International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] An Accurate Probabilistic Reliability Model for Silicon PUFs, by Roel Maes

  The power of an accurate model for describing a physical process or designing a physical system is beyond doubt. The currently used reliability model for physically unclonable functions (PUFs) assumes an equally likely error for every evaluation of every PUF response bit. This limits an accurate description since experiments show that certain responses are more error-prone than others, but this fixed error rate model only captures average case behavior. We introduce a new PUF reliability model taking this observed heterogeneous nature of PUF cells into account. An extensive experimental validation demonstrates that the new predicted distributions describe the empirically observed data statistics almost perfectly, even considering sensitivity to operational temperature. This allows studying PUF reliability behavior in full detail, including average and worst case probabilities, and is an invaluable tool for designing more efficient and better adapted PUFs and PUF-based systems.

15:17 [Pub][ePrint] An Algebraic Framework for Diffie-Hellman Assumptions, by Alex Escala and Gottfried Herold and Eike Kiltz and Carla R\\`afols and Jorge Villar

  We put forward a new algebraic framework to generalize and

analyze Diffie-Hellman like Decisional Assumptions which allows

us to argue about security and applications by considering only algebraic properties.

Our $D_{\\ell,k}-MDDH$ assumption states that it is hard to decide whether

a vector in $G^\\ell$ is linearly dependent of the columns of some matrix in $G^{\\ell\\times k}$ sampled according to distribution $D_{\\ell,k}$.

It covers known assumptions such as $DDH$, $2-Lin$ (linear assumption), and $k-Lin$ (the $k$-linear assumption).

Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in $m$-linear groups to the irreducibility of certain polynomials which describe the output of $D_{\\ell,k}$.

We use the hardness results to find new distributions for which the $D_{\\ell,k}-MDDH$-Assumption holds generically in $m$-linear groups.

In particular, our new assumptions $2-SCasc$ and $2-ILin$ are generically hard in bilinear groups and, compared to $2-Lin$, have shorter description size, which is a relevant parameter for efficiency in many applications.

These results support using our new assumptions as natural replacements for the $2-Lin$ Assumption which was already used in a large number of applications.

To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any $MDDH$-Assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash-proof systems, pseudo-random functions, and Groth-Sahai NIZK and NIWI proofs.

As an independent contribution we give more efficient NIZK and NIWI proofs for membership in a subgroup of $G^\\ell$, for validity of ciphertexts and for equality of plaintexts. The results imply very significant efficiency improvements for a large number of schemes, most notably Naor-Yung type of constructions.

15:17 [Pub][ePrint] A note on quantum related-key attacks, by Martin Roetteler and Rainer Steinwandt

  In a basic related-key attack against a block cipher, the adversary has access to encryptions under keys that differ from the target key by bit-flips. In this short note we show that for a quantum adversary such attacks are quite powerful: if the secret key is (i) uniquely determined by a small number of plaintext-ciphertext pairs, (ii) the block cipher can be evaluated efficiently, and (iii) a superposition of related keys can be queried, then the key can be extracted efficiently.

15:17 [Pub][ePrint] Delegatable Pseudorandom Functions and Applications, by Aggelos Kiayias and Stavros Papadopoulos and Nikos Triandopoulos and Thomas Zacharias

  We put forth the problem of delegating the evaluation of a

pseudorandom function (PRF) to an untrusted proxy. A {\\em delegatable PRF}, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secret-key. PRF delegation is

\\emph{policy-based}: the trapdoor is constructed with respect to a

certain policy that determines the subset of input values which the

proxy is allowed to compute. Interesting DPRFs should achieve

\\emph{low-bandwidth delegation}: Enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed.

The main challenge in constructing DPRFs is in maintaining the

pseudorandomness of unknown values in the face of an attacker that

adaptively controls proxy servers. A DPRF may be optionally equipped

with an additional property we call \\emph{policy privacy}, where any

two delegation predicates remain indistinguishable in the view of a

DPRF-querying proxy: Achieving this raises new design challenges as

policy privacy and efficiency are seemingly conflicting goals.

