International Association for Cryptologic Research

IACR News Central


07:17 [Pub][ePrint] On the security margin of MAC striping, by Thomas Eisenbarth and Aaron Meyerowitz and Rainer Steinwandt

  MAC striping has been suggested as a technique to authenticate encrypted payloads using short tags. For an idealized MAC scheme, the probability of a selective forgery has been estimated as $\binom{\ell+m}{m}^{-1}\cdot 2^{-m}$, when utilizing MAC striping with $\ell$-bit payloads and $m$-bit tags. We show that this estimate is too optimistic. For $m\le\ell$ and any payload, we achieve a selective forgery with probability $\ge \binom{\ell+m}{m}^{-1}$, and usually many orders of magnitude more than that.

07:17 [Pub][ePrint] Structural Evaluation by Generalized Integral Property, by Yosuke Todo

  In this paper, we show structural cryptanalyses against two popular networks, i.e., the Feistel Network and the Substitute-Permutation Network (SPN). Our cryptanalyses are distinguishing attacks by an improved integral distinguisher. The integral distinguisher is one of the most powerful attacks against block ciphers, and it is usually constructed by evaluating the propagation characteristic of integral properties, e.g., the ALL or BALANCE property. However, the integral property does not derive useful distinguishers against block ciphers with non-bijective functions and bit-oriented structures. Moreover, since the integral property does not clearly exploit the algebraic degree of block ciphers, it tends not to construct useful distinguishers against block ciphers with low-degree functions. In this paper, we propose a new property called {\it the division property}, which is the generalization of the integral property. It can effectively construct the integral distinguisher even if the block cipher has non-bijective functions, bit-oriented structures, and low-degree functions. From the viewpoints of the attackable number of rounds or chosen plaintexts, the division property can construct better distinguishers than previous methods. Although our attack is a generic attack, it can improve several integral distinguishers against specific cryptographic primitives. For instance, it can reduce the required number of chosen plaintexts for the 10-round distinguisher on Keccak-f from $2^{1025}$ to $2^{515}$. For the Feistel cipher, it theoretically proves that Simon 32, 48, 64, 96, and 128 have 9-, 11-, 11-, 13-, and 13-round integral distinguishers, respectively.

07:17 [Pub][ePrint] Related-Key Forgeries for Prøst-OTR, by Christoph Dobraunig and Maria Eichlseder and Florian Mendel

  We present a forgery attack on Prøst-OTR in a related-key setting. Prøst is a family of authenticated encryption algorithms proposed as candidates in the currently ongoing CAESAR competition, and Prøst-OTR is one of the three variants of the Prøst design. The attack exploits how the Prøst permutation is used in an Even-Mansour construction in the Feistel-based OTR mode of operation. Given the ciphertext and tag for any two messages under two related keys K and K + Delta with related nonces, we can forge the ciphertext and tag for a modified message under K. If we can query ciphertexts for chosen messages under K + Delta, we can achieve almost universal forgery for K. The computational complexity is negligible.

06:26 [Job][New] Research Fellows (2 Openings), Cyber Security Researchers of Waikato (CROW), University of Waikato

  2 Research Fellow Openings, Department of Computer Science, Faculty of Computing and Mathematical Sciences

We have two fixed-term positions available to be a part of an exciting new MBIE-funded Cyber Security STRATUS (Security Technologies Returning Accountability, Transparency and User-centric Services to the Cloud) project, led by the Faculty’s CROW (Cyber Security Researchers of Waikato) Research Group (

STRATUS will deliver a platform of user-empowering cloud security software, human capability and technical resources easily accessible by a broad range of NZ industry and government organisations.

You will have a PhD in Computer Science or a related field in an active area of research and will have demonstrated the ability to sustain a successful quality research programme. You will be expected to enhance the Department’s research environment, technology commercialisation process, and to produce high quality research and publications in computer security and Cloud computing as a part of this externally funded programme.

In addition to the requirements above, preference will be given to those with experience in data provenance, network security, digital forensics, linked data visualisation, data mining, applied cryptography and/or related areas.

Current salary range for Research Fellows is NZ$67,477 to $82,383 per year.

Fixed-term for three years.

Closing date: 6 March 2015 (NZ time)

Vacancy number: 350045

For more information and to apply, visit

10:17 [Pub][ePrint] Key Recovery Attack against an NTRU-type Somewhat Homomorphic Encryption Scheme, by Massimo Chenal, Qiang Tang

  In this note, we present our key recovery attacks against NTRU-type somewhat homomorphic encryption schemes.

10:17 [Pub][ePrint] On the Disadvantages of Pairing-based Cryptography, by Zhengjun Cao and Lihua Liu

  Pairing-based cryptography (PBC) has many elegant properties. It is claimed that PBC can offer a desired security level with smaller parameters than general elliptic curve cryptography (ECC). In this note, we remark that this view is misleading. Suppose that an elliptic curve $E$ is defined over the field $\mathbb{F}_q$. Then ECC is working with elements which are defined over $\mathbb{F}_q$. But PBC is working with the functions and elements defined over $\mathbb{F}_{q^k}$, where $k$ is the \emph{embedding degree}.

