International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] Hierarchical Identity-Based (Lossy) Trapdoor Functions, by Alex Escala and Javier Herranz and Benoit Libert and Carla Rafols

  Lossy trapdoor functions, introduced by Peikert and Waters (STOC\'08), have received a lot of attention in the last years, because of their wide range of applications in theoretical cryptography. The notion has been recently extended to the identity-based setting by Bellare \\textit{et al.} (Eurocrypt\'12). We provide one more step in this direction, by considering the notion of hierarchical identity-based (lossy) trapdoor functions (HIB-TDFs). Hierarchical identity-based cryptography has proved very useful both for practical applications and to establish theoretical relations with other cryptographic primitives.

The notion of security for IB-TDFs put forward by Bellare \\textit{et al.} easily extends to the hierarchical scenario, but an (H)IB-TDF secure in this sense is not known to generically imply other related primitives with security against adaptive-id adversaries, not even IND-ID-CPA secure encryption. Our first contribution is to define a new security property for (H)IB-TDFs. We show that functions satisfying this property imply secure cryptographic primitives in the adaptive identity-based setting: these include encryption schemes with semantic security under chosen-plaintext attacks, deterministic encryption schemes, and (non-adaptive) hedged encryption schemes that maintain some security when messages are encrypted using randomness of poor quality. We emphasize that some of these primitives were unrealized in the (H)IB setting previous to this work.

As a second contribution, we describe the first pairing-based HIB-TDF realization. This is also the first example of hierarchical trapdoor function based on traditional number theoretic assumptions: so far, constructions were only known under lattice assumptions. Our HIB-TDF construction is based on techniques that differ from those of Bellare {\\it et al.} in that it uses a

hierarchical predicate encryption scheme as a key ingredient. The resulting HIB-TDF is proved to satisfy the new security definition, against either selective or, for hierarchies of constant depth, adaptive adversaries. In either case, we only need the underlying predicate encryption system to be selectively secure.

15:17 [Pub][ePrint] Scalable Deniable Group Key Establishment, by Kashi Neupane and Rainer Steinwandt and Adriana Suarez Corona

  The popular Katz-Yung compiler from CRYPTO 2003 can be used to transform unauthenticated group key establishment protocols into authenticated ones. In this paper we present a modication of Katz and Yung\'s construction which maintains the round complexity of their compiler, but for \"typical\" unauthenticated group key establishments adds authentication in such a way that deniability is achieved as well. As an application, a deniable authenticated group key establishment with three rounds of communication can be constructed.

15:17 [Pub][ePrint] On pseudorandomization of information-theoretically secure schemes without hardness assumptions, by Koji Nuida

  A recent work by Nuida and Hanaoka (in ICITS 2009) provided a proof technique for security of information-theoretically secure cryptographic schemes in which the random input tape is implemented by a pseudorandom generator (PRG). In this paper, we revisit their proof technique and generalize it by introducing some trade-off factor, which involves the original proof technique as a special case and provides a room of improvement of the preceding result. Secondly, we consider two issues of the preceding result; one is the requirement of some hardness assumption in their proof; another is the gap between non-uniform and uniform computational models appearing when transferring from the exact security formulation adopted in the preceding result to the usual asymptotic security. We point out that these two issues can be resolved by using a PRG proposed by Impagliazzo, Nisan and Wigderson (in STOC 1994) against memory-bounded distinguishers, instead of usual PRGs against time-bounded distinguishers. We also give a precise formulation of a computational model explained by Impagliazzo et al., and by using this, perform a numerical comparison showing that, despite the significant advantage of removing hardness assumptions, our result is still better than, or at least competitive to, the preceding result from quantitative viewpoints. The results of this paper would suggest a new motivation to use PRGs against distinguishers with computational constraints other than time complexity in practical situations rather than just theoretical works.

15:17 [Pub][ePrint] Succinct Malleable NIZKs and an Application to Compact Shuffles, by Melissa Chase and Markulf Kohlweiss and Anna Lysyanskaya and Sarah Meiklejohn

  Depending on the application, malleability in cryptography can be viewed as either a flaw or -- especially if sufficiently understood and restricted -- a feature. In this vein, Chase, Kohlweiss, Lysyanskaya, and Meiklejohn recently defined malleable zero-knowledge proofs, and showed how to control the set of allowable transformations on proofs. As an application, they construct the first compact verifiable shuffle, in which one such controlled-malleable proof suffices to prove the correctness of an entire multi-step shuffle.

Despite these initial steps, a number of natural open problems remain: (1) their construction of controlled-malleable proofs relies on the inherent malleability of Groth Sahai proofs and is thus not based on generic primitives; (2) the classes of allowable transformations they can support are somewhat restrictive; and (3) their construction of a compactly verifiable shuffle has proof size O(N^2 + L) (where N is the number of votes and L is the number of mix authorities), whereas in theory such a proof could be of size O(N + L).

