IACR News
If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.
Here you can see all recent updates to the IACR webpage. These updates are also available:
26 June 2018
Krzysztof Pietrzak
      We construct a verifable delay function (or unique publicly verifiable proof of sequential work) 
by showing how the Rivest-Shamir-Wagner time-lock puzzle can be made publicly verifiable. 
Concretely, we give a statistically sound public-coin protocol to prove that a tuple $(N,x,T,y)$ satisfies $y=x^{2^T}\pmod N$ where the prover doesn't know the factorization of $N$ and its running time is dominated by solving the puzzle, that is, compute $x^{2^T}$, which is conjectured to require $T$ sequential squarings.
The motivation for this work comes from the Chia blockchain design, which uses a VDF as a key ingredient. For typical parameters, our proofs are of size around $10KB$ and verification cost around three RSA exponentiations.
  Concretely, we give a statistically sound public-coin protocol to prove that a tuple $(N,x,T,y)$ satisfies $y=x^{2^T}\pmod N$ where the prover doesn't know the factorization of $N$ and its running time is dominated by solving the puzzle, that is, compute $x^{2^T}$, which is conjectured to require $T$ sequential squarings.
The motivation for this work comes from the Chia blockchain design, which uses a VDF as a key ingredient. For typical parameters, our proofs are of size around $10KB$ and verification cost around three RSA exponentiations.
Sergiu Carpov, Oana Stan
      Homomorphic encryption schemes allow to perform computations over encrypted data.
In schemes based on RLWE assumption the plaintext data is a ring polynomial.
In many use cases of homomorphic encryption only the degree-0 coefficient of this polynomial is used to encrypt data.
In this context any computation on encrypted data can be performed.
It is trickier to perform generic computations when more than one coefficient per ciphertext is used.
In this paper we introduce a method to efficiently evaluate low-degree multivariate polynomials over encrypted data. The main idea is to encode several messages in the coefficients of a plaintext space polynomial. Using ring homomorphism operations and multiplications between ciphertexts, we compute multivariate monomials up to a given degree. Afterwards, using ciphertext additions we evaluate the input multivariate polynomial. We perform extensive experimentations of the proposed evaluation method. As example, evaluating an arbitrary multivariate degree-3 polynomial with 100 variables over Boolean space takes under 13 seconds.
  In this paper we introduce a method to efficiently evaluate low-degree multivariate polynomials over encrypted data. The main idea is to encode several messages in the coefficients of a plaintext space polynomial. Using ring homomorphism operations and multiplications between ciphertexts, we compute multivariate monomials up to a given degree. Afterwards, using ciphertext additions we evaluate the input multivariate polynomial. We perform extensive experimentations of the proposed evaluation method. As example, evaluating an arbitrary multivariate degree-3 polynomial with 100 variables over Boolean space takes under 13 seconds.
25 June 2018
      Dear IACR members,
This year holds again great promise for cryptology research with the ongoing interest in blockchain technology and cryptocurrencies. As a sign of this, the word "crypto" has received a new interpretation in newspapers, by the public, and by your favorite search engine: Crypto no longer stands first for the conference that we have held in Santa Barbara since 1981.
This message contains information about recent some developments in IACR. The Board of Directors held a virtual meeting back in March (using Zoom teleconference!) and an in-person meeting at Eurocrypt in Tel-Aviv.
Crypto 2018
The Crypto 2018 conference will accommodate seven "workshops" or affiliated events, taking place from Friday to Sunday before the main conference. Registrations are flowing in at a steady pace. Together with the general chair Tal Rabin, I urge you to register and book your trips early.
https://crypto.iacr.org/2018/
The cutoff date for discounted early registration is July 5th!
Task force on diversity
The IACR has established a task force on diversity, whose goal is to:
a) support women attending IACR events;
b) promote and support IACR and other events that advance diversity (defined broadly);
c) improve diversity, especially representation of women and people from Asia, within IACR governance.
This is a community effort. Tal Rabin and Douglas Stebila are leading the task force and are looking forward to receiving your help, suggestions, and comments.
Code of Conduct for IACR events
The IACR has adopted a code of conduct for its conferences. All events of the IACR must refer to this code of conduct, which starts as follows:
