International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:17 [Pub][ePrint] Non-Interactive Cryptography in the RAM Model of Computation, by Daniel Apon and Xiong Fan and Jonathan Katz and Feng-Hao Liu and Elaine Shi and Hong-Sheng Zhou

  Using recently developed techniques for program obfuscation, we show several constructions of non-interactive cryptosystems in the random-access machine (RAM) model of computation that are asymptotically more efficient than what would be obtained using generic RAM-to-circuit compilation. In particular, let $T$ denote the running time and $n$ the memory size of a RAM program. We show that using differing-inputs obfuscation, functional encryption for arbitrary RAM programs can be achieved with evaluation time $\\tilde{O}(T+n)$.

Additionally, we provide a number of RAM-model constructions assuming

the stronger notion of virtual black-box (VBB) obfuscation. We view these as initial feasibility results and leave instantiating similar protocols from weaker assumptions for future work. Specifically, using VBB obfuscation we show how to construct RAM-model functional encryption with function privacy, fully homomorphic encryption, and stateful, privacy-preserving verifiable computation in the memory-delegation model.

16:17 [Pub][ePrint] Honey Encryption: Security Beyond the Brute-Force Bound, by Ari Juels and Thomas Ristenpart

  We introduce {\\em honey encryption} (HE), a simple, general approach to encrypting messages using low min-entropy keys such as passwords. HE is designed to produce a ciphertext which, when decrypted with any of a number of {\\em incorrect} keys, yields plausible-looking but bogus plaintexts called {\\em honey messages}. A key benefit of HE is that it provides security in cases where too little entropy is available to withstand brute-force attacks that try every key; in this sense, HE provides security beyond conventional brute-force bounds. HE can also provide a hedge against partial disclosure of high min-entropy keys.

HE significantly improves security in a number of practical settings. To showcase this improvement, we build concrete HE schemes for password-based encryption of RSA secret keys and credit card numbers. The key challenges are development of appropriate instances of a new type of randomized message encoding scheme called a {\\em distribution-transforming encoder} (DTE), and analyses of the expected maximum loading of bins in various kinds of balls-and-bins games.

01:17 [Pub][ePrint] On the Effective Prevention of TLS Man-In-The-Middle Attacks in Web Applications, by Nikolaos Karapanos and Srdjan Capkun

  In this paper we consider TLS MITM attacks in the context of web applications, where the attacker\'s goal is to impersonate the user to the legitimate server, and thus gain access to the user\'s online account. We describe in detail why the recently proposed TLS Channel ID-based client authentication, as well as client web authentication in general, cannot fully prevent such attacks.

We then leverage TLS Channel ID-based authentication and combine it with the concept of sender invariance to create a novel mechanism that we call SISCA: Server Invariance with Strong Client Authentication. SISCA resists user impersonation via TLS MITM attacks even if the attacker has obtained the private key of the legitimate server. We analyze our proposal and show how it can be integrated in today\'s web infrastructure.

22:17 [Pub][ePrint] The Multiple Number Field Sieve for Medium and High Characteristic Finite Fields, by Razvan Barbulescu and Cécile Pierrot

  In this paper, we study the discrete logarithm problem in medium and

high characteristic finite fields. We propose a variant of the Number Field Sieve (NFS) based on numerous number fields. Our improved algorithm computes discrete logarithms in $\\mathbb{F}_{p^n}$ for the whole range of applicability of NFS and lowers the asymptotic complexity from $L_{p^n}(1/3, (128/9)^{1/3})$ to $L_{p^n}(1/3, (2^{13} /3^6)^{1/3})$ in the medium characteristic case, and from $L_{p^n} (1/3, (64/9)^{1/3})$ to $L_{p^n}(1/3,((92 + 26\\sqrt{13})/27))^{1/3})$ in the high characteristic case.

22:17 [Pub][ePrint] Outsourcing Private RAM Computation, by Craig Gentry and Shai Halevi and Mariana Raykova and Daniel Wichs

  We construct the first schemes that allow a client to privately outsource arbitrary program executions to a remote server while ensuring that: (I) the client\'s work is small and essentially independent of the complexity of the computation being outsourced, and (II) the server\'s work is only proportional to the run-time of the computation on a random access machine (RAM), rather than its potentially much larger circuit size. Furthermore, our solutions are non-interactive and have the structure of reusable garbled RAM programs, addressing an open question of Lu and Ostrovsky (Eurocrypt 2013). We also construct schemes for an augmented variant of the above scenario, where the client can initially outsource a large private and persistent database to the server, and later outsource arbitrary program executions with read/write access to this database.

Our solutions are built from non-reusable garbled RAM in conjunction with new types of reusable garbled circuits that are more efficient than prior solutions but only satisfy weaker security. For the basic setting without a persistent database, we can instantiate the required reusable garbled circuits using indistinguishability obfuscation. For the more complex setting with a persistent database we need stronger notions of obfuscation. Our basic solution also requires the client to perform a one-time preprocessing step to garble a program at the cost of its RAM run-time, and we can avoid this cost using stronger notions of obfuscation. It remains an open problem to instantiate these new types of reusable garbled circuits under weaker assumptions, possibly avoiding obfuscation altogether.

