International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

13:17 [Pub][ePrint] How to Delegate Computations: The Power of No-Signaling Proofs, by Yael Tauman Kalai and Ran Raz and Ron Rothblum

  We construct a 1-round delegation scheme (i.e., argument-system)

for every language computable in time t=t(n), where the running

time of the prover is poly(t) and the running time of the

verifier is n*polylog(t). In particular, for every language in P

we obtain a delegation scheme with almost linear time

verification. Our construction relies on the existence of a

computational sub-exponentially secure private information

retrieval (PIR) scheme.

The proof exploits a curious connection between the problem of

computation delegation and the model of multi-prover interactive

proofs that are sound against no-signaling (cheating) strategies,

a model that was studied in the context of multi-prover

interactive proofs with provers that share quantum entanglement,

and is motivated by the physical principle that information

cannot travel faster than light.

For any language computable in time t=t(n), we construct a

multi-prover interactive proof (MIP) that is sound against

no-signaling strategies, where the running time of the provers is

poly(t), the number of provers is polylog(t), and the running

time of the verifier is n*polylog(t).

In particular, this shows that the class of languages that have

polynomial-time MIPs that are sound against no-signaling

strategies, is exactly EXP. Previously, this class was only known

to contain PSPACE.

To convert our MIP into a 1-round delegation scheme, we use the

method suggested by Aiello et-al (ICALP, 2000), which makes use

of a PIR scheme. This method lacked a proof of security. We prove

that this method is secure assuming the underlying MIP is secure

against no-signaling provers.

13:17 [Pub][ePrint] Formal Treatment of Distributed Trust in Electronic Voting, by Stephan Neumann and Melanie Volkamer

  Electronic voting systems are among the most security critical distributed systems. Different trust concepts are implemented to mitigate the risk of conspiracies endangering security properties. These concepts render systems often very complex and end users no longer recognize whom they need to trust. Correspondingly, specific trust considerations are necessary to support users. Recently, resilience terms have been proposed in order to express, which entities can violate the addressed security properties in particular by illegal collaborations. However, previous works derived these resilience terms manually. Thus, successful attacks can be missed. Based on this approach, we propose a framework to formally and automatically derive these terms. Our framework comprises a knowledge calculus, which allows us to model knowledge and reason about knowledge of collaborating election entities. The introduced framework is applied to deduce previously manually derived resilience terms of three remote electronic voting systems, namely Polyas, Helios and the Estonian voting system. Thereby, we were able to discover mistakes in previous derivations.

13:17 [Pub][ePrint] Near-linear time, Leakage-resilient Key Evolution Schemes from Expander Graphs, by Adam Smith and Ye Zhang

  We develop new schemes for deterministically updating a stored

cryptographic key that provide security against an internal

adversary who can control the update computation and leak bounded

amounts of information to the outside world. Our schemes are much

more efficient than the previous schemes for this model, due to Dziembowski,

Kazana and Wichs (CRYPTO 2011). Specifically, our update operation

runs in time quasilinear in the key length, rather than quadratic,

while offering a similar level of leakage resilience.

In order to design our scheme, we strengthen the connections between

the model of Dziembowski et al. and ``pebbling games\'\', showing that

random-oracle-based key evolution schemes are secure as long as the

graph of the update function\'s calls to the oracle has

appropriate combinatorial properties. This builds on a connection

between pebbling and the random oracle model first established by

Dwork, Naor and Wee (CRYPTO 2005). Our scheme\'s efficiency relies on the

existence (which we show) of families of ``local\'\'

bipartite expander graphs of constant degree.

13:17 [Pub][ePrint] SNR to Success Rate: Reaching the Limit of Non-Profiling DPA, by Suvadeep Hajra and Debdeep Mukhopadhyay

  Profiling power attacks like Template attack and Stochastic attack optimizes their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling DPA attacks, since integration of the leakage of a higher Signal-to-Noise Ratio (SNR) sample point with the leakages of lower SNR sample points might result in a decrease in the overall performance. We study the issue of optimally combining the leakages of multiple sample points using a linear function in great details. In this work, our contributions are three-fold: 1) we first derive a relation between the success rate of a CPA attack and the SNR of the power traces, 2) we introduce a multivariate leakage model for Virtex-5 FPGA device, and 3) using the proposed multivariate leakage model, we derive the linear Finite Impulse Response (FIR) filter coefficients which maximizes the SNR of the output leakage, thus optimizes the success rate of the CPA attacks in a non-profiling setup.