The IACR is committed to providing an experience free of harassment and discrimination in its events, respecting the dignity of every participant. Participants who violate this code may be sanctioned and/or expelled from the event, at the discretion of the General Chair(s). Serious incidents may be referred to the IACR Ethics Committee for further possible action.
You can find the full text in the General Chair guidelines, section 8.10, on the website under:
https://www.iacr.org/docs/minutes/
For supporting this on behalf of the Board, the role of a Code-of-Conduct Liaison has been created. This is a person participating as observer in the Board. The Board has appointed Tal Rabin to this role.
IACR Schools in Cryptology
Cryptology Schools typically provide multiple days of intensive learning and constitute an efficient way to provide high-quality training for graduate students, as well as for professionals. The IACR sponsors such schools with financial contributions. The next schools in 2018 are:
Symmetric Proof Techniques
July 29-August 3, 2018, Bertinoro, Italy.
https://spotniq.school/
School on Modern Cryptography
July 30-August 3, 2018, Buenos Aires, Argentina.
http://www.dc.uba.ar/events/eci/2018/cursos
If you are interested to organize an IACR Cryptology School, please apply by June 30. More information is available on the website at https://iacr.org/schools/
To find out more about your IACR and the discussions of the Board of Directors, read the minutes of meeting at https://www.iacr.org/docs/minutes/
Best regards,
Christian Cachin
IACR President
  This year holds again great promise for cryptology research with the ongoing interest in blockchain technology and cryptocurrencies. As a sign of this, the word "crypto" has received a new interpretation in newspapers, by the public, and by your favorite search engine: Crypto no longer stands first for the conference that we have held in Santa Barbara since 1981.
This message contains information about recent some developments in IACR. The Board of Directors held a virtual meeting back in March (using Zoom teleconference!) and an in-person meeting at Eurocrypt in Tel-Aviv.
Crypto 2018
The Crypto 2018 conference will accommodate seven "workshops" or affiliated events, taking place from Friday to Sunday before the main conference. Registrations are flowing in at a steady pace. Together with the general chair Tal Rabin, I urge you to register and book your trips early.
https://crypto.iacr.org/2018/
The cutoff date for discounted early registration is July 5th!
Task force on diversity
The IACR has established a task force on diversity, whose goal is to:
a) support women attending IACR events;
b) promote and support IACR and other events that advance diversity (defined broadly);
c) improve diversity, especially representation of women and people from Asia, within IACR governance.
This is a community effort. Tal Rabin and Douglas Stebila are leading the task force and are looking forward to receiving your help, suggestions, and comments.
Code of Conduct for IACR events
The IACR has adopted a code of conduct for its conferences. All events of the IACR must refer to this code of conduct, which starts as follows:
The IACR is committed to providing an experience free of harassment and discrimination in its events, respecting the dignity of every participant. Participants who violate this code may be sanctioned and/or expelled from the event, at the discretion of the General Chair(s). Serious incidents may be referred to the IACR Ethics Committee for further possible action.
You can find the full text in the General Chair guidelines, section 8.10, on the website under:
https://www.iacr.org/docs/minutes/
For supporting this on behalf of the Board, the role of a Code-of-Conduct Liaison has been created. This is a person participating as observer in the Board. The Board has appointed Tal Rabin to this role.
IACR Schools in Cryptology
Cryptology Schools typically provide multiple days of intensive learning and constitute an efficient way to provide high-quality training for graduate students, as well as for professionals. The IACR sponsors such schools with financial contributions. The next schools in 2018 are:
Symmetric Proof Techniques
July 29-August 3, 2018, Bertinoro, Italy.
https://spotniq.school/
School on Modern Cryptography
July 30-August 3, 2018, Buenos Aires, Argentina.
http://www.dc.uba.ar/events/eci/2018/cursos
If you are interested to organize an IACR Cryptology School, please apply by June 30. More information is available on the website at https://iacr.org/schools/
To find out more about your IACR and the discussions of the Board of Directors, read the minutes of meeting at https://www.iacr.org/docs/minutes/
Best regards,
Christian Cachin
IACR President
Rabat, Morocco, 22 April - 24 April 2019
      Event date: 22 April to 24 April 2019
          