For the important class of policies described as (1-dimensional)

\\emph{ranges}, we devise two DPRF constructions and rigorously prove

their security. Built upon the well-known tree-based GGM PRF

family~\\cite{GGM86}, our constructions are generic and feature only

logarithmic delegation size in the number of values conforming to the

policy predicate. At only a constant-factor efficiency reduction, we

show that our second construction is also policy private. As we

finally describe, their new security and efficiency properties render

our delegated PRF schemes particularly useful in numerous security

applications, including RFID, symmetric searchable encryption, and

broadcast encryption.

15:17 [Pub][ePrint] Comments on Three Multi-Server Authentication Protocols, by Yalin Chen 1, *Jue-Sam Chou2, Wen-Yi Tsai 3

  Recently, Tsai et al., Liao et al. and Li et al. each proposed a multi-server authentication protocol. They claimed their protocols are secure and can withstand various attacks. However, we found some security loopholes in each of their schemes, for example, both Tsai et al.\'s and Liao et al.\'s schemes suffers from server spoofing attack by an insider server. Li et al.s\' suffers from the lost smart card password-guessing attack. In addition, Liao et al.\'s scheme also has the off-line password-guessing attack. In this paper, we will first review then show the attacks on each of the schemes. Then, based on Li et al.\'s scheme, we proposed a novel one and examined its security in several security features. After security analysis, we concluded that our protocol outperformed Li et al.\'s scheme in the security feature of lost smart card password-guessing attack.

Keywords: multi-server, password authentication protocol

11:22 [Job][New] Senior Scientist Medical Security, Philips Research Europe, Netherlands-North Brabant-Eindhoven

  Your responsibilities:

-Carry out industrial research in medical security and informatics, enlarging relevant knowledge and bringing-in new knowledge;

-Pro-actively make knowledge available for operational use within Philips, such as to contribute to successful transfers of research results to the customer;

-Keep abreast of technical, application and market developments in the relevant technological and industrial areas, showing interest in the business aspects;

-Contribute to the definition of the group\\\'s research program

Contribute pro-actively to a creative and inspiring working environment;

More specifically:

-You perform independent research, define and lead projects in the area of security. The results of your work are adopted by the Philips Healthcare businesses and translated into successful products. You maintain and build close contacts with Philips Healthcare businesses and contribute to the strategy of the research group.

-You create technologies that ensure the security of Philips Healthcare products and services. In addition you contribute security specifications to international standards. You have a full understanding of the state-of-the-art and create original contributions. Important research questions include specification and enforcement of security policies, cloud computing security, authorization and authentication as well as security/risk analysis of specific systems.

-External exposure (for example by means of scientific publications) and external collaborations (for example with universities or in the context of European research projects) are highly encouraged.

Organization description:

Ideal candidate has:

-A PhD in a relevant area (information security and/or cryptography).

-preferably 5 years of preferably applied research experience in the domain of medical security

21:17 [Pub][ePrint] Achieving the limits of the noisy-storage model using entanglement sampling, by Frédéric Dupuis and Omar Fawzi and Stephanie Wehner

  A natural measure for the amount of quantum information that a physical system $E$ holds about another system $A = A_1,...,A_n$ is given by the min-entropy $\\hmin(A|E)$. Specifically, the min-entropy measures the amount of entanglement between $E$ and $A$, and is the relevant measure when analyzing a wide variety of problems ranging from randomness extraction in quantum cryptography, decoupling used in channel coding, to physical processes such as thermalization or the thermodynamic work cost (or gain) of erasing a quantum system. As such, it is a central question to determine the behaviour of the min-entropy after some process M is applied to the system $A$. Here we introduce a new generic tool relating the resulting min-entropy to the original one, and apply it to several settings of interest, including sampling of subsystems and measuring in a randomly chosen basis.

The results on random measurements yield new high-order entropic uncertainty relations with which we prove the optimality of cryptographic schemes in the bounded quantum storage model. This is an abridged version of the paper; the full version containing all proofs and further applications can be found in \\cite{DFW13}.

