International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

12:17 [Pub][ePrint] Towards Easy Leakage Certification, by François Durvaux and François-Xavier Standaert

  Side-channel attacks generally rely on the availability of good leakage models to extract sensitive information from cryptographic implementations. The recently introduced leakage certification tests aim to guarantee that this condition is fulfilled based on sound statistical arguments. They are important ingredients in the evaluation of leaking devices since they allow a good separation between engineering challenges (how to produce clean measurements) and cryptographic ones (how to exploit these measurements). In this paper, we propose an alternative leakage certification test that is significantly simpler to implement than the previous proposal from Eurocrypt 2014. This gain admittedly comes at the cost of a couple of heuristic (yet reasonable) assumptions on the leakage distribution. To confirm its relevance, we first show that it allows confirming previous results of leakage certification. We then put forward that it leads to additional and useful intuitions regarding the information losses caused by incorrect assumptions in leakage modeling.

12:17 [Pub][ePrint] Pairing Based Mutual Healing in Wireless Sensor Networks, by Sarita Agrawal and Jay Patel and Manik Lal Das

  In Wireless Sensor Networks(WSNs), a group of users communicating

on an unreliable wireless channel can use a group secret. For each session, group manager broadcasts a message containing some keying material, from which only the group members authorized in that session can extract the session key. If a member misses a broadcast message for key, it uses self healing to recover missing session key using most recent broadcast message. However, only self healing does not help if node needs to get most recent session key and have missed the corresponding broadcast. Through mutual healing, a node can request recent broadcast information from a neighboring node and then recover the required key using self-healing. In this paper, we propose a bi-linear pairing based self-healing scheme that reduces communication, storage and computation overhead in comparison to existing bi-linear pairing based self-healing schemes. Then, we discuss the mutual healing scheme that provides mutual authentication and key confirmation without disclosing the node locations to the adversary. The analysis with respect to active adversary shows a significant performance improvement for resource constrained sensor nodes along with the security features such as forward and backward secrecy, resilience against node collusion, node revocation and resistance to impersonation.

12:17 [Pub][ePrint] Tweaking Even-Mansour Ciphers, by Benoît Cogliati and Rodolphe Lampe and Yannick Seurin

  We study how to construct efficient tweakable block ciphers in the Random Permutation model, where all parties have access to public random permutation oracles. We propose a construction that combines, more efficiently than by mere black-box composition, the CLRW construction (which turns a traditional block cipher into a tweakable block cipher) of Landecker et al. (CRYPTO 2012) and the iterated Even-Mansour construction (which turns a tuple of public permutations into a traditional block cipher) that has received considerable attention since the work of Bogdanov et al. (EUROCRYPT 2012). More concretely, we introduce the (one-round) tweakable Even-Mansour (TEM) cipher, constructed from a single $n$-bit permutation $P$ and a uniform and almost XOR-universal family of hash functions $(H_k)$ from some tweak space to $\\{0,1\\}^n$, and defined as $(k,t,x)\\mapsto H_k(t)\\oplus P(H_k(t)\\oplus x)$, where $k$ is the key, $t$ is the tweak, and $x$ is the $n$-bit message, as well as its generalization obtained by cascading $r$ independently keyed rounds of this construction. Our main result is a security bound up to approximately $2^{2n/3}$ adversarial queries against adaptive chosen-plaintext and ciphertext distinguishers for the two-round TEM construction, using Patarin\'s H-coefficients technique. We also provide an analysis based on the coupling technique showing that asymptotically, as the number of rounds $r$ grows, the security provided by the $r$-round TEM construction approaches the information-theoretic bound of $2^n$ adversarial queries.

22:34 [Event][New] LightSec 2015: Workshop on Lightweight Cryptography for Security & Privacy

  Submission: 29 June 2015
Notification: 29 July 2015
From September 10 to September 11
Location: Bochum, Germany
More Information:

15:44 [Event][New] C&TC 2015: 5th Int. Symposium on Cloud and Trusted Computing

  Submission: 30 June 2015
Notification: 15 August 2015
From October 26 to October 28
Location: Rhodes, Greece
More Information:

03:32 [PhD][Update] Nishant Doshi: Investigating Approaches for Improving the Ciphertext Policy Attribute Based Encryption

  Name: Nishant Doshi
Topic: Investigating Approaches for Improving the Ciphertext Policy Attribute Based Encryption
Category:public-key cryptography


In Ciphertext Policy Attribute Based Encryption (CP-ABE), a secret key of the user as well as the ciphertext (CT) is defined based on the attributes. A user is able to decrypt the ciphertext if and only if the attributes within a policy of ciphertext are satisfied by the attributes of the secret key. If we increase the number of attributes in the policy of ciphertext than the size of final ciphertext will also increase and subsequently leads to communication overhead as well as computational overhead at the receiver side. Hence, it is desirable to ensure constant ciphertext length in CP-ABE. However, the existing schemes in constant CT length proposed so far achieve only a selective security model i.e. the attacker must announce the target access policy before seeing the public parameter. This leads to a weaker security model. Therefore, we propose the fully secure CP-ABE, which requires the attribute set of ciphertext to be a subset of user’s secret key.

One more limitation of the schemes in constant CT length proposed so far is that they are based on a single authority approach. To deal with a single point of failure in a such a scheme, we propose a multi-authority CP-ABE scheme, with the support for any arbitrary numbers of attribute authorities under a central authority.

Additionally in the CP-ABE scheme, the receiver’s anonymity is sacrificed as the access structure of the ciphertext reveals the same. The obvious solution to this problem is to hide ciphertext-policy (hidden access structure). However, although this solution uses reasonably computable decryption policies, it generates the ciphertext of a size that is at least, linearly varying with the number of attributes.