  Frigate Bay, St. Kitts, 18 February - 22 February 2019
      Event date: 18 February to 22 February 2019
Submission deadline: 18 September 2018
Notification: 14 November 2018
  Submission deadline: 18 September 2018
Notification: 14 November 2018
22 June 2018
Mihir Bellare, Joseph Jaeger, Julia Len
      The MD transform that underlies the MD and SHA families iterates a compression function $\mathsf{h}$ to get a hash function $\mathsf{H}$. The question we ask is, what property X of $\mathsf{h}$ guarantees collision resistance (CR) of $\mathsf{H}$? The classical answer is that X itself be CR. We show that weaker conditions X, in particular forms of what we call constrained-CR, suffice. This reduces demands on compression functions, to the benefit of security, and also, forensically, explains why collision-finding attacks on compression functions have not, historically, lead to immediate breaks of the corresponding hash functions. We obtain our results via a definitional framework called RS security, and a parameterized treatment of MD, that also serve to unify prior work and variants of the transform.
          
  Gergei Bana, Rohit Chadha, Ajay Kumar Eeralla
      We analyze the FOO electronic voting protocol in the provable secu- rity model using the technique of Computationally Complete Symbolic Attacker (CCSA). The protocol uses commitments, blind signatures and anonymous chan- nels to achieve vote privacy. Unlike the Dolev-Yao analyses of the protocol, we assume neither perfect cryptography nor existence of perfectly anonymous chan- nels. Our analysis reveals new attacks on vote privacy, including an attack that arises due to the inadequacy of the blindness property of blind signatures and not due to a specific implementation of anonymous channels. With additional assumptions and modifications, we were able to show that the protocol satisfies vote privacy. Our techniques demonstrate effectiveness of the CCSA technique for both attack detection and verification.
          
  Benjamin Wesolowski
      We construct an efficiently verifiable slow-timed hash function. A slow-timed hash function is a hash function with the guarantee that its evaluation requires to run a given number of sequential steps, but the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment. To construct a slow-timed hash function, we actually build a trapdoor slow-timed hash function.
A trapdoor slow-timed hash function is essentially a slow-timed hash function which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup), we obtain a simple slow-timed hash function.
          
  Sergiu Carpov, Malika Izabachène, Victor Mollimard
      In this paper, we propose a new technique to perform several
homomorphic operations in one bootstrapping call over a multi-value plaintext space.
Our construction relies on the FHEW-based gate bootstrapping: we
analyze its structure and propose a strategy we call multi-value
bootstrapping which allows to bootstrap an arbitrary function in an efficient way. 
   
The security of our scheme relies on the LWE assumption over the torus. 
We give three applications: 
the first one is the efficient evaluation of an arbitrary boolean function
(LUT), the second one is the optimization of the circuit bootstrapping
from (Asiacrypt'2017) which allows to compose circuits in a leveled mode, the third one is the homomorphic evaluation of a
neural network where the linear part is evaluated using a
generalization of the key-switching procedure and the non-linear part is evaluated with our multi-value bootstrapping.
We have implemented the proposed method and were able to evaluate arbitrary 6-to-6 LUTs under 1.2 seconds. Our implementation is based on the TFHE library but can be easily integrated into other homomorphic libraries based on the same structure, such as FHEW (Eurocrypt'2015). The number of LUT outputs does not influence the execution time by a lot, e.g. evaluation of additional 128 outputs on the same 6 input bits takes only 0.05 more seconds.
  We have implemented the proposed method and were able to evaluate arbitrary 6-to-6 LUTs under 1.2 seconds. Our implementation is based on the TFHE library but can be easily integrated into other homomorphic libraries based on the same structure, such as FHEW (Eurocrypt'2015). The number of LUT outputs does not influence the execution time by a lot, e.g. evaluation of additional 128 outputs on the same 6 input bits takes only 0.05 more seconds.
Cache-Attacks on the ARM TrustZone implementations of AES-256 and AES-256-GCM via GPU-based analysis
Ben Lapid, Avishai Wool
      The ARM TrustZone is a security extension which is used in recent Samsung flagship smartphones to create a Trusted Execution Environment (TEE) called a Secure World, which runs secure processes (Trustlets). The Samsung TEE includes cryptographic key storage and functions inside the Keymaster trustlet.
The secret key used by the Keymaster trustlet is derived by a hardware device and is inaccessible to the Android OS. However, the ARM32 AES implementation used by the Keymaster is vulnerable to side channel cache-attacks.
The Keymaster trustlet uses AES-256 in GCM mode, which makes mounting a cache attack against this target much harder. In this paper we show that it is possible to perform a successful cache attack against this AES implementation, in AES-256/GCM mode, using widely available hardware. Using a laptop's GPU to parallelize the analysis, we are able to extract a raw AES-256 key with 7 minutes of measurements and under a minute of analysis time and an AES-256/GCM key with 40 minutes of measurements and 30 minutes of analysis.
          
