International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

17:43 [News] IACR Response to Australia's Defence Trade Controls Act


Dear IACR members,

The Australian government has recently enacted its Defence Trade Controls Act (DTCA) which places export controls on cryptographic technologies. As it contains no exemption for ordinary research & teaching, the act apparently criminalizes the scholarly activities of our Australian colleagues.

The IACR has drafted a petition in response to this legislation ( If you are an IACR member, we encourage you to add your signature. With enough support, we hope to contribute to an improvement to the situation in Australia.

As this is the first petition hosted by the IACR, we welcome your feedback. Please send comments to

00:17 [Forum] [2015 Reports] Re: 2015/650 It looks like not secure by movax

  Hello Roman Oliynykov and others, I have double checked my concerns, and I have to confess that you are right, and I was wrong. Indeed, the linear transformation is not per-word, as it seemed to me from the brief look, but per-column. However, how did you create your S-boxes? From: 2015-05-07 21:41:08 (UTC)

18:17 [Pub][ePrint] Secure Multi-Party Shuffling, by Mahnush Movahedi and Jared Saia and Mahdi Zamani

  In secure multi-party shuffling, multiple parties, each holding an input, want to agree on a random permutation of their inputs while keeping the permutation secret. This problem is important as a primitive in many privacy-preserving applications such as anonymous communication, location-based services, and electronic voting.

Known techniques for solving this problem suffer from poor scalability, load-balancing issues, trusted party assumptions, and/or weak security guarantees.

In this paper, we propose an unconditionally-secure protocol for multi-party shuffling that scales well with the number of parties and is load-balanced. In particular, we require each party to send only a polylogarithmic number of bits and perform a polylogarithmic number of operations while incurring only a logarithmic round complexity. We show security under universal composability against up to about n/3 fully-malicious parties. We also provide simulation results showing that our protocol improves significantly over previous work. For example, for one million parties, when compared to the state of the art, our protocol reduces the communication and computation costs by at least three orders of magnitude and slightly decreases the number of communication rounds.

18:17 [Pub][ePrint] Communication Complexity of Conditional Disclosure of Secrets and Attribute-Based Encryption., by Romain Gay and Iordanis Kerenidis and Hoeteck Wee

  We initiate a systematic treatment of the communication complexity of conditional disclosure of

secrets (CDS), where two parties want to disclose a secret to a third party if and only if their respective inputs

satisfy some predicate. We present a general upper bound and the first non-trivial lower bounds for conditional

disclosure of secrets. Moreover, we achieve tight lower bounds for many interesting setting of parameters for

CDS with linear reconstruction, the latter being a requirement in the application to attribute-based encryption.

In particular, our lower bounds explain the trade-off between ciphertext and secret key sizes of several existing

attribute-based encryption schemes based on the dual system methodology.

18:17 [Pub][ePrint] Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques, by Huaifeng Chen and Xiaoyun Wang

  \\textsc{Simon} is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts\' attention and varity of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis and so on.

In this paper, we give improved linear attack on all versions of \\textsc{Simon} with dynamic key-guessing techniques, which was proposed to improve the differential attack on \\textsc{Simon} recently.

By establishing the boolean function of parity bit in the linear hull distinguisher and reducing the function accroding the property of AND operation, we can guess different subkeys (or equivalent subkeys) for different situations, which decrease the number of key bits involved in the attack and decrease the time complexity in a further step.

As a result, 23-round \\textsc{Simon}32/64, 24-round \\textsc{Simon}48/72, 25-round \\textsc{Simon}48/96, 30-round \\textsc{Simon}64/96, 31-round \\textsc{Simon}64/128, 37-round \\textsc{Simon}96/96, 38-round \\textsc{Simon}96/144, 49-round \\textsc{Simon}128/128, 51-round \\textsc{Simon}128/192 and 53-round \\textsc{Simon}128/256 can be attacked.

The linear attacks on most versions of \\textsc{Simon} are the best attacks among all cryptanalysis results on these variants known up to now. However, this does not shake the security of \\textsc{Simon} family with full rounds.

18:17 [Pub][ePrint] De Bruijn Sequences from Nonlinear Feedback Shift Registers, by Ming Li and Dongdai Lin

  We continue the research in \\cite{jans1991} to construct de Bruijn sequences from feedback shift registers (FSRs) that contains only very short cycles. Firstly, we suggest another way to define the representative of a cycle. Compared with the definition in \\cite{jans1991}, this definition can greatly improve the performance of the cycle joining algorithm. Then we construct a large class of nonlinear FSRs that contains only very short cycles. The length of the cycles in these $n$-stage FSRs are less than $2n$. Based on these FSRs, $O(2^{\\frac{n}{2}-\\mathrm{log} n})$ de Bruijn sequences of order $n$ are constructed. To generate the next bit in the de Bruijn sequence from the current state, it requires only $2n$ bits of storage and less than $2n$ FSR shifts.

