International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

06:17 [Pub][ePrint] Glitches and Static Power Hand in Hand, by Amir Moradi and Oliver Mischke

  Several masking schemes to protect cryptographic implementations against side-channel attacks have been proposed. A few considered the glitches, and provided security proofs in presence of such inherent phenomena happening in logic circuits. One which is based on multi-party computation protocols and utilizes Shamir\'s secret sharing scheme was presented at CHES 2011. It aims at providing security for hardware implementations - mainly of AES - against those sophisticated side-channel attacks that also take glitches into account. One part of this article deals with the practical issues and relevance of the aforementioned masking scheme. We first provide a guideline on how to implement the scheme for the simplest settings, and address some pitfalls in the scheme which prevent it to be practically realized. Solving the problems and constructing an exemplary design of the scheme, we provide practical side-channel evaluations based on a 65nm-technology Virtex-5 FPGA. We still observe univariate side-channel leakage, which is not expected according to the proven security of the scheme. We believe that the leakage is due to a combination of static power consumption and glitches in the circuit which is observed for the first time in practice. Dependency of static power consumption of nano-scale devices on processed data - which was warned before to be problematic - becomes now critical. Our result does not invalidate the given security proof of the scheme itself, but instead shows that the underlying model to obtain the proofs no longer fits to the reality. This is true not only for the scheme showcased here, but also for most other known masking schemes. As a result, due to the still ongoing technology shrinkage most of the available data-randomizing side-channel countermeasures will not be able to completely prevent univariate side-channel leakage of hardware implementations. Our work shows that new models must be created under which the security of new schemes can be proven considering leakages through both dynamic and static power consumption.

06:17 [Pub][ePrint] Sender Equivocable Encryption Schemes Secure against Chosen-Ciphertext Attacks Revisited, by Zhengan Huang and Shengli Liu and Baodong Qin

  The first sender equivocable encryption scheme secure against chosen-ciphertext attack (NC-CCA) was proposed by Fehr et al. in Eurocrypt 2010. The scheme was also secure against selective opening chosen-ciphertext attack (SO-CCA), since NC-CCA security implies SO-CCA security.

The NC-CCA security proof of the scheme relies on security against substitution attack of a new primitive, ``cross-authentication code\'\'. However, the security of cross-authentication code can not guarantee anything when all the keys used in the code are exposed. The key observation is that in the NC-CCA game, the randomness used in the generation of the challenge ciphertext is exposed to the adversary. This random information can be used to recover all the keys involved in cross-authentication code, and forge a ciphertext (like a substitution attack of cross-authentication code) that is different from but related to the challenge ciphertext. And the response of decryption oracle leaks information. This leaked information is employed by an attack to spoil the NC-CCA security proof of the sender equivocable encryption scheme encrypting multi-bits. We also propose a new scheme encrypting single-bit plaintext, free of cross-authentication code, and prove its NC-CCA security.

06:17 [Pub][ePrint] Semantically Secure Functional Encryption, Revisited, by Manuel Barbosa and Pooya Farshim

  Functional encryption (FE) is a powerful cryptographic primitive that generalizes many asymmetric encryption systems proposed in recent years. Syntax and security definitions for general FE were recently proposed by Boneh, Sahai, and Waters (BSW) (TCC 2011) and independently by O\'Neill (ePrint 2010/556). In this paper we revisit these definitions, identify a number of shortcomings in them, and propose a new definitional approach that overcomes these limitations. Our definitions display good compositionality properties and allow us to obtain new feasibility and impossibility results for adaptive token extraction attack scenarios that shed further light on the potential reach of general FE for practical applications. The main contributions of the paper are the following:

- We show that the BSW definition of semantic security fails to reject intuitively insecure FE schemes where a ciphertext leaks more about an encrypted message than that which can be recovered from an image under the supported functionality. Our definition (as O\'Neill\'s) does not suffer from this problem.

- We introduce an orthogonal notion of {\\em setup security} that rejects all FE schemes where the master secret key may give unwanted power to the TA, allowing the recovery of extra information from images under the supported functionality. We prove FE schemes supporting {\\em all-or-nothing} functionalities are intrinsically setup-secure and further show that many well-known functionalities {\\em are} all-or-nothing.

