International Association for Cryptologic Research

IACR News Central


16:17 [Pub][ePrint] Lattice Cryptography for the Internet, by Chris Peikert

  In recent years, \emph{lattice-based} cryptography has been recognized for its many attractive properties, such as strong provable security guarantees and apparent resistance to quantum attacks, flexibility for realizing powerful tools like fully homomorphic encryption, and high asymptotic efficiency. Indeed, several works have demonstrated that for basic tasks like encryption and authentication, lattice-based primitives can have performance competitive with (or even surpassing) those based on classical mechanisms like RSA or Diffie-Hellman. However, there still has been relatively little work on developing lattice cryptography for deployment in \emph{real-world} cryptosystems and protocols.

In this work we take a step toward that goal, by giving efficient and practical lattice-based protocols for key transport, encryption, and authenticated key exchange that are suitable as "drop-in" components for proposed Internet standards and other open protocols. The security of all our proposals is provably based (sometimes in the random-oracle model) on the well-studied "learning with errors over rings" problem, and hence on the conjectured worst-case hardness of problems on ideal lattices (against quantum algorithms).

One of our main technical innovations (which may be of independent interest) is a simple, low-bandwidth \emph{reconciliation} technique that allows two parties who "approximately agree" on a secret value to reach \emph{exact} agreement, a setting common to essentially all lattice-based encryption schemes. Our technique reduces the ciphertext length of prior (already compact) encryption schemes nearly twofold, at essentially no cost.

16:17 [Pub][ePrint] Implementing Pairing-Based Cryptosystems in USB Tokens, by Zhaohui Cheng

  In the last decade, pairing-based cryptography has been the most intensively studied subject in the cryptography field. Various optimization techniques have been developed to speed up the pairing computation. However, implementing a pairing-based cryptosystem in resource-constrained devices has been less tried. Moreover, due to progress on solving the discrete logarithm problem, those implementations are no longer safe to use. In this paper, we report an implementation of a couple of pairing-based cryptosystems at a high security level on a 32-bit microcontroller in a USB token. It shows that USB tokens supporting secure pairing-based cryptosystems are viable.

06:15 [Event][New] Post-quantum Cryptography Summer School

  From September 29 to September 30
Location: Waterloo, Canada

21:56 [Job][New] PhD Positions in Applied Cryptology, Worcester Polytechnic Institute, MA, USA

  The Vernam Group for Security and Privacy at WPI in Worcester, MA has open PhD positions in applied cryptology. In particular there are two openings in side channel analysis and leakage resilient implementation.

Candidates should have a Master’s degree in electronics, computer science or applied mathematics, with strong interest in algorithms and signal processing. Prior experience in side channel analysis and embedded software or hardware design is an asset.

We offer a competitive salary and an international cutting-edge research program in an attractive working environment. WPI is one of the highest-ranked technical colleges in the US. Located in the greater Boston area, it maintains close interaction with many of the nearby universities and companies.

12:54 [Event][New] SAC'2014: Selected Areas in Cryptography

  Submission: 28 May 2014
From August 14 to August 15
Location: Montreal, Quebec, Canada

08:49 [Event][New] CANS 2014: 13th International Conference on Cryptology and Network Security

  Submission: 10 June 2014
Notification: 25 July 2014
From October 22 to October 24
Location: Heraklion, Crete, Greece

13:17 [Pub][ePrint] Some security bounds for the DGHV scheme, by Franca Marinelli and Riccardo Aragona and Chiara Marcolla and Massimiliano Sala

  The correctness in decrypting a ciphertext after some operations in the DGHV scheme depends heavily on the dimension of the secret key. In this paper we compute two bounds on the size of the secret key for the DGHV scheme to correctly decrypt a ciphertext after a fixed number of additions and a fixed number of multiplications. Moreover, we improve the original bound on the dimension of the secret key for a general circuit.