18:17 [Pub][ePrint] The Fallacy of Composition of Oblivious RAM and Searchable Encryption, by Muhammad Naveed

  Oblivious RAM (ORAM) is a tool proposed to hide access pattern leakage, and there has been a lot of progress in the efficiency of ORAM schemes; however, less attention has been paid to study the applicability of ORAM for cloud applications such as symmetric searchable encryption (SSE). Although, searchable encryption is one of the motivations for ORAM research, no in-depth study of the applicability of ORAM to searchable encryption exists as of June 2015. In this work, we initiate the formal study of using ORAM to reduce the access pattern leakage in searchable encryption.

We propose four new leakage classes and develop a systematic methodology to study the applicability of ORAM to SSE. We develop a worst-case communication baseline for SSE. We show that completely eliminating leakage in SSE is impossible. We propose single keyword schemes for our leakage classes and show that either they perform worse than streaming the entire outsourced data (for a large fraction of queries) or they do not provide meaningful reduction in leakage. We present detailed evaluation using the Enron email corpus and the complete English Wikipedia corpus.

18:17 [Pub][ePrint] GMU Hardware API for Authenticated Ciphers, by Ekawat Homsirikamol and William Diehl and Ahmed Ferozpuri and Farnoud Farahmand and Malik Umar Sharif and Kris Gaj

  In this paper, we propose a universal hardware API for authenticated ciphers, which can be used in any future implementations of authenticated ciphers submitted to the CAESAR competition. A common interface and communication protocol would help in reducing any potential biases, and would make the comparison in hardware more reliable and fair. By design, our proposed API is equally suitable for hardware implementations of authenticated ciphers developed manually (at the register-transfer level), and those obtained using high-level synthesis tools. Our implementation of the proposed interface and communication protocol includes universal, open-source pre processing and post-processing units, common for all CAESAR candidates. Apart from the full documentation, examples, and the source code of the pre-processing and post-processing units, we are making available in public domain a) a universal testbench to verify the functionality of any CAESAR candidate implemented using the GMU hardware API, b) a Python script used to automatically generate test vectors for this testbench, c) VHDL wrappers used to determine the maximum clock frequency

and the resource utilization of all implementations, and d) RTL VHDL source codes of high-speed implementations of AES and the Keccak Permutation F. We hope that the existence of these resources will substantially reduce the time necessary to develop hardware implementations of all CAESAR candidates for the purpose of evaluation, comparison, and future deployment in real products.

18:17 [Pub][ePrint] Smart Security Management in Secure Devices, by Bruno Robisson, Michel Agoyan, Patrick Soquet, S\\\'ebastien Le Henaff, Franck Wajsb\\\"urt, Pirouz Bazargan-Sabet, Guillaume Phan

  Among other threats, secure components are subjected to physical attacks whose aim is to recover the secret information they store. Most of the work carried out to protect these components generally consists in developing protections (or countermeasures) taken one by one. But this ``countermeasure-centered\'\' approach drastically decreases the performance of the chip in terms of power, speed and availability. In order to overcome this limitation, we propose a complementary approach: smart dynamic management of the whole set of countermeasures embedded in the component. Two main specifications for such management are required in a real world application (for example, a conditional access system for Pay-TV): it has to provide capabilities for the chip to distinguish between attacks and normal use cases (without the help of a human being and in a robust but versatile way); it also has to be based on mechanisms which dynamically find a trade-off between security and performance.

In this article, a prototype which enables such security management is described. The solution is based on a double-processor architecture: one processor embeds a representative set of countermeasures (and mechanisms to define their parameters) and executes the application code. The second processor, on the same chip, applies a given security strategy, but without requesting sensitive data from the first processor. The chosen strategy is based on fuzzy logic reasoning to enable the designer to describe, using a fairly simple formalism, both the attack paths and the normal use cases. A proof of concept has been proposed for the smart card part of a conditional access for Pay-TV, but it could easily be fine-tuned for other applications.

18:17 [Pub][ePrint] Privacy-preserving Frequent Itemset Mining for Sparse and Dense Data, by Peeter Laud and Alisa Pankova

  Frequent itemset mining is a task that can in turn be used for other purposes such as associative rule mining. One problem is that the data may be sensitive, and its owner may refuse to give it for analysis in plaintext. There exist many privacy-preserving solutions for frequent itemset mining, but in any case enhancing the privacy inevitably spoils the efficiency. Leaking some less sensitive information such as data density might improve the efficiency. In this paper, we devise an approach that works better for sparse matrices and compare it to the related work that uses similar security requirements on similar secure multiparty computation platform.