- We extend the equivalence result of O\'Neill between indistinguishability and semantic security to restricted {\\em adaptive} token extraction attacks (the standard notion of security for, e.g., IBEs and ABEs). We establish that this equivalence holds for the large class of all-or-nothing functionalities. Conversely, we show that the proof technique used to establish this equivalence cannot be applied to schemes supporting a one-way function.

- We show that the notable {\\em inner-product} functionality introduced by Katz, Sahai, and Waters (EUROCRYPT 2008) can be used to encode a one-way function under the small integer solution problem, and hence natural approaches to prove its (restricted) adaptive security fail. This complements the equivalence result of O\'Neill for the non-adaptive case, and leaves open the question of proving the semantic security of existing inner-product encryption schemes.

06:17 [Pub][ePrint] Efficient Signatures of Knowledge and DAA in the Standard Model, by David Bernhard and Georg Fuchsbauer and Essam Ghadafi

  Direct Anonymous Attestation (DAA) is one of the most complex cryptographic protocols deployed in practice.

It allows an embedded secure processor known as a Trusted Platform Module (TPM) to attest to the configuration of its host computer without violating the owner\'s privacy.

DAA has been standardized by the Trusted Computing Group.

The security of the DAA standard and all existing schemes is analyzed in the random oracle model.

We provide the first constructions of DAA in the standard model, that is, without relying on random oracles.

As a building block for our schemes, we construct the first efficient standard-model signatures of knowledge, which have many applications beyond DAA.

05:12 [Job][New] Assistant Professor in Cryptology and Information Security, JAIST, Japan


Japan Advanced Institute of Science and Technology (JAIST) invites applicants to a five-year term assistant professor position in SCHOOL OF INFORMATION SCIENCE. The appointee is expected to start her/his academic and educational activities in JAIST on April 1st, 2013.

A primary objective of this position is to promote international research and development activities in Cryptology and Information Security, where candidates have to be highly competent in conducting research work.

Applicants have to hold Ph.D degree, and be qualified for high scientific activities through participating in international research initiatives. The salary is automatically decided depending on your experiences and age (Typical example of annual income is about 4,000,000 to 5,000,000 yen per year (including tax)). Security group in JAIST can research by making full use of the advanced parallel computer system.

20:55 [Event][New] HASP'12: Workshop on Hardware and Architectural Support for Security and Privac

  Submission: 7 October 2012
Notification: 21 October 2012
From December 2 to December 2
Location: Vancouver, Canada
More Information:

07:59 [Event][New] IEEE ICIT 2013: Special Session on Security and Coding Aspects of Longrange RFID

  Submission: 8 September 2012
Notification: 1 November 2012
From February 25 to February 27
Location: Cape Town, South Africa
More Information:

07:59 [Event][New] ACSW-AISC: Australasian Information Security Conference

  Submission: 27 August 2012
Notification: 8 October 2012
From January 29 to February 1
Location: Adelaide, Australia
More Information:

07:58 [Job][New] Post-doc, University of Auckland, New Zealand

  Topic: Lattice-based cryptography

Supervisor: Prof. Steven Galbraith

Duration: Approx 18-24 months

Salary: Approx NZ$ 55,000-70,000 (US$ 44K-56K) depending on the experience of the candidate and other factors

Start date: Preferably between November 2012-March 2013

Application process:

There is no formal application process. If you are interested in learning more about the position then please send a copy of your CV by email to s.galbraith (at) , preferably before September 8, 2012.

Project Details:

The project will be on the security and implementation of lattice-based cryptosystems. The specific topic of the research will depend on the technical skills and experience of the successful candidate. Some possible projects might include:

  • development and analysis of algorithms for lattice problems

  • development and security analysis of lattice-based cryptosystems

  • efficient software and/or hardware implementation of lattice systems

The successful applicant will have (or be very near to completion) a PhD in mathematics/computer science/engineering and a research track record in at least one of the following areas:

  • theoretical cryptography

  • computational number theory and lattices

  • software/hardware implementation of cryptographic systems.

About the University of Auckland:

The University of Auckland is New Zealand\'s leading university and is the highest ranked New Zealand university in the major rankings of world universities.

