International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Impact of ANSI X9.24-1:2009 Key Check Value on ISO/IEC 9797-1:2011 MACs, by Tetsu Iwata and Lei Wang

  ANSI X9.24-1:2009 specifies the key check value, which is used to verify the integrity of the blockcipher key. This value is defined as the most significant bits of the ciphertext of the zero block, and is assumed to be publicly known data for verification. ISO/IEC 9797-1:2011 illustrates a total of ten CBC MACs, where one of these MACs, the basic CBC MAC, is widely known to be insecure. In this paper, we consider the remaining nine CBC MACs and derive the quantitative security impact of using the key check value. We first show attacks against five MACs by taking advantage of the knowledge of the key check value. We then prove that the analysis is tight, in a concrete security paradigm. For the remaining four MACs, we prove that the standard birthday bound still holds even with the presence of the key check value. As a result, we obtain a complete characterization of the impact of using ANSI X9.24-1 key check value with the ISO/IEC 9797-1 MACs.

21:17 [Pub][ePrint] SETUP in Secret Sharing Schemes, by Ruxandra F. Olimid

  Secret sharing schemes split a secret into multiple shares that are usually distributed to distinct participants with the goal that only authorized subsets of participants can recover it. We show that SETUP (Secretly Embedded Trapdoor with Universal Protection) attack can be embedded in schemes that employ enough randomness to give the attacker an overwhelming advantage to access the secret. In case of ideal schemes, a coalition of a few participants (within at least one is the attacker) can succeed the attack, while in case of non-ideal schemes the attacker knowledge can be enough to reveal the secret. We exemplify the proposed attack against Shamir\'s threshold scheme, as being the most well-known and used secret sharing scheme. Finally, we consider some prevention techniques against the attack.

21:17 [Pub][ePrint] Oblivious Data Structures, by Xiao Wang and Kartik Nayak and Chang Liu and Elaine Shi and Emil Stefanov and Yan Huang

  We are among the first to systematically investigate (memory-trace) oblivious data structures. We propose a framework for constructing a variety of oblivious data structures, achieving asymptotic performance gains in comparison with generic Oblivious RAM (ORAM). We evaluate the performance of our oblivious data structures in terms of their bandwidth over- heads, and also when applied to a secure computation setting. Finally, we leverage our new framework to design an efficient oblivious memory allocator which is particularly useful due to the community\'s recent efforts in compiling programs targeting ORAM-capable secure processors.

12:42 [Event][New] ProvSec 2014: The Eighth International Conference on Provable Security

  Submission: 20 June 2014
Notification: 23 July 2014
From October 9 to October 10
Location: Hong Kong, Hong Kong
More Information:

12:42 [Event][New] ARES 2014: The Ninth International Conference on Availability, Reliability and Securi

  Submission: 19 March 2014
Notification: 19 May 2014
From September 8 to September 12
Location: Fribourg, Switzerland
More Information:

10:17 [Pub][ePrint] Improving throughput of RC4 algorithm using multithreading techniques in multicore processors, by T.D.B Weerasinghe

  RC4 is the most widely used stream cipher around. So, it is important that it runs cost effectively, with minimum encryption time. In other words, it should give higher throughput. In this paper, a mechanism is proposed to improve the throughput of RC4 algorithm in multicore processors using multithreading. The proposed mechanism does not parallelize RC4, instead it introduces a way that multithreading can be used in encryption when the plaintext is in the form of a text file. In this particular research, the source codes were written in Java (JDK version: 1.6.0_21) in Windows environments. Experiments to analyze the throughput were done separately in an IntelĀ® P4 machine (O/S: Windows XP), Core 2 Duo machine (O/S: Windows XP) and Core i3 machine (O/S: Windows 7).

Outcome of the research: Higher throughput of RC4 algorithm can be achieved in multicores when using the proposed mechanism in this research. Effective use of multithreading in encryption can be achieved in multicores using this technique.

10:17 [Pub][ePrint] A Framework and Compact Constructions for Non-monotonic Attribute-Based Encryption, by Shota Yamada, Nuttapong Attrapadung, Goichiro Hanaoka, and Noboru Kunihiro

  In this paper, we propose new non-monotonic attribute-based encryption schemes with compact parameters.

The first three schemes are key-policy attribute-based encryption (KP-ABE) and the fourth scheme is ciphertext-policy attribute-based encryption (CP-ABE) scheme.


\\item Our first scheme has very compact ciphertexts. The ciphertext overhead only consists of two group elements and this is the shortest in the literature.

Compared to the scheme by Attrapadung et al. (PKC2011), which is the best scheme in terms of the ciphertext overhead, our scheme shortens ciphertext overhead by $33\\%$.

The scheme also reduces the size of the master public key to about half.

\\item Our second scheme is proven secure under the decisional bilinear Diffie-Hellman (DBDH) assumption, which is one of the most standard assumptions in bilinear groups. Compared to the non-monotonic KP-ABE scheme from the same assumption by Ostrovsky et al. (ACM-CCS\'07), our scheme achieves more compact parameters. The master public key and the ciphertext size is about the half that of their scheme.

\\item Our third scheme is the first non-monotonic KP-ABE scheme that can deal with unbounded size of set and access policies. That is, there is no restriction on the size of attribute sets and

the number of allowed repetition of the same attributes which appear in an access policy.

The master public key of our scheme is very compact: it consists of only constant number of group elements.

\\item Our fourth scheme is the first non-monotonic CP-ABE scheme that can deal with unbounded size of set and access policies. The master public key of the scheme consists of only constant number of group elements.


We construct our KP-ABE schemes in a modular manner.

We first introduce special type of predicate encryption that we call two-mode identity based broadcast encryption (TIBBE).

Then, we show that any TIBBE scheme that satisfies certain condition can be generically converted into non-monotonic KP-ABE scheme.

Finally, we construct efficient TIBBE schemes and apply this conversion to obtain the above new non-monotonic KP-ABE schemes.

22:17 [Pub][ePrint] Pragmatism vs. Elegance: comparing two approaches to Simple Power Attacks on AES, by Valentina Banciu and Elisabeth Oswald

  Simple side-channel attacks trade off data complexity (i.e. the number of side-channel observations needed for a successful attack) with computational complexity (i.e. the number of operations applied to the side-channel traces). In the specific example of Simple Power Analysis (SPA) attacks on the Advanced Encryption Standard (AES), two approaches can be found in the literature, one which is a pragmatic approach that involves basic techniques such as efficient enumeration of key candidates, and one that is seemingly more elegant and uses algebraic techniques. Both of these different techniques have been used in complementary settings: the pragmatic attacks were solely applied to the key schedule whereas the more elegant methods were only applied to the encryption rounds. In this article, we investigate how these methods compare in what we consider to be a more practical setting in which adversaries gain access to erroneous information about both key schedule and encryption rounds. We conclude that the pragmatic enumeration technique better copes with erroneous information which makes it more interesting in practice.

22:17 [Pub][ePrint] Verifiable Delegated Set Intersection Operations on Outsourced Encrypted Data, by Qingji Zheng and Shouhuai Xu

  We initiate the study of the following problem:

Suppose Alice and Bob would like to outsource their encrypted private data sets to the cloud, and they also want to conduct the set intersection operation on their plaintext data sets. The straightforward solution for them is to download their outsourced ciphertexts, decrypt the ciphertexts locally, and then execute a commodity two-party set intersection protocol. Unfortunately, this solution is not practical.

We therefore motivate and introduce the novel notion of {\\em Verifiable Delegated Set Intersection on outsourced encrypted data} (VDSI).

The basic idea is to delegate the set intersection operation to the cloud, while (i) not giving the decryption capability to the cloud,

and (ii) being able to hold the misbehaving cloud accountable.

We formalize security properties of VDSI and present a construction.

In our solution, the computational and communication costs on the users are linear to the size of the intersection set,

meaning that the efficiency is optimal up to a constant factor.

22:17 [Pub][ePrint] Optimal constructions for ID-based one-way-function key predistribution schemes realizing specified communication graphs, by Maura B. Paterson and Douglas R. Stinson

  We study a method for key predistribution in a network of $n$ users where pairwise keys are computed by hashing users\' IDs along with secret information that has been (pre)distributed to the network users by a trusted entity. A communication graph $G$ can be specified to indicate which pairs of users should be able to compute keys. We determine necessary and sufficient conditions for schemes of this type to be secure. We also consider the problem of minimizing the storage requirements of such a scheme; we are interested in the total storage as well as the maximum storage required by any user. Minimizing the total storage is NP-hard, whereas minimizing the maximum storage required by a user can be computed in polynomial time.

16:17 [Pub][ePrint] Analysis of a Modified RC4 Algorithm, by T.D.B Weerasinghe

  In this paper, analysis of a simply modified RC4 algorithm is presented. RC4 is the most widely used stream cipher and it is not considered as a cipher that is strong in security. Many alternatives have been proposed to improve RC4 key generation and pseudo random number generation but the thoughts behind this work is to try out a simple modification of RC4\'s PRGA, where we can mention like this:

Output = M XOR GeneratedKey XOR j

After having done the modification the modified algorithm is tested for its secrecy and performance and analyzed over the variable key length with respect to those of the original RC4. The results show that the modified algorithm is better than the original RC4 in the aspects of secrecy and performance.