International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] FFT-Based Key Recovery for the Integral Attack, by Yosuke Todo

  The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose two new techniques for the integral attack, the FFT technique and the key concealment technique. The FFT technique is useful for the integral attack with enormous chosen plaintexts. As the previous result using FFT, Collard et al. showed a new technique which reduces the complexity for the linear attack. In this paper, we review the result of Collard et al. to estimate the complexity in detail, and we show the complexity can be estimated from the number of times using the addition of integers. Moreover, we show that attacks using FFT can be applied to the integral attack. As applications, we show integral attacks against AES and CLEFIA. For AES, we show that 6-round AES can be attacked with about $2^{51.7} additions. For CLEFIA, we show that 12-round CLEFIA can be attacked with about $2^{86.9}$ additions.

15:17 [Pub][ePrint] AES-Based Authenticated Encryption Modes in Parallel High-Performance Software, by Andrey Bogdanov and Martin M. Lauridsen and Elmar Tischhauser

  Authenticated encryption (AE) has recently gained renewed interest due to the ongoing CAESAR competition. This paper deals with the performance of block cipher modes of operation for AE in parallel software. We consider the example of the AES on Intel\'s new Haswell microarchitecture that has improved intructions for AES rounds and finite field multiplication.

As opposed to most previous high-performance software implementations of operation modes -- that have considered the encryption of single messages -- we propose to process multiple messages in parallel. We demonstrate that this message scheduling is of significant advantage for most modes. As a baseline for longer messages, the performance of AES-CBC encryption on a single core increases by factor 6.8 when adopting this approach.

For the first time, we report optimized AES-NI implementations of the novel AE modes OTR, McOE-G, COBRA, and POET -- both with single and multiple messages. For almost all AE modes considered, we obtain a consistent speed-up when processing multiple messages in parallel. Notably, among the nonce-based modes, AES-CCM gets by factor 3.5 faster and its performance is about 1.2 cpb which is close to that of AES-GCM (the latter, however, possessing classes of weak keys), with AES-OCB3 still performing at only 0.69 cpb. Among the nonce-misuse resistant modes, AES-McOE-G receives a speed-up by factor 4 and its performance is about 1.44 cpb, which is faster than AES-COBRA with its 1.55 cpb but slower than AES-COPA with 1.29 cpb.

07:04 [Job][New] Ph.D. student in Quantum Cryptography, University of and CWI Amsterdam, the Netherlands, Europe

  The Institute for Logic, Language & Computation (ILLC) at the University of Amsterdam, and the Centrum Wiskunde & Informatica (CWI) are looking for a PhD candidate in the area of quantum cryptography under the supervision of Dr. Christian Schaffner.

The aim of the PhD project is to develop new quantum-cryptographic protocols (beyond the task of key distribution) and explore their possibilities and limitations. An example of an active research topic is position-based quantum cryptography. Another aspect is to investigate the security of classical cryptographic schemes against quantum adversaries (post-quantum cryptography).

Full-time appointment is on a temporary basis for a period of four years. For the first two years the PhD candidate will be appointed at the ILLC, University of Amsterdam, initially for a period of 18 months and then, on positive evaluation, for a further six months. During the final two years, the PhD candidate will be employed by the Centrum Wiskunde and Informatica (CWI). On the basis of a full-time appointment (38 hours per week), the gross monthly salary amounts to €2,083 during the first year, rising to €2,664 during the fourth year.


  • A Master\\\'s degree with excellent grades in computer science, mathematics or physics with outstanding results or a comparable degree;

  • candidates with a strong background in cryptography or quantum information processing are preferred;

  • good academic writing and presentation skills;

  • good social and organisational skills.

Preferred starting date is 1 September 2014 (or earlier if possible).

21:17 [Pub][ePrint] Proving the TLS Handshake Secure (as it is), by Karthikeyan Bhargavan and Cédric Fournet and Markulf Kohlweiss and Alfredo Pironti and Pierre-Yves Strub and Santiago Zanella-Béguelin

  The TLS protocol features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now well-understood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS. We experimentally confirm that all mainstream implementations of TLS share key materials between many different algorithms, some of them of dubious strength. We outline new attacks we found in their handling of session resumption and renegotiation, stressing the need to model multiple related instances of the handshake.

We systematically study the provable security of the TLS handshake, as

it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. miTLS inter-operates with mainstream browsers and servers for many protocol versions, configurations, and ciphersuites; and it provides application-level, provable security for some.

We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms, and key derivation algorithms used by the TLS handshake. By necessity, our definitions are stronger than those expected with simple modern protocols.

To validate our model of key encapsulation, we prove that RSA

ciphersuites satisfy the security assumption needed for our proof of

the handshake. Specifically, we formalize the use of PKCS#1v1.5 encryption in TLS, including recommended countermeasures against Bleichenbacher attacks, and build a 3,000-line EasyCrypt proof of its security against replayable chosen-ciphertext attacks under the assumption that ciphertexts are hard to re-randomize.

Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and resumption, treated as a detailed 3,600-line executable model.

We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. We also describe its refinement to account for the whole reference implementation, based on automated verification tools.