13:17 [Pub][ePrint] Compact Hardware Implementation of Ring-LWE Cryptosystems, by Sujoy Sinha Roy and Frederik Vercauteren and Nele Mentens and Donald Donglong Chen and Ingrid Verbauwhede

  In this paper we propose an efficient and compact hardware implementation of a polynomial multiplier based on the Fast Fourier Transform (FFT) for use in ring-LWE cryptosystems. We optimize the forward wrapped convolution by merging the pre-processing and the FFT and propose an advanced memory access scheme which reduces the number

of memory accesses and the number of RAM slices used in the design.

These techniques result in a hardware implementation of a polynomial multiplier for the ring-LWE cryptosystem of dimension 256 that uses only 281 slices and one block RAM on a Virtex V.

Finally, we also propose a modification of a ring-LWE encryption system

that reduces the number of FTT operations from five to four resulting

in a near 20% speed-up.

13:17 [Pub][ePrint] LHash: A Lightweight Hash Function (Full Version), by Wenling Wu and Shuang Wu and Lei Zhang and Jian Zou and Le Dong

  In this paper, we propose a new lightweight hash function

supporting three different digest sizes: 80, 96 and 128 bits,

providing preimage security from 64 to 120 bits, second preimage

and collision security from 40 to 60 bits. LHash requires about

817 GE and 1028 GE with a serialized implementation. In faster

implementations based on function $T$, LHash requires 989 GE and

1200 GE with 54 and 72 cycles per block, respectively.

Furthermore, its energy consumption evaluated by energy per bit is

also remarkable. LHash allows to make trade-offs among security,

speed, energy consumption and implementation costs by adjusting

parameters. The design of LHash employs a kind of Feistel-PG structure in

the internal permutation, and this structure can

utilize permutation layers on

nibbles to improve the diffusion speed. The adaptability of LHash

in different environments is good, since different versions of

LHash share the same basic computing module. The low-area

implementation comes from the hardware-friendly S-box and linear

diffusion layer. We evaluate the resistance of LHash against known

attacks and confirm that LHash provides a good security margin.

13:17 [Pub][ePrint] Theoretical Bitcoin Attacks with less than Half of the Computational Power (draft), by Lear Bahack

  A widespread security claim of the Bitcoin system, presented in the original Bitcoin whitepaper, states that the security of the system is guaranteed as long as there is no attacker in possession of half or more of the total computational power used to maintain the system. This claim, however, is proved based on theoretically flawed assumptions.

In the paper we analyze two kinds of attacks based on two theoretical flaws: the Block Discarding Attack and the Difficulty Raising Attack. We argue that the current theoretical limit of attacker\'s fraction of total computational power essential for the security of the system is in a sense not $\\frac{1}{2}$ but a bit less than $\\frac{1}{4}$, and outline proposals for protocol change that can raise this limit to be as close to $\\frac{1}{2}$ as we want.

The basic idea of the Block Discarding Attack has been noted as early as 2010, and lately was independently though-of and analyzed by both author of this paper and authors of a most recently pre-print published paper. We thus focus on the major differences of our analysis, and try to explain the unfortunate surprising coincidence. To the best of our knowledge, the second attack is presented here for the first time.

13:17 [Pub][ePrint] How to Fake Auxiliary Input, by Dimitar Jetchev and Krzysztof Pietrzak

  Consider a joint distribution $(X,A)$ on a set ${\\cal X}\\times\\{0,1\\}^\\ell$. We show that for any family ${\\cal F}$ of distinguishers $f \\colon {\\cal X} \\times \\{0,1\\}^\\ell \\rightarrow \\{0,1\\}$, there exists a simulator $h \\colon {\\cal X} \\rightarrow \\{0,1\\}^\\ell$ such that


\\item no function in ${\\cal F}$ can distinguish $(X,A)$ from $(X,h(X))$ with advantage $\\epsilon$,

\\item $h$ is only $O(2^{3\\ell}\\epsilon^{-2})$ times less efficient than the functions in ${\\cal F}$.


For the most interesting settings of the parameters (in particular, the cryptographic case where $X$ has superlogarithmic min-entropy, $\\epsilon > 0$ is negligible and ${\\cal F}$ consists of circuits of polynomial size), we can make the simulator $h$ \\emph{deterministic}.

As an illustrative application of this theorem, we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt\'09. Our proof is simpler and quantitatively much better than the original proof using the dense model theorem, giving meaningful security guarantees if instantiated with a standard blockcipher like AES.

