International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Security and Efficiency Analysis of The Hamming Distance Computation Protocol Based On Oblivious Transfer, by Mehmet Sabır Kiraz and Ziya Alper Genç and Süleyman Kardaş

  In Financial Cryptography 2013, Bringer, Chabanne

and Patey proposed two biometric authentication schemes between

a prover and a verifier where the verifier has biometric

data of the users in plain form. The protocols are based on secure

computation of Hamming distance in the two-party setting. Their

first scheme uses Oblivious Transfer (OT) and provides security

in the semi-honest model. The other scheme uses Committed

Oblivious Transfer (COT) and is claimed to provide full security

in the malicious case.

In this paper, we show that their protocol against malicious

adversaries is not actually secure. We propose a generic attack

where the Hamming distance can be minimized without knowledge

of the real input of the user. Namely, any attacker can

impersonate any legitimate user without prior knowledge. We

propose an enhanced version of their protocol where this attack

is eliminated. We provide a simulation based proof of the security

of our modified protocol. In addition, for efficiency concerns, the

modified version also utilizes Verifiable Oblivious Transfer (VOT)

instead of COT. The use of VOT does not reduce the security of

the protocol but improves the efficiency significantly.

21:17 [Pub][ePrint]


21:12 [PhD][New] J. C. Migliore

  Name: J. C. Migliore

21:12 [PhD][Update] Elisa Gorla: Lifting properties from the general hyperplane section of a projective scheme

  Name: Elisa Gorla
Topic: Lifting properties from the general hyperplane section of a projective scheme
Category:(no category)

15:17 [Pub][ePrint] Universally Composable Non-Interactive Key Exchange, by Eduarda S.V. Freire and Julia Hesse and Dennis Hofheinz

  We consider the notion of a non-interactive key exchange (NIKE). A NIKE scheme allows a party \\(A\\) to compute a common shared key with another party \\(B\\) from \\(B\\)\'s public key and \\(A\\)\'s secret key alone. This computation requires no interaction between \\(A\\) and \\(B\\), a feature which distinguishes NIKE from regular (i.e., interactive) key exchange not only quantitatively, but also qualitatively.

Our first contribution is a formalization of NIKE protocols as ideal

functionalities in the Universal Composability (UC) framework.

As we will argue, existing NIKE definitions (all of which are game-based) do not support a modular analysis either of NIKE schemes themselves, or of the use of NIKE schemes. We provide a simple and natural UC-based NIKE definition that allows for a modular analysis both of NIKE schemes and their use in larger protocols.

We proceed to investigate the properties of our new definition, and in

particular its relation to existing game-based NIKE definitions. We find that

(a) game-based NIKE security is equivalent to UC-based NIKE security

against \\emph{static} corruptions, and

(b) UC-NIKE security against adaptive corruptions cannot be achieved

without additional assumptions (but \\emph{can} be achieved in the random oracle model).

Our results suggest that our UC-based NIKE definition is a useful and simple abstraction of non-interactive key exchange.

15:17 [Pub][ePrint]


15:17 [Pub][ePrint]


15:17 [Pub][ePrint]


15:17 [Pub][ePrint]


15:17 [Pub][ePrint] Binary Elligator Squared, by Diego F. Aranha and Pierre-Alain Fouque and Chen Qian and Mehdi Tibouchi and Jean-Christophe Zapalowicz

  Applications of elliptic curve cryptography to anonymity, privacy and

censorship circumvention call for methods to represent uniformly random

points on elliptic curves as uniformly random bit strings, so that, for

example, ECC network traffic can masquerade as random traffic.

At ACM CCS 2013, Bernstein et al. proposed an efficient approach,

called ``Elligator,\'\' to solving this problem for arbitrary elliptic

curve-based cryptographic protocols, based on the use of efficiently

invertible maps to elliptic curves. Unfortunately, such invertible maps

are only known to exist for certain classes of curves, excluding in

particular curves of prime order and curves over binary fields. A variant

of this approach, ``Elligator Squared,\'\' was later proposed by Tibouchi

(FC 2014) supporting not necessarily injective encodings to elliptic

curves (and hence a much larger class of curves), but, although some

rough efficiency estimates were provided, it was not clear how an actual

implementation of that approach would perform in practice.

In this paper, we show that Elligator Squared can indeed be implemented

very efficiently with a suitable choice of curve encodings. More

precisely, we consider the binary curve setting (which was not discussed

in Tibouchi\'s paper), and implement the Elligator Squared bit string

representation algorithm based on a suitably optimized version of the

Shallue--van de Woestijne characteristic 2 encoding, which we show can

be computed using only multiplications, trace and half-trace

computations, and a few inversions.

On the fast binary curve of Oliveira et al. (CHES 2013), our

implementation runs in an average of only 22850 Haswell cycles, making

uniform bit string representations possible for a very reasonable

overhead---much smaller even than Elligator on Edwards curves.

As a side contribution, we also compare implementations of Elligator and

Elligator Squared on a curve supported by Elligator, namely

Curve25519. We find that generating a random point and its uniform

bitstring representation is around 35-40% faster with Elligator for

protocols using a fixed base point (such as static ECDH), but 30-35%

faster with Elligator Squared in the case of a variable base point

(such as ElGamal encryption). Both are significantly slower

than our binary curve implementation.

15:17 [Pub][ePrint] GGHLite: More Efficient Multilinear Maps from Ideal Lattices, by Adeline Langlois and Damien Stehle and Ron Steinfeld

  The GGH Graded Encoding Scheme, based on ideal lattices, is the first plausible approximation to a cryptographic multilinear map. Unfortunately, using the security analysis in the original paper, the scheme requires very large parameters to provide security for its underlying encoding re-randomization process. Our main contributions are to formalize, simplify and improve the efficiency and the security analysis of the re-randomization process in the GGH construction. This results in a new construction that we call GGHLite. In particular, we first lower the size of a standard deviation parameter of the re-randomization process of the original scheme from exponential to polynomial in the security parameter. This first improvement is obtained via a finer security analysis of the

drowning step of re-randomization, in which we apply the

Rényi divergence instead of the conventional statistical distance as a measure of distance between distributions. Our second improvement is to reduce the number of randomizers needed from $\\Omega(n \\log n)$ to $2$, where $n$ is the dimension of the underlying ideal lattices. These two contributions allow us to decrease the bit size of the public parameters from $O(\\lambda^5 \\log \\lambda)$ for the

GGH scheme to $O(\\lambda \\log^2 \\lambda)$ in GGHLite, with respect to the security parameter $\\lambda$ (for a constant multilinearity parameter $\\kappa$).