International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Tornado Attack on RC4 with Applications to WEP \\& WPA, by Pouyan Sepehrdad and Petr Susil and Serge Vaudenay and Martin Vuagnoux

  In this paper, we construct several tools for building and manipulating pools of biases in the analysis of RC4. We report extremely fast and optimized active and passive attacks against IEEE 802.11 wireless communication protocol WEP and a key recovery and a distinguishing attack against WPA. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimization of all the former known attacks and methodologies against RC4 stream cipher in WEP and WPA modes. We support all our claims on WEP by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attack improves its success probability drastically. Our active attack, based on ARP injection, requires 22500 packets to gain success probability of 50\\% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around 3\\% success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37500), which is a huge improvement. Deploying a similar theory, we also describe several attacks on WPA. Firstly, we describe a distinguisher for WPA with complexity 2^{42} and advantage 0.5 which uses 2^{42} packets. Then, based on several partial temporary key recovery attacks, we recover the full 128-bit temporary key of WPA by using 2^{42} packets. It works with complexity 2^{96}. So far, this is the best key recovery attack against WPA. We believe that our analysis brings on further insight to the security of RC4.

09:17 [Pub][ePrint] A comprehensive analysis of game-based ballot privacy definitions, by David Bernhard and Veronique Cortier and David Galindo and Olivier Pereira and Bogdan Warinschi

  We critically survey game-based security definitions for the privacy of voting schemes. In addition to known limitations, we unveil several previously unnoticed shortcomings. Surprisingly, the conclusion of our study is that none of the existing definitions is satisfactory: they either provide only weak guarantees, or can be applied only to a limited class of schemes, or both.

Based on our findings, we propose a new game-based definition of privacy which we call BPRIV. We also identify a new property which we call {\\em strong consistency}, needed to express that tallying does not leak sensitive information. We validate our security notions by showing that BPRIV, strong consistency and strong correctness for a voting scheme imply its security in a simulation-based sense. This result also yields a proof technique for proving entropy-based notions of privacy which offer the strongest security guarantees but are hard

to prove directly: first prove your scheme BPRIV, strongly consistent and strongly correct,

then study the entropy-based privacy of the result function of the election, which is a much easier task.

09:17 [Pub][ePrint] Cryptanalysis of Three Certificate-Based Authenticated Key Agreement Protocols and a Secure Construction, by Yang Lu, Quanling Zhang, Jiguo Li

  Certificate-based cryptography is a new public-key cryptographic paradigm that has very appealing features, namely it simplifies the certificate management problem in traditional public key cryptography while eliminating the key escrow problem in identity-based cryptography. So far, three authenticated key agreement (AKA) protocols in the setting of certificate-based cryptography have been proposed in the literature. Unfortunately, none of them are secure under the public key replacement (PKR) attack. In this paper, we first present a security model for certificate-based AKA protocols that covers the PKR attacks. We then explore the existing three certificate-based AKA protocols and show the concrete attacks against them respectively. To overcome the weaknesses in these protocols, we propose a new certificate-based AKA protocol and prove its security strictly in the random oracle model. Performance comparison shows that the proposed protocol outperforms all the previous certificate-based AKA protocols.

16:16 [Event][New] FPS 2015: 8th International Symposium on Foundations & Practice of Security

  Submission: 14 June 2015
Notification: 17 August 2015
From October 26 to October 28
Location: Clermont-Ferrand, France
More Information:

16:15 [Event][New] PQCrypto 2016: The Seventh International Conference on Post-Quantum Cryptography

  Submission: 7 October 2015
Notification: 20 November 2015
From February 24 to February 26
Location: Fukuoka, Japan
More Information:

20:35 [Job][New] One Postdoc and one PhD studentship, University of Strathclyde, UK

  Applications are invited for a Research Associate (postdoc) position and a PhD studentship.

You will work on the project “Practical Data-intensive Secure Computation: a Data Structural Approach”. This is a 4-year grant funded by the EPSRC. The aim of the project is to investigate how data structures can be used as an efficiency and scalability booster in the context of secure computation. You will design novel cryptographic data structures and associated protocols for efficient secure computation, as well as apply them in domains such as cloud computing and data mining in order to solve real-world security/privacy problems. The project has particular emphasis on putting theory into practice. There will be opportunities to collaborate with industrial research labs and other leading universities.

The RA position (Ref: 15884):

Application Closing Date: Friday, 1 May 2015

The candidate must have:

* a PhD (or equivalent) in a relevant area;

* a strong background in cryptography/security;

* good programming skills (C++/Java, parallel/GPU computing experience is a plus).

* good communication and time management skills.

Experience/knowledge in one or more of the following areas would be desirable but not essential: computer networks, operating systems, databases, statistics and data mining.

