International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] On the Pitfalls of using Arbiter-PUFs as Building Blocks, by Georg T. Becker

  Physical Unclonable Functions (PUFs) have emerged as a promising solution for securing resource-constrained embedded devices such as RFID-tokens. PUFs use the inherent physical differences of every chip to either securely authenticate the chip or generate cryptographic keys without the need of non-volatile memory. Securing non-volatile memory and cryptographic algorithms against hardware attacks is very costly and hence PUFs are believed to be a good alternative to traditional cryptographic algorithms and key generation on constrained embedded devices.

However, PUFs have shown to be vulnerable to model building attacks if the attacker has access to challenge and response pairs. In these model building attacks, machine learning is used to determine the internal parameters of the PUF to build an accurate software model. Nevertheless, PUFs are still a promising building block and several protocols and designs have been proposed that are believed to be resistant against machine learning attacks. In this paper we take a closer look at a two such protocols, one based on reverse fuzzy extractors[15] and one based on pattern matching [15,17]. We show that it is possible to attack these protocols using machine learning despite the fact that an attacker does not have access to direct challenge and response pairs. The introduced attacks demonstrate that even highly obfuscated responses or helper data can be used to attack PUF protocols.

Hence, our work shows that even protocols in which it would be computationally infeasible to compute enough challenge and response pairs for a direct machine learning attack can be attacked using machine learning.

12:17 [Forum] [2014 Reports] Re: 2014/377 by Boaz123

  Hi, I think that this is not exactly obfuscation: To my understanding, obfuscation is a reversible permutation, because its actually 1-1 mapping. The process of logic synthesis proposed in the publication is inherently not reversible, because it involves a loss of information. The only way to reverse it is to go through all possible inputs and record the associated outputs, which is similar to brute force attack From: 2014-07-07 09:25:43 (UTC)

09:17 [Pub][ePrint] Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model, by Susan Hohenberger and Venkata Koppula and Brent Waters

  We study the adaptive security of constrained PRFs in the standard model. We initiate our exploration with puncturable PRFs. A puncturable PRF family is a special class of constrained PRFs, where the constrained key is associated with an element $x\'$ in the input domain. The key allows evaluation at all points $x\\neq x\'$.

We show how to build puncturable PRFs with adaptive security proofs in the standard model that involve only polynomial loss to the underlying assumptions. Prior work had either super-polynomial loss or applied the random oracle heuristic. Our construction uses indistinguishability obfuscation and DDH-hard algebraic groups of composite order.

09:17 [Pub][ePrint] Constrained Pseudorandom Functions: Verifiable and Delegatable, by Nishanth Chandran and Srinivasan Raghuraman and Dhinakaran Vinayagamurthy

  Constrained pseudorandom functions (introduced independently by Boneh and Waters (CCS 2013), Boyle, Goldwasser, and Ivan (PKC 2014), and Kiayias, Papadopoulos, Triandopoulos, and Zacharias (CCS 2013)), are pseudorandom functions (PRFs) that allow the owner of the secret key $k$ to compute a constrained key $k_f$, such that anyone who possesses $k_f$ can compute the output of the PRF on any input $x$ such that $f(x) = 1$ for some predicate $f$. The security requirement of constrained PRFs state that the PRF output must still look indistinguishable from random for any $x$ such that $f(x) = 0$.

Boneh and Waters show how to construct constrained PRFs for the class of bit-fixing as well as circuit predicates. They explicitly left open the question of constructing constrained PRFs that are delegatable - i.e., constrained PRFs where the owner of $k_f$ can compute a constrained key

$k_{f\'}$ for a further restrictive predicate $f\'$. Boyle, Goldwasser, and Ivan left open the question of constructing constrained PRFs that are also verifiable. Verifiable random functions (VRFs), introduced by Micali, Rabin, and Vadhan (FOCS 1999), are PRFs that allow the owner of the

secret key $k$ to prove, for any input $x$, that $y$ indeed is the output of the PRF on $x$; the security requirement of VRFs state that the PRF output must still look indistinguishable from random, for any $x$ for which a proof is not given.

In this work, we solve both the above open questions by constructing constrained pseudorandom functions that are simultaneously verifiable and delegatable.

09:17 [Pub][ePrint] Fully Secure and Fast Signing from Obfuscation, by Kim Ramchen and Brent Waters

  In this work we explore new techniques for building short signatures

from obfuscation. Our goals are twofold. First, we would like to

achieve short signatures with adaptive security proofs. Second, we

would like to build signatures with fast signing, ideally

significantly faster than comparable signatures that are not based on

obfuscation. The goal here is to create an \"imbalanced\" scheme where

signing is fast at the expense of slower verification.

We develop new methods for achieving short and fully secure

obfuscation-derived signatures. Our base signature scheme is built

from punctured programming and makes a novel use of the \"prefix

technique\" to guess a signature. We find that our initial scheme has

slower performance than comparable algorithms (e.g. EC-DSA). We find

that the underlying reason is that the underlying PRG is called

l^2 times for security parameter l.

