International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

19:17 [Pub][ePrint] An Approach to Reduce Storage for Homomorphic Computations, by Jung Hee Cheon and Jinsu Kim

  We introduce a hybrid homomorphic encryption by combining public key encryption (PKE) and somewhat homomorphic encryption (SHE) to reduce storage for most applications of somewhat or fully homomorphic encryption (FHE). In this model, one encrypts messages with a PKE and computes on encrypted data using a SHE or a FHE after homomorphic decryption.

To obtain efficient homomorphic decryption, our hybrid schemes is constructed by combining IND-CPA PKE schemes without complicated message paddings with SHE schemes with large integer message space. Furthermore, we remark that if the underlying PKE is multiplicative on a domain closed under addition and multiplication, this scheme has an important advantage that one can evaluate a polynomial of arbitrary degree without recryption.

We propose such a scheme by concatenating ElGamal and Goldwasser-Micali scheme over a ring $\\Z_N$ for a composite integer $N$ whose message space is $\\Z_N^\\times$.

To be used in practical applications, homomorphic decryption of the base PKE is too expensive. We accelerate the homomorphic evaluation of the decryption by introducing a method to reduce the degree of exponentiation circuit at the cost of additional public keys. Using same technique, we give an efficient solution to the open problem~\\cite{KLYC13} partially.

As an independent interest, we obtain another generic conversion method from private key SHE to public key SHE. Differently from Rothblum~\\cite{RothTCC11}, it is free to choose the message space of SHE.

19:17 [Pub][ePrint] Ambiguous One-Move Nominative Signature Without Random Oracles, by Dennis Y. W. Liu and Duncan S. Wong and Qiong Huang

  Nominative Signature is a useful tool in situations where a signature has to be created jointly by two parties, a nominator (signer) and a nominee (user), while only the user can verify and prove to a third party about the validity of the signature. In this paper, we study the existing security models of nominative signature and show that though the existing models have captured the essential security requirements of nominative signature in a strong sense, especially on the unforgeability against malicious signers/users and invisibility, they are yet to capture a requirement regarding the privacy of the signer and the user, and this requirement has been one of the original ones since the notion of nominative signature was first introduced. In particular, we show that it is possible to build a highly efficient nominative signature scheme which can be proven secure in the existing security models, while in practice it is obvious to find out from the component(s) of a nominative signature on whether a particular signer or user has involved in the signature generation, which may not be desirable in some actual applications. We therefore propose an enhanced security property, named \"Ambiguity\", and also propose a new \\emph{one-move} nominative scheme for fulfilling this new security requirement without random oracles, and among the various types of nominative signature, one-move is the most efficient type. Furthermore, this new scheme is at least 33% more efficient during signature generation and 17% shorter in signature size when compared with the existing one-move signature schemes without random oracles even that the existing ones in the literature may not satisfy this new Ambiguity requirement.

19:17 [Pub][ePrint] PUF-Based RFID Authentication Secure and Private under Complete Memory Leakage, by Daisuke Moriyama and Shin\'ichiro Matsuo and Moti Yung

  RFID tags are getting their presence noticeable on smartphones,

credit cards, toll payment devices, and other objects. They are

expected to become an important tool for e-commerce, logistics,

point-of-sale transactions, and so on, representing ``things\'\' and

``human holding things\'\' in transactions. Since a huge amount of tags are expected to be needed to be attached to various ``objects,\'\' a low-cost tag manufacturing is necessary. Thus, it is hard to imagine they will implement hardware protection mechanisms (like co-processor, TPMs). Therefore, side-channel (leakage) attacks are a critical threat. Another threat that is well known in the RFID topic is tag tracing and violation of privacy.

In this paper, we consider physically unclonable functions (PUFs) as tamper resilient building block and propose security model with memory leaking adversary, trying to violate security and privacy of tags (we note that PUFs are structure-less and there is a hope they can be put on top of RFID chips more so than TPMs). We then design the first provably secure and provably private RFID authentication protocol withstanding information leakage from the non-volatile memory of the tag, and provides the two properties of: (1) security against impersonation, and (2) privacy protection against tag tracing.

19:17 [Pub][ePrint] Cryptanalysis of Zorro, by Jian Guo and Ivica Nikolic and Thomas Peyrin and Lei Wang

  At CHES 2013 was presented a new block cipher called Zorro. Although it uses only 4 S-boxes per round, the designers showed the resistance of the cipher against various attacks, and concluded the cipher has a large security margin. In this paper, we give a key recovery attack on the full cipher in the single-key model that works for $2^{64}$ out of $2^{128}$ keys. Our analysis is based precisely on the fact that the non-linear layer has only 4 S-boxes. We exploit this twice in a two-stage attack: first, we show that Zorro has an equivalent description that does not have constants in the rounds, and then, we launch an internal differential attack on the newly described cipher. With computer verifications we confirm the correctness of the analysis.

