International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

12:58 [PhD][New] Hadi Soleimany: Studies in Lightweight Cryptography

  Name: Hadi Soleimany
Topic: Studies in Lightweight Cryptography
Category: secret-key cryptography

Description: The decreasing size of devices is one of the most significant changes in telecommunication and information technologies. This change has been accompanied by a dramatic reduction in the cost of computing devices. The dawning era of ubiquitous computing has opened the door to extensive new applications. Ubiquitous computing has found its way into products thanks to the improvements in the underlying enabling technologies. Considerable developments in constraint devices such as RFID tags facilitate novel services and bring embedded computing devices to our everyday environments. The changes that lie ahead will eventually make pervasive computing devices an integral part of our world.\r\nThe growing prevalence of pervasive computing devices has created a significant need for the consideration of security issues. However, security cannot be considered independently, but instead, should be evaluated alongside related issues such as performance and cost. In particular, there are several limitations facing the design of appropriate ciphers for extremely constrained environments. In response to this challenge, several lightweight ciphers have been designed during the last years. The purpose of this dissertation is to evaluate the security of the emerging lightweight block ciphers.\r\n\r\nThis dissertation develops cryptanalytic methods for determining the exact security level of some inventive and unconventional lightweight block ciphers. The work studies zerocorrelation linear cryptanalysis by introducing the Matrix method to facilitate the finding of zero-correlation linear approximations. As applications, we perform zero-correlation cryptanalysis on the 22-round LBlock and TWINE. We also perform simulations on a small variant of LBlock and present the first experimental results to support the theoretical model of the multidimensional zero-correlation linear cryptanalysis method. In addition, we provide a new perspective on slide cryptanalysis and reflection cryptanalysis [...]

12:57 [PhD][Update] Filipe Beato: Private Information Sharing in Online communities

  Name: Filipe Beato
Topic: Private Information Sharing in Online communities
Category:cryptographic protocols

12:56 [PhD][New] Juraj Šarinay: Cryptographic Hash Functions in Groups and Provable Properties

  Name: Juraj Šarinay
Topic: Cryptographic Hash Functions in Groups and Provable Properties
Category: (no category)


We consider several “provably secure” hash functions that compute simple sums in a well chosen group (G, ?). Security properties of such functions provably translate in a natural way to computational problems in G\r\nthat are simple to define and possibly also hard to solve. Given k disjoint lists Li of group elements, the k-sum problem asks for gi ? Li such that\r\ng1 ? g2 ? . . . ? gk = 1G. Hardness of the problem in the respective groups follows from some “standard” assumptions used in public-key cryptology such\r\nas hardness of integer factoring, discrete logarithms, lattice reduction and syndrome decoding. We point out evidence that the k-sum problem may even be harder than the above problems.


Two hash functions based on the group k-sum problem, SWIFFTX and FSB, were submitted to NIST as candidates for the future SHA-3 standard. Both submissions were supported by some sort of a security proof. We show\r\nthat the assessment of security levels provided in the proposals is not related to the proofs included. The main claims on security are supported exclusively\r\nby considerations about available attacks. By introducing “second-order” bounds on bounds on security, we expose the limits of such an approach to\r\nprovable security.


A problem with the way security is quantified does not necessarily mean a problem with security itself. Although FSB does have a history of failures,\r\nrecent versions of the two above functions have resisted cryptanalytic efforts well. This evidence, as well as the several connections to more standard\r\nproblems, suggests that the k-sum problem in some groups may be considered hard on its own and possibly lead to provable bounds on security. Complexity of the non-trivial tree algorithm is becoming a standard tool for measuring the associated hardness.


We propose modifications to the multiplicative Very Smooth Hash and derive security from multiplicative k-sums in contra[...]