In this paper, we address these open problems by providing a generic construction of controlled- malleable proofs using succinct non-interactive arguments of knowledge, or SNARGs for short. Our construction has the advantage that we can support a very general class of transformations (as we no longer rely on the transformations that Groth-Sahai proofs can support), and that we can use it to obtain a proof of size O(N + L) for the compactly verifiable shuffle.

15:17 [Pub][ePrint] Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices, by Josep Balasch and Baris Ege and Thomas Eisenbarth and Benoit Gérard and Zheng Gong and Tim Güneysu and Stefa

  The pervasive diffusion of electronic devices in security and privacy sensitive applications has boosted research in cryptography. In this context, the study of lightweight algorithms has been a very active direction over the last years. In general, symmetric cryptographic primitives are good candidates for low-cost implementations. For example, several previous works have investigated the performances of block ciphers on various platforms. Motivated by the recent SHA3 competition, this paper extends these studies to another family of cryptographic primitives, namely hash functions. We implemented different algorithms on an ATMEL AVR ATtiny45 8-bit microcontroller, and provide their performance evaluation using different figures. All the implementations were carried out with the goal of minimizing the code size and memory utilization, and evaluated using a common interface. As part of our contribution, we additionally decided to make all the corresponding source codes available on a web page, under an open-source license. We hope that this paper provides a good basis for researchers and embedded system designers who need to include more and more functionalities in next generation smart devices.

15:17 [Pub][ePrint] On the (Im)Plausibility of Constant-Round Public-Coin Straight-Line-Simulatable Zero-Knowledge Proofs, by Yi Deng and Juan Garay and San Ling and Huaxiong Wang and Moti Yung

  In 2001, a breakthrough result by Barak [FOCS 2001] showed how to

achieve public-coin zero-knowledge (ZK) arguments in constant rounds,

a feature known to be impossible using black-box simulation. In this

approach, the simulator makes use of the code of the malicious

verifier in computing the prover messages (albeit without

understanding it), and does not rewind the malicious verifier---and it

is hence called a \\emph{straight-line} simulator.

Since then, however, we have witnessed little progress on the basic

question whether Barak\'s technique can be extended to ZK {\\em proof}

systems. In this paper we make progress on this front, by providing

strong evidence that such an extension is far from likely.

Specifically, we show that for a natural class of constant-round

public-coin ZK proofs (which we call ``canonical,\'\' as all known

non-black-box ZK protocols fall in this category), a straight-line

simulator based on the known non-black-box technique for such a proof

system can actually be used to solve a seemingly unrelated problem,

namely, to figure out some non-trivial property of a verifier\'s

program, and {\\em without executing the targe code}, a problem

commonly viewed as notoriously hard.

A key tool in our reduction is an improved structure-preserving

version of the well-known Babai-Moran Speedup (derandomization)

Theorem, which essentially says that, for a constant-round public-coin

interactive proof system in which the verifier sends $m$ messages and

each of the prover messages is of length $p$, if the cheating

probability for an unbounded prover is $\\epsilon$, then there exist

$(p/O(\\log \\frac{1}{\\epsilon}))^m$ verifier random tapes such that the

cheating probability for the unbounded prover over these random tapes

is bounded away from 1---and this holds even when the prover knows

this small set of random tapes in advance. (In our setting, the

original Babai-Moran theorem yields a much larger size ($(O(p))^m$) of

such set of verifier random tapes.) In addition, we show that this is

tight with respect to round complexity, in the sense that there are

public-coin proof systems with a super-constant number of rounds for

which the prover\'s cheating probability is $1$, over any polynomial

number of verifier random tapes.

Finally, although the notion of straight-line simulation is

intuitively clear and has been used several times in the literature,

we are not aware of a formal definition of the process, perhaps due to

the fact that thoroughly defining (as well as enforcing) ``executing

the verifier only once\'\' does not appear to be straightforward. The

notion of {\\em generalized straight-line simulation} that we introduce

not only overcomes those obstacles, but enables us to expose the

limitations of the currently known non-black-box techniques.

15:17 [Pub][ePrint] On 3-share Threshold Implementations for 4-bit S-boxes, by Sebastian Kutzner and Phuong Ha Nguyen and Axel Poschmann and Huaxiong Wang

  One of the most promising lightweight hardware countermeasures against SCA attacks is the so-called Threshold Implementation (TI) countermeasure. In this work we resolve many of the remaining open issues towards it\'s applicability. In particular, our contribution is

three-fold: first we define which optimal (from a cryptographic point of view)

S-boxes can be implemented with a 3-share TI. Second, we

introduce two methodologies to efficiently implement

these S-boxes. Third, as an example, we successfully apply these

methodologies to PRESENT and are able to decrease the area requirements of its protected S-box

by 57\\%.