  Debayan Das, Mayukh Nath, Baibhab Chatterjee, Santosh Ghosh, Shreyas Sen
      The threat of side-channels is becoming increasingly prominent for resource-constrained internet-connected devices. While numerous power side-channel countermeasures have been proposed, a promising approach to protect the non-invasive electromagnetic side-channel attacks has been relatively scarce. Today's availability of high-resolution electromagnetic (EM) probes mandates the need for a low-overhead solution to protect EM side-channel analysis (SCA) attacks. This work, for the first time, performs a white-box analysis to root-cause the origin of the EM leakage from an integrated circuit. System-level EM simulations with Intel 32 nm CMOS technology interconnect stack reveals that the EM leakage from metals above layer 8 can be detected by an external non-invasive attacker with the commercially available EM probes. This work proposes a two-stage solution to eliminate the critical signal radiation from the higher-level metal layers. Firstly, we propose routing the entire cryptographic core using the local lower-level metal layers, whose leakage cannot be picked up by an external attacker. Then, the entire crypto IP is embedded within a signature attenuation hardware (SAH) which in turn suppresses the critical encryption signature and finally connects to the highly radiating top-level metal layers. We utilize the Attenuated Signature Noise Injection (ASNI) circuit, which was recently proposed as a low-overhead generic power SCA countermeasure, in order to encapsulate the cryptographic core with local low-level metal routing, and thereby significantly suppress the critical signatures even before it reaches to the higher metals. System-level implementation of the ASNI circuit with local lower-level metal layers in TSMC 65 nm CMOS technology, with an AES-128 core (as an example cryptographic engine) operating at 40 MHz, shows that the system remains secure against EM SCA attack even after $1 M$ encryptions, with $67\%$ power efficiency compared to the unprotected AES.
          
  Mor Weiss, Daniel Wichs
      Oblivious RAM (ORAM), introduced by Goldreich and Ostrovsky (JACM 1996), can be used to read and write to memory in a way that hides which locations are being accessed. The best known ORAM schemes have an $O(\log n)$ overhead per access, where $n$ is the data size. The work of Goldreich and Ostrovsky gave a lower bound showing that this is optimal for ORAM schemes that operate in a ``balls and bins'' model, where memory blocks can only be shuffled between different locations but not manipulated otherwise. The lower bound even extends to weaker settings such as offline ORAM, where all of the accesses to be performed need to be specified ahead of time, and read-only ORAM, which only allows reads but not writes. But can we get lower bounds for general ORAM, beyond ``balls and bins''?
The work of Boyle and Naor (ITCS '16) shows that this is unlikely in the offline setting. In particular, they construct an offline ORAM with $o(\log n)$ overhead assuming the existence of small sorting circuits. Although we do not have instantiations of the latter, ruling them out would require proving new circuit lower bounds. On the other hand, the recent work of Larsen and Nielsen (CRYPTO '18) shows that there indeed is an $\Omega(\log n)$ lower bound for general online ORAM.
This still leaves the question open for online read-only ORAM or for read/write ORAM where we want very small overhead for the read operations. In this work, we show that a lower bound in these settings is also unlikely. In particular, our main result is a construction of online ORAM where reads (but not writes) have an $o(\log n)$ overhead, assuming the existence of small sorting circuits as well as very good locally decodable codes (LDCs). Although we do not have instantiations of either of these with the required parameters, ruling them out is beyond current lower bounds.
  The work of Boyle and Naor (ITCS '16) shows that this is unlikely in the offline setting. In particular, they construct an offline ORAM with $o(\log n)$ overhead assuming the existence of small sorting circuits. Although we do not have instantiations of the latter, ruling them out would require proving new circuit lower bounds. On the other hand, the recent work of Larsen and Nielsen (CRYPTO '18) shows that there indeed is an $\Omega(\log n)$ lower bound for general online ORAM.
This still leaves the question open for online read-only ORAM or for read/write ORAM where we want very small overhead for the read operations. In this work, we show that a lower bound in these settings is also unlikely. In particular, our main result is a construction of online ORAM where reads (but not writes) have an $o(\log n)$ overhead, assuming the existence of small sorting circuits as well as very good locally decodable codes (LDCs). Although we do not have instantiations of either of these with the required parameters, ruling them out is beyond current lower bounds.
Reynier Antonio de la Cruz Jiménez
      Substitution Boxes (S-Boxes) are crucial components in the design of many symmetric ciphers. The security of these ciphers against linear, differential, algebraic cryptanalyses and side-channel attacks is then strongly dependent on the choice of the S-Boxes. To construct S-Boxes having good resistive properties both towards classical cryptanalysis as well side-channel attacks is not a trivial task. In this article we propose new methods for generating S-Boxes with strong cryptographic
properties and therefore study the resilience of such S-Boxes against side-channel attacks in terms of its theoretical metrics and masking possibility.
          
