International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

06:31 [Event][New] IoTPTS 2015: ASIACCS Workshop on IoT Privacy, Trust, and Security

  Submission: 7 January 2015
Notification: 31 January 2015
From April 14 to April 14
Location: Singapore, Singapore
More Information:

21:17 [Pub][ePrint] Crypto-analyses on \"secure and efficient privacy-preserving public auditing scheme for cloud storage\", by Yalin Chen and Jue-Sam Chou*

  Recently, Worku et al. pointed out that the work \"privacy-preserving public auditing for data storage security in cloud computing\" proposed by Wang et al. is insecure and their second work \"privacy- preserving public auditing for secure cloud the storage\" is inefficient. Thus, they offered a secure and efficient-privacy public auditing scheme for cloud storage. They claimed that their system is provably secure in the random oracle model and the operation is effective. However, after crypto-analysis, we found that the scheme cannot reach the security goal, it has the existential forgery attack. We, therefore, alter it to incorporate the desired privacy preserving requirement, which is very significant in a privacy-preserving public auditing protocol for cloud storage.

18:17 [Pub][ePrint] A comprehensive empirical comparison of parallel ListSieve and GaussSieve, by Artur Mariano and Ozgur Dagdelen and Christian Bischof

  The security of lattice-based cryptosystems is determined by

the performance of practical implementations of, among others, algo-

rithms for the Shortest Vector Problem (SVP).

In this paper, we conduct a comprehensive, empirical comparison of two

SVP-solvers: ListSieve and GaussSieve. We also propose a practical par-

allel implementation of ListSieve, which achieves super-linear speedups

on multi-core CPUs, with efficiency levels as high as 183%. By compar-

ing our implementation with a parallel implementation of GaussSieve, we

show that ListSieve can, in fact, outperform GaussSieve for a large num-

ber of threads, thus answering a question that was still open to this day.

18:17 [Pub][ePrint] Cryptanalysis on `Robust Biometrics-Based Authentication Scheme for Multi-server Environment\', by Vanga Odelu and Ashok Kumar Das and Adrijit Goswami

  Authentication plays an important role in an open network environment in order to authenticate two communication parties among each other. Authentication protocols should protect the sensitive information against a malicious adversary by providing a variety of services, such as authentication, user credentials\' privacy, user revocation and re-registration, when the smart card is lost/stolen or the private key of a user or a server is revealed. Unfortunately, most of the existing multi-server authentication schemes proposed in the literature do not support the fundamental security property such as the revocation and re-registration with same identity. Recently, in 2014, He and Wang proposed a robust and efficient multi-server authentication scheme using biometrics-based smart card and elliptic curve cryptography (ECC). In this paper, we analyze the He-Wang\'s scheme and show that He-Wang\'s scheme is vulnerable to a known session-specific temporary information attack and impersonation attack. In addition, we show that their scheme does not provide strong user\'s anonymity. Furthermore, He-Wang\'s scheme cannot support the revocation and re-registration property. Apart from these, He-Wang\'s scheme has some design flaws, such as wrong password login and its consequences, and wrong password update during password change phase.

18:17 [Pub][ePrint] Wire-Tap Codes as Side-Channel Countermeasure - an FPGA-based experiment, by Amir Moradi

  In order to provide security against side-channel attacks a masking scheme which makes use of wire-tap codes has recently been proposed. The scheme benefits from the features of binary linear codes, and its application to AES has been presented in the seminal article. In this work - with respect to the underlying scheme - we re-iterate the fundamental operations of the AES cipher in a hopefully more understandable terminology. Considering an FPGA platform we address the challenges each AES operation incurs in terms of implementation complexity. We show different scenarios on how to realize the SubBytes operation as the most critical issue is to deal with the large S-boxes encoded by the underlying scheme. Constructing various designs to actualize a full AES-128 encryption engine of the scheme, we provide practical side-channel evaluations based on traces collected from a Spartan-6 FPGA platform. As a result, we show that - despite nice features of the scheme - with respect to its area and power overhead its advantages are very marginal unless its fault-detection ability is also being employed.

18:17 [Pub][ePrint] How to Split a Secret into Unknown Shares, by Ruxandra F. Olimid

  Grigoriev and Shpilrain recently considered secret sharing systems for which nobody (including the dealer) knows the share of a particular party and introduced a construction for the special case of all-or-nothing schemes. We extend their work and propose two threshold secret sharing schemes that satisfy this property.

