Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via
To receive your credentials via mail again, please click here.
You can also access the full news archive.
In this paper, we show how to algorithmically secure any cryptographic functionality from continual split-state leakage and tampering attacks. A split-state attack on cryptographic hardware is one that targets separate parts of the hardware separately. Our construction does not require the hardware to have access to randomness. In contrast, prior work on protecting from continual combined leakage and tampering required true randomness for each update. Our construction is in the common reference string (CRS) model; the CRS must be hard-wired into the device. We note that prior negative results show that it is impossible to algorithmically secure a cryptographic functionality against a combination of arbitrary continual leakage and tampering attacks without true randomness; therefore restricting our attention to the split-state model is justified.
Our construction is simple and modular, and relies on a new construction, in the CRS model, of non-malleable codes with respect to split-state tampering functions, which may be of independent interest.
anonymous credentials. Our new notion in contrast is a convenient building block for anonymous
credential systems. The construction we propose is efficient: it requires just a few exponentiations in a prime-order group in which the decisional Diffie-Hellman problem is hard. Thus, for
the ﬁrst time, we give a provably secure construction of anonymous credentials that can work in
the elliptic group setting without bilinear pairings. In contrast, prior provably secure constructions were based on the RSA group or on groups with pairings, which made them prohibitively
inefficient for mobile devices, RFIDs and smartcards. The only prior efficient construction that
could work in such elliptic curve groups, due to Brands, does not have a proof of security.
A recently proposed masking method, based on secret sharing and multi-party computation methods, introduces a set of sufficient requirements for implementations to be provably resistant against first-order DPA with minimal assumptions on the hardware.
The original paper doesn\'t describe how to construct the Boolean functions that are to be used in the implementation. In this paper, we derive the functions for all invertible $3 \\times 3$, $4 \\times 4$ S-boxes and the $6 \\times 4$ DES S-boxes. Our methods and observations can also be used to accelerate the search for sharings of larger (e.g. $8 \\times 8$) S-boxes. Finally, we investigate the cost of such protection.
shuffle, called a public shuffle,
in which a shuffler can perform shuffle publicly without needing information kept secret.
Their scheme uses an encrypted permutation matrix to shuffle
This approach significantly reduces the cost of constructing a mix-net
to verifiable joint decryption. Though their method is successful in making
shuffle to be a public operation, their scheme
still requires that some trusted parties should choose a permutation
to be encrypted and construct zero-knowledge proofs on the
well-formedness of this permutation.
In this paper, we propose a method to construct a public shuffle
without relying on permutations and randomizers generated privately: Given an
$n$-tuple of ciphertext $(c_1,\\dots,c_n)$, our shuffle algorithm
computes $f_i(c_1,\\dots,c_n)$ for $i=1,\\dots,\\ell$ where each
$f_i(x_1,\\dots,x_n)$ is a symmetric polynomial in $x_1,\\dots,x_n$.
Depending on the symmetric polynomials we use, we propose two concrete constructions.
One is to use ring homomorphic encryption with constant ciphertext
complexity and the other is to use simple ElGamal encryption with
linear ciphertext complexity in the number of senders. Both
constructions are free of zero-knowledge proofs and publicly
We consider the problem of universal composability in cases, when we cannot assume independence of instances. Next we formalize the interleaving attack and a related security notion. In time-aware protocols time-based separation of instances is one of the standard implementation techniques. We propose an event-driven clock model towards purely symbolic analysis of time-aware protocols.