International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Scalable and private media consumption with Popcorn, by Trinabh Gupta and Natacha Crooks and Srinath Setty and Lorenzo Alvisi and Michael Walfish

  This paper describes the design, implementation, and experimental evaluation of Popcorn, a media content delivery system that comprehensively hides (even from the content distributor) what is consumed but not necessarily who is doing the consumption. The motivation for Popcorn is both principled and pragmatic: we want to provide provable privacy while still respecting the current commercial context. To instantiate Popcorn, we turn to a powerful primitive from cryptography: private information retrieval (PIR). However, the cost and structure of PIR, as it appears in the literature, present major obstacles to using PIR as the foundation for an Internet-scale service. Nevertheless, with careful system design, and by composing a series of novel refinements and optimizations that leverage the properties of PIR protocols as well as the properties of media streaming, we have produced a system that cheaply hides media consumption, scales to the size of Netflix\'s library (8,000 movies) and respects current controls on media dissemination. The per-request cost in Popcorn is less than three times the per-request cost in a baseline system that does not provide privacy.

21:17 [Pub][ePrint] Improved security proofs in lattice-based cryptography: using the R\\\'enyi divergence rather than the statistical distance, by Shi Bai and Adeline Langlois and Tancr{\\`e}de Lepoint and Damien Stehl\

  The R\\\'enyi divergence is a measure of closeness of two

probability distributions. We show that it can often be used as an alternative

to the statistical distance in security proofs for lattice-based

cryptography. Using the R\\\'enyi divergence is particularly suited

for security proofs of primitives in which the attacker is required

to solve a search problem (e.g., forging a signature). We show that

it may also be used in the case of distinguishing problems (e.g.,

semantic security of encryption schemes), when they enjoy a public

sampleability property. The techniques lead to security proofs for

schemes with smaller parameters, and sometimes to simpler security

proofs than the existing ones.

21:17 [Pub][ePrint] More Rounds, Less Security?, by Jian Guo and J\\\'{e}r\\\'{e}my Jean and Nicky Mouha and Ivica Nikoli\\\'{c}

  This paper focuses on a surprising class of cryptanalysis results for symmetric-key primitives: when the number of rounds of the primitive is increased, the complexity of the cryptanalysis result decreases. Our primary target will be primitives that consist of identical round functions, such as PBKDF1, the Unix password hashing algorithm, and the Chaskey MAC function. However, some of our results also apply to constructions with non-identical rounds, such as the PRIDE block cipher. Firstly, we construct distinguishers for which the data complexity decreases when the number of rounds is increased. They are based on two well-known observations: iterating a random permutation increases the expected number of fixed points, and iterating a random function decreases the expected number of image points. We explain that these effects also apply to components of cryptographic primitives, such as a round of a block cipher. Secondly, we introduce a class of key-recovery and preimage-finding techniques that correspond to exhaustive search, however on a smaller part (e.g. one round) of the primitive. As the time complexity of a cryptanalysis result is usually measured by the number of full-round evaluations of the primitive, increasing the number of rounds will lower the time complexity. None of the observations in this paper result in more than a small speed-up over exhaustive search. Therefore, for lightweight applications, implementation advantages may outweigh the presence of these observations.

21:17 [Pub][ePrint] Turning Online Ciphers Off, by Elena Andreeva and Guy Barwell and Dan Page and Martijn Stam

  CAESAR has caused a heated discussion regarding the merits of one-pass encryption and online ciphers. The latter is a keyed, length preserving function which outputs ciphertext blocks as soon as the respective plaintext block is received. The immediacy of an online cipher gives a clear performance advantage, yet it comes at a price. Since ciphertext blocks cannot depend on later plaintext blocks, diffusion and hence security is limited. We show how one can attain the best of both worlds by providing provably secure constructions,

achieving full cipher security, based on applying an online cipher and reordering blocks.

Explicitly, we show that with just two calls to the online cipher, security up to the birthday bound is both attainable and maximal. Moreover, we demonstrate that three calls to the online cipher suffice to obtain beyond birthday bound security, and (for suitably long messages) arbitrarily strong security. As part of our investigation, we extend an observation by Rogaway and Zhang, highlighting the close relationship between online ciphers and tweakable blockciphers with variable-length tweaks.

21:17 [Pub][ePrint] How to detect unauthorised usage of a key, by Jiangshan Yu and Mark Ryan and Cas Cremers

  Encryption is useful only if the decryption key has not been exposed to adversaries; in particular, it requires that the device performing the crypto operations is free of malware. We explore ways in which some security guarantees can be achieved even if an attacker has succeeded in obtaining access to all the keys in a device, e.g. by exploiting software vulnerabilities.

We develop a new protocol concept that allows the device owner to detect if another party is using the device\'s long-term key. We achieve this by making it necessary for uses of the key to be inserted in an append-only log, which the device owner can interrogate. We propose a multi-device messaging protocol that exploits our concept to allow users to detect unauthorised usage of their device keys. We prove the main properties of our protocol using the Tamarin prover.

The methods we introduce are not intended to replace existing methods used to keep keys safe (such as hardware devices or careful procedures). Rather, our methods provide a useful and effective additional layer of security.