13:17 [Pub][ePrint] A Subexponential Construction of Graph Coloring for Multiparty Computation, by Hassan Jameel Asghar, Yvo Desmedt, Josef Pieprzyk, and Ron Steinfeld

  We show the first deterministic construction of an unconditionally secure multiparty computation (MPC) protocol in the passive adversarial model over black-box non-Abelian groups which is both optimal and has subexponential complexity of construction. More specifically, following the result of Desmedt et al. (2012) that the problem of MPC over non-Abelian groups can be reduced to finding a $t$-reliable $n$-coloring of planar graphs, we show the construction of such a graph which allows a path from the input nodes to the output nodes when any $t$-party subset is in the possession of the adversary. Unlike the (deterministic) constructions from Desmedt et al. (2012), our construction is subexponential and optimal at the same time, i.e., it is secure for any $t < \frac{n}{2}$.

13:17 [Pub][ePrint] Efficient and Strongly Secure Dynamic Domain-Specific Pseudonymous Signatures for ID Documents, by Julien Bringer and Hervé Chabanne and Roch Lescuyer and Alain Patey

  The notion of domain-specific pseudonymous signatures (DSPS) has recently been introduced for private authentication of ID documents, like passports, that embed a chip with computational abilities. Thanks to this privacy-friendly primitive, the document authenticates to a service provider through a reader and the resulting signatures are anonymous, linkable inside the service and unlinkable across services. A subsequent work proposes to enhance security and privacy of DSPS through group signature techniques. In this paper, we improve on these proposals in three ways. First, we spot several imprecisions in previous formalizations. We consequently provide a clean security model for \emph{dynamic domain-specific pseudonymous signatures}, where we correctly address the dynamic and adaptive case. Second, we note that using group signatures is somehow an overkill for constructing DSPS, and we provide an optimized construction that achieves the same strong level of security while being more efficient. Finally, we study the implementation of our protocol in a chip and show that our solution is well-suited for these limited environments. In particular, we propose a secure protocol for delegating the most demanding operations from the chip to the reader.

16:17 [Pub][ePrint] Fine Tuning the Function Field Sieve Algorithm for the Medium Prime Case, by Palash Sarkar and Shashank Singh

  This work builds on the variant of the function field sieve (FFS) algorithm for the medium prime case introduced by Joux and Lercier in 2006. We make two contributions. The first contribution introduces a divisibility and smoothness technique which is similar to that of the special-q technique used in integer factorisation algorithms. Such a technique, though, has not been used earlier in the context of discrete log computations and provides concrete speed-ups in the practical run-time of the relation collection and the descent phases of the FFS algorithm. The second contribution is to improve the descent phase of the algorithm. The improvements are based on increasing the degree of freedom and the use of a walk technique. As a consequence, we show that it is feasible to carry out discrete log computations for certain fields which are excluded by the analysis of Joux and Lercier. In concrete terms, we present record computations of discrete logs for fields with 16- and 18-bit prime characteristic. Further, we provide concrete analysis of the effectiveness of the FFS algorithm for certain fields with medium-sized prime characteristic.

19:17 [Pub][ePrint] Verifiable Computation in Multiparty Protocols with Honest Majority, by Peeter Laud and Alisa Pankova

  A lot of cryptographic protocols have been proposed for the semi-honest model. In general, they are much more efficient than those proposed for the malicious model. In this paper, we propose a method that allows the parties that have violated the protocol rules to be detected after the computation has ended, thus making the protocol secure against covert attacks. This approach can be useful in settings where it is fatal for any party to be accused of violating protocol rules. In this way, up to the verification, all the computation can be performed in the semi-honest model, which makes it very efficient in practice. The verification is statistical zero-knowledge, and it is based on linear probabilistically checkable proofs ($\mathrm{PCP}$) for verifiable computation. Each malicious party is detected with probability $1 - \varepsilon$ for a negligible $\varepsilon$ that is defined by the failure of the corresponding linear $\mathrm{PCP}$. The initial protocol has to be executed only once, and the verification requires in total $3$ additional rounds (if some parties act dishonestly, in the worst case they may force the protocol to substitute each round with $4$ rounds, due to the transmission functionality that prevents the protocol from stopping). The verification also ensures that all the parties have sampled all the randomness from an appropriate distribution. Its efficiency does not depend on whether the inputs of the parties have been shared, or each party uses its own private input.

The major drawback of the proposed scheme is that the number of values sent before and after the protocol is exponential in the number of parties. Nevertheless, the settings make the verification very efficient for a small number of parties.