International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:40 [PhD][Update] Mehmet Sabir Kiraz: Secure and Fair Two-Party Computation

  Name: Mehmet Sabir Kiraz
Topic: Secure and Fair Two-Party Computation
Category:cryptographic protocols

Description: Consider several parties that do not trust each other, yet they wish to correctly compute some common function of their local inputs while keeping these inputs private. This problem is known as “Secure Multi-Party Computation”, and was introduced by Andrew Yao in 1982. Secure multi-party computations have some real world examples like electronic auctions, electronic voting or Fingerprinting. In this thesis we consider the case where there are only two parties involved. This is known as “Secure Two-Party Computation”. If there is a trusted third party called Carol, then the problem is pretty straightforward. The participating parties could hand their inputs in Carol who can compute the common function correctly and could return the outputs to the corresponding parties. The goal is to achieve (almost) the same result when there is no trusted third party. Cryptographic protocols are designed in order to solve these kinds of problems. These protocols are analyzed within an appropriate model in which the behavior of parties is structured. The basic level is called the Semi-Honest Model where parties are assumed to follow the protocol specification, but later can derive additional information based on the messages which have been received so far. A more realistic model is the so-called Malicious Model. The common approach is to First analyze a protocol in the semi-honest model and then later extend it into the malicious model. Any cryptographic protocol for secure two-party computation must satisfy the following security requirements: correctness, privacy and fairness. It must guarantee the correctness of the result while preserving the privacy of the parties’ inputs, even if one of the parties is malicious and behaves arbitrarily throughout the protocol. It must also guarantee fairness. This roughly means that whenever a party aborts the protocol prematurely, he or she should not have any advantage over the other party in discovering the o[...]

16:39 [PhD][New] Zubair Naqvi: Security using Cryptographic Systems in Banks

  Name: Zubair Naqvi
Topic: Security using Cryptographic Systems in Banks
Category: public-key cryptography

Description: In this thesis, we describe how security is implemented in the banking systems using the art of cryptography and analyse the security of distributed computations. Since a computational process is always inseparable from physical phenomena thatmake it observable,simplified mathematical models,such as finite automata and Turingmachines have their limitations. Namely,\r\nsome artifacts that are observable in theoretical models might not be present or\r\nmeaningful in practice. Therefore, we must make a constant conscious effort to\r\nassure that theoretical models adequately represent the reality.[...]

16:39 [PhD][New] George Summers: Cryptographic Systems

  Name: George Summers
Topic: Cryptographic Systems
Category: (no category)

16:38 [PhD][New]


16:37 [PhD][New] Josep Balasch: Implementation Aspects of Security and Privacy in Embedded Design

  Name: Josep Balasch
Topic: Implementation Aspects of Security and Privacy in Embedded Design
Category: implementation

Description: Embedded devices are nowadays largely represented across the compute continuum. From mobile phones to smart cards and RFID tags, digital devices are becoming increasingly ubiquitous, mobile and integrated with their environment. This gradual shift towards pervasive computing envisions many benefits in sectors as diverse as financial, entertainment, health care, information access, or automotive. Along with these possibilities however, there are also inherent risks to be addressed. It is in this context that this dissertation is situated. It provides contributions to the security of embedded devices and the privacy of the humans interacting with them.\r\n\r\nThe first part of the thesis is devoted to physical security. Many existing and future applications have built-in security capabilities which rely on keeping cryptographic keys secret. Typical examples include payment tokens, digital identity documents, or access control cards. As these devices operate in hostile environments, they need protection against physical attacks. Among these, side channel attacks and fault attacks represent two of the major threats in the security of embedded devices. \r\n\r\nOur contributions in this area encompass three different but related aspects. First, we provide an in-depth analysis of vulnerabilities that lead to physical attacks. In particular, we characterize the effects of fault injections based on setup-time violations on a low-end microcontroller. Second, we show how physical attacks are still a prominent threat for secure devices by successfully attacking a widely used family of secure memories. And third, we devise and thoroughly evaluate a high-level mitigation against side channel attacks. More specifically, we employ the inner product construction to design a masking-based countermeasure implementable at any order. \r\n\r\nThe second part of the thesis deals with privacy aspects. Systems such as location-based services, health-care monitoring, or smart homes rely on [...]

09:17 [Pub][ePrint] Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups, by Jean-Charles Faugère and Ayoub Otmani and Ludovic Perret and Frédéric de Portzamparc and Jean-Pierre Tillich

  The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non trivial automorphism group. Such codes display then symmetries allowing compact parity-check or generator matrices. For

instance, a key-reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes.

We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public-code to the key-recovery on a (much) smaller code that has not anymore symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold:

the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principal of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. D¨ur). This enables not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost up any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.

09:17 [Pub][ePrint] Optimizing Information Set Decoding Algorithms to Attack Cyclosymmetric MDPC Codes, by Ray Perlner

  The most important drawback to code-based cryptography has historically been its large key sizes. Recently, several promising approaches have been proposed to reduce keysizes. In particular, significant keysize reduction has been achieved by using structured, but non-algebraic codes, such as quasi-cyclic (QC) Moderate Density Parity Check (MDPC) codes. Biasi et al. propose further reducing the keysizes of code-based schemes using cyclosymmetric (CS) codes. Biasi et al analyze the complexity of attacking their scheme against standard information-set-decoding attacks. However, the research presented here shows that information set decoding algorithms can be modified, by choosing the columns of the information set in a way that takes advantage of the added symmetry. The result is an attack that significantly reduces the security of the proposed CS-MDPC schemes to the point that they no longer offer an advantage in keysize over QC-MDPC schemes of the same security level.