Our attack is the first to use internal differentials for block ciphers, thus we adapt Daemen\'s attack on Even-Mansour construction

to the case of internal differentials (instead of differentials), which allows us to recovery to full key.

This work provides as well insights on alternative descriptions of general Zorro-type ciphers (incomplete non-linear layers),

the importance of well chosen constants, and the advantages of Daemen\'s attack.

19:17 [Pub][ePrint] Method to secure data in the cloud while preserving summary statistics, by Sanchita Barman, Bimal Roy

  In this paper we propose a method which will preserve sum-

mary statistics of data organized in a two way table. We have shown that

fully homomorphic encryption is a powerful solution. However it has a

number of disadvantages which makes it impractical. We have proposed

a Restricted homomorphic encryption method which uses Pailier encryp-

tion and order preserving encryption. This new method can be used for

practical purposes owing to it\'s efficiency in terms of both speed and


19:17 [Pub][ePrint] Practical Privacy-Preserving Range and Sort Queries with Update-Oblivious Linked Lists, by Erik-Oliver Blass and Travis Mayberry and Guevara Noubir

  We present RASP, a new protocol for privacy-preserving range

search and sort queries on encrypted data in the face of an

untrusted data store. The contribution of RASP over related work

is twofold: first, RASP improves privacy guarantees by ensuring

that after a query for range [a,b] any new record added to the

data store is indistinguishable from random, even if the new

record falls within range [a,b]. Second, RASP is highly

practical, abstaining from expensive asymmetric cryptography and

bilinear pairings. Instead, RASP only relies on hash and block

cipher operations. The main idea of RASP is to build upon a new

update-oblivious bucket-based data structure. We allow for data

to be added to buckets without leaking into which bucket it has

been added. As long as a bucket is not explicitly queried, the

data store does not learn anything about bucket

contents. Furthermore, no information is leaked about data

additions following a query. Besides formally proving RASP\'s

privacy, we also present a practical evaluation of RASP using

Amazon Dynamo.

09:30 [Job][New] CEO / General Manager, ESCRYPT Inc., Ann Arbor, USA, North America

  As an internationally active and highly growth-oriented company in the field of embedded security, ESCRYPT supports all industry segments in need of security solutions for embedded systems, including automotive, industrial control systems, energy, and consumer electronics. In this area, ESCRYPT, a 100-percent subsidiary of ETAS GmbH, a member of the Bosch Group, is a leading system house.


You will be the CEO/General Manager of ESCRYPT Inc., a branch of ESCRYPT with today around 10 people.

The position profile includes:

- Team leader to motivate the ESCRYPT employees

- Familiarity with small technology companies and ability to handle large stake-holders.

- Ability to effectively manage administrative tasks

- Commercial and sales orientation: ability to drive the business and to manage business development

- Technical background to understand fundamentals of ESCRYPT’s business


You must have BS Degree in Computer Science, Engineering, or a related technical field, as well as experience in team leadership, sales and business strategy. MS in Computer Science or Engineering, or an MBA is strongly preferred.


- Willing to work in a flexible team

- Reliability

- Independent and thoughtful

- Pleasant communication skills


We offer opportunities for working independently and with self-reliance in a dynamic team whose members are highly qualified and internationally experienced. Your work environment will feature challenging and diversified tasks, flat hierarchies, and performance based-compensation in an appealing and open-minded corporate climate. We offer generous benefits.

Send us your full application with key number USA-1310GM by email to jobs (at) We look forward to hearing from you!


Dr. Thomas Wollinger


21:17 [Pub][ePrint] Non-Malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures, by Benoit Libert and Thomas Peters and Marc Joye and Moti Yung

  Verifiability is central to building protocols and systems with integrity. Initially, efficient methods employed the Fiat-Shamir

heuristics. Since 2008, the Groth-Sahai techniques have been the most efficient in constructing non-interactive witness indistinguishable and zero-knowledge proofs for algebraic relations. For the important task of proving membership in linear subspaces, Jutla and Roy (Asiacrypt 2013) gave significantly more efficient proofs in the quasi-adaptive setting (QA-NIZK). For membership of the row space of a $t \\times n$ matrix, their QA-NIZK proofs save $O(2t)$ group elements compared to Groth-Sahai. Here, we give QA-NIZK proofs made of a {\\it constant} number group elements -- regardless of the number of equations or the number of variables -- and additionally prove them {\\it unbounded} simulation-sound. Unlike previous unbounded simulation-sound Groth-Sahai-based proofs, our construction does not involve quadratic pairing product equations and does not rely on a chosen-ciphertext-secure encryption scheme. Instead, we build on structure-preserving signatures with homomorphic properties. We apply our methods to design new and improved CCA2-secure encryption schemes. In particular, we build the first efficient threshold CCA-secure keyed-homomorphic encryption scheme ({\\it i.e.}, where homomorphic operations can only be carried out using a dedicated evaluation key) with publicly verifiable ciphertexts.

