International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-06-03
21:17 [Pub][ePrint] A Public Shuffle without Private Permutations, by Myungsun Kim and Jinsu Kim and Jung Hee Cheon

  In TCC 2007, Adida and Wikstr\\\"{o}m proposed a novel approach to

shuffle, called a public shuffle,

in which a shuffler can perform shuffle publicly without needing information kept secret.

Their scheme uses an encrypted permutation matrix to shuffle

ciphertexts publicly.

This approach significantly reduces the cost of constructing a mix-net

to verifiable joint decryption. Though their method is successful in making

shuffle to be a public operation, their scheme

still requires that some trusted parties should choose a permutation

to be encrypted and construct zero-knowledge proofs on the

well-formedness of this permutation.

In this paper, we propose a method to construct a public shuffle

without relying on permutations and randomizers generated privately: Given an

$n$-tuple of ciphertext $(c_1,\\dots,c_n)$, our shuffle algorithm

computes $f_i(c_1,\\dots,c_n)$ for $i=1,\\dots,\\ell$ where each

$f_i(x_1,\\dots,x_n)$ is a symmetric polynomial in $x_1,\\dots,x_n$.

Depending on the symmetric polynomials we use, we propose two concrete constructions.

One is to use ring homomorphic encryption with constant ciphertext

complexity and the other is to use simple ElGamal encryption with

linear ciphertext complexity in the number of senders. Both

constructions are free of zero-knowledge proofs and publicly

verifiable.



21:17 [Pub][ePrint] On instance separation in the UC-framework, by István Vajda

  The UC approach of Canetti offers the advantage of stand-alone analysis while keeping security guaranties for arbitrary complex environment. When we implement by this approach first we have to ensure secure instance separation and based on this condition, we are allowed to carry out a stand-alone analysis. In this report we propose three issues related to instance separation in UC-context:

We consider the problem of universal composability in cases, when we cannot assume independence of instances. Next we formalize the interleaving attack and a related security notion. In time-aware protocols time-based separation of instances is one of the standard implementation techniques. We propose an event-driven clock model towards purely symbolic analysis of time-aware protocols.



21:17 [Pub][ePrint] On The Distribution of Linear Biases: Three Instructive Examples, by Mohamed Ahmed Abdelraheem and Martin Aagren and Peter Beelen and Gregor Leander

  Despite the fact that we evidently have very good block ciphers at hand today, some fundamental questions on their security are still unsolved. One such fundamental problem is to precisely assess the security of a given block cipher with respect to linear cryptanalysis. In by far most of the cases we have to make (clearly wrong) assumptions, e.g., assume independent round-keys. Besides being unsatisfactory from a scientific perspective, the lack of fundamental understanding might have an impact on the performance of the ciphers we use. As we do not understand the security sufficiently enough, we often tend to embed a security margin -- from an efficiency perspective nothing else than wasted performance. The aim of this paper is to stimulate research on these foundations of block ciphers. We do this by presenting three examples of ciphers that behave differently to what is normally assumed. Thus, on the one hand these examples serve as counter examples to common beliefs and on the other hand serve as a guideline for future work.



21:17 [Pub][ePrint] Actively Secure Two-Party Evaluation of any Quantum Operation, by Frédéric Dupuis and Jesper Buus Nielsen and Louis Salvail

  We provide the first two-party protocol allowing Alice and Bob to evaluate privately even against active adversaries any completely positive, trace-preserving map given as a quantum circuit upon their joint quantum input state. Our protocol leaks no more to any active adversary than an ideal functionality for the map, provided Alice and Bob have the cryptographic resources for active secure two-party classical computation.



15:06 [Conf][Crypto] Crypto 2012 list of accepted papers

  The list of accepted papers has been posted on the CRYPTO 2012 website.
http://www.iacr.org/conferences/crypto2012/acceptedpapers-2012.html




2012-06-01
13:45 [Event][New] FPS 2012: 5th International Symposium on Foundations & Practice of Security

  Submission: 1 July 2012
Notification: 20 August 2012
From October 25 to October 26
Location: Montreal, Canada
More Information: http://conferences.telecom-bretagne.eu/fps2012/




2012-05-30
02:23 [Conf][Crypto] Crypto 2012 online registration is open

  Crypto 2012 online registration is now open.