The security of PBC depends directly on the intractability level of either the elliptic curve discrete log problem (ECDLP) in the group $E(\mathbb{F}_q)$ or the discrete log problem (DLP) in the group $\mathbb{F}_{q^k}^*$. That means PBC protocols have to work in a running environment with parameters of 1024 bits so as to offer an 80-bit security level. This shortcoming makes PBC lose its competitive advantages significantly.

10:17 [Pub][ePrint] On the behaviors of affine equivalent Sboxes regarding differential and linear attacks, by Anne Canteaut and Joëlle Roué

  This paper investigates the effect of affine transformations of the Sbox on the maximal expected differential probability MEDP and linear potential MELP over two rounds of a substitution-permutation network, when the diffusion layer is linear over the finite field defined by the Sbox alphabet. It is mainly motivated by the fact that the 2-round MEDP and MELP of the AES both increase when the AES Sbox is replaced by the inversion in $GF(2^8)$. Most notably, we give new upper bounds on these two quantities which are not invariant under affine equivalence. Moreover, within a given equivalence class, these new bounds are maximal when the considered Sbox is an involution. These results point out that different Sboxes within the same affine equivalence class may lead to different two-round MEDP and MELP. In particular, we exhibit some examples where the basis chosen for defining the isomorphism between $GF(2)^m$ and $GF(2^m)$ affects these values.

For Sboxes with some particular properties, including all Sboxes of the form $A(x^s)$ as in the AES, we also derive some lower and upper bounds for the 2-round MEDP and MELP which hold for any MDS linear layer.

10:17 [Pub][ePrint] Practical Compact E-Cash with Arbitrary Wallet Size, by Patrick Märtens

  Compact e-cash schemes allow users to withdraw a wallet containing $K$ coins and to spend each coin unlinkably. We present the first compact e-cash scheme with arbitrary wallet size $k \leq K$ while the spending protocol is of constant time and space complexity.

Known compact e-cash schemes are constructed from either verifiable random functions or bounded accumulators. We use both building blocks to construct the new scheme which is secure under the $q$-SDH, the $y$-DDHI and the SXDH assumptions in the random oracle

10:17 [Pub][ePrint] Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives, by David Derler and Christian Hanser and Daniel Slamanig

  Cryptographic accumulators allow one to accumulate a finite set of values into a single succinct accumulator. For every accumulated value, one can efficiently compute a witness, which certifies its membership in the accumulator. However, it is computationally infeasible to find a witness for any non-accumulated value. Since their introduction, various accumulator schemes for numerous practical applications and with different features have been proposed. Unfortunately, to date there is no unifying model capturing all existing features. Such a model can turn out to be valuable as it allows one to use accumulators in a black-box fashion.

To this end, we propose a unified formal model for (randomized) cryptographic accumulators which covers static and dynamic accumulators, their universal features and includes the notions of undeniability and indistinguishability. Additionally, we provide an exhaustive classification of all existing schemes. In doing so, it turns out that most accumulators are distinguishable. Fortunately, a simple, light-weight generic transformation allows one to make many existing dynamic accumulator schemes indistinguishable. As this transformation, however, comes at the cost of reduced collision freeness, we additionally propose the first indistinguishable scheme that does not suffer from this shortcoming. Finally, we employ our unified model for presenting a black-box construction of commitments from indistinguishable accumulators as well as a black-box construction of indistinguishable, undeniable universal accumulators from zero-knowledge sets. The latter yields the first universal accumulator construction that provides indistinguishability.

10:17 [Pub][ePrint] Structural Weaknesses in the Open Smart Grid Protocol, by Klaus Kursawe and Christiane Peters

  The Open Smart Grid Protocol (OSGP) is currently deployed in various European countries in large-scale Smart Metering projects. The protocol was developed by the OSGP Alliance and published as a standard by the European Telecommunications Standards Institute (ETSI).

We identify several security issues in the OSG Protocol, primarily the use of a weak digest function and the way the protocol utilizes the RC4 algorithm for encryption. A straightforward oracle attack triggers the leakage of key material of the digest function. We outline how an attacker can make use of the simple protocol structure to send maliciously altered messages with valid authentication tags to the meters.

The results of our analysis were made available to the manufacturer at the beginning of 2014, and mitigation strategies have been discussed with the vendor and utilities.

13:13 [Job][New] Research scientist & post-doc, Advanced Digital Sciences Center, Singapore

  We are actively seeking competent researchers for the project "A Cyber-Physical Approach to Securing Urban Transportation Systems" - Future cities will increasingly be smart, providing an environment where people's everyday lives are supported by various cyber-physical infrastructures including urban transportation systems. ADSC will develop new security technologies for urban transportation systems and make fundamental breakthroughs in cyber security research through collaboration with Singapore's Institute for Infocomm Research (I2R), Singapore University of Technology and Design (SUTD), and industry partners.