International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

10:10 [Event][New] ICISSP 2015: 1st International Conference on Information Systems Security and Privacy

  From February 9 to February 11
Location: Angers, Loire Valley, France
More Information:

00:17 [Pub][ePrint] Lighter, Faster, and Constant-Time: WhirlBob, the Whirlpool variant of StriBob, by Markku-Juhani O. Saarinen

  WhirlBob is a new Authenticated Encryption with Associated Data (AEAD)

algorithm derived from the first round CAESAR candidate StriBob

and the Whirlpool hash algorithm. The main advantage of WhirlBob over

StriBob is its greatly reduced implementation footprint on

resource-constrained platforms. Remarkably, the entire C reference

implementation of WhirlBob $\\pi$ fits onto a single page of the Appendix.

On most low-end microcontrollers the total software footprint of

$\\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. The greatly

reduced hardware gate count is also reflected as efficient bitsliced

straight-line implementations, especially on 64-bit platforms. Bitslicing

works as an efficient countermeasure against AES-style cache timing

side-channel attacks. The new design utilizes only the LPS or $\\rho$

keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK

and adds the number of rounds in $\\pi$ permutation from 10 to 12 as a

countermeasure against Rebound Distinguishing attacks of ASIACRYPT \'09.

As with StriBob, the reduced-size Sponge design has a strong provable

security link with the original hash algorithm. We finally present some

discussion and analysis on differences between Whirlpool, the Russian

GOST Streebog hash, and the recently proposed draft Russian

Encryption Standard Kuznyechik.

00:17 [Pub][ePrint] What\'s the Gist? Privacy-Preserving Aggregation of User Profiles, by Igor Bilogrevic \\and Julien Freudiger \\and Emiliano De Cristofaro \\and Ersin Uzun

  Over the past few years, online service providers have started gathering increasing amounts of personal information to build user profiles and monetize them with advertisers and data brokers. Users have little control of what information is processed and are often left with an all-or-nothing decision between receiving free services or refusing to be profiled. This paper explores an alternative approach where users only disclose an aggregate model -- the ``gist\'\' -- of their data. We aim to preserve data utility and simultaneously provide user privacy. We show that this approach can be efficiently supported by letting users contribute encrypted and differentially-private data to an aggregator. The aggregator combines encrypted contributions and can only extract an aggregate model of the underlying data. We evaluate our framework on a dataset of 100,000 U.S. users obtained from the U.S. Census Bureau and show that (i) it provides accurate aggregates with as little as 100 users, (ii) it generates revenue for both users and data brokers, and (iii) its overhead is appreciably low.

00:17 [Pub][ePrint] Efficient Hidden Vector Encryption with Constant-Size Ciphertext, by Tran Viet Xuan Phuong and Guomin Yang and Willy Susilo

  A Hidden Vector Encryption (HVE) scheme is a special type of anonymous identity-based encryption (IBE) scheme where the attribute string associated with the ciphertext or the user secret key can contain wildcards. In this paper, we introduce two constant-size ciphertext-policy hidden vector encryption (CP-HVE) schemes. Our first scheme is constructed on composite order bilinear groups, while the second one is built on prime order bilinear groups. Both schemes are proven secure in a selective security model which captures plaintext (or payload) and attribute hiding. To the best of our knowledge, our schemes are the first HVE constructions that can achieve constant-size ciphertext among all the existing HVE schemes.

00:17 [Pub][ePrint] A Provable Security Analysis of Intel\'s Secure Key RNG, by Thomas Shrimpton and R. Seth Terashima

  We provide the first provable-security analysis of the Intel Secure Key hardware RNG (ISK-RNG), versions of which have appeared in Intel processors since late 2011. To model the ISK-RNG, we generalize the PRNG-with-inputs primitive, introduced Dodis et al. introduced at CCS\'13 for their /dev/[u]random analysis. The concrete security bounds we uncover tell a mixed story. We find that ISK-RNG lacks backward-security altogether, and that the forward-security bound for the ``truly random\'\' bits fetched by the RDSEED instruction is potentially worrisome. On the other hand, we are able to prove stronger forward-security bounds for the pseudorandom bits fetched by the RDRAND instruction. En route to these results, our main technical efforts focus on the way in which ISK-RNG employs CBCMAC as an entropy extractor.

21:17 [Pub][ePrint] Arithmetic on Abelian and Kummer Varieties, by David Lubicz and Damien Robert

  A Kummer variety is the quotient of an abelian variety by

the automorphism $(-1)$ acting on it.

Kummer varieties can be seen as a higher dimensional generalisation of

the $x$-coordinate representation of a point of an elliptic curve

given by its Weierstrass model. Although there is no group law on the

set of points of a Kummer variety, there remains enough arithmetic

to enable the computation of exponentiations via a

Montgomery ladder based on differential additions.

In this paper, we explain that the arithmetic of a Kummer variety

is much richer than

usually thought. We describe a set of composition laws

which exhaust this arithmetic and show that these

laws may turn out to be useful in order to improve certain

algorithms. We explain how to compute efficiently these laws in the model of

Kummer varieties provided by level $2$ theta functions. We also

explain how to recover the full group law of the abelian variety

with a representation almost as compact and in many cases as efficient as

the level $2$ theta functions model of Kummer varieties.

21:17 [Pub][ePrint] Hardness of k-LWE and Applications in Traitor Tracing, by San Ling and Duong Hieu Phan and Damien Stehle and Ron Steinfeld

  We introduce the k-LWE problem, a Learning With Errors variant of the

k-SIS problem. The Boneh-Freeman reduction from SIS to k-SIS suffers from an exponential loss in k. We improve and extend it to an LWE to k-LWE reduction with a polynomial loss in k, by relying on a new technique involving trapdoors for random integer kernel lattices. Based on this hardness result, we present the first algebraic construction of a traitor tracing scheme whose security relies on the worst-case hardness of standard lattice problems. The proposed LWE traitor tracing is almost as efficient as the LWE encryption. Further, it achieves public traceability, i.e., allows