International Association for Cryptologic Research

# IACR News Central

Get updates on changes to the IACR web page here. For questions, contact newsletter (at) iacr.org.


You can also access the full news archive.

Further sources for finding out about changes are CryptoDB, ePrint RSS, ePrint Web and the event calendar (iCal).

2014-11-28
07:17 [Pub][ePrint]

We provide a new result that links two crucial entropy notions: Shannon entropy $\mathrm{H}_1$ and collision entropy $\mathrm{H}_2$. Our formula gives the *worst possible* amount of collision entropy in a probability distribution when its Shannon entropy is fixed.

Our results and the techniques used in the proof immediately imply many quantitatively tight separations between Shannon and smooth Renyi entropy, which were previously known only as qualitative statements or one-sided bounds. In particular, we precisely calculate the number of bits that can be extracted from a Shannon entropy source, and calculate how far from the uniform distribution a distribution with the given amount of Shannon entropy is. To illustrate our results we provide clear numerical examples.

In the typical situation, when the gap between the Shannon entropy of a distribution and its length is bigger than $1$, the length of the extracted sequence is very small, even if we allow the randomness quality to be poor. In the case of almost full entropy, where the gap is close to $0$, the $\ell_2$-distance to uniform is roughly of the same order as the gap. Therefore, it is actually not possible to decide the strong quality of supposed true randomness, efficiently and at an extremely high confidence level, by means of Shannon entropy estimators such as Maurer's Universal Test or others.

Our approach involves convex optimization techniques, applied to characterize worst-case distributions, and the use of the Lambert $W$ function, by which we resolve equations coming from Shannon entropy constraints. We believe that it may be of independent interest and useful in studying Shannon entropy with constraints elsewhere.
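The following Python snippet is an added numerical illustration of the gap the abstract describes; it is not code from the paper and does not implement its worst-case formula. It uses only the standard definitions $\mathrm{H}_1(p) = -\sum_i p_i \log_2 p_i$ and $\mathrm{H}_2(p) = -\log_2 \sum_i p_i^2$ and a constructed distribution over 8-bit strings that places half its mass on one value and spreads the rest uniformly. That distribution has Shannon entropy close to 5 bits (gap of about 3 from the length 8) but collision entropy of only about 2 bits, which is the kind of separation that makes a Shannon estimator alone an unreliable judge of randomness quality.

```python
import math


def shannon_entropy(p):
    """H_1(p) = -sum p_i log2 p_i, in bits; zero-probability outcomes contribute 0."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def collision_entropy(p):
    """H_2(p) = -log2 sum p_i^2, in bits (the Renyi entropy of order 2)."""
    return -math.log2(sum(x * x for x in p))


def l2_distance_to_uniform(p):
    """Euclidean distance between p and the uniform distribution on len(p) outcomes."""
    n = len(p)
    return math.sqrt(sum((x - 1.0 / n) ** 2 for x in p))


def spike_plus_uniform(n_bits, spike_mass):
    """Constructed example: one outcome gets spike_mass, the remaining 2^n_bits - 1
    outcomes share the rest uniformly. This is an assumed test distribution, not one
    taken from the paper."""
    n = 2 ** n_bits
    rest = (1.0 - spike_mass) / (n - 1)
    return [spike_mass] + [rest] * (n - 1)


def entropy_report(p):
    """Summarise length, H_1, H_2, the Shannon gap and the l2 distance to uniform."""
    n = len(p)
    length_bits = math.log2(n)
    h1 = shannon_entropy(p)
    h2 = collision_entropy(p)
    return {
        "length_bits": int(length_bits),
        "h1": h1,
        "h2": h2,
        "shannon_gap": length_bits - h1,
        # sum p_i^2 = 2^-H_2, so d2^2 = 2^-H_2 - 1/n: the l2 distance is a
        # function of collision entropy, not of Shannon entropy.
        "d2_uniform": l2_distance_to_uniform(p),
    }


if __name__ == "__main__":
    for mass in (1.0 / 256, 0.05, 0.5):
        r = entropy_report(spike_plus_uniform(8, mass))
        print(f"spike={mass:.4f}  H1={r['h1']:.3f}  H2={r['h2']:.3f}  "
              f"gap={r['shannon_gap']:.3f}  d2={r['d2_uniform']:.4f}")
```

Running the script prints three rows: the first (spike mass 1/256) is exactly uniform, so both entropies equal 8 and the distance is 0; the last shows H1 close to 5 bits while H2 is close to 2 bits. The inequality H2 <= H1 always holds, and the report exposes the identity d2^2 = 2^-H2 - 1/n that ties the l2 distance to collision entropy rather than Shannon entropy.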

07:17 [Pub][ePrint]

Sundaresan et al. recently proposed a novel ownership transfer protocol for multi-tag multi-owner RFID environments that complies with the EPC Class1 Generation2 standard. The authors claim that this provides individual-owner privacy and prevents tracking attacks. In this paper we show that this protocol falls short of its security objectives. We describe attacks that allow: a) an eavesdropper to trace a tag, b) the previous owner to obtain the private information that the tag shares with the new owner, and c) an adversary that has access to the data stored on a tag to link this tag to previous interrogations (forward secrecy). We then analyze the security proof and show that while the first two cases can be solved with a more careful design, for lightweight RFID applications strong privacy remains an open problem.

07:17 [Pub][ePrint]

Face recognition is one of the most important biometric pattern recognition tasks and has been widely applied in a variety of enterprise, civilian and law enforcement settings. The privacy of biometric data raises important concerns, in particular if computations over biometric data are performed at untrusted servers. In previous work on privacy-preserving face recognition, in order to protect individuals' privacy, face recognition is performed over encrypted face images. However, these approaches increase the computation cost of the client and the face database owners, which may prevent face recognition from being executed efficiently. Consequently, it would be desirable to reduce computation over sensitive biometric data in such environments. Currently, no secure techniques for outsourcing face biometric recognition are readily available. In this paper, we propose for the first time a privacy-preserving face recognition protocol with outsourced computation, which efficiently protects individuals' privacy. Our protocol substantially improves on previous work in terms of online computation cost by outsourcing the large computation task to a cloud server with large computing power. In particular, the overall online computation cost of the client and the database owner in our protocol is at most 1/2 of that of the corresponding state-of-the-art protocol. In addition, the client requires only $O(1)$ decryption operations, independent of $M$, where $M$ is the size of the face database. Furthermore, the client can verify the correctness of the recognition result.

07:17 [Pub][ePrint]

The cloud computing infrastructure relies on virtualized servers that provide isolation across guest OSes through sandboxing. This isolation was demonstrated to be imperfect in past work which exploited hardware-level information leakages to gain access to sensitive information across co-located virtual machines (VMs). In response, virtualization companies and cloud service providers have disabled features such as deduplication to prevent such attacks.

In this work, we introduce a fine-grain cross-core cache attack that exploits access time variations on the last level cache. The attack exploits huge pages to work across VM boundaries without requiring deduplication. No configuration changes on the victim OS are needed, making the attack quite viable. Furthermore, only machine co-location is required, while the target and victim OS can still reside on different cores of the machine. Our new attack is a variation of the prime and probe cache attack, whose applicability at the time is limited to the L1 cache. In contrast, our attack works in the spirit of the flush and reload attack, targeting the shared L3 cache instead. Indeed, by adjusting the huge page size our attack can be customized to work at virtually any cache level/size. We demonstrate the viability of the attack by targeting an OpenSSL 1.0.1f implementation of AES. The attack recovers AES keys in the cross-VM setting on Xen 4.1 with deduplication disabled, being only slightly less efficient than the flush and reload attack. Given that huge pages are a standard feature enabled in the memory management unit of OSes and that besides co-location no additional assumptions are needed, the attack we present poses a significant risk to existing cloud servers.

07:17 [Pub][ePrint]

A novel internal state recovery attack on the whole Grain family of ciphers is proposed in this work. It basically uses the ideas of BSW sampling along with employing a weak placement of the tap positions of the driving LFSRs. The currently best known complexity trade-offs are obtained, and due to the structure of Grain family these attacks are also key recovery attacks. It is shown that the internal state of Grain-v1 can be recovered with the time complexity of about $2^{66}$ operations using a memory of about $2^{58.91}$ bits, assuming availability of $2^{45}$ keystream sequences each of length $2^{49}$ bits generated for different initial values. Moreover, for Grain-128 or Grain-128a, the attack requires about $2^{105}$ operations using a memory of about $2^{82.59}$ bits, assuming availability of $2^{75}$ keystream sequences each of length $2^{76}$ bits generated for different initial values. These results further show that the whole Grain family, due to the choice of tap positions mainly, does not provide enough security margins against internal state recovery attacks. A simple modification of the selection of the tap positions, as a countermeasure against the attacks described here, is given.

07:17 [Pub][ePrint]

We show that the step "modulo the degree-$n$ field generating irreducible polynomial" in the classical definition of the $GF(2^n)$ multiplication operation can be avoided. This leads to an alternative representation of the finite field multiplication operation. Combining this representation and the Chinese Remainder Theorem, we design bit-parallel $GF(2^n)$ multipliers for irreducible trinomials $u^n + u^k + 1$ over $GF(2)$. For some values of $n$, our architectures have the same time complexity as the fastest bit-parallel multipliers, the quadratic multipliers, but their space complexities are reduced. Taking the special irreducible trinomial $u^{2k} + u^k + 1$ as an example, the space complexity of the proposed design is reduced by about 1/8, while the time complexity matches the best result. Our experimental results show that among the 539 values of $n$ such that 4
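To make concrete the classical definition the abstract refers to (carry-less polynomial product followed by reduction modulo the field-generating trinomial $u^n + u^k + 1$), here is an added Python reference implementation; it is not the paper's alternative representation nor any code from the authors. The trinomials used for the checks are $u^7 + u + 1$ and $u^6 + u^3 + 1$ (the latter is of the special form $u^{2k} + u^k + 1$ with $k = 3$); both are irreducible over $GF(2)$, which the `all_nonzero_invertible` sanity check confirms by verifying that every non-zero element satisfies $a^{2^n - 1} = 1$.

```python
def gf2_mul_mod_trinomial(a, b, n, k):
    """Classical GF(2^n) multiplication with field polynomial u^n + u^k + 1.

    Elements are integers whose bit i is the coefficient of u^i.
    Step 1: carry-less (XOR-based) polynomial product, degree up to 2n-2.
    Step 2: reduce using u^n == u^k + 1, from the highest degree downwards.
    """
    assert 0 < k < n, "trinomial u^n + u^k + 1 needs 0 < k < n"
    assert 0 <= a < (1 << n) and 0 <= b < (1 << n)
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a <<= 1
        b >>= 1
    # u^d = u^(d-n) * u^n == u^(d-n+k) + u^(d-n); the replacement terms have
    # degree < d, so descending order guarantees every high bit is cleared once.
    for d in range(2 * n - 2, n - 1, -1):
        if (prod >> d) & 1:
            prod ^= (1 << d) | (1 << (d - n + k)) | (1 << (d - n))
    return prod


def gf2_pow(a, e, n, k):
    """Square-and-multiply exponentiation in GF(2^n) built on the multiplier above."""
    result = 1
    base = a
    while e:
        if e & 1:
            result = gf2_mul_mod_trinomial(result, base, n, k)
        base = gf2_mul_mod_trinomial(base, base, n, k)
        e >>= 1
    return result


def gf2_inverse(a, n, k):
    """Multiplicative inverse via a^(2^n - 2), valid when u^n + u^k + 1 is irreducible."""
    assert a != 0, "zero has no inverse"
    return gf2_pow(a, (1 << n) - 2, n, k)


def all_nonzero_invertible(n, k):
    """Sanity check: the quotient ring is a field iff every non-zero element
    satisfies a^(2^n - 1) = 1 (a zero divisor can never have a power equal to 1)."""
    order = (1 << n) - 1
    return all(gf2_pow(a, order, n, k) == 1 for a in range(1, 1 << n))


if __name__ == "__main__":
    # u * u^6 in GF(2^7) with u^7 + u + 1: u^7 reduces to u + 1 (value 0b11).
    print(bin(gf2_mul_mod_trinomial(0b10, 0b1000000, 7, 1)))
    print("u^7+u+1 gives a field:", all_nonzero_invertible(7, 1))
    print("u^6+u^3+1 gives a field:", all_nonzero_invertible(6, 3))
    print("u^4+u^2+1 gives a field:", all_nonzero_invertible(4, 2))
```

The last check is deliberately negative: $u^4 + u^2 + 1 = (u^2 + u + 1)^2$ is reducible, so the element $u^2 + u + 1$ squares to zero in that quotient and the "field" test fails. This is exactly the sanity check to run before trusting any multiplier built on a trinomial taken from a table.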

2014-11-27
22:17 [Forum]

See the following link for the Nit-Picking PLAID response to this paper: https://dl.dropboxusercontent.com/u/41736374/UnpickingReport%20V1.pdf From: 2014-27-11 22:00:58 (UTC)

20:56 [Job][New]

Your responsibilities:

You will consult our customers in the areas of embedded and automotive cyber security. The consulting includes, but is not limited to, security analysis of existing security applications, security concepts, architecture of security solutions, and design of secure systems. In addition, your task will be the adjustment and enhancement of existing embedded security solutions. Furthermore, you will compile surveys and decision memos on new embedded security technologies and products. Depending on your background, you will also develop customized software for client projects in the area of embedded data security and engage in product development. You will assist in sales meetings as a technical expert.

Your competencies and qualifications:

Bachelor's degree in Computer Science, Information Technology or Information Security; Master's degree preferred

Experience in a position as Security Engineer, Security Consultant or Information Security Analyst is beneficial, ideally with industry experience and special knowledge in one of the following fields: cryptography, security, privacy, software development (C/C++ and Java), and embedded systems

Willingness to work in a flexible team; reliable; independent and thoughtful; customer oriented

Send us your application to jobs (at) escrypt.com

20:54 [Event][New]

Submission: 1 May 2015
From May 26 to May 27
Location: Moscow, Russia
More Information: http://www.phdays.com/

05:54 [Event][New]

Submission: 27 April 2015
Notification: 22 June 2015
From September 28 to October 2
Location: Tokyo, Japan
More Information: http://2015.qcrypt.net/

2014-11-26
16:07 [Event][New]

Submission: 10 February 2015
Notification: 6 April 2015
From July 14 to July 17
Location: Verona, Italy
More Information: http://csf2015.di.univr.it/