  Christina Boura, Anne Canteaut, Jérémy Jean, Valentin Suder
      In this work, we discuss two notions of differential equivalence on Sboxes.
First, we introduce the notion of DDT-equivalence which applies to vectorial Boolean functions that share the same difference distribution table (DDT).
Next, we compare this notion to what we call the $\gamma$-equivalence, applying to vectorial Boolean functions whose DDTs have the same support.
We discuss the relation between these two equivalence notions, demonstrate that the number of DDT- or $\gamma$-equivalent functions is invariant under EA- and CCZ-equivalence and provide an algorithm for computing the DDT-equivalence and the $\gamma$-equivalence classes of a given function.
We study the sizes of these classes for some families of Sboxes.
Finally, we prove a result that shows that the rows of the DDT of an APN permutation are pairwise distinct.
          
  Dario Fiore, Elena Pagnin
      Multi-Key Homomorphic Signatures (MKHS) 
enable clients in a system to sign and upload messages to an untrusted server. 
At any later point in time, the server can perform a computation $C$
on data provided by $t$ different clients, and 
return the output $y$ and a short signature $\sigma{C, y}$
vouching for the correctness 
of $y$ as the output of the function $f$ on the signed data.
Interestingly, MKHS enable verifiers to check the validity of the signature
using solely the public keys of the signers whose messages were used in the computation.
Moreover, the signatures $\sigma{C, y}$ are succinct,
namely their size depends at most linearly in the number of clients, 
and only logarithmically in the total number of inputs of $C$.  
Existing MKHS are constructed based either on standard assumptions over lattices
(Fiore et al., ASIACRYPT'16),
or on non-falsifiable assumptions (SNARKs) (Lai et al., ePrint'16).
In this paper, we investigate connections between 
single-key and multi-key homomorphic signatures. 
We propose a generic compiler, called \matrioska, which turns any (sufficiently expressive)
single-key homomorphic signature scheme into a multi-key scheme.
Matrioska establishes a formal connection between these two
primitives 
and is the first alternative to the only known construction
under standard falsifiable assumptions.
Our result relies on a novel technique that exploits the homomorphic property of a single-key HS scheme 
to compress an arbitrary number of signatures from $t$ different users into only $t$ signatures.
          
  Prabhanjan Ananth, Aayush Jain, Dakshita Khurana, Amit Sahai
      The existence of secure indistinguishability obfuscators (iO) has far-reaching implications, significantly expanding the scope of problems amenable to cryptographic study. All known approaches to constructing iO rely on d-linear maps which allow the encoding of elements from a large domain, evaluating degree d polynomials on them, and testing if the output is zero. While secure bilinear maps are well established in cryptographic literature, the security of candidates for $d>2$ is poorly understood.
We propose a new approach to constructing iO for general circuits. Unlike all previously known realizations of iO, we avoid the use of d-linear maps of degree $d\ge 3$.
At the heart of our approach is the assumption that a new weak pseudorandom object exists, that we call a perturbation resilient generator ($\Delta\mathsf{RG}$). Informally, a $\Delta\mathsf{RG}$ maps n integers to m integers, and has the property that for any sufficiently short vector $a\in \mathbb{Z}^m$, all efficient adversaries must fail to distinguish the distributions $\Delta\mathsf{RG}(s)$ and $(\Delta\mathsf{RG}(s)+a)$, with at least some probability that is inverse polynomial in the security parameter. We require that the $\Delta\mathsf{RG}$ be computable by degree-2 polynomials over Z. We use techniques building upon the Dense Model Theorem to deal with adversaries that have nontrivial but non-overwhelming distinguishing advantage.
As a result, we obtain iO for general circuits assuming:
- Subexponentially secure LWE
- Bilinear Maps
- $(1-1/poly(\lambda))$-secure 3-block-local PRGs
- $1/poly(\lambda)$-secure $\Delta\mathsf{RG}$s
  We propose a new approach to constructing iO for general circuits. Unlike all previously known realizations of iO, we avoid the use of d-linear maps of degree $d\ge 3$.
At the heart of our approach is the assumption that a new weak pseudorandom object exists, that we call a perturbation resilient generator ($\Delta\mathsf{RG}$). Informally, a $\Delta\mathsf{RG}$ maps n integers to m integers, and has the property that for any sufficiently short vector $a\in \mathbb{Z}^m$, all efficient adversaries must fail to distinguish the distributions $\Delta\mathsf{RG}(s)$ and $(\Delta\mathsf{RG}(s)+a)$, with at least some probability that is inverse polynomial in the security parameter. We require that the $\Delta\mathsf{RG}$ be computable by degree-2 polynomials over Z. We use techniques building upon the Dense Model Theorem to deal with adversaries that have nontrivial but non-overwhelming distinguishing advantage.
As a result, we obtain iO for general circuits assuming:
- Subexponentially secure LWE
- Bilinear Maps
- $(1-1/poly(\lambda))$-secure 3-block-local PRGs
- $1/poly(\lambda)$-secure $\Delta\mathsf{RG}$s
Daniel P. Martin, Marco Martinoli
      In recent years key rank has become an important aspect of side-channel analysis, enabling an evaluation lab to analyse the security of a device after a side-channel attack. In particular, it enables the lab to do so when the enumeration effort would be beyond their computing power. Due to its importance there has been a host of work investigating key rank over the last few years. In this work we build upon the existing literature to make progress on understanding various properties of key rank. We begin by showing when two different "scoring methods" will provide the same rank. This has been implicitly used by various algorithms in the past but here it is shown for a large class of functions. We conclude by giving the computational complexity of key rank. This implies that it is unlikely for, considerably, better algorithms to exist.
          
