International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] McEliece in the world of Escher, by Danilo Gligoroski and Simona Samardjiska and H{\\aa}kon Jacobsen and Sergey Bezzateev

  We present a new family of linear binary codes of length $n$ and dimension $k$ accompanied with a fast list decoding algorithm that can correct up to $\\frac{n}{2}$ errors in a bounded channel with an error density $\\rho$. The decisional problem of decoding random codes using these generalized error sets is NP-complete. Next we use the properties of these codes to design both an encryption scheme and a signature scheme. Although in the open literature there have been several proposals how to produce digital signatures from the McEliece public key scheme, as far as we know, this is the first public key scheme based on codes where signatures are produced in a straightforward manner from the decryption procedure of the scheme. The security analysis of our scheme have two main parts:

1. An extensive list of attacks using the Information Set Decoding techniques adopted for our codes; 2. An analysis of the cost of a distinguishing attack based on rank attacks on the generator matrix of the code or on its dual code. Based on this security analysis we suggest some concrete parameters for the security levels in the range of $2^{80} - 2^{128}$.

16:40 [PhD][Update] Nizamuddin: On the Design of signcryption Schemes

  Name: Nizamuddin
Topic: On the Design of signcryption Schemes
Category:public-key cryptography

16:40 [PhD][Update] Mehmet Sabir Kiraz: Secure and Fair Two-Party Computation

  Name: Mehmet Sabir Kiraz
Topic: Secure and Fair Two-Party Computation
Category:cryptographic protocols

Description: Consider several parties that do not trust each other, yet they wish to correctly compute some common function of their local inputs while keeping these inputs private. This problem is known as “Secure Multi-Party Computation”, and was introduced by Andrew Yao in 1982. Secure multi-party computations have some real world examples like electronic auctions, electronic voting or Fingerprinting. In this thesis we consider the case where there are only two parties involved. This is known as “Secure Two-Party Computation”. If there is a trusted third party called Carol, then the problem is pretty straightforward. The participating parties could hand their inputs in Carol who can compute the common function correctly and could return the outputs to the corresponding parties. The goal is to achieve (almost) the same result when there is no trusted third party. Cryptographic protocols are designed in order to solve these kinds of problems. These protocols are analyzed within an appropriate model in which the behavior of parties is structured. The basic level is called the Semi-Honest Model where parties are assumed to follow the protocol specification, but later can derive additional information based on the messages which have been received so far. A more realistic model is the so-called Malicious Model. The common approach is to First analyze a protocol in the semi-honest model and then later extend it into the malicious model. Any cryptographic protocol for secure two-party computation must satisfy the following security requirements: correctness, privacy and fairness. It must guarantee the correctness of the result while preserving the privacy of the parties’ inputs, even if one of the parties is malicious and behaves arbitrarily throughout the protocol. It must also guarantee fairness. This roughly means that whenever a party aborts the protocol prematurely, he or she should not have any advantage over the other party in discovering the o[...]

16:39 [PhD][New] Zubair Naqvi: Security using Cryptographic Systems in Banks

  Name: Zubair Naqvi
Topic: Security using Cryptographic Systems in Banks
Category: public-key cryptography

Description: In this thesis, we describe how security is implemented in the banking systems using the art of cryptography and analyse the security of distributed computations. Since a computational process is always inseparable from physical phenomena thatmake it observable,simplified mathematical models,such as finite automata and Turingmachines have their limitations. Namely,\r\nsome artifacts that are observable in theoretical models might not be present or\r\nmeaningful in practice. Therefore, we must make a constant conscious effort to\r\nassure that theoretical models adequately represent the reality.[...]

16:39 [PhD][New] George Summers: Cryptographic Systems

  Name: George Summers
Topic: Cryptographic Systems
Category: (no category)

16:38 [PhD][New]


16:37 [PhD][New] Josep Balasch: Implementation Aspects of Security and Privacy in Embedded Design

  Name: Josep Balasch
Topic: Implementation Aspects of Security and Privacy in Embedded Design
Category: implementation

Description: Embedded devices are nowadays largely represented across the compute continuum. From mobile phones to smart cards and RFID tags, digital devices are becoming increasingly ubiquitous, mobile and integrated with their environment. This gradual shift towards pervasive computing envisions many benefits in sectors as diverse as financial, entertainment, health care, information access, or automotive. Along with these possibilities however, there are also inherent risks to be addressed. It is in this context that this dissertation is situated. It provides contributions to the security of embedded devices and the privacy of the humans interacting with them.\r\n\r\nThe first part of the thesis is devoted to physical security. Many existing and future applications have built-in security capabilities which rely on keeping cryptographic keys secret. Typical examples include payment tokens, digital identity documents, or access control cards. As these devices operate in hostile environments, they need protection against physical attacks. Among these, side channel attacks and fault attacks represent two of the major threats in the security of embedded devices. \r\n\r\nOur contributions in this area encompass three different but related aspects. First, we provide an in-depth analysis of vulnerabilities that lead to physical attacks. In particular, we characterize the effects of fault injections based on setup-time violations on a low-end microcontroller. Second, we show how physical attacks are still a prominent threat for secure devices by successfully attacking a widely used family of secure memories. And third, we devise and thoroughly evaluate a high-level mitigation against side channel attacks. More specifically, we employ the inner product construction to design a masking-based countermeasure implementable at any order. \r\n\r\nThe second part of the thesis deals with privacy aspects. Systems such as location-based services, health-care monitoring, or smart homes rely on [...]