00:17 [Pub][ePrint] Cryptanalysis of GGH Map, by Yupu Hu and Huiwen Jia

  Multilinear map is a novel primitive which has many cryptographic applications, and GGH map is a major candidate of multilinear maps. GGH map has two classes of applications, which are respectively applications for public tools of encoding and hidden tools of encoding. In this paper we show that applications of GGH map for public tools of encoding are not secure. We present an efficient attack on GGH map, aiming at multi-party key exchange (MPKE) and the instance of witness encryption (WE) based on the hardness of 3-exact cover problem. First, for the secret of each user, we obtain an equivalent secret, which is the sum of original secret and a noise. The noise is an element of the specific principal ideal, but its size is not small. To do so, we use weak-DL attack presented by authors of GGH map. Second, we use special modular operations, which we call modified encoding/decoding, to filter the decoded noise much smaller. Such filtering is enough to break MPKE. Moreover, such filtering negates K-GMDDH assumption, which is the security basis of an ABE. The procedure almost breaks away from those lattice attacks and looks like an ordinary algebra. The key point is our special tools for modular operations. Finally, we break the instance of WE based on the hardness of 3-exact cover problem. To do so, we not only use modified encoding/decoding, but also (1) introduce and solve \"combined 3-exact cover problem\", which is a problem never hard to be solved; and (2) compute Hermite normal form of the specific principal ideal. The attack on the instance of WE is under an assumption, which seems at least nonnegligible.

00:17 [Pub][ePrint] Boosting OMD for Almost Free Authentication of Associated Data, by Reza Reyhanitabar and Serge Vaudenay and Damian Vizár

  We propose \\emph{pure} OMD (p-OMD) as a new variant of the Offset Merkle-Damg{\\aa}rd (OMD) authenticated encryption scheme. Our new scheme inherits all desirable security features of OMD while having a more compact structure and providing higher efficiency. The original OMD scheme, as submitted to the CAESAR competition, couples a single pass of a variant of the Merkle-Damg{\\aa}rd (MD) iteration with the counter-based XOR MAC algorithm to provide privacy and authenticity. Our improved p-OMD scheme dispenses with the XOR MAC algorithm and is \\emph{purely} based on the MD iteration; hence, the name ``pure\'\' OMD. To process a message of $\\ell$ blocks and associated data of $a$ blocks, OMD needs $\\ell+a+2$ calls to the compression function while p-OMD only requires $\\max\\left\\{\\ell, a\\right\\}+2$ calls. Therefore, for a typical case where $\\ell \\geq a$, p-OMD makes just $\\ell+2$ calls to the compression function; that is, associated data is processed almost freely compared to OMD. We prove the security of p-OMD under the same standard assumption (pseudo-randomness of the compression function) as made in OMD; moreover, the security bound for p-OMD is the same as that of OMD, showing that the modifications made to boost the performance are without any loss of security.

00:17 [Pub][ePrint] The Design Space of Lightweight Cryptography, by Nicky Mouha

  For constrained devices, standard cryptographic algorithms can be too big, too slow or too energy-consuming. The area of lightweight cryptography studies new algorithms to overcome these problems. In this paper, we will focus on symmetric-key encryption, authentication and hashing. Instead of providing a full overview of this area of research, we will highlight three interesting topics. Firstly, we will explore the generic security of lightweight constructions. In particular, we will discuss considerations for key, block and tag sizes, and explore the topic of instantiating a pseudorandom permutation (PRP) with a non-ideal block cipher construction. This is inspired by the increasing prevalence of lightweight designs that are not secure against related-key attacks, such as PRINCE, PRIDE or Chaskey. Secondly, we explore the efficiency of cryptographic primitives. In particular, we investigate the impact on efficiency when the input size of a primitive doubles. Lastly, we provide some considerations for cryptographic design. We observe that applications do not always use cryptographic algorithms as they were intended, which negatively impacts the security and/or efficiency of the resulting implementations.

00:17 [Pub][ePrint] Communication-Optimal Proactive Secret Sharing for Dynamic Groups, by Joshua Baron and Karim El Defrawy and Joshua Lampkins and Rafail Ostrovsky

  Proactive secret sharing (PSS) schemes are designed for settings where long-term confidentiality of secrets has to be guaranteed, specifically, when all participating parties may eventually be corrupted. PSS schemes periodically refresh secrets and reset corrupted parties to an uncorrupted state; in PSS the corruption threshold $t$ is replaced with a corruption rate which cannot be violated. In dynamic proactive secret sharing (DPSS) the number of parties can vary during the course of execution. DPSS is ideal when the set of participating parties changes over the lifetime of the secret or where removal of parties is necessary if they become severely corrupted. This paper presents the first DPSS schemes with optimal amortized, $O(1)$, per-secret communication compared to $O(n^4)$ or $\\exp(n)$ in number of parties, $n$, required by existing schemes. We present perfectly and statistically secure schemes with near-optimal threshold in each case. We also describe how to construct a communication-efficient dynamic proactively-secure multiparty computation (DPMPC) protocol which achieves the same thresholds.