15:17 [Job][New] Lecturer, Royal Holloway, University of London

  Applications are invited for the post of Lecturer in the Information Security Group at Royal Holloway, University of London

Applications are invited from researchers whose interests are related to, or complement, current strengths of the ISG. We are particularly interested in applicants who will be able to interact with our research groups in cryptography and systems security. However, applications from strong candidates working in other cyber security fields will also be given serious consideration.

Applicants should have a Ph.D. in a relevant subject or equivalent, be a self-motivated researcher, and have a strong publication record. Applicants should be able to demonstrate an enthusiasm for teaching and communicating with diverse audiences, as well as show an awareness of contemporary issues relating to cyber security.

This is a full time and permanent post, available from 1st September, 2015, or as soon as possible thereafter. This post is based in Egham, Surrey, where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

15:17 [Event][New] ECC 2015: Summer school of the 19th Workshop on Elliptic Curve Cryptography

  From September 23 to September 25
Location: Bordeaux, France
More Information:

09:17 [Pub][ePrint] Time-release Protocol from Bitcoin and Witness Encryption for SAT, by Jia Liu and Flavio Garcia and Mark Ryan

  We propose a new time-release protocol based on the bitcoin protocol and witness encryption. We derive a ``public key\'\' from the bitcoin block chain for encryption. The decryption key are the unpredictable information in the future blocks (e.g., transactions, nonces)

that will be computed by the bitcoin network. We build this protocol by witness encryption and encrypt with the bitcoin proof-of-work constraints. The novelty of our protocol is that the decryption key will be automatically and publicly available in the bitcoin block chain when the time is due.

Witness encryption was originally proposed by Garg, Gentry, Sahai and Waters. It provides a means to encrypt to an instance, $x$, of an NP language and to decrypt by a witness $w$ that $x$ is in the language.

Encoding CNF-SAT in the existing witness encryption schemes generate poly(n*k) group elements in the ciphertext where n is the number of variables and k is the number of clauses of the CNF formula.

We design a new witness encryption for CNF-SAT which achieves ciphertext size of 2n+2k group elements. Our witness encryption is based on an intuitive reduction from SAT to Subset-Sum problem. Our scheme uses the framework of multilinear maps, but it is independent of the implementation details of multilinear maps.

21:17 [Pub][ePrint] A Provably Secure Group Signature Scheme from Code-Based Assumptions, by Martianus Frederic Ezerman and Hyung Tae Lee and San Ling and Khoa Nguyen and Huaxiong Wang

  We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than all of the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands ($\\approx 2^{24}$ users).

The feasibility of the scheme is supported by implementation results.

Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.

21:17 [Pub][ePrint] Trinocchio: Privacy-Friendly Outsourcing by Distributed Verifiable Computation, by Berry Schoenmakers, Meilof Veeningen, and Niels de Vreede

  Verifiable computation allows a client to outsource computations to a worker with a cryptographic proof of correctness of the result that can be verified faster than performing the computation. Recently, the Pinocchio system achieved faster verification than computation in practice for the first time. Unfortunately, Pinocchio and other efficient verifiable computation systems require the client to disclose the inputs to the worker, which is undesirable for sensitive inputs. To solve this problem, we propose Trinocchio: a system that distributes Pinocchio to three (or more) workers, that each individually do not learn which inputs they are computing on. Each worker essentially performs the work for a single Pinocchio proof; verification by the client remains the same. Moreover, we extend Trinocchio to enable joint computation with multiple mutually distrusting inputters and outputters and still very fast verification. We show the feasibility of our approach by analysing the performance of an implementation in two case studies.

21:17 [Pub][ePrint] Advanced Differential Cryptanalysis of Reduced-Round SIMON64/128 Using Large-Round Statistical Distinguishers, by Theodosis Mourouzis and Guangyan Song and Nicolas Courtois and Michalis Christofii

  Lightweight cryptography is a rapidly evolving area of research and it has great impact especially on the new computing environment called the Internet of Things (IoT) or the Smart Object networks (Holler et al., 2014), where lots of constrained devices are connected on the Internet and exchange information on a daily basis. Every year there are many new submissions of cryptographic primitives which are optimized towards both software and hardware implementation so that they can operate in devices which have limited resources of hardware and are subject to both power and energy consumption constraints. In 2013, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes and were designed to be optimized in hardware and software implementation respectively (Beaulieu et al., 2013). In this paper, we study the security of the 64-bit SIMON with 128-bit key against advanced forms of differential cryptanalysis using truncated differentials (Knudsen, 1995; Courtois et al., 2014a). We follow similar method as the one proposed in SECRYPT 2013 (Courtois and Mourouzis, 2013) in order to heuristically discover sets of differences that propagate with sufficiently good probability and allow us to combine them efficiently in order to construct large-round statistical distinguishers. We present a 22-round distinguisher which we use it in a depth-first key search approach to develop an attack against 24 and 26 rounds with complexity 2^{124.5} and 2^{126} SIMON encryptions respectively. Our methodology provides a framework for extending distinguishers to attacks to a larger number of rounds assuming truncated differential properties of relatively high probability were discovered.