International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation, by Shweta Agrawal and Vipul Goyal and Abhishek Jain and Manoj Prabhakaran and Am

  We consider the client-server setting for the concurrent composition of secure protocols: in this setting, a single server interacts with multiple clients concurrently, executing with each client a specified protocol where only the client should receive any nontrivial output. Such a setting is easily motivated from an application standpoint. There are important special cases for which positive results are known - such as concurrent zero knowledge protocols - and it has been an open question explicitly asked, for instance, by Lindell [J. Cryptology\'08] - whether other natural functionalities such as Oblivious Transfer (OT) are possible in this setting.

In this work:

1. We resolve this open question by showing that unfortunately, even in this very limited concurrency setting, broad new impossibility results hold, ruling out not only OT, but in fact all nontrivial asymmetric functionalities. Our new negative results hold even if the inputs of all honest parties are fixed in advance, and the adversary receives no auxiliary information.

2. Along the way, we establish a new unconditional completeness result for asymmetric functionalities, where we characterize functionalities that are non-interactively complete secure against active adversaries. When we say that a functionality F is non-interactively complete, we mean that every other asymmetric functionality can be realized by parallel invocations of several copies of F, with no other communication in any direction. Our result subsumes a completeness result of Kilian [STOC\'00] that uses protocols which require additional interaction in both directions.

15:17 [Pub][ePrint] Resource-based Corruptions and the Combinatorics of Hidden Diversity, by Juan Garay and David Johnson and Aggelos Kiayias and Moti Yung

  In the setting of cryptographic protocols, the corruption of a party has traditionally been viewed as a simple, uniform and atomic operation, where the adversary decides to get control over a party and this party immediately gets corrupted. In this paper, motivated by the fact that different players may require different resources to get corrupted, we put forth the notion of {\\em resource-based corruptions}, where the adversary must invest some resources in order to do so.

If the adversary has full information about the system configuration then resource-based corruptions would provide no fundamental difference from the standard corruption model. However, in a resource ``anonymous\'\' setting, in the sense that such configuration is hidden from the adversary, much is to be gained in terms of efficiency and security.

We showcase the power of such {\\em hidden diversity} in the context of secure multiparty computation (MPC) with resource-based corruptions and prove that it can effectively be used to circumvent known impossibility results. Specifically, if $OPT$ is the corruption budget that violates the completeness of MPC (the case when half or more of the players are corrupted), we show that if hidden diversity is available, the completeness of MPC can be made to hold against an adversary with as much as a $B\\cdot OPT$ budget, for any constant $B>1$. This result requires a suitable choice of parameters (in terms of number of players and their hardness to corrupt), which we provide and further prove other tight variants of the result when the said choice is not available. Regarding efficiency gains, we show that hidden diversity can be used to force the corruption threshold to drop from 1/2 to 1/3, in turn allowing the use of much more efficient (information-theoretic) MPC protocols.

We achieve the above through a series of technical contributions:

o The modeling of the corruption process in the setting of cryptographic protocols through {\\em corruption oracles} as well as the introduction of a notion of reduction to relate such oracles;

o the abstraction of the corruption game as a combinatorial problem and its analysis; and, importantly,

o the formulation of the notion of {\\em inversion effort preserving} (IEP) functions which is a type of direct-sum property, and the property of {\\em hardness indistinguishability}. While hardness indistinguishability enables the dissociation of parties\' identities and the resources needed to corrupt them, IEP enables the discretization of adversarial work into corruption tokens,

all of which may be of independent interest.

