International Association for Cryptologic Research

IACR News Central


03:17 [Pub][ePrint] A New Encryption Standard of Ukraine: The Kalyna Block Cipher, by Roman Oliynykov and Ivan Gorbenko and Oleksandr Kazymyrov and Victor Ruzhentsev and Oleksandr Kuznetsov and Yurii Gorbenko and Oleksan

  The Kalyna block cipher was selected in the Ukrainian National Public Cryptographic Competition (2007-2010), and a slightly modified version was approved as the new encryption standard of Ukraine in 2015. The main requirements for Kalyna were both a high security level and high performance of software implementations on general-purpose 64-bit CPUs. The cipher has an SPN-based (Rijndael-like) structure with an increased MDS matrix size, a new set of four different S-boxes, pre- and post-whitening using addition modulo 2^{64}, and a new construction of the key schedule. Kalyna supports block sizes and key lengths of 128, 256 and 512 bits (the key length can be either equal to or double the block size). At the time of publication of this paper, no cryptanalytic attacks more effective than exhaustive search are known. In this paper we present an adapted English translation of the Kalyna specification as given in the national standard of Ukraine.

03:17 [Pub][ePrint] Secure Execution Architecture based on PUF-driven Instruction Level Code Encryption, by Stephan Kleber and Florian Unterstein and Matthias Matousek and Frank Kargl and Frank Slomka and Matthias Hiller

  A persistent problem with program execution, despite numerous mitigation attempts, is its inherent vulnerability to the injection of malicious code. Equally unsolved is the susceptibility of firmware to reverse engineering, which undermines the manufacturer's code confidentiality. We propose an approach that solves both kinds of security problems by employing instruction-level code encryption combined with the use of a physical unclonable function (PUF). Our novel Secure Execution PUF-based Processor (SEPP) architecture is designed to minimize the attack surface as well as the performance impact, and requires no significant changes to the development process. This is possible because the PUF is tightly integrated directly into the processor's instruction pipeline. Furthermore, cloud scenarios and distributed embedded systems alike inherently depend on remote execution; our approach supports this, as the secure execution environment need not be locally available at the developer's site. We implemented an FPGA-based prototype based on the OpenRISC Reference Platform. To assess our results, we performed a security analysis of the processor and evaluated the performance impact of the encryption. We show that the attack surface is significantly reduced compared to previous approaches, while the performance penalty is a reasonable factor of about 1.5.

03:17 [Pub][ePrint] Modelling ciphersuite and version negotiation in the TLS protocol, by Benjamin Dowling and Douglas Stebila

  Real-world cryptographic protocols such as the widely used Transport Layer Security (TLS) protocol support many different combinations of cryptographic algorithms (called ciphersuites) and simultaneously support different versions. Recent advances in provable security have shown that most modern TLS ciphersuites are secure authenticated and confidential channel establishment (ACCE) protocols, but these analyses generally focus on single ciphersuites in isolation. In this paper we extend the ACCE model to cover protocols with many different sub-protocols, capturing both multiple ciphersuites and multiple versions, and define a security notion for secure negotiation of the optimal sub-protocol. We give a generic theorem that shows how secure negotiation follows, with some additional conditions, from the authentication property of secure ACCE protocols. Using this framework, we analyse the security of ciphersuite negotiation and of three variants of version negotiation in TLS, including a recently proposed mechanism for detecting fallback attacks.
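As an added example (not code from the paper), the following Python model plays out the version negotiation the abstract refers to: a client with legacy fallback behaviour, a server that picks the highest common version and its own preferred ciphersuite, a man-in-the-middle that drops ClientHellos above a target version, and the fallback-detection mechanism, assumed here to be TLS_FALLBACK_SCSV (RFC 7507). The version tuples, suite names, the `Server`/`ClientHello` classes and the attacker models are constructed for the simulation; the comparison of the sent and received hello stands in for the Finished-message check that real TLS uses to detect a tampered transcript.

```python
"""Toy model of TLS version/ciphersuite negotiation with and without
TLS_FALLBACK_SCSV (RFC 7507). Constructed example, not a TLS implementation."""
from dataclasses import dataclass

TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
VERSIONS = [TLS12, TLS11, TLS10]             # client tries the newest first
TLS_FALLBACK_SCSV = 0x5600                   # signalling suite value, RFC 7507
GCM, CBC, RC4 = "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "RSA-RC4-SHA"
SUITE_MIN_VERSION = {GCM: TLS12}             # AEAD suites exist only from TLS 1.2
DEFAULT_SUITES = [GCM, CBC, RC4]


@dataclass
class ClientHello:
    version: tuple
    suites: list


@dataclass
class Server:
    max_version: tuple
    min_version: tuple
    preferences: list                        # ciphersuites in server order
    intolerant: bool = False                 # buggy: ignores hellos it does not know

    def respond(self, hello):
        """Return (version, suite) on success, or a string naming the alert."""
        if self.intolerant and hello.version > self.max_version:
            return "dropped"
        # RFC 7507 section 3: an SCSV in a hello below our best version means the
        # client was pushed into fallback by something on the path; refuse it.
        if TLS_FALLBACK_SCSV in hello.suites and hello.version < self.max_version:
            return "alert: inappropriate_fallback"
        if hello.version < self.min_version:
            return "alert: protocol_version"
        version = min(hello.version, self.max_version)
        for suite in self.preferences:
            if suite in hello.suites and SUITE_MIN_VERSION.get(suite, TLS10) <= version:
                return version, suite
        return "alert: handshake_failure"


def honest(server, hello):
    """Network that delivers the hello unchanged; returns (reply, hello as seen)."""
    return server.respond(hello), hello


def drop_above(target):
    """Man-in-the-middle that discards every ClientHello above `target`, so a
    client with legacy fallback behaviour retries with a lower version."""
    def net(server, hello):
        if hello.version > target:
            return "dropped", None
        return server.respond(hello), hello
    return net


def drop_and_strip_scsv(target):
    """Same, but also removes the SCSV from the retried hello."""
    def net(server, hello):
        if hello.version > target:
            return "dropped", None
        seen = ClientHello(hello.version,
                           [s for s in hello.suites if s != TLS_FALLBACK_SCSV])
        return server.respond(seen), seen
    return net


def client_connect(server, net, use_scsv, suites=DEFAULT_SUITES):
    """Legacy fallback dance: when a hello gets no answer, retry with the next
    lower version; with `use_scsv` every retry carries TLS_FALLBACK_SCSV."""
    for attempt, version in enumerate(VERSIONS):
        offered = list(suites)
        if use_scsv and attempt > 0:
            offered.append(TLS_FALLBACK_SCSV)
        sent = ClientHello(version, offered)
        reply, seen = net(server, sent)
        if reply == "dropped":
            continue
        if not isinstance(reply, tuple):
            return None                      # any alert aborts the connection
        if seen != sent:
            return None                      # stand-in for the Finished check
        return reply
    return None


SERVER = Server(TLS12, TLS10, DEFAULT_SUITES)
OLD_SERVER = Server(TLS10, TLS10, DEFAULT_SUITES, intolerant=True)

if __name__ == "__main__":
    print("honest            ", client_connect(SERVER, honest, False))
    print("downgrade, no SCSV", client_connect(SERVER, drop_above(TLS10), False))
    print("downgrade, SCSV   ", client_connect(SERVER, drop_above(TLS10), True))
    print("strip SCSV        ", client_connect(SERVER, drop_and_strip_scsv(TLS10), True))
    print("old server, SCSV  ", client_connect(OLD_SERVER, honest, True))
```

The five runs show the point of the mechanism: the honest handshake ends at TLS 1.2 with an AEAD suite; the downgrade without the SCSV lands the client on TLS 1.0 with a CBC suite and no party notices; with the SCSV the same downgrade is refused with inappropriate_fallback; stripping the SCSV from the retry is caught because the hello the server signs into its transcript differs from the one the client sent; and a genuinely old, version-intolerant server still negotiates, because its best version equals the one carried by the fallback hello.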

21:17 [Pub][ePrint] Security Analysis of Niu et al. Authentication and Ownership Management Protocol, by Nasour Bagheri, Masoumeh Safkhani and Hoda Jannati

  Over the past decade, besides authentication, ownership management protocols have been suggested to transfer or delegate the ownership of RFID-tagged items. Recently, Niu et al. have proposed an authentication and ownership management protocol based on 16-bit pseudo-random number generators and exclusive-or operations, both of which can be easily implemented on low-cost passive RFID tags in the EPCglobal Class-1 Generation-2 standard. They claim that their protocol offers location and data privacy and also resists desynchronization attacks. In this paper, we analyze the security of their proposed authentication and ownership management protocol and show that the protocol is vulnerable to secret disclosure and desynchronization attacks. The complexity of most of the attacks is only two runs of the protocol, and the success probability of the attacks is almost 1.

21:17 [Pub][ePrint] The leaking battery A privacy analysis of the HTML5 Battery Status API, by Lukasz Olejnik and Gunes Acar and Claude Castelluccia and Claudia Diaz

  We highlight the privacy risks associated with the HTML5 Battery Status API. We put special focus on its implementation in the Firefox browser. Our study shows that websites can discover the capacity of users' batteries by exploiting the high precision readouts provided by Firefox on Linux. The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals. Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier. The fingerprintable surface of the API could be drastically reduced without any loss in the API's functionality by reducing the precision of the readings. We propose minor modifications to Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.
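As an added example (not code from the paper or from Firefox), the following Python snippet shows why a full-precision level readout is fingerprintable and what rounding buys. It assumes the reported level is the ratio of two integer counters, charge_now / charge_full, so that an exact readout reveals the denominator; the rational-reconstruction step, the capacity 6122 and the three charge readings are constructed for the illustration and are not the paper's measurements.

```python
"""Constructed model of the Battery Status API leak: an exact charge ratio gives
away the battery capacity, a rounded one does not."""
from fractions import Fraction
from math import gcd


def report_level(charge_now, charge_full, decimals=None):
    """Simulated API readout: full double precision, or rounded to `decimals`."""
    level = charge_now / charge_full
    return level if decimals is None else round(level, decimals)


def infer_capacity(levels, max_capacity):
    """Rational reconstruction (assumed attack step): each exact readout is a
    fraction whose reduced denominator divides the capacity, so the lcm of the
    denominators recovered from a few readouts converges to the capacity."""
    capacity = 1
    for level in levels:
        denom = Fraction(level).limit_denominator(max_capacity).denominator
        capacity = capacity * denom // gcd(capacity, denom)
    return capacity


def distinct_readings(capacity, decimals=None):
    """Size of the fingerprintable surface: how many distinct values the level
    can take for a battery of this capacity at the given precision."""
    return len({report_level(c, capacity, decimals) for c in range(capacity + 1)})


CAPACITY = 6122                       # constructed: a worn battery's full charge
CHARGES = [5701, 5644, 4389]          # constructed readings taken a few minutes apart

if __name__ == "__main__":
    exact = [report_level(c, CAPACITY) for c in CHARGES]
    rounded = [report_level(c, CAPACITY, 2) for c in CHARGES]
    print("exact readouts  ", exact, "->", infer_capacity(exact, 20000))
    print("rounded readouts", rounded, "->", infer_capacity(rounded, 20000))
    print("distinct values :", distinct_readings(CAPACITY), "full precision vs",
          distinct_readings(CAPACITY, 2), "at two decimals")
```

With exact readouts the capacity is recovered from the first reading that happens to be coprime with it, and every later reading only confirms it; a worn battery's odd capacity is exactly the kind of stable, device-specific number the abstract warns about. Rounded to two decimals the same readings collapse to fractions over 100 and the level can take only 101 values, which is the precision reduction the paper proposes.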

21:17 [Pub][ePrint] Generalised tally-based decoders for traitor tracing and group testing, by Boris Skoric and Wouter de Groot

  We propose a new type of score function for Tardos traitor tracing codes. It is related to the recently introduced tally-based score function, but it utilizes more of the information available to the decoder. It does this by keeping track of sequences of symbols in the distributed codewords instead of looking at columns of the code matrix individually.

We derive our new class of score functions from a Neyman-Pearson hypothesis test and illustrate its performance with simulation results.

Finally we derive a score function for (medical) group testing applications.

21:17 [Pub][ePrint] An Authentication Code over Galois Rings with Optimal Impersonation and Substitution Probabilities, by Juan Carlos Ku-Cauich, Guillermo Morales-Luna and Horacio Tapia-Recillas

  A new systematic authentication scheme based on the Gray map over Galois rings is introduced. The Gray map determines an isometry between the Galois ring and a vector space over a Galois field. The introduced code attains optimal impersonation and substitution probabilities.
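As an added example (not code from the paper), the classical Gray map on Z4, the smallest Galois ring, is checked exhaustively for the isometry property the abstract relies on: the Lee distance between two Z4 words equals the Hamming distance between their binary images. The Z4 case, the table and the function names are choices for this illustration; the paper's general Galois rings and its authentication code are not reproduced.

```python
"""Gray map on Z4 (constructed example): exhaustive check that it is an
isometry from (Z4^n, Lee distance) onto (F2^{2n}, Hamming distance)."""
from itertools import product

GRAY = {0: (0, 0), 1: (0, 1), 2: (1, 1), 3: (1, 0)}   # classical Z4 Gray map


def gray_map(word):
    """Image of a Z4 word: each symbol becomes two bits."""
    return tuple(bit for sym in word for bit in GRAY[sym])


def lee_weight(word):
    """Lee weight of a Z4 word: the symbols 0,1,2,3 weigh 0,1,2,1."""
    return sum(min(s, 4 - s) for s in word)


def lee_distance(u, v):
    return lee_weight([(a - b) % 4 for a, b in zip(u, v)])


def hamming_distance(x, y):
    return sum(a != b for a, b in zip(x, y))


def gray_is_isometry(n):
    """Verify d_Lee(u, v) == d_Ham(gray(u), gray(v)) for all u, v in Z4^n."""
    words = list(product(range(4), repeat=n))
    return all(lee_distance(u, v) == hamming_distance(gray_map(u), gray_map(v))
               for u in words for v in words)


def gray_is_z4_linear(n):
    """The map preserves distance but not addition: gray(u + v) is in general
    not gray(u) xor gray(v), which is why Gray images of linear Z4 codes are
    usually non-linear binary codes."""
    words = list(product(range(4), repeat=n))
    return all(gray_map([(a + b) % 4 for a, b in zip(u, v)])
               == tuple(x ^ y for x, y in zip(gray_map(u), gray_map(v)))
               for u in words for v in words)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "isometry:", gray_is_isometry(n), "Z4-linear:", gray_is_z4_linear(n))
```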

21:17 [Pub][ePrint] Construction of Arithmetic Secret Sharing Schemes by Using Torsion Limits, by Seher Tutdere and Osmanbey Uzunkol

  Recent results of Cascudo, Cramer, and Xing on the construction of arithmetic secret sharing schemes are improved by using some new bounds on the torsion limits of algebraic function fields. Furthermore, new bounds on the torsion limits of certain towers of function fields are given.

21:17 [Pub][ePrint] Statistical Concurrent Non-malleable Zero-knowledge from One-way Functions, by Susumu Kiyoshima

  Concurrent non-malleable zero-knowledge (CNMZK) protocols are zero-knowledge protocols that are secure even against adversaries that interact with multiple provers and verifiers simultaneously. Recently, the first statistical CNMZK argument for NP was constructed under the DDH assumption (Orlandi et al., TCC'14).

In this paper, we construct a statistical CNMZK argument for NP assuming only the existence of one-way functions. The security is proven via black-box simulation, and the round complexity is poly(n). Under the existence of collision-resistant hash functions, the round complexity can be reduced to ω(log n), which is known to be essentially optimal for black-box concurrent zero-knowledge protocols.

21:17 [Pub][ePrint] Who watches the watchmen? : Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms, by Sarani Bhattacharya, Debdeep Mukhopadhyay

  Asymmetric-key cryptographic algorithms, when implemented on systems with branch predictors, are subject to side-channel attacks that exploit the deterministic branch predictor behavior caused by their key-dependent input sequences. We show that branch predictors can also leak information through the hardware performance monitors, which are accessible to an adversary at the user-privilege level. This paper presents an iterative attack that targets the key bits of 1024-bit RSA, where, in the offline phase, the system's underlying branch predictor is approximated by a theoretical predictor from the literature. Subsimulations are performed to classify the message space into distinct partitions based on the branch misprediction event and the target key-bit value. In the online phase, we ascertain the secret key bit using the branch mispredictions obtained from the hardware performance monitors, which reflect the branch misses of the underlying predictor hardware. We theoretically prove that the probability of success of the attack is equivalent to the accuracy with which the theoretical predictor models the underlying system predictor. Experiments reveal that the success rate increases with the message count and reaches a value high enough that the side channel from the performance counters must be considered a real threat to RSA-like ciphers on systems with branch predictors, and must be taken into account when developing secure systems.
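As an added example (not the paper's code), the following Python simulation runs the offline/online attack described above end to end on a toy instance. The constructed stand-ins are: a 2-bit saturating counter that plays both the hardware predictor and the attacker's theoretical model (the accurately modelled case the abstract's success bound refers to), the total misprediction count over one exponentiation as the performance-counter reading, the final conditional subtraction of Montgomery multiplication as the input-dependent branch, and a 16-bit modulus with a 10-bit exponent instead of a real RSA key. Nothing here reproduces the paper's predictor model, parameters or numbers.

```python
"""Simulated branch-predictor attack on square-and-multiply RSA (constructed
example: toy modulus, 10-bit exponent, 2-bit counter standing in for the
predictor, total miss count standing in for the performance counter)."""
import random
from statistics import mean

N = 251 * 241                        # odd toy modulus, 16 bits, top bit set
D = 0b1011001101                     # secret exponent (not a real RSA key)
D_BITS = [int(b) for b in bin(D)[2:]]
K = N.bit_length()
R = 1 << K                           # Montgomery radix
N_INV = pow(-N, -1, R)               # -N^-1 mod R (Python >= 3.8)


class TwoBitPredictor:
    """Saturating counter: states 0,1 predict not-taken; 2,3 predict taken."""
    def __init__(self):
        self.state, self.misses = 0, 0

    def branch(self, taken):
        """Feed one branch outcome; return True if it was mispredicted."""
        miss = (self.state >= 2) != taken
        self.misses += miss
        self.state = min(3, self.state + 1) if taken else max(0, self.state - 1)
        return miss


def montmul(a, b, bp):
    """a*b*R^-1 mod N by REDC; the final conditional subtraction is the
    input-dependent branch the predictor, and hence the attacker, observes."""
    t = a * b
    m = (t * N_INV) & (R - 1)
    u = (t + m * N) >> K
    taken = u >= N
    return (u - N if taken else u), bp.branch(taken)


def run_bits(x, mm, bits, bp):
    """Left-to-right square-and-multiply in Montgomery form."""
    for bit in bits:
        x, _ = montmul(x, x, bp)
        if bit:
            x, _ = montmul(x, mm, bp)
    return x


def montexp(msg, bits):
    """msg^bits mod N; returns (result, predictor) so the misses can be read."""
    bp = TwoBitPredictor()
    x = run_bits(R % N, msg * R % N, bits, bp)
    return montmul(x, 1, bp)[0], bp     # leaving Montgomery form is one more branch


def next_branch_miss(msg, prefix, hyp, nbits):
    """Offline subsimulation: replay the known prefix and the target step's
    square, apply hypothesis `hyp` for the target bit, and report whether the
    next reduction branch (next square, or the final conversion) mispredicts."""
    bp = TwoBitPredictor()
    mm = msg * R % N
    x = run_bits(R % N, mm, prefix, bp)
    x, _ = montmul(x, x, bp)
    if hyp:
        x, _ = montmul(x, mm, bp)
    last = len(prefix) + 1 == nbits
    return montmul(x, 1 if last else x, bp)[1]


def recover_bit(msgs, observed, prefix, nbits):
    """Online phase: partition the messages under each hypothesis by the
    predicted miss event; the true hypothesis is the one whose 'miss'
    partition shows about one extra misprediction in the observed totals."""
    scores = []
    for hyp in (0, 1):
        groups = {True: [], False: []}
        for msg, total in zip(msgs, observed):
            groups[next_branch_miss(msg, prefix, hyp, nbits)].append(total)
        separated = groups[True] and groups[False]
        scores.append(mean(groups[True]) - mean(groups[False]) if separated else 0.0)
    return int(scores[1] > scores[0])


def recover_key(msgs, observed, nbits):
    """Iterate from the MSB, which is 1 for an exponent of known length."""
    bits = [1]
    while len(bits) < nbits:
        bits.append(recover_bit(msgs, observed, bits, nbits))
    return bits


def demo(n_msgs=1500, seed=7):
    """Attacker's view: random messages, one counter total per decryption."""
    rng = random.Random(seed)
    msgs = [rng.randrange(1, N) for _ in range(n_msgs)]
    observed = [montexp(m, D_BITS)[1].misses for m in msgs]
    return recover_key(msgs, observed, len(D_BITS))


if __name__ == "__main__":
    print("recovered", demo(), "secret", D_BITS)
```

The attacker never sees which branch missed, only the total for the whole decryption; the unknown trailing bits add noise that averages out over the message set, which is the same reason the abstract reports success rising with the message count. Because the simulated hardware and the attacker's model are the same counter here, the model is exact and the partition for the correct hypothesis separates the observed totals by about one misprediction, while the wrong hypothesis only picks up the weak correlation through the shared predictor state.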

21:17 [Pub][ePrint] Random Digit Representation of Integers, by Nicolas Méloni and M. Anwar Hasan

  Modular exponentiation is core to today's mainstream public key cryptographic systems. In this article, we generalize the classical fractional $w$NAF method for modular exponentiation: the classical method uses a digit set of the form $\{1,3,\dots,m\}$, which is extended here to any set of odd integers of the form $\{1,d_2,\dots, d_n\}$. We give a formula for the average density of non-zero terms in this new representation and discuss its asymptotic behavior when those digits are randomly chosen from a given set. We also propose a specific method for the precomputation phase of the exponentiation algorithm.
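As an added example (not the paper's code), the following Python snippet recodes an exponent over an arbitrary odd digit set {1, d_2, ..., d_n}, runs the exponentiation that consumes such a representation, and measures the density of non-zero terms for the classical {1,3,5,7} set against a randomly chosen set. The greedy longest-match recoding rule and the precomputation by direct powering are choices made for this illustration; the paper's own recoding, its density formula and its precomputation method are not reproduced here.

```python
"""Exponent recoding over an arbitrary odd digit set (constructed example
generalising the {1,3,...,m} digit set of fractional wNAF)."""
import random


def recode(e, digits):
    """Digit string of e, least significant position first, over `digits`
    (positive odd integers; 1 is always added). At each odd position the
    largest digit whose binary pattern equals the low bits of e is emitted;
    the positions it covers then come out as zeros."""
    digits = sorted(set(digits) | {1}, reverse=True)
    out = []
    while e:
        if e & 1:
            d = next(d for d in digits
                     if d <= e and (e & ((1 << d.bit_length()) - 1)) == d)
            out.append(d)
            e -= d
        else:
            out.append(0)
        e >>= 1
    return out


def value(rep):
    """Inverse of recode: sum of digit * 2^position."""
    return sum(d << i for i, d in enumerate(rep))


def nonzero_density(e, digits):
    """Fraction of exponent bit positions that carry a non-zero digit."""
    return sum(1 for d in recode(e, digits) if d) / e.bit_length()


def average_density(digits, bits=256, trials=200, seed=0):
    """Average density over random `bits`-bit exponents (constructed sample)."""
    rng = random.Random(seed)
    exps = [rng.getrandbits(bits) | 1 << (bits - 1) for _ in range(trials)]
    return sum(nonzero_density(e, digits) for e in exps) / trials


def modexp_with_digits(base, e, digits, mod):
    """Left-to-right exponentiation driven by the recoding. The table of
    base^d for the digits actually used is the precomputation phase (done
    here with pow; the paper proposes its own method for this step)."""
    rep = recode(e, digits)
    table = {d: pow(base, d, mod) for d in set(rep) if d}
    acc = 1
    for d in reversed(rep):            # most significant position first
        acc = acc * acc % mod
        if d:
            acc = acc * table[d] % mod
    return acc


if __name__ == "__main__":
    rng = random.Random(1)
    random_digits = [1] + sorted(rng.randrange(3, 64, 2) for _ in range(7))
    for name, digs in [("binary {1}", [1]), ("wNAF {1,3,5,7}", [1, 3, 5, 7]),
                       ("random " + str(random_digits), random_digits)]:
        print(f"{name:40s} density {average_density(digs):.3f}")
    e, p = rng.getrandbits(128), 2**127 - 1
    print("exponentiation agrees with pow():",
          modexp_with_digits(3, e, random_digits, p) == pow(3, e, p))
```

The density printed for {1} is the plain binary method (about one half);
the windowed sets lower it, and the random set shows the quantity the abstract
studies: how the density behaves when the digits are drawn at random rather
than forming a contiguous range.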