Registration website --
http://www.iacr.org/conferences/crypto2012/registration-2012.html

Early registration deadline: July 8, 2012




2012-05-29
21:17 [Pub][ePrint] Quo Vadis Quaternion? Cryptanalysis of Rainbow over Non-Commutative Rings, by Enrico Thomae

  The Rainbow Signature Scheme is a non-trivial generalization of the well known Unbalanced Oil and Vinegar Signature Scheme (Eurocrypt \'99) minimizing the length of the signatures. Recently a new variant based on non-commutative rings, called NC-Rainbow, was introduced at CT-RSA 2012 to further minimize the secret key size.

We disprove the claim that NC-Rainbow is as secure as Rainbow in general and show how to reduce the complexity of MinRank attacks from 2^288 to 2^112 and of HighRank attacks from 2^128 to 2^96 for the proposed instantiation over the ring of Quaternions. We further reveal some facts about Quaternions that increase the complexity of the signing algorithm. We show that NC-Rainbow is just a special case of introducing further structure to the secret key in order to decrease the key size. As the results are comparable with the ones achieved by equivalent keys, which provably do not decrease security, and far worse than just using a PRNG, we recommend not to use NC-Rainbow.



21:17 [Pub][ePrint] Homomorphic Signature for Identity Authentication in Cloud Computing, by Zhiwei Wang, Guozi Sun and Danwei Chen

  In this paper, we introduce a new kind of homomorphic signature, which is suitable for identity authentication in cloud computing. User firstly gives his full signature (involves all his identity attributes) to the identity authentication server. During the valid period of his full signature, if the user wants to require a cloud service on a special identity (only involves part of identity attributes), he only needs to secretly send a $\\{0,1\\}^n$ vector to the identity authentication server. The identity authentication server who doesn\'t know the secret key can compute the partial signature on the special identity, and then signs it to the cloud server. We give a formal secure definition of this homomorphic signature, and construct a scheme from GHR signature. We prove that our scheme is secure under strong RSA assumption.



21:17 [Pub][ePrint] Passive Corruption in Statistical Multi-Party Computation, by Martin Hirt and Christoph Lucas and Ueli Maurer and Dominik Raub

  The goal of Multi-Party Computation (MPC) is to perform an arbitrary computation in a distributed, private, and fault-tolerant way. For this purpose, a fixed set of n parties runs a protocol that tolerates an adversary corrupting a subset of the parties, preserving certain security guarantees like correctness, secrecy, robustness, and fairness. Corruptions can be either passive or active: A passively corrupted party follows the protocol correctly, but the adversary learns the entire internal state of this party. An actively corrupted party is completely controlled by the adversary, and may deviate arbitrarily from the protocol. A mixed adversary may at the same time corrupt some parties actively and some additional parties passively.

In this work, we consider the statistical setting with mixed adversaries and study the exact consequences of active and passive corruptions on secrecy, correctness, robustness, and fairness separately (i.e., hybrid security). Clearly, the number of passive corruptions affects the thresholds for secrecy, while the number of active corruptions affects all thresholds. It turns out that in the statistical setting, the number of passive corruptions in particular also affects the threshold for correctness, i.e., in all protocols there are (tolerated) adversaries for which a single additional passive corruption is sufficient to break correctness. This is in contrast to both the perfect and the computational setting, where such an influence cannot be observed. Apparently, this effect arises from the use of information-theoretic signatures, which are part of most (if not all) statistical protocols.



21:17 [Pub][ePrint] Public-Key Cryptography from New Multivariate Quadratic Assumptions, by Yun-Ju Huang and Feng-Hao Liu and Bo-Yin Yang

  In this work, we study a new multivariate quadratic (MQ) assumption that can be used to construct public-key encryption schemes. In particular, we research in the following two directions:

We establish a precise \\emph{asymptotic} formulation of a family of hard MQ problems, and provide empirical evidence to confirm the hardness. %Since there are many practical solvers studied and implemented during the studies of algebraic attacks, we use

We construct public-key encryption schemes, and prove their security under the hardness assumption of this family. Also, we provide a new \\emph{perspective} to look at MQ systems that plays a key role to our design and proof of security.

As a consequence, we construct the \\emph{first} public-key encryption scheme that is \\emph{provably secure} under the MQ assumption.

Moreover, our public-key encryption scheme is efficient in the sense that it only needs a ciphertext length $L + \\poly(k)$ to encrypt a message $M\\in \\{0, 1 \\}^{L}$ for any un-prespecified polynomial $L$, where $k$ is the security parameter. This is essentially \\emph{optimal} since an additive overhead is the best we can hope for.