International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

19:17 [Pub][ePrint] An ideal multi-secret sharing scheme based on minimal privileged coalitions , by Yun Song , Zhihui Li

  How to construct an ideal multi-secret sharing scheme for general access structures is difficult. In this paper, we solve an open problem proposed by Spiez et al.recently [Finite Fields and

Their Application, 2011(17) 329-342], namely to design an algorithm of privileged coalitions of any length if such coalitions exist. Furthermore, in terms of privileged coalitions, we show that most of the existing multi-secret sharing schemes based on Shamir threshold secret sharing are not perfect by analyzing Yang et al.\'s scheme and Pang et al.\'s scheme. Finally, based on the algorithm mentioned above, we devise an ideal multi-secret sharing scheme for families of access structures, which possesses more vivid authorized sets than

that of the threshold scheme.

19:17 [Pub][ePrint] Faster index calculus for the medium prime case. Application to a 1175-bit finite field, by Antoine Joux

  Many index calculus algorithms generate multiplicative relations

between smoothness basis elements by using a process called {\\it

Sieving}. This process allows to filter potential candidate

relations very quickly, without spending too much time to consider bad

candidates. However, from an asymptotic point of view, there is not

much difference between sieving and straightforward testing of

candidates. The reason is that even when sieving, some small amount

time is spend for each bad candidates. Thus, asymptotically, the total

number of candidates contributes to the complexity.

In this paper, we introduce a new technique: {\\it Pinpointing}, which

allows us to construct multiplicate relations much faster, thus

reducing the asymptotic complexity of relations\'

construction. Unfortunately, we only know how to implement this

technique for finite fields which contain a medium-sized

subfield. When applicable, this method improves the asymptotic

complexity of the index calculus algorithm in the cases where the sieving

phase dominates. In practice, it gives a very interesting boost to the

performance of state-of-the-art algorithms. We illustrate the

feasability of the method with a discrete logarithm record in a

medium prime finite field of total size 1175~bits.

19:17 [Pub][ePrint] On the (In)security of Fischlin\'s Paradigm, by Prabhanjan Ananth and Raghav Bhaskar and Vipul Goyal and Vanishree Rao

  The Fiat-Shamir paradigm was proposed as a way to remove interaction from 3-round proof of knowledge protocols and derive secure signature schemes. This generic transformation leads to very efficient schemes and has thus grown quite popular. However, this transformation is proven secure only in the random oracle model. In FOCS 2003, Goldwasser and Kalai showed that this transformation is provably insecure in the standard model by presenting a counterexample of a 3-round protocol, the Fiat-Shamir transformation of which is (although provably secure in the random oracle model) insecure in the standard model, thus showing that the random oracle is uninstantiable. In particular, for every hash function that is used to replace the random oracle, the resulting signature scheme is existentially forgeable. This result was shown by relying on the non-black-box techniques of Barak (FOCS 2001).

An alternative to the Fiat-Shamir paradigm was proposed by Fischlin in Crypto 2005. Fischlin\\rq{}s transformation can be applied to any so called 3-round ``Fiat-Shamir proof of knowledge\\rq{}\\rq{} and can be used to derive non-interactive zero-knowledge proofs of knowledge as well as signature schemes. An attractive property of this transformation is that it provides online extractability (i.e., the extractor works without having to rewind the prover). Fischlin remarks that in comparison to the Fiat-Shamir transformation, his construction tries to ``decouple the hash function from the protocol flow\" and hence, the counterexample in the work of Goldwaaser and Kalai does not seem to carry over to this setting.

In this work, we show a counterexample to the Fischlin\'s transformation. In particular, we construct a 3-round Fiat-Shamir proof of knowledge (on which Fischlin\'s transformation is applicable), and then, present an adversary against both - the soundness of the resulting non-interactive zero-knowledge, as well as the unforegeability of the resulting signature scheme. Our attacks are successful except with negligible probability for any hash function, that is used to instantiate the random oracle, provided that there is an apriori (polynomial) bound on the running time of the hash function. By choosing the right bound, secure instantiation of Fischlin transformation with most practical cryptographic hash functions can be ruled out.

The techniques used in our work are quite unrelated to the ones used in the work of Goldwasser and Kalai. Our primary technique is to bind the protocol flow with the hash function if the code of the hash function is available. We believe that our ideas are of independent interest and maybe applicable in other related settings.

19:17 [Pub][ePrint] Hardness Preserving Reductions via Cuckoo Hashing, by Itay Berman and Iftach Haitner and Ilan Komargodski and Moni Naor

  A common method for increasing the usability and uplifting the security of pseudorandom function families (PRFs) is to ``hash\" the inputs into a smaller domain before applying the PRF. This approach, known as ``Levin\'s trick\", is used to achieve ``PRF domain extension\" (using a short, e.g., fixed, input length PRF to get a variable-length PRF), and more recently to transform non-adaptive PRFs to adaptive ones. Such reductions, however, are vulnerable to a ``birthday attack\": after $\\sqrt{|\\mathcal U|}$ queries to the resulting PRF, where $\\mathcal U$ being the hash function range, a collision (i.e., two distinct inputs have the same hash value) happens with high probability. As a consequence, the resulting PRF is insecure against an attacker making this number of queries.