More information and online application form:

The PhD Studentship:

Full time, 3 years with a stipend + home fees. Students from outside of EU are eligible but need other funding sources to cover the difference between home fees and overseas fees.

Application Closing Date: until filled

Online Application Form:

The candidate must have:

* a first or upper second class honours degree, or a good master degree in a relevant area;

* good programming skills (C++/Java, parallel/

15:36 [Event][New] BCS 2015: 2nd Conference on Cryptography and Information Theory- BalkanCryptSec 2015

  Submission: 20 June 2015
Notification: 1 August 2015
From September 3 to September 4
Location: Koper, Slovenia
More Information:

12:17 [Pub][ePrint] Collision Attack on 4-branch, Type-2 GFN based Hash Functions using Sliced Biclique Cryptanalysis Technique, by Megha Agrawal and Donghoon Chang and Mohona Ghosh and Somitra Kumar Sanadhya

  In this work, we apply the sliced biclique cryptanalysis

technique to show 8-round collision attack on a hash function H

based on 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN).

This attack is generic and works on 4-branch, Type-2 GFN with any

parameters including the block size, type of round function, the number of S-boxes in each round and the number of SP layers inside the round function. We first construct a 8-round distinguisher on 4-branch, Type-2 GFN and then use this distinguisher to launch 8-round collision attack on compression functions based on Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) modes. The complexity of the attack on 128-bit compression function is 2^56. The attack can be directly translated to collision attack on MP and MMO based hash functions and pseudo-collision attack on Davies-Meyer (DM) based hash functions. When the round function F is instantiated with double SP layer, we show the first 8-round collision attack on 4-branch, Type-2 GFN with double SP layer based compression function. The previous best attack on this structure was a 6-round near collision attack shown by Sasaki at Indocrypt\'12. His attack cannot be used to generate full collisions on 6-rounds and hence our result can be regarded the best so far in literature on this structure.

12:17 [Pub][ePrint] Performance and Security Improvements for Tor: A Survey, by Mashael AlSabah and Ian Goldberg

  Tor [Dingledine et al. 2004] is the most widely used anonymity network today, serving millions of users on a daily basis using a growing number of volunteer-run routers. Since its deployment in 2003, there have been more than three dozen proposals that aim to improve its performance, security, and unobservability. Given the significance of this research area, our goal is to provide the reader with the state of current research directions and challenges in anonymous communication systems, focusing on the Tor network.We shed light on the design weaknesses and challenges facing the network and point out unresolved issues.

12:17 [Pub][ePrint] Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack, by Subhamoy Maitra and Santanu Sarkar and Anubhab Baksi and Pramit Dey

  Abstract. Design of secure light-weight stream ciphers is an important area in cryptographic hardware & embedded systems and a very recent design by Armknecht and Mikhalev (FSE 2015) has received serious attention that uses shorter internal state and still claims to resist the time-memory-data-tradeoff (TMDTO) attacks. An instantiation of this design paradigm is the stream cipher named Sprout with 80-bit secret key. In this paper we cryptanalyze the cipher and refute various claims. The designers claim that the secret key of Sprout can not be recovered efficiently from the complete state information using a guess and determine attack. However, in this paper, we show that it is possible with a few hundred bits in practical time. More importantly, from around 850 key-stream bits, complete knowledge of NFSR (40 bits) and a partial knowledge of LFSR (around one third, i.e., 14 bits); we can obtain all the secret key bits. This cryptanalyzes Sprout with 2^{54} attempts (considering constant time complexity required by the SAT solver in each attempt, which is around 1 minute in a laptop). This is less than the exhaustive key search. Further, we show how related ideas can be employed to mount a fault attack against Sprout that requires around 120 faults in random locations (20 faults, if the locations are known), whereas the designers claim that such a fault attack may not be possible. Our cryptanalytic results raise quite a few questions about this design paradigm in general that should be revisited with greater care.

12:17 [Pub][ePrint] Fast Revocation of Attribute-Based Credentials for Both Users and Verifiers, by Wouter Lueks and Gergely Alpár and Jaap-Henk Hoepman and Pim Vullers

  Attribute-based credentials allow a user to prove properties about herself anonymously. Revoking such credentials, which requires singling them out, is hard because it is at odds with anonymity. All revocation schemes proposed to date either sacrifice anonymity altogether, require the parties to be online, or put high load on the user or the verifier. As a result, these schemes are either too complicated for low-powered devices like smart cards or they do not scale. We propose a new revocation scheme that has a very low computational cost for users and verifiers, and does not require users to process updates. We trade only a limited, but well-defined, amount of anonymity to make the first practical revocation scheme that is efficient at large scales and fast enough for smart cards.