21:17 [Pub][ePrint] Linearly Homomorphic Structure-Preserving Signatures and Their Applications, by Benoit Libert and Thomas Peters and Marc Joye and Moti Yung

  Structure-preserving signatures (SPS) are signature schemes where messages, signatures and public keys all consist of elements of a group over which a bilinear map is efficiently computable. This property makes them useful in cryptographic protocols as they nicely compose with other algebraic tools (like the celebrated Groth-Sahai proof systems). In this paper, we consider SPS systems with homomorphic properties and suggest applications that have not been provided before (in particular, not by employing ordinary SPS). We build linearly homomorphic structure-preserving signatures under simple assumptions and show that the primitive makes it possible to verify the calculations performed by a server on outsourced encrypted data (i.e., combining secure computation and authenticated computation to allow reliable and secure cloud storage and computation, while freeing the client from retaining cleartext storage). Then, we give a generic construction of non-malleable (and actually simulation-sound) commitment from any linearly homomorphic SPS. This notably provides the first constant-size non-malleable commitment to group elements.

21:17 [Pub][ePrint] A Fast Implementation of the Optimal Ate Pairing over BN curve on Intel Haswell Processor, by Shigeo MITSUNARI

  We present an efficient implementation of the Optimal Ate Pairing on Barreto-Naehrig

curve over a 254-bit prime field on Intel Haswell processor.

Our library is able to compute the optimal ate pairing over a 254-bit prime field,

in just 1.17 million of clock cycles on a single core of an Intel Core i7-4700MQ(2.4GHz)

processor with TurboBoost technology disabled.

21:17 [Pub][ePrint] A New Class of Public Key Cryptosystems Constructed Based on Reed-Solomon Codes, K(XII)SE(1)PKC. -- Along with a presentation of K(XII)SE(1)PKC over the extension field extensively used for present da

  In this paper, we present a new class of public key cryptosystem based on Reed-Solomon codes, a member of the code based PKC(CBPKC), referred to as K(XII)SE(1)PKC. We show that K(XII)SE(1)PKC can be secure against the various attacks. Particularly we present a member of K(XII)SE(1)PKC constructed based on the Reed-Solomon code over the extension field , which is extensively used in the present day storage systems and the various digital transmission systems. In a sharp contrast with the conventional CBPKC that uses Goppa code, in K(XII)SE(1)PKC, we do not care for the security of the primitive polynominal that generates the Reed-Solomon code.The probabilistic scheme presented in this paper would yield a brand-new technique in the field of CBPKC.

21:17 [Pub][ePrint] On the Achievability of Simulation-Based Security for Functional Encryption, by Angelo De Caro and Vincenzo Iovino Abhishek Jain and Adam O\'Neill and Omer Paneth and Giuseppe Persiano

  This work attempts to clarify to what extent simulation-based security (SIM-security) is achievable for functional encryption (FE) and its relation to the weaker indistinguishability-based security (IND-security). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by circuit-FE) meeting indistinguishability-based security (IND-security) to a circuit-FE scheme meeting SIM-security, where:


\\item In the random oracle model, the resulting scheme is secure for an unbounded number of encryption and key queries, which is the strongest security level one can ask for.

\\item In the standard model, the resulting scheme is secure for a bounded number of encryption and non-adaptive key queries, but an \\emph{unbounded} number of adaptive key queries. This matches known impossibility results and improves upon Gorbunov et al. [CRYPTO\'12] (which is secure for a \\emph{bounded} number of adaptive key queries).


Our compiler is inspired by the celebrated Fiat-Lapidot-Shamir paradigm [FOCS\'90] for obtaining zero-knowledge proof systems from witness-indistinguishable proof systems.

As it is currently unknown whether circuit-FE meeting IND-security exists, the purpose of this result is to establish that it remains a good target for future research despite known deficiencies of IND-security [Boneh et al. -- TCC\'11, O\'Neill -- ePrint \'10].

We also give a tailored construction of SIM-secure hidden vector encryption (HVE) in composite-order bilinear groups.

Finally, we revisit the known negative results for SIM-secure FE, extending them to natural weakenings of the security definition and thus providing essentially a full picture of the (in)achievability of SIM-secure FE.