21:17 [Pub][ePrint] Faster Compact Diffie-Hellman: Endomorphisms on the x-line, by Craig Costello and Huseyin Hisil and Benjamin Smith

  We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie-Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side- channel resistance. The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F_{p^2} with p = 2^{127}-1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.

21:17 [Pub][ePrint] Secure Key Exchange and Sessions Without Credentials, by Ran Canetti and Vladimir Kolesnikov and Charles Rackoff and and Yevgeniy Vahlis

  Secure communication is a fundamental cryptographic primitive. Typically, security is achieved by relying on an existing credential infrastructure, such as a PKI or passwords, for identifying the end points to each other. But what can be obtained when no such credential infrastructure is available?

Clearly, when there is no pre-existing credential infrastructure, an adversary can mount successful ``man in the middle\'\' attacks by modifying the communication between the legitimate endpoints. Still, we show that not all is lost, as long as the adversary\'s control over the communication is not complete: We present relatively efficient key exchange and secure session protocols that provide the full guarantee of secure communication as long as the adversary fails to intercept even a single message between the legitimate endpoints.

To obtain this guarantee we strengthen the notion of key exchange to require that the keys exchanged in any two sessions are independent of each other as long as each session has at least one honest endpoint, even if both sessions has an adversarial endpoint. We call this notion credential-free key exchange. We then strengthen the existing notion of secure session protocols to provide the above guarantee given a CFKE (existing definitions and constructions are insufficient for this purpose). We provide two alternative definitions and constructions of CFKE, a game-based one with a construction in the RO model, and a UC one with a construction in the CRS model.

21:17 [Pub][ePrint] Write-Only Oblivious RAM based Privacy-Preserved Access of Outsourced Data, by Lichun Li and Anwitaman Datta

  Oblivious RAM (ORAM) has recently attracted a lot of interest since

it can be used to protect the privacy of data user\'s data access pattern from (honest but curious) outsourced storage. This is

achieved by simulating each original data read or write operation with some read and write operations on some real and dummy data items. This paper proposes two single-server write-only ORAM schemes and one multi-server write-only ORAM scheme, which simulate only the write operations and protect only the write pattern. The reduction of functions however allows to build much simpler and efficient (in terms of communication cost and storage usage) write-only ORAMs. Write-only ORAM can be used in conjunction with Private Information Retrieval (PIR), which is a technique to protect data user\'s read patterns, in order to protect both write and read patterns. Write-only ORAM may be used alone too, when only write patterns need protection. We study two usage scenarios: (i) data publishing/sharing: where a data owner shares the data with others, who only consume the published information. Data consumers should not have write access to the outsourced data, and thus cannot use ORAM to protect their read patterns in this scenario. To hide access patterns from the outsourced storage, the data owner can use ORAM to write data, and data consumers use PIR to read data. Alternatively, for some applications, a data consumer can trivially download all data once or regularly, and neither the data owner nor data consumers mind that the outsourced storage learns such read pattern. Compared with using traditional ORAM, using the simpler write-only ORAM here produces much less communication cost and/or client-side storage usage. Our single-server write-only ORAM scheme produces lower (typically one order lower) communication cost with the same client-side storage usage, or requires much less (typically at least one order less) client-side storage to achieve the same level of communication cost than the best known single-server full functional ORAM schemes do. Compared with the

best known multi-server ORAM scheme, our write-only ORAM schemes have lower (typically one order lower) communication cost, or achieve the same communication cost with the same client-side storage usage in single-server setting. (ii) the data owner\'s personal use: Our write-only ORAM schemes combined with PIR can be used as building blocks for some existing full functional ORAM schemes. This leads to the reduction of the communication costs for two full-functional ORAM schemes by the factors of $O(\\log N)$ and $O(\\sqrt{\\log N}\\times \\log\\log N)$, where $N$ is the maximum data item count. One of these resulting schemes has a communication cost of $O(l)$, where $l$ is data item length. This is typically one order lower than the previous best known ORAM scheme\'s cost, which is $O(\\log N \\times l)$. The other resulting scheme also achieves $O(\\log N \\times l)$ communication cost, but its client-side storage usage is several orders lower than the best known single-server ORAM\'s.