18:17 [Pub][ePrint] Square Span Programs with Applications to Succinct NIZK Arguments, by George Danezis and Cedric Fournet and Jens Groth and Markulf Kohlweiss

  We propose a new characterization of NP using square span programs

(SSPs). We first characterize NP as affine map constraints on small

vectors. We then relate this characterization to SSPs, which are

similar but simpler than Quadratic Span Programs (QSPs) and

Quadratic Arithmetic Programs (QAPs) since they use a single series

of polynomials rather than 2 or 3.

We use SSPs to construct succinct non-interactive zero-knowledge

arguments of knowledge. For performance, our proof system is

defined over Type III bilinear groups; proofs consist of just 4

group elements, verified in just 6 pairings. Concretely, using the

Pinocchio libraries, we estimate that proofs will consist of 160

bytes verified in less than 6 ms.

18:17 [Pub][ePrint] Bivariate Polynomials Modulo Composites and their Applications, by Dan Boneh and Henry Corrigan-Gibbs

  We investigate the hardness of finding solutions to bivariate polynomial congruences modulo RSA composites. We establish necessary conditions for a bivariate polynomial to be one-way, second preimage resistant, and collision resistant based on arithmetic properties of the polynomial. From these conditions we deduce a new computational assumption that implies an efficient algebraic collision-resistant hash function. We explore the assumption and relate it to known computational problems. The assumption leads to (i) a new statistically hiding commitment scheme that composes well with Pedersen commitments, (ii) a conceptually simple cryptographic accumulator, and (iii) an efficient chameleon hash function.

18:17 [Pub][ePrint] Adaptively Secure Constrained Pseudorandom Functions, by Dennis Hofheinz and Akshay Kamath and Venkata Koppula and Brent Waters

  A constrained pseudo random function (PRF) behaves like a standard PRF, but with the

added feature that the (master) secret key holder, having secret key K, can produce a constrained key, K_f, that allows for the evaluation of the PRF on a subset of the domain as determined by a predicate function f within some family F. While previous constructions gave constrained PRFs for poly-sized circuits, all reductions for such functionality were based in the selective model of security where an attacker declares which point he is attacking before seeing any constrained keys.

In this paper we give new constrained PRF constructions for circuits that have polynomial reductions to indistinguishability obfuscation in the random oracle model. Our solution is constructed from two recently emerged primitives: an adaptively secure Attribute-Based

Encryption (ABE) for circuits and a Universal Parameters as introduced by Hofheinz et al.

Both primitives are constructible from indistinguishability obfuscation (iO)

(and injective pseudorandom generators) with only polynomial loss.

18:17 [Pub][ePrint] On Shor\'s Factoring Algorithm with More Registers and the Problem to Certify Quantum Computers, by Zhengjun Cao and Zhenfu Cao

  Shor\'s factoring algorithm uses two quantum registers. By introducing more registers we show that the measured numbers in these registers which are of the same pre-measurement state, should be equal if the original Shor\'s complexity argument is sound. This contradicts the argument that the second register has $r$ possible measured values.

There is an anonymous comment which argues that the states in these registers are entangled. If so, the entanglement involving many quantum registers can not be interpreted by the mechanism of EPR pairs and the like. In view of this peculiar entanglement has not yet been mentioned and investigated, we think the claim that the Shor\'s algorithm runs in polynomial time needs more physical verifications. We also discuss the problem to certify quantum computers.

18:17 [Pub][ePrint] Differential Cryptanalysis of SipHash, by Christoph Dobraunig and Florian Mendel and Martin Schläffer

  SipHash is an ARX based message authentication code developed by Aumasson and Bernstein. SipHash was designed to be fast on short messages. Already, a lot of implementations and applications for SipHash exist, whereas the cryptanalysis of SipHash lacks behind. In this paper, we provide the first published third-party cryptanalysis of SipHash regarding differential cryptanalysis. We use existing automatic tools to find differential characteristics for SipHash. To improve the quality of the results, we propose several extensions for these tools to find differential characteristics. For instance, to get a good probability estimation for differential characteristics in SipHash, we generalize the concepts presented by Mouha et al. and Velichkov et al. to calculate the probability of ARX functions. Our results are a characteristic for SipHash-2-4 with a probability of $2^{-236.3}$ and a distinguisher for the Finalization of SipHash-2-4 with practical complexity. Even though our results do not pose any threat to the security of SipHash-2-4, they significantly improve the results of the designers and give new insights in the security of SipHash-2-4.