  Nir Bitansky, Huijia Lin
      We introduce a new notion of one-message zero-knowledge (1ZK) arguments that satisfy a weak soundness guarantee  the number of false statements that a polynomial-time non-uniform adversary can convince the verifier to accept is not much larger than the size of its non-uniform advice. The zero-knowledge guarantee is given by a simulator that runs in (mildly) super-polynomial time.
We construct such 1ZK arguments based on the notion of multi-collision-resistant keyless hash functions, recently introduced by Bitansky, Kalai, and Paneth (STOC 2018). Relying on the constructed 1ZK arguments, subexponentially-secure time-lock puzzles, and other standard assumptions, we construct one-message fully-concurrent non-malleable commitments. This is the first construction that is based on assumptions that do not already incorporate non-malleability, as well as the first based on (subexponentially) falsifiable assumptions.
  We construct such 1ZK arguments based on the notion of multi-collision-resistant keyless hash functions, recently introduced by Bitansky, Kalai, and Paneth (STOC 2018). Relying on the constructed 1ZK arguments, subexponentially-secure time-lock puzzles, and other standard assumptions, we construct one-message fully-concurrent non-malleable commitments. This is the first construction that is based on assumptions that do not already incorporate non-malleability, as well as the first based on (subexponentially) falsifiable assumptions.
Tim Ruffing, Sri Aravinda Thyagarajan, Viktoria Ronge, Dominique Schröder
      Zerocoin (Miers et. al, IEEE S&P13), designed as an extension to Bitcoin and similar cryptocurrencies, was the first anonymous cryptocurrency proposal which supports large anonymity sets. We identify a cryptographic denial-of-spending attack on the original Zerocoin protocol and a second Zerocoin protocol (Groth and Kohlweiss, EUROCRYPT15), which enables a network attacker to destroy money of honest users. The attack leads to real-world vulnerabilities in multiple cryptocurrencies, which rely on implementations of the original Zerocoin protocol. 
The existence of the attack does not contradict the formal security analyses of the two Zerocoin protocols but exposes the lack of an important missing property in the security model of Zerocoin. While the security definitions model that the attacker should not be able to create money out of thin air or steal money from honest users, it does not model that the attacker cannot destroy money of honest users. Fortunately, there are simple fixes for the security model and for both protocols.
  The existence of the attack does not contradict the formal security analyses of the two Zerocoin protocols but exposes the lack of an important missing property in the security model of Zerocoin. While the security definitions model that the attacker should not be able to create money out of thin air or steal money from honest users, it does not model that the attacker cannot destroy money of honest users. Fortunately, there are simple fixes for the security model and for both protocols.
Ebo van der Laan, Erik Poll, Joost Rijneveld, Joeri de Ruiter, Peter Schwabe, Jan Verschuren
      The current Java Card platform does not seem to allow for fast implementations of hash-based signature schemes. While the underlying implementation of the cryptographic primitives provided by the API can be fast, thanks to implementations in native code or in hardware, the cumulative overhead of the many separate API calls results in prohibitive performance for many common applications. In this work, we present an implementation of XMSS$^{MT}$ on the current Java Card platform, and make suggestions how to improve this platform in future versions.
          
  