We investigate such issues and propose a novel approach to deal with constant ciphertext length. Thereafter we extend the same approach to provide support for the multi authorities and [...]

03:28 [PhD][New] Dai Yamamoto: Security Evaluation and Improvement of Physically Unclonable Functions

  Name: Dai Yamamoto
Topic: Security Evaluation and Improvement of Physically Unclonable Functions
Category: implementation

00:17 [Pub][ePrint] Spacecoin: A Cryptocurrency Based on Proofs of Space, by Sunoo Park and Krzysztof Pietrzak and Jo\\\"el Alwen and Georg Fuchsbauer and Peter Gazi

  We propose a decentralized cryptocurrency based on a block-chain ledger similar to that of Bitcoin, but where the extremely wasteful proofs of work are replaced by proofs of space, recently introduced by Dziembowski et al. (CRYPTO 2015). Instead of requiring that a majority of the computing power is controlled by honest miners (as in Bitcoin), our currency requires that honest miners dedicate more disk space than a potential adversary.

Once a miner has dedicated and initialized some space, participating in the mining process is very cheap. A new block is added to the chain every fixed period of time (say, every minute), and in every period a miner just has to make a small number of lookups to the stored space to check if she ``wins\", and thus can add the next block to the chain and get the mining reward. Because this check is cheap, proof-of-space-based currencies share some (but not all) issues with currencies based on ``proofs of stake\'\', like Peercoin. Concretely, a na\\\"ive solution that simply replaces proofs of work with proofs of space raises two main issues which we address:

\\emph{Grinding:} A miner who can add the next block has some degree of freedom in shaping how the chain looks, e.g. by trying out different sets of transactions to include in her block. The miner can try many possible choices until she finds one which results in a chain that allows her to also mine the next block, thus hijacking the chain forever while dedicating only a small amount of the space. We solve this problem fully by ``decoupling\" the hash chain from the transactions, so that there is nothing to grind. To bind the transactions back to the hash chain, we add an extra signature chain, which guarantees that past transactions cannot be altered once an honest miner adds a block. Our solution also gives a simple and novel way to solve the grinding problem in currencies based on proofs of stake.

\\emph{Mining multiple chains:} Since checking whether one can add a block is cheap, rational miners will not only try to extend the so-far-best chain, but also try other chains, in the hope that they can extend one of them which will ultimately catch up and overtake the currently-best chain. (In the context of proof-of-stake-based currencies this is known as the ``nothing-at-stake\" problem.) This not only gives rational miners a larger-than-expected reward (compared to what honest miners get), but also makes consensus very slow, if not impossible. Our solution to this problem is based on penalizing miners who try to work on more than one branch of the chain.

00:17 [Pub][ePrint] Power Analysis Attacks against IEEE 802.15.4 Nodes, by Colin O\'Flynn and Zhizhang Chen

  IEEE 802.15.4 is a wireless standard used by a variety of higher-level protocols, including many used in the Internet of Things (IoT). A number of system on a chip (SoC) devices that combine a radio transceiver with a microcontroller are available for use in IEEE 802.15.4 networks. IEEE 802.15.4 supports the use of AES-CCM* for encryption and authentication of messages, and a SoC normally includes an AES accelerator for this purpose. This work measures the leakage characteristics of the AES accelerator on the Atmel ATMega128RFA1, and then demonstrates how this allows recovery of the encryption key from nodes running an IEEE 802.15.4 stack. While this work demonstrates the attack on a specific SoC, the results are also applicable to similar wireless nodes and to protocols built on top of IEEE 802.15.4.

00:17 [Pub][ePrint] Practical Free-Start Collision Attacks on 76-step SHA-1, by Pierre Karpman and Thomas Peyrin and Marc Stevens

  In this paper we analyze the security of the compression function of SHA-1 against collision attacks, or equivalently free-start collisions on the hash function. While a lot of work has been dedicated to the analysis of SHA-1 in the past decade, this is the first time that free-start collisions have been considered for this function.

We exploit the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years. This results in particular in better differential paths than the ones used for hash function collisions so far.

Overall, our attack requires about $2^{50}$ evaluations of the compression function in order to compute a one-block free-start collision for a 76-step reduced version, which is so far the highest number of steps reached for a collision on the SHA-1 compression function. We have developed an efficient GPU framework for the highly branching code typical of a cryptanalytic collision attack and used it in an optimized implementation of our attack on recent GTX-970 GPUs.

We report that a single cheap US$350 GTX-970 is sufficient to find the collision in less than 5 days. This showcases how recent mainstream GPUs seem to be a good platform for expensive and even highly-branching cryptanalysis computations. Finally, our work should be taken as a reminder that cryptanalysis on SHA-1 continues to improve. This is yet another proof that the industry should quickly move away from using this function.

00:17 [Pub][ePrint] Reproducible Circularly-Secure Bit Encryption: Applications and Realizations, by Mohammad Hajiabadi, Bruce M. Kapron

  We give generic constructions of several fundamental cryptographic primitives based on a new encryption primitive that combines circular security for bit encryption with the so-called reproducibility property (Bellare et al. PKC 2003). At the heart of our constructions is a novel technique which gives a way of de-randomizing reproducible public-key bit-encryption schemes and also a way of reducing one-wayness conditions of a constructed trapdoor-function family (TDF) to circular security of the base scheme. The main primitives that we build from our encryption primitive include k-wise one-way TDFs (Rosen and Segev TCC 2009), CCA2-secure encryption and deterministic encryption. Our results demonstrate a new set of applications of circularly- secure encryption beyond fully-homomorphic encryption and symbolic soundness. Finally, we show the plausibility of our assumptions by showing that the DDH-based circularly-secure scheme of Boneh et al. (Crypto 2008) and the subgroup indistinguishability based scheme of Brakerski and Goldwasser are both reproducible.