05:31 [Event][New] CCH: 14th Cryptologic History Symposium

  Submission: 1 February 2013
Notification: 1 June 2013
From October 10 to October 11
Location: Laurel, Maryland, USA
More Information:

05:12 [Job][New] Senior Principal Engineer- Secure Hardware Design , Cryptography Research Inc. (CRI) San Francisco, California


• Serve as a highly visible industry expert on tamper-resistance and DPA countermeasures

• Design and implement DPA-resistant hardware blocks suitable for a variety of applications and device form factors

• Guide customers implementing DPA countermeasures and tamper resistance into their products and systems

• Consult with customers regarding their DPA-resistance certification needs

• Develop tools and training material around methodologies for DPA resistant hardware design

• Author whitepapers and technical papers related to tamper resistance, side-channel analysis and countermeasures

• Provide customer training on DPA


• 8+ years of experience in tamper resistant hardware design and at least 5 years of experience in developing DPA resistant hardware and products that use algorithms such as DES, 3DES, AES, RSA and ECC.

• Deep knowledge of the statistics of DPA, sources of information leakage in hardware and engineering tradeoffs between different countermeasure choices

• Experience with getting multiple products evaluated for DPA resistance at EAL 5+

• External recognition as an expert in the area of tamper resistance, side-channel analysis and countermeasures, via publications, industry panels, contributions to standards working groups, etc.

• Very high degree of skill with Verilog (or VHDL) and digital design

• In depth understanding of front-end ASIC design flows, including design, simulation, synthesis and timing analysis

• Hardware development experience in UNIX/Linux environments, and with shell/perl scripting

• Excellent interpersonal, presentation and documentation skills

• MS/Ph.D in Electrical Engineering

Pluses: Experience in the following areas

• Mixed mode and analog simulations for assessing DPA resistance at the design stage

• Develo

05:12 [Job][New] Senior Member Technical Staff II-Security Engineering, Cryptography Research Inc. (CRI) San Francisco,California

  Responsibilities for this position include:

• Using, enhancing and developing cutting edge analysis techniques to perform side-channel leakage assessments of customer products and prototypes across a wide range of form factors and algorithms

• Documenting and/or publishing innovations in side-channel analysis and staying current with analysis techniques developed by other researchers

• Incorporating new analysis techniques and tools into CRI’s DPA Workstation product

• DPA Training: Instruct existing and prospective DPA countermeasure licensees and DPA workstation customers on topics related to DPA

• Authoring whitepapers, training material and tutorials on side-channel analysis and countermeasures

Qualifications: Education, Experience, Skills, Etc.


• MS/Ph.D in Electrical Engineering or Computer Science

• 3+ years experience in performing DPA on a range of real-world systems, form factors and algorithms, including experience with developing DPA test fixtures for embedded devices, setting up scopes and measurement apparatus, and applying signal processing and DPA techniques on the collected traces

• Exceptional C/C++ skills, working knowledge of Matlab or other signal processing tools, knowledge of multiple scripting languages

• Good written, oral and presentation skills – this position will require technical interactions with customers


• A strong record of scientific publications in the area of side-channel analysis and countermeasures and tamper resistance

• Experience with DPA-resistance certification

• Background in cryptography, tamper resistance (including fault analysis), signal processing or statistics

• Experience with embedded systems

06:17 [Pub][ePrint] Faster Pairing Computation on Jacobi quartic Curves with High-Degree Twists, by Liangze Li and Hongfeng Wu and Fan Zhang

  In this paper, we propose an elaborate geometric approach to explain the group law on Jacobi quartic curves which are seen as the intersection of two quadratic surfaces in space. Using the geometry

interpretation we construct the Miller function. Then we present explicit formulae for the addition and doubling steps in Miller\'s algorithm to compute Tate pairing on Jacobi quartic curves. Both the addition step and doubling step of our formulae for Tate pairing computation on Jacobi curves are faster than previously proposed ones.

Finally, we present efficient formulas for Jacobi quartic curves with twists of degree 4 or 6. For twists of degree 4, both the addition steps and doubling steps in our formulas are faster than the fastest result on Weierstrass curves. For twists of degree 6, the addition steps of our formulae are faster than the fastest result on Weierstrass curves.

15:17 [Pub][ePrint] Rotational cryptanalysis of round-reduced Keccak, by Pawel Morawiecki and Josef Pieprzyk and Marian Srebrny

  In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST\'s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-f[1600] permutation --- the main building block of Keccak hash function.