15:17 [Pub][ePrint] Enabling 3-share Threshold Implementations for any 4-bit S-box, by Sebastian Kutzner and Phuong Ha Nguyen and Axel Poschmann

  Threshold Implementation (TI) is an elegant and widely accepted countermeasure against

1-st order Differential Power Analysis (DPA) in Side Channel

Attacks. The 3-share TI is the most efficient version of TI,

but so far, it can only be applied to 50\\% of all 4-bit S-boxes.

In this paper, we study the limitations of decomposition and introduce factorization

to enable the 3-share TI for any optimal 4-bit

S-box. We propose an algorithm which can decompose any optimal 4-bit

S-box to quadratic vectorial boolean functions with a time complexity of $2^{19}$.

Furthermore, we use our new methodology in combination with decomposition to optimize ciphers utilizing many different

S-boxes, and,

to highlight the strength of our new methodology, we construct a 3-share Threshold Implementation of SERPENT which was believed to be not possible until now. Last, we show how to implemented all SERPENT S-boxes with only one mutual core.

15:17 [Pub][ePrint] Entangled Cloud Storage, by Giuseppe Ateniese and Özgür Dagdelen and Ivan Damgard and Daniele Venturi

  Entangled cloud storage enables a set of clients {P_i} to \"entangle\" their files {f_i} into a single clew c to be stored by a (potentially malicious) cloud provider S. The entanglement makes it impossible to modify or delete significant part of the clew without affecting all files in c. A clew keeps the files in it private but still lets each client P_i recover his own data by interacting with S; no cooperation from other clients is needed. At the same time, the cloud provider is

discouraged from altering or overwriting any significant part of c as this will imply that none of the clients can recover their files.

We provide theoretical foundations for entangled cloud storage, introducing the notion of an entangled encoding scheme that guarantees strong security requirements capturing the properties above. We also give a concrete construction based on privacy-preserving polynomial interpolation, along with protocols for using the encoding scheme in practice.

Protocols for cloud storage find application in the cloud setting, where clients store their files on a remote server and need to be ensured that the cloud provider will not delete their data illegitimately. Current solutions, e.g., based on Provable Data Possession and Proof of Retrievability, catch a malicious server \"after-the-fact\", meaning that the server needs to be challenged regularly to provide evidence that the clients\' files are stored at a given time.

Entangled storage makes all clients equal and with the same rights: It makes it financially inconvenient for a cloud provider to alter specific files and exclude certain \"average\" customers, since doing so would undermine all customers in the system, even those considered \"important\" and, thus, profitable. Therefore, entangled storage schemes offer security \"before-the-fact\".

15:17 [Pub][ePrint] Constant-Overhead Secure Computation for Boolean Circuits in the Preprocessing Model, by Ivan Damgard and Sarah Zakarias

  We present a protocol for securely computing a Boolean circuit $C$ in presence of a dishonest and malicious majority. The protocol is unconditionally secure, assuming access to a preprocessing functionality that is not given the inputs to compute on. For a large number of players the work done by each player is the same as the work needed to compute the circuit in the clear, up to a constant factor. Our protocol is the first to obtain these properties for Boolean circuits. On the technical side, we develop new homomorphic authentication schemes based on asymptotically good codes with an additional multiplication property. We also show a new algorithm for verifying the product of Boolean matrices in quadratic time with exponentially small error probability, where previous methods would only give a constant error.

15:17 [Pub][ePrint] Commitments and Efficient Zero-Knowledge Proofs from Hard Learning Problems, by Abhishek Jain and Stephan Krenn and Krzysztof Pietrzak and Aris Tentes

  We construct a perfectly binding string commitment scheme whose security is based on the learning parity with noise ($\\LPN$) assumption, or equivalently, the hardness of decoding random linear codes. Our scheme not only allows for a simple and efficient zero-knowledge proof of knowledge for committed values (essentially a $\\Sigma$-protocol), but also for such proofs showing any kind of relation amongst committed values, i.e. proving that messages $\\vm_0,\\ldots,\\vm_u$, are such that $\\vm_0=C(\\vm_1,\\ldots,\\vm_u)$ for any circuit $C$.

To get soundness which is exponentially small in a security parameter $t$, and when the zero-knowledge property relies on the LPN problem with secrets of length $\\ell$, our $3$ round protocol has communication complexity $\\bigO(t|C|\\ell\\log(\\ell))$ and computational complexity of $\\bigO(t|C|\\ell)$ bit operations. The hidden constants are small, and the computation consists mostly of computing inner products of bit-vectors.