To address this issue we construct a more efficient scheme by adapting the Goldreich-Goldwasser-Micali [GGM86] construction to form the basis for a new puncturable PRF. This puncturable PRF accepts

variable-length inputs and has the property that evaluations on all

prefixes of a message can be efficiently pipelined. Calls to the

puncturable PRF by the signing algorithm therefore make fewer

invocations of the underlying PRG, resulting in reduced signing


We evaluate our puncturable PRF based signature schemes using a

variety of cryptographic candidates for the underlying PRG. We show

that the resulting performance on message signing is competitive with

that of widely deployed signature schemes.

09:17 [Pub][ePrint] Constructing hyper-bent functions from Boolean functions with the Walsh spectrum taking the same value twice, by Chunming Tang and Yanfeng Q

  Hyper-bent functions as a subclass of bent functions attract much interest and it is elusive to completely characterize hyper-bent functions. Most of known hyper-bent functions are Boolean functions with Dillon exponents and they are often characterized by special values of Kloosterman sums.

In this paper, we present a method for characterizing hyper-bent functions

with Dillon exponents. A class of hyper-bent functions with Dillon exponents

over $\\mathbb{F}_{2^{2m}}$ can be characterized by

a Boolean function over $\\mathbb{F}_{2^m}$, whose Walsh spectrum takes the same value twice.

Further, we show several classes of

hyper-bent functions with Dillon exponents characterized by

Kloosterman sum identities and the Walsh

spectra of some common Boolean functions.

09:17 [Pub][ePrint] Differential Analysis on Block Cipher PRIDE, by Jingyuan Zhao and Xiaoyun Wang and Meiqin Wang and Xiaoyang Dong

  The lightweight block cipher PRIDE designed by Albrecht et al., appears in CRYPTO 2014. The designers claim that their method of constructing linear layer is good both in security and efficiency. In this paper, we find 16 different 2-round iterative characteristics utilizing the weaknesses of S-box and linear layer, construct several 15-round differentials. Based on one of the differentials, we launch differential attack on 18-round PRIDE. The data, time and memory complexity are $2^{60}$, $2^{66}$ and $2^{64}$, respectively.

09:17 [Pub][ePrint] Curve41417: Karatsuba revisited, by Daniel J. Bernstein and Chitchanok Chuengsatiansup and Tanja Lange

  This paper introduces constant-time ARM Cortex-A8 ECDH software that

(1) is faster than the fastest ECDH option in the latest version of OpenSSL but

(2) achieves a security level above 2^200 using a prime above 2^400.

For comparison, this OpenSSL ECDH option is not constant-time and has a security level of only 2^80.

The new speeds are achieved in a quite different way

from typical prime-field ECC software:

they rely on a synergy between Karatsuba\'s method

and choices of radix smaller than the CPU word size.

09:17 [Pub][ePrint] Good is Not Good Enough: Deriving Optimal Distinguishers from Communication Theory, by Annelie Heuser and Olivier Rioul and Sylvain Guilley

  We find mathematically optimal side-channel distinguishers by looking at the side-channel as a communication channel. Our methodology can be adapted to any given scenario (device, signal-to-noise ratio, noise distribution, leakage model, etc.). When the model is known and the noise is Gaussian, the optimal distinguisher outperforms CPA and covariance. However, we show that CPA is optimal when the model is only known on a proportional scale. For non-Gaussian noise, we obtain different optimal distinguishers, one for each noise distribution. When the model is imperfectly known, we consider the scenario of a weighted sum of the sensitive variable bits where the weights are unknown and drawn from a normal law. In this case, our optimal distinguisher performs better than the classical linear regression analysis.

18:17 [Pub][ePrint] Cryptography from Compression Functions: The UCE Bridge to the ROM, by Mihir Bellare and Viet Tung Hoang and Sriram Keelveedhi

  This paper suggests and explores the use of UCE security for the task of

turning VIL-ROM schemes into FIL-ROM ones. The benefits we offer over

indifferentiability, the current leading method for this task, are the ability

to handle multi-stage games and greater efficiency. The paradigm consists of

(1) Showing that a VIL UCE function can instantiate the VIL RO in the scheme,

and (2) Constructing the VIL UCE function given a FIL random oracle. The main

technical contributions of the paper are domain extension transforms that

implement the second step. Leveraging known results for the first step we

automatically obtain FIL-ROM constructions for several primitives whose

security notions are underlain by multi-stage games. Our first domain extender

exploits indifferentiability, showing that although the latter does not work

directly for multi-stage games it can be used indirectly, through UCE, as a

tool for this end. Our second domain extender targets performance. It is

parallelizable and shown through implementation to provide significant

performance gains over indifferentiable domain extenders.

18:17 [Pub][ePrint] Realizing Pico: Finally No More Passwords!, by Jens Hermans and Roel Peeters

  In 2011 Stajano proposed Pico, a secure and easy-to-use alternative for passwords. Among the many proposals in this category, Pico stands out by being creative and convincing. However, the description as published leaves some details unspecified, and to the best of our knowledge the complete system has not yet been tested. This work presents detailed specifications and future-proof security protocols for Pico. Moreover, we present the first robust and efficient Pico implementation. Our implementation allows to further mature the Pico concept and can be used for large scale usability evaluations at negligible cost.