In this work we show how to go beyond the birthday attack barrier, by replacing the above simple hashing approach with a variant of cuckoo hashing --- a hashing paradigm typically used for resolving hash collisions in a table, by using two hash functions and two tables, and cleverly assigning each element into one of the two tables. We use this approach to obtain: (i) A domain extension method that requires just two calls to the original PRF, can withstand as many queries as the original domain size and has a distinguishing probability that is exponentially small in the non cryptographic work. (ii) A security-preserving reduction from non-adaptive to adaptive PRFs.

19:17 [Pub][ePrint] Two Exponentiation Algorithms Resistant to Cross-correlation Power Analysis and to Other Known Attacks, by Yaacov Belenky, Zeev Geyzel, Michael Kara-Ivanov and Avraham Entelis

  In order to prevent the SPA (Simple Power Analysis) attack against modular exponentiation algorithms, a multiply-always implementation is generally used. Witteman et al. introduced in \\cite{WI} a new cross-correlation power analysis attack against the multiply-always implementation. We suggest two new algorithms, resistant to this attack and also to other known attacks.

The first algorithm is an alternative approach to exponentiation algorithms used in cryptography, which usually receive as an input some representation (e.g. binary) of the exponent. In our approach both the exponent and the result are functions (not necessarily easily invertible) of the exponentiation algorithm input. We show that this approach can have a good performance and that it is also resistant to several known attacks, especially to the cross-correlation power analysis. It is particularly relevant for cryptographic schemes in which the private exponent can be chosen arbitrarily.

Another exponentiation algorithm that we present here may be preferable for use with RSA in certain settings. It is resistant to the cross-correlation power analysis attack, C safe error attack, and other attacks; although it involves squaring operations.

16:51 [Job][New] 6-month Internship on Baseband Modem security, Intel Corporation, Hillsboro, Oregon, USA

  Description and Responsibilities:

Embedded platforms comprising SoCs, i.e., Tablets and Smartphones, have become important players in the products offered by Intel. One of the key component of SoC-based platforms is the baseband processor. The goal of this internship is to investigate the threats posed to/by baseband to a phone platform. In this position, you will be a member of the Security Center of Excellence (SeCoE) in the Intel Architecture Group to identify security vulnerabilities in the architecture, design and implementation of future SoC-based products. During this internship, your responsibilities will include but not be limited to:

- Performing the threat analysis of a current baseband processor,

- Driving the investigation of Intel baseband software and hardware for evaluating their security features,

- Researching literature from conferences (e.g.; BlackHat, PacSec) and technical forums to find out relevant attacks.

You will also be developing software and/or hardware solutions to hack the platform.


You must be currently enrolled in a Ph.D or a Master\\\'s degree program in Computer Science, Computer Engineering or Electrical Engineering or equivalent discipline with knowledge of computer security, applied cryptography, computer architecture, hardware design (SystemVerilog or VHDL) and programming (C, Assembly). Demonstrable results in academic projects involving the above areas are essential. Exposure to security threat analysis and knowledge of existing attacks on security of System-on-chip (SoC) based platforms (For example, smartphones) would be highly desirable. Experience with hacking hardware (programming FPGAs, Flash chips etc) will be a plus. Behavioral skills include: solid analytical skills, willingness to tackle complex problems, attention to detail, self-driven, excellent written and verbal communication skills.

16:48 [Event][New] ACNS 2013: 11th International Conference on Applied Cryptography and Network Security

  Submission: 1 February 2013
Notification: 10 April 2013
From June 25 to June 28
Location: Banff, Alberta, Canada
More Information:

16:47 [Event][New] AReS 2013: Eighth International Conference on Availability, Reliability and Security

  Submission: 1 March 2013
Notification: 1 May 2013
From September 2 to September 6
Location: Regensburg, Germany
More Information:

16:47 [Event][New] IWSEC2013: The 8th International Workshop on Security

  Submission: 13 May 2013
Notification: 12 July 2013
From November 18 to November 20
Location: Okinawa, Japan
More Information:

16:46 [Job][New] Post?Doc, Electronic Health Information Laboratory, CHEO Research Institute, Canada, North America

  The Electronic Health Information Laboratory (EHIL) at the Children\\\'s Hospital of Eastern Ontario (CHEO) Research Institute is looking for a Post?Doctoral Fellow responsible for research and development of secure multi?party computation and privacy preserving protocols for applications in the area of health information and medical research.

Candidates should have a Ph.D. in Computer Science, Computer Engineering, Mathematics, Engineering, or a related field, and a strong research track record with journal or conference publications in secure computation and/or privacy preserving statistics and data?mining.

19:17 [Pub][ePrint] Further results on the distinctness of binary sequences derived from primitive sequences modulo square-free odd integers, by Qun-Xiong Zheng and Wen-Feng Qi

  This paper studies the distinctness of primitive sequences over Z/(M) modulo 2, where M is an odd integer that is composite and square-free, and Z/(M) is the integer residue ring modulo M. A new sufficient condition is given for ensuring that primitive sequences generated by a primitive polynomial f(x) over Z/(M) are pairwise distinct modulo 2. Such result improves a recent result obtained in our previous paper [27] and consequently the set of primitive sequences over Z/(M) that can be proven to be distinct modulo 2 is greatly enlarged.