obtains neglible information. In comparison to single-photon quantum cryptography, AlphaEta provide much higher throughputs combined with a well-known technology.

16:17 [Pub][ePrint] On the Phase Space of Block-Hiding Strategies, by Assaf Shomer

  We calculate the probability of success of block-hiding mining strategies in bitcoin-like networks.

These strategies involve building a secret branch of the block-tree and publishing it opportunistically, aiming to replace the top of the main branch and rip the reward associated with the secretly mined blocks. We identify two types of block-hiding strategies and chart the parameter space where those are more beneficial than the standard mining strategy described in Nakamoto\'s paper.

Our analysis suggests a generalization of the notion of the relative hashing power as a measure for a miner\'s influence on the network. Block-hiding strategies are beneficial only when this measure of influence exceeds a certain threshold.

04:17 [Pub][ePrint] Oblivious Radix Sort: An Efficient Sorting Algorithm for Practical Secure Multi-party Computation, by Koki Hamada and Dai Ikarashi and Koji Chida and Katsumi Takahashi

  We propose a simple and efficient sorting algorithm for secure multi-party computation (MPC). The algorithm is designed to be efficient when the number of parties and the size of the underlying field are small. For a constant number of parties and a field with a constant size, the algorithm has $O(\\gm\\log\\gm)$ communication complexity, which is asymptotically the same as the best previous algorithm but achieves $O(1)$ round complexity, where $\\gm$ is the number of items. The algorithm is constructed with the help of a new technique called ``shuffle-and-reveal.\'\' This technique can be seen as an analogue of the frequently used technique of ``add random number and reveal.\'\' The feasibility of our algorithm is demonstrated by an implementation on an MPC scheme based on Shamir\'s secret-sharing scheme with three parties and corruption tolerance of $1$. Our implementation sorts 1 million 32-bit word secret-shared values in 197 seconds.

04:17 [Pub][ePrint] New Way to Construct Cryptographic Hash Function, by WANGYong

  In this paper, a new way to construct cryptographic hash function is given. The cryptographic hash function is generalized to uncertain function which has various specific function forms. When computing hash value, the specific form of the function is determined by the message, but the codebreaker cannot know the message, and hence cannot know the specific form of random function. This provides a new kind of one-wayness, the one-wayness of the specific function makes the breaking of hash is very difficult because in most cryptographic analysis of hash function, the function should be known and fixed. As fixed function is just a special case of uncertain function, when the function is uncertain, we obviously have more choices and can choose more secure function.


04:17 [Pub][ePrint] FORSAKES: A Forward-Secure Authenticated Key Exchange Protocol Based on Symmetric Key-Evolving Schemes, by Mohammad Sadeq Dousti and Rasool Jalili

  This paper suggests a model and a definition for forward-secure authenticated key exchange (AKE) protocols, which can be satisfied without depending on the Diffie-Hellman assumption. Protocols conforming to our model can be highly efficient, since they do not require the resource-intensive modular exponentiations of the Diffie-Hellman protocol. The basic idea is to use key-evolving schemes (KES), where the long-term keys of the system get updated regularly and irreversibly. We also introduce a protocol, called FORSAKES, and prove rigorously that it is a forward-secure AKE protocol in our model. FORSAKES is a very efficient protocol, and can be implemented by merely using hash functions.