The Mathematics Department is the strongest mathematics department in New Zealand and is situated on the main City Campus, located in the heart of Auckland.

The city of Auckland is a wonderful place to live, with a harbour setting, great sailing, mag

09:17 [Pub][ePrint] Succinct Arguments from Multi-Prover Interactive Proofs and their Efficiency Benefits, by Nir Bitansky and Alessandro Chiesa

  \\emph{Succinct arguments of knowledge} are computationally-sound proofs of knowledge for NP where the verifier\'s running time is independent of the time complexity $t$ of the nondeterministic NP machine $M$ that decides the given language.

Existing succinct argument constructions are, typically, based on techniques that combine cryptographic hashing and probabilistically-checkable proofs (PCPs). Yet, even when instantiating these constructions with state-of-the-art PCPs, the prover needs $\\Omega(t)$ space in order to run in quasilinear time (i.e., time $t \\poly(k)$), regardless of the space complexity $s$ of the machine $M$.

We say that a succinct argument is \\emph{complexity preserving} if the prover runs in time $t \\poly(k)$ and space $s \\poly(k)$ and the verifier runs in time $|x| \\poly(k)$ when proving and verifying that a $t$-time $s$-space random-access machine nondeterministically accepts an input $x$. Do complexity-preserving succinct arguments exist? To study this question, we investigate the alternative approach of constructing succinct arguments based on multi-prover interactive proofs (MIPs) and stronger cryptographic techniques:

(1) We construct a one-round succinct MIP of knowledge, where each prover runs in time $t \\polylog(t)$ and space $s \\polylog(t)$ and the verifier runs in time $|x| \\polylog(t)$.

(2) We show how to transform any one-round MIP protocol to a succinct four-message argument (with a single prover), while preserving the time and space efficiency of the original MIP protocol; using our MIP protocol, this transformation yields a complexity-preserving four-message succinct argument.

As a main tool for our transformation, we define and construct a \\emph{succinct multi-function commitment} that (a) allows the sender to commit to a vector of functions in time and space complexity that are essentially the same as those needed for a single evaluation of the functions, and (b) ensures that the receiver\'s running time is essentially independent of the function. The scheme is based on fully-homomorphic encryption (and no additional assumptions are needed for our succinct argument).

(3) In addition, we revisit the problem of \\emph{non-interactive} succinct arguments of knowledge (SNARKs), where known impossibilities prevent solutions based on black-box reductions to standard assumptions. We formulate a natural (but non-standard) variant of homomorphic encryption having a \\emph{homomorphism-extraction property}. We show that this primitive essentially allows to squash our interactive protocol, while again preserving time and space efficiency, thereby obtaining a complexity-preserving SNARK. We further show that this variant is, in fact, implied by the existence of (complexity-preserving) SNARKs.

09:17 [Pub][ePrint] Perfect Ambiguous Optimistic Fair Exchange, by Yang Wang and Man Ho Au and Willy Susilo

  Protocol for fair exchange of digital signatures is essential in many applications including contract signing, electronic commerce, or even peer-to-peer file sharing. In such a protocol, two parties, Alice and Bob, would like to exchange digital signatures on some messages in a fair way. It is known that a trusted arbitrator is necessary in the realization of such a protocol.

We identify that in some scenarios, it is required that prior to the completion of the protocol, no observer should be able to tell whether Alice and Bob are conducting such an exchange. Consider the following scenario in which Apple engages Intel in an exchange protocol to sign a contract that terminates their OEM agreement. The information would be of value to a third party (such as the stock broker, or other OEM companies). If the protocol transcript can serve as an evidence that such a communication is in progress, any observer of this communication, including the employees of both companies, would be tempted to capture the transcript and sell it to outsiders.

We introduce a new notion called \\emph{perfect ambiguous optimistic fair exchange} (PAOFE), which is particularly suitable to the above scenario. PAOFE fulfils all traditional requirements of cryptographic fair exchange of digital signatures and, in addition, guarantees that the communication transcript cannot be used as a proof to convince others that the protocol is in progress. Specifically, we formalize the notion of PAOFE and present a rigorous security model in the multi-user setting under the chosen-key attack. We also present a generic construction of PAOFE from existing cryptographic primitives and prove that our proposal is secure with respect to our definition in the standard model.