09:17 [Pub][ePrint] Folding Alternant and Goppa Codes with Non-Trivial Automorphism Groups, by Jean-Charles Faugère and Ayoub Otmani and Ludovic Perret and Frédéric de Portzamparc and Jean-Pierre Tillich

  The main practical limitation of the McEliece public-key encryption scheme is probably the size of its key. A famous trend to overcome this issue is to focus on subclasses of alternant/Goppa codes with a non trivial automorphism group. Such codes display then symmetries allowing compact parity-check or generator matrices. For

instance, a key-reduction is obtained by taking quasi-cyclic (QC) or quasi-dyadic (QD) alternant/Goppa codes.

We show that the use of such symmetric alternant/Goppa codes in cryptography introduces a fundamental weakness. It is indeed possible to reduce the key-recovery on the original symmetric public-code to the key-recovery on a (much) smaller code that has not anymore symmetries. This result is obtained thanks to a new operation on codes called folding that exploits the knowledge of the automorphism group. This operation consists in adding the coordinates of codewords which belong to the same orbit under the action of the automorphism group. The advantage is twofold:

the reduction factor can be as large as the size of the orbits, and it preserves a fundamental property: folding the dual of an alternant (resp. Goppa) code provides the dual of an alternant (resp. Goppa) code. A key point is to show that all the existing constructions of alternant/Goppa codes with symmetries follow a common principal of taking codes whose support is globally invariant under the action of affine transformations (by building upon prior works of T. Berger and A. D¨ur). This enables not only to present a unified view but also to generalize the construction of QC, QD and even quasi-monoidic (QM) Goppa codes. All in all, our results can be harnessed to boost up any key-recovery attack on McEliece systems based on symmetric alternant or Goppa codes, and in particular algebraic attacks.

09:17 [Pub][ePrint] Optimizing Information Set Decoding Algorithms to Attack Cyclosymmetric MDPC Codes, by Ray Perlner

  The most important drawback to code-based cryptography has historically been its large key sizes. Recently, several promising approaches have been proposed to reduce keysizes. In particular, significant keysize reduction has been achieved by using structured, but non-algebraic codes, such as quasi-cyclic (QC) Moderate Density Parity Check (MDPC) codes. Biasi et al. propose further reducing the keysizes of code-based schemes using cyclosymmetric (CS) codes. Biasi et al analyze the complexity of attacking their scheme against standard information-set-decoding attacks. However, the research presented here shows that information set decoding algorithms can be modified, by choosing the columns of the information set in a way that takes advantage of the added symmetry. The result is an attack that significantly reduces the security of the proposed CS-MDPC schemes to the point that they no longer offer an advantage in keysize over QC-MDPC schemes of the same security level.

09:17 [Pub][ePrint] Graph-theoretic design and analysis of key predistribution schemes, by Michelle Kendall and Keith M. Martin

  Key predistribution schemes for resource-constrained networks are methods for allocating symmetric keys to devices in such a way as to provide an efficient trade-off between key storage, connectivity and resilience. While there have been many suggested constructions for key predistribution schemes, a general understanding of the design principles on which to base such constructions is somewhat lacking. Indeed even the tools from which to develop such an understanding are currently limited, which results in many relatively ad hoc proposals in the research literature.

It has been suggested that a large edge-expansion coefficient in the key graph is desirable for efficient key predistribution schemes. However, attempts to create key predistribution schemes from known expander graph constructions have only provided an extreme in the trade-off between connectivity and resilience: namely, they provide perfect resilience at the expense of substantially lower connectivity than can be achieved with the same key storage.

Our contribution is two-fold. First, we prove that many existing key predistribution schemes produce key graphs with good expansion.

This provides further support and justification for their use, and confirms the validity of expansion as a sound design principle. Second, we propose the use of incidence graphs and concurrence graphs as tools to represent, design and analyse key predistribution schemes. We show that these tools can lead to helpful insights and new constructions.

09:17 [Pub][ePrint] Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits, by Dan Boneh and Craig Gentry and Sergey Gorbunov and Shai Halevi and Valeria Nikolaenko and Gil Segev and Vinod

  We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit {\\em plus} an additive $\\mathsf{poly}(\\secp,d)$ bits, where $\\secp$ is the security parameter and $d$ is the circuit depth. Save the additive $\\mathsf{poly}(\\secp,d)$ factor, this is the best one could hope for. All previous constructions incurred a {\\em multiplicative} $\\mathsf{poly}(\\secp)$ blowup. As another application, we obtain (single key secure) functional encryption with short secret keys.

We construct our attribute-based system using a mechanism we call {\\em fully key-homomorphic encryption} which is a public-key system that lets anyone translate a ciphertext encrypted under a public-key~$\\vx$ into a ciphertext encrypted under the public-key~$(f(\\vx),f)$ of the same plaintext, for any efficiently computable~$f$. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem.

We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector~$\\vx$ is the size of $\\vx$ plus $\\mathsf{poly}(\\secp,d)$ additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, {\\em plus} a $\\mathsf{poly}(\\secp,d)$ factor.