00:17 [Pub][ePrint] Foundations of Reconfigurable PUFs (Full Version), by Jonas Schneider and Dominique Schröder

  A Physically Unclonable Function (PUF) can be seen as a source of randomness that can be challenged with a stimulus and responds in a way that is to some extent unpredictable. PUFs can be used to provide efficient solutions for common cryptographic primitives such as identification/authentication schemes, key storage, and hardware-entangled cryptography.

Moreover, Brzuska et al.~have recently shown, that PUFs can be used to construct UC secure protocols (CRYPTO 2011). Most PUF instantiations, however, only provide a static challenge/response space which limits their usefulness for practical instantiations. To overcome this limitation, Katzenbeisser et al. (CHES 2011) introduced Logically Reconfigurable PUFs (LR-PUFs), with the idea to introduce an ``update\'\' mechanism that changes the challenge/response behaviour without physically replacing or modifying the hardware.

In this work, we revisit LR-PUFs. We propose several new ways to characterize the unpredictability of LR-PUFs covering a broader class of realistic attacks and examine their relationship to each other.

In addition, we reconcile existing constructions with these new characterizations and show that they can withstand stronger adversaries than originally shown.

Since previous constructions are insecure with respect to our strongest unpredictability notion, we propose a secure construction which relies on the same assumptions and is almost as efficient as previous solutions.

00:17 [Pub][ePrint] Analysis of VAES3 (FF2), by Morris Dworkin and Ray Perlner

  The National Institute of Standards and Technology (NIST) specified three methods for format-preserving encryption (FPE) in Draft NIST Special Publication (SP) 800-38G, which was released for public comment in July, 2013. Each method was a mode of operation of the Advanced Encryption Standard (AES). One of the three modes, VAES3, was specified under the name FF2 in the NIST draft. This note describes a theoretical chosen-plaintext attack that shows the security strength of FF2 is less than 128 bits.

00:17 [Pub][ePrint] Black-Box Garbled RAM, by Sanjam Garg and Steve Lu and Rafail Ostrovsky

  Garbled RAM, introduced by Lu and Ostrovsky, enables the task of garbling a RAM (Random Access Machine) program directly, there by avoiding the inefficient process of first converting it into a circuit. Garbled RAM can be seen as a RAM analogue of Yao\'s garbled circuit construction, except that known realizations of Garbled RAM make non-black-box use of the underlying cryptographic primitives.

In this paper we remove this limitation and provide the first black-box construction of Garbled RAM with polylogarithmic overhead. Our scheme allows for garbling multiple RAM programs being executed on a persistent database and its security is based only on the existence of one-way functions. We also obtain the first secure RAM computation protocol that is both constant round and makes only black-box use of one-way functions in the OT-hybrid model.

00:17 [Pub][ePrint] Authenticated Key Exchange over Bitcoin, by Patrick McCorry and Siamak F. Shahandashti and Dylan Clarke and Feng Hao

  Bitcoin is designed to protect user anonymity (or pseudonymity) in a financial transaction, and has been increasingly adopted by major e-commerce websites such as Dell, Payal and Expedia. While the anonymity of Bitcoin transactions has been extensively studied, little attention has been paid to the security of post-transaction correspondence. In a commercial application, the merchant and the user often need to engage in follow-up correspondence after a Bitcoin transaction is completed, e.g., to acknowledge the receipt of payment, to confirm the billing address, to arrange the product delivery, to discuss refund and so on. Currently, such follow-up correspondence is typically done in plaintext via email with no guarantee on confidentiality. Obviously, leakage of sensitive data from the correspondence (e.g., billing address) can trivially compromise the anonymity of Bitcoin users. In this paper, we initiate the first study on how to realise end-to-end secure communication between Bitcoin users in a post-transaction scenario without requiring any trusted third party or additional authentication credentials. We first point out that none of the existing PKI-based or password-based AKE schemes are suitable for the purpose. Instead, our idea is to leverage the Bitcoin\'s append-only ledger as an additional layer of authentication between previously confirmed transactions. This naturally leads to a new category of AKE protocols that bootstrap trust entirely from the block chain. We call this new category ``Bitcoin-based AKE\'\' and present two concrete protocols: one is non-interactive with no forward secrecy, while the other is interactive with additional guarantee of forward secrecy. Finally, we present proof-of-concept prototypes for both protocols with experimental results to demonstrate their practical feasibility.