22:17 [Pub][ePrint] Millions of Millionaires: Multiparty Computation in Large Networks, by Mahdi Zamani and Mahnush Movahedi and Jared Saia

  We describe a general Multi-Party Computation (MPC) protocol for arithmetic circuits that is secure against a static malicious adversary corrupting up to a 1/10 fraction of the parties. The protocol requires each party to send an average of soft-O(m/n) bits, and compute soft-O(m/n) operations in a network of size n, where m is the size of circuit. This is achieved by increasing latency from constant to O(d) , where d is the depth of the circuit. Our protocol has a setup phase that is independent of the circuit and relies on Threshold Fully Homomorphic Encryption (TFHE). The setup requires each party to send soft-O(k^2) messages and compute soft-O(k^2) operations, where k is the security parameter. We provide results from microbenchmarks conducted over a sorting network showing that our protocol may be practical for deployment in large networks. For example, we consider a network of size 2^25 (over 33 million), where each party has an input item of size 20 bytes. To securely sort the items, our protocol requires each party on average to send only 5 kilobytes per item sorted.

04:17 [Pub][ePrint] Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack, by Yuval Yarom and Naomi Benger

  We illustrate a vulnerability introduced to elliptic curve cryptographic protocols when implemented using a function of the OpenSSL cryptographic library. For the given implementation using an elliptic curve E over a binary field with a point G \\in E, our attack recovers the majority of the bits of a scalar k when kG is computed using the OpenSSL implementation of the Montgomery ladder. For the Elliptic Curve Digital Signature Algorithm (ECDSA) the scalar k is intended to remain secret. Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries. This is possible from snooping on only one signing process and requires computation of less than one second on a quad core desktop when the scalar k (and secret key) is around 571 bits.

04:17 [Pub][ePrint] Unrestricted Identity-Based Aggregate Signcryption in the Standard Model from Multilinear Maps, by Hao Wang

  Signcryption is a relatively new cryptographic technique that is supposed to fulfill the functionalities of digital signature and encryption in a single logical step and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes, and aggregate signcryption scheme allows individual signcryption ciphertexts intended for the same recipient to be aggregated into a single (shorter) combined ciphertext without losing any of the security guarantees. In this paper, we present a new identity-based aggregate signcryption scheme using multilinear maps. To the best of my knowledge, our new scheme is the first identity-based aggregate signcryption scheme that admits unrestricted aggregation.

04:17 [Pub][ePrint] FPGA-Based High Performance AES-GCM Using Efficient Karatsuba Ofman Algorithm , by Karim M. Abdellatif, R. Chotin-Avot, and H. Mehrez

  AES-GCM has been utilized in various security applications. It consists of two components: an Advanced Encryption Standard (AES) engine and a Galois Hash (GHASH) core. The performance of the system is determined by the GHASH architecture because of the inherent computation feedback. This paper introduces a modification for the pipelined Karatsuba Ofman Algorithm (KOA)-based GHASH. In particular, the computation feedback is removed by analyzing the complexity of the computation process. The proposed GHASH core is evaluated with three different implementations of AES ( BRAMs-based SubBytes, composite field-based SubBytes, and LUT-based SubBytes). The presented AES-GCM architectures are implemented using Xilinx Virtex5 FPGAs. Our comparison to previous work reveals that our architectures are more performance-efficient (Thr. /Slices).

04:17 [Pub][ePrint] Statistical Concurrent Non-Malleable Zero Knowledge, by Claudio Orlandi and Rafail Ostrovsky and Vanishree Rao and Amit Sahai and Ivan Visconti

  The notion of Zero Knowledge introduced by Goldwasser, Micali, and Rackoff in STOC 1985 is fundamental in Cryptography. Motivated by conceptual and practical reasons, this notion has been explored under stronger definitions. We will consider the following two main strengthened notions.

-- Statistical Zero Knowledge: here the zero-knowledge property will last forever, even in case in future the adversary will have unlimited power.

-- Concurrent Non-Malleable Zero Knowledge: here the zero-knowledge property is combined with non-transferability and the adversary fails in mounting a concurrent man-in-the-middle attack aiming at transferring zero-knowledge proofs/arguments.

Besides the well-known importance of both notions, it is still unknown whether one can design a zero-knowledge protocol that satisfies both notions simultaneously.

In this work we shed light on this question in a very strong sense. We show a {\\em statistical concurrent non-malleable} zero-knowledge argument system for NP with a {\\em black-box} simulator-extractor.

04:17 [Pub][ePrint] How to Securely Release Unverified Plaintext in Authenticated Encryption, by Elena Andreeva and Andrey Bogdanov and Atul Luykx and Bart Mennink and Nicky Mouha and Kan Yasuda

  We consider the case where an authenticated encryption scheme outputs the decrypted plaintext before successful verification. This scenario raises many security issues, and is highlighted in the upcoming CAESAR competition. It arises for example when devices have insufficient memory to store the entire plaintext, or when the decrypted plaintext needs to be processed early due to real-time requirements. Firstly, we formalize the releasing unverified plaintext (RUP) setting. To achieve privacy in this setting, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if there exists a plaintext extractor for every adversary. The plaintext extractor does not know the secret key, but tries to fool the adversary by mimicking the decryption oracle. The release of unverified plaintext then becomes harmless, because it is infeasible to distinguish between answers from the real decryption oracle and from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting (PA1 and PA2), and show implications and separations between PA1, PA2, and existing notions. To achieve integrity of the ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These security notions are then used to make a classification of symmetric-key schemes in the RUP setting. We analyze existing authenticated encryption schemes in this setting, and provide solutions to fix insecure schemes.