15:17 [Pub][ePrint] Constrained Search for a Class of Good S-Boxes with Improved DPA Resistivity, by Bodhisatwa Mazumdar and Debdeep Mukhopadhyay and Indranil Sengupta

  In FSE 2005, \\emph{transparency order} was proposed as a parameter

for the robustness of S-boxes to \\emph{Differential Power Analysis} (DPA):lower \\emph{transparency order} implying more resistance. However most cryptographically strong Boolean functions have been found to have high \\emph{transparency order}. Also it is a difficult problem to search for Boolean functions which are strong cryptographically, and yet have low \\emph{transparency order}, the total search space for $(n,n)$-bit Boolean functions being as large as $n2^{2^n}$. In this paper we characterize \\emph{transparency order} for various classes of Boolean functions by computing the upper and lower bounds of \\emph{transparency order} for both

even and odd numbers of variables. The transparency order is defined in terms of \\emph{diffusion} properties of the structures of Boolean functions namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of S-box for which bias of probability of S-box output bit deviates from the value of 0.5. The \\emph{transparency order} is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of \\emph{propagation characteristics}, \\emph{autocorrelation

spectra} of the S-box function $F$ is a more qualifying candidate in deciding the characteristics of \\emph{transparency order}. The relations developed to characterize \\emph{transparency order} aid in our constrained random generation and search of a class of

balanced $8\\times8$ S-boxes with \\emph{transparency order} upper bounded by 7.8, \\emph{nonlinearity} in range $(104,110)$ and \\emph{absolute indicator values} of \\emph{GAC}

in range $(48,88)$.

15:17 [Pub][ePrint] New Non-Interactive Zero-Knowledge Subset Sum, Decision Knapsack And Range Arguments, by Helger Lipmaa and Bingsheng Zhang

  We propose two basic NIZK arguments, one for Hadamard product of two vectors, and another one for a shift of a vector. The first argument is based on the corresponding argument of Lipmaa (TCC 2012), but makes use of Fast Fourier Transform and Pippenger\'s multi-exponentiation algorithm to achieve quasilinear (as opposed quadratic) computational complexity. The shift argument seems to be novel.

Based on the new basic arguments, we propose a NIZK argument for subset sum. This seems to be the only known (direct) sublinear NIZK argument for some other NP-complete language than Circuit-SAT\\@. Moreover, it is significantly more efficient than the known sublinear Circuit-SAT arguments by Groth (Asiacrypt 2010) and Lipmaa. In addition, we show that the new arguments can be used to speed up the recent range argument by Chaabouni, Lipmaa and Zhang (FC 2012). Finally, we combine the subset sum argument and the range argument to propose a direct sublinear NIZK argument for another NP-complete language, decision knapsack.

15:17 [Pub][ePrint] Faster batch forgery identification, by Daniel J. Bernstein and Jeroen Doumen and Tanja Lange and Jan-Jaap Oosterwijk

  Batch signature verification detects whether a batch of signatures contains any forgeries. Batch forgery identification pinpoints the location of each forgery. Existing forgery-identification schemes vary in their strategies for selecting subbatches to verify (individual checks, binary search, combinatorial designs, etc.) and in their strategies for verifying subbatches. This paper exploits synergies between these two levels of strategies, reducing the cost of batch forgery identification for elliptic-curve signatures.

15:17 [Pub][ePrint] Dynamic Proofs of Retrievability via Oblivious RAM, by David Cash and Alptekin Kupcu and Daniel Wichs

  Proofs of retrievability allow a client to store her data on a remote server (``in the cloud\'\') and periodically execute an efficient audit protocol to check that all of the data is being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass.

Starting with the work of Juels and Kaliski (CCS \'07), all prior solutions to this problem crucially assume that the client data is static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to `lose\' any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient.

Overcoming this limitation was left as the main open problem by all prior works.

In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols is only polylogarithmic in the size of the client\'s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data lock are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.