09:17 [Pub][ePrint] Graph-theoretic design and analysis of key predistribution schemes, by Michelle Kendall and Keith M. Martin

  Key predistribution schemes for resource-constrained networks are methods for allocating symmetric keys to devices in such a way as to provide an efficient trade-off between key storage, connectivity and resilience. While there have been many suggested constructions for key predistribution schemes, a general understanding of the design principles on which to base such constructions is somewhat lacking. Indeed even the tools from which to develop such an understanding are currently limited, which results in many relatively ad hoc proposals in the research literature.

It has been suggested that a large edge-expansion coefficient in the key graph is desirable for efficient key predistribution schemes. However, attempts to create key predistribution schemes from known expander graph constructions have only provided an extreme in the trade-off between connectivity and resilience: namely, they provide perfect resilience at the expense of substantially lower connectivity than can be achieved with the same key storage.

Our contribution is two-fold. First, we prove that many existing key predistribution schemes produce key graphs with good expansion.

This provides further support and justification for their use, and confirms the validity of expansion as a sound design principle. Second, we propose the use of incidence graphs and concurrence graphs as tools to represent, design and analyse key predistribution schemes. We show that these tools can lead to helpful insights and new constructions.

09:17 [Pub][ePrint] Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits, by Dan Boneh and Craig Gentry and Sergey Gorbunov and Shai Halevi and Valeria Nikolaenko and Gil Segev and Vinod

  We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit {\\em plus} an additive $\\mathsf{poly}(\\secp,d)$ bits, where $\\secp$ is the security parameter and $d$ is the circuit depth. Save the additive $\\mathsf{poly}(\\secp,d)$ factor, this is the best one could hope for. All previous constructions incurred a {\\em multiplicative} $\\mathsf{poly}(\\secp)$ blowup. As another application, we obtain (single key secure) functional encryption with short secret keys.

We construct our attribute-based system using a mechanism we call {\\em fully key-homomorphic encryption} which is a public-key system that lets anyone translate a ciphertext encrypted under a public-key~$\\vx$ into a ciphertext encrypted under the public-key~$(f(\\vx),f)$ of the same plaintext, for any efficiently computable~$f$. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem.

We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector~$\\vx$ is the size of $\\vx$ plus $\\mathsf{poly}(\\secp,d)$ additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, {\\em plus} a $\\mathsf{poly}(\\secp,d)$ factor.

09:17 [Pub][ePrint] Making and Breaking Leakage Simulators, by Jake Longo Galea and Daniel Martin and Elisabeth Oswald and Daniel Page and Martijn Stam

  Recently, Standaert et al. (Crypto\'13) advocated the notion of simulatable leakage

as a means to connect theoretical leakage resilience to practice.

They argued that using simulators based on actual physical devices, the

assumptions underlying their proofs of side channel resistance

become empirically `verifiable\' as evaluation labs can scrutinise the indistinguishability

of the simulator by actually `playing\' the games that involve real versus simulated leakage.

Standaert \\emph{et al.} proposed a concrete, block cipher based instantiation of a leakage

resilient pseudorandom generator. They provided a high level definition of a simulator based

on splicing two partial traces, and included detailed reasoning why their simulator (for AES-128) would resist state-of-the-art side channel attacks.

We exhibit a distinguisher against their simulator, thereby falsifying their hypothesis.

We demonstrate the efficacy of our distinguishing technique by experimental validation

using concrete implementations of the Standaert \\emph{et al.} simulator on several different platforms.

Our successful analysis is based on `tracking\' consistency (and likewise spotting simulator

inconsistencies) in leakage traces by means of cross correlation.

By taking the cross correlation between trace points, we can estimate real-or-simulated based either on a single key that is used multiple times, or based on multiple runs of

Standaert\'s \\emph{et al.} security game with varying keys each used only once.

Since the game hybridizes (in the number of keys used), the latter implies that theoretically

our distinguisher already wins when a single key is used with a single trace of side channel leakage!

Finally, we propose several alternative simulators, based on splitting traces at points of low intrinsic cross-correlation, which are more promising w.r.t.~the cross-correlation distinguisher. Unfortunately, these new simulators come with significant caveats, and we conclude that the most natural way of producing simulated leakage is by using the underlying construction `as is\' (but with a random key).

Provided the actual implementation has a low signal-to-noise ratio, we believe it practically infeasible to distinguish between real and simulated traces: when only a few very noisy leakages are made available to an attacker, signal processing techniques that rely on having sufficient observations are not applicable.

10:16 [Job][New] Lecturer (Assistant/Associate Professor equivalent), University of Bristol, United Kingdom of Greater Britan and Norther Ireland, EU

  Four positions in Computer Science

  • Two in any area of CS

  • One in theory and algorithms

  • One in HCI

You will have demonstrated that you are on track to become an outstanding researcher, carrying out innovative research to complement that currently being pursued in the Department. You will have already achieved international recognition and have a significant number of high quality publications in top venues. Our strategy is to grow our research portfolio and you will be expected to take a major role in achieving that goal.

In addition, you will be expected to take an active role in providing high quality and innovative teaching in areas of Computer Science according to your experience. We are looking to enhance our teaching in core computer science; both theoretical aspects (such as formal methods, complexity, information theory, theory of programming languages, automated theorem proving/protocol analysis), as well as engineering aspects (such as programming languages, operating systems, distributed computing and software engineering). Interest in developing innovative ways of integrating teaching and research, and linking our teaching with the general computing industry, is particularly welcomed. The Department operates a reduced teaching load policy for new staff to enable their research activities to be established.

Please include in your CV and covering letter two one page statements; One on your research plans and how they will impact on the research profile of the Department and one on the contributions that you can make to teaching in the Department, especially in respect of innovation in delivery and content.