Subsequent to this work, Chung, Lui and Pass gave an interactive variant of our main theorem, and used it to investigate weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version of our theorem using their new uniform min-max theorem.

13:17 [Pub][ePrint] A new class of hyper-bent functions and Kloosterman sums, by Chunming Tang, Yanfeng Qi

  This paper is devoted to the characterization of hyper-bent functions.

Several classes of hyper-bent functions have been studied, such as

Charpin and Gong\'s $\\sum\\limits_{r\\in R}\\mathrm{Tr}_{1}^{n}

(a_{r}x^{r(2^m-1)})$ and Mesnager\'s $\\sum\\limits_{r\\in R}\\mathrm{Tr}_{1}^{n}(a_{r}x^{r(2^m-1)})

+\\mathrm{Tr}_{1}^{2}(bx^{\\frac{2^n-1}{3}})$, where $R$ is a set of representations of the cyclotomic

cosets modulo $2^m+1$ of full size $n$ and $a_{r}\\in \\mathbb{F}_{2^m}$.

In this paper, we generalize their results and consider a class of Boolean functions of the form $\\sum_{r\\in R}\\sum_{i=0}^{2}Tr^n_1(a_{r,i}x^{r(2^m-1)+\\frac{2^n-1}{3}i})

+Tr^2_1(bx^{\\frac{2^n-1}{3}})$, where $n=2m$, $m$ is odd, $b\\in\\mathbb{F}_4$, and $a_{r,i}\\in \\mathbb{F}_{2^n}$.

With the restriction of $a_{r,i}\\in \\mathbb{F}_{2^m}$, we present the characterization of hyper-bentness of these functions with character sums. Further, we reformulate this characterization in terms of the number of points on

hyper-elliptic curves. For some special cases, with the help of Kloosterman sums and cubic sums, we determine the characterization for some hyper-bent functions including functions with four, six and ten traces terms. Evaluations of Kloosterman sums at three general points are used in the characterization. Actually, our results can generalized to the general

case: $a_{r,i}\\in \\mathbb{F}_{2^n}$. And we explain this for characterizing binomial, trinomial and quadrinomial hyper-bent functions.

13:17 [Pub][ePrint] A Unified Security Model of Authenticated Key Exchange with Specific Adversarial Capabilities, by Weiqiang Wen and Libin Wang

  The most widely accepted models in the security proofs of Authenticated Key Exchange protocols are the Canetti-Krawczyk model and the extended Canetti-Krawczyk model. They are shown to be incomparable due to the subtleties that they admit different adversarial queries and the definitions of the queries are not specific and strict enough to allow a rigorous comparison be made. Concerning the security of one-round implicitly authenticated Diffie-Hellman key exchange protocols, we present a stronger security model that characterizes specific adversarial capabilities and encompass the Ephemeral Key Reveal and the Session-State Reveal simultaneously. To demonstrate the usability of our model, a new protocol based on the OAKE protocol is proposed, which satisfies the presented stronger security notion and at the same time attains high efficiency as the OAKE protocol. The protocol is proven secure in random oracle model under the gap Diffie-Hellman assumption.

13:17 [Pub][ePrint] PRE^{+}: Dual of Proxy Re-encryption and Its Application, by Xu An Wang and Yunlong Ge and Xiaoyuan Yang

  In Eurocrypt\'98, Blaze et al. introduced the concept of proxy re-encryption (PRE). It allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one which

can be decrypted by Bob, without the proxy knowing the corresponding plaintext. PRE has found many applications, such as in encrypted e-mail forwarding[8], distributed secure file systems[1,2], multicast[10] cloud computation etc. However, all the PRE schemes until now require the delegator (or the delegator and the delegatee cooperatively) to generate the re-encryption keys. We observe

that this is not the only way to generate the re-encryption keys, the encrypter also has the ability to generate re-encryption keys. Based on this observation, we introduce a new primitive: PRE^{+},

which is almost the same as the traditional PRE except the re-encryption keys generated by the encrypter. Interestingly, this PRE^{+} can be viewed as the dual of the traditional PRE. Compared

with PRE, PRE can easily achieve the non-transferable property and message-level based fine-grained delegation, while these two properties are very desirable in practical applications. We first

categorize PRE^{+} as the single-hop and multi-hop variant and discuss its potential applications, then we give the definition and security model for the single-hop PRE^{+}, construct a concrete scheme and

prove its security. Finally we conclude our paper with many interesting open problems.