21:17 [Pub][ePrint] Impact of ANSI X9.24-1:2009 Key Check Value on ISO/IEC 9797-1:2011 MACs, by Tetsu Iwata and Lei Wang

  ANSI X9.24-1:2009 specifies the key check value, which is used to verify the integrity of the blockcipher key. This value is defined as the most significant bits of the ciphertext of the zero block, and is assumed to be publicly known data for verification. ISO/IEC 9797-1:2011 illustrates a total of ten CBC MACs, where one of these MACs, the basic CBC MAC, is widely known to be insecure. In this paper, we consider the remaining nine CBC MACs and derive the quantitative security impact of using the key check value. We first show attacks against five MACs by taking advantage of the knowledge of the key check value. We then prove that the analysis is tight, in a concrete security paradigm. For the remaining four MACs, we prove that the standard birthday bound still holds even with the presence of the key check value. As a result, we obtain a complete characterization of the impact of using ANSI X9.24-1 key check value with the ISO/IEC 9797-1 MACs.

21:17 [Pub][ePrint] SETUP in Secret Sharing Schemes, by Ruxandra F. Olimid

  Secret sharing schemes split a secret into multiple shares that are usually distributed to distinct participants with the goal that only authorized subsets of participants can recover it. We show that SETUP (Secretly Embedded Trapdoor with Universal Protection) attack can be embedded in schemes that employ enough randomness to give the attacker an overwhelming advantage to access the secret. In case of ideal schemes, a coalition of a few participants (within at least one is the attacker) can succeed the attack, while in case of non-ideal schemes the attacker knowledge can be enough to reveal the secret. We exemplify the proposed attack against Shamir\'s threshold scheme, as being the most well-known and used secret sharing scheme. Finally, we consider some prevention techniques against the attack.

21:17 [Pub][ePrint] Oblivious Data Structures, by Xiao Wang and Kartik Nayak and Chang Liu and Elaine Shi and Emil Stefanov and Yan Huang

  We are among the first to systematically investigate (memory-trace) oblivious data structures. We propose a framework for constructing a variety of oblivious data structures, achieving asymptotic performance gains in comparison with generic Oblivious RAM (ORAM). We evaluate the performance of our oblivious data structures in terms of their bandwidth over- heads, and also when applied to a secure computation setting. Finally, we leverage our new framework to design an efficient oblivious memory allocator which is particularly useful due to the community\'s recent efforts in compiling programs targeting ORAM-capable secure processors.

12:42 [Event][New] ProvSec 2014: The Eighth International Conference on Provable Security

  Submission: 20 June 2014
Notification: 23 July 2014
From October 9 to October 10
Location: Hong Kong, Hong Kong
More Information:

12:42 [Event][New] ARES 2014: The Ninth International Conference on Availability, Reliability and Securi

  Submission: 19 March 2014
Notification: 19 May 2014
From September 8 to September 12
Location: Fribourg, Switzerland
More Information:

10:17 [Pub][ePrint] Improving throughput of RC4 algorithm using multithreading techniques in multicore processors, by T.D.B Weerasinghe

  RC4 is the most widely used stream cipher around. So, it is important that it runs cost effectively, with minimum encryption time. In other words, it should give higher throughput. In this paper, a mechanism is proposed to improve the throughput of RC4 algorithm in multicore processors using multithreading. The proposed mechanism does not parallelize RC4, instead it introduces a way that multithreading can be used in encryption when the plaintext is in the form of a text file. In this particular research, the source codes were written in Java (JDK version: 1.6.0_21) in Windows environments. Experiments to analyze the throughput were done separately in an Intel® P4 machine (O/S: Windows XP), Core 2 Duo machine (O/S: Windows XP) and Core i3 machine (O/S: Windows 7).

Outcome of the research: Higher throughput of RC4 algorithm can be achieved in multicores when using the proposed mechanism in this research. Effective use of multithreading in encryption can be achieved in multicores using this technique.

10:17 [Pub][ePrint] A Framework and Compact Constructions for Non-monotonic Attribute-Based Encryption, by Shota Yamada, Nuttapong Attrapadung, Goichiro Hanaoka, and Noboru Kunihiro

  In this paper, we propose new non-monotonic attribute-based encryption schemes with compact parameters.

The first three schemes are key-policy attribute-based encryption (KP-ABE) and the fourth scheme is ciphertext-policy attribute-based encryption (CP-ABE) scheme.


\\item Our first scheme has very compact ciphertexts. The ciphertext overhead only consists of two group elements and this is the shortest in the literature.

Compared to the scheme by Attrapadung et al. (PKC2011), which is the best scheme in terms of the ciphertext overhead, our scheme shortens ciphertext overhead by $33\\%$.

The scheme also reduces the size of the master public key to about half.

\\item Our second scheme is proven secure under the decisional bilinear Diffie-Hellman (DBDH) assumption, which is one of the most standard assumptions in bilinear groups. Compared to the non-monotonic KP-ABE scheme from the same assumption by Ostrovsky et al. (ACM-CCS\'07), our scheme achieves more compact parameters. The master public key and the ciphertext size is about the half that of their scheme.

\\item Our third scheme is the first non-monotonic KP-ABE scheme that can deal with unbounded size of set and access policies. That is, there is no restriction on the size of attribute sets and

the number of allowed repetition of the same attributes which appear in an access policy.

The master public key of our scheme is very compact: it consists of only constant number of group elements.

\\item Our fourth scheme is the first non-monotonic CP-ABE scheme that can deal with unbounded size of set and access policies. The master public key of the scheme consists of only constant number of group elements.


We construct our KP-ABE schemes in a modular manner.

We first introduce special type of predicate encryption that we call two-mode identity based broadcast encryption (TIBBE).

Then, we show that any TIBBE scheme that satisfies certain condition can be generically converted into non-monotonic KP-ABE scheme.

Finally, we construct efficient TIBBE schemes and apply this conversion to obtain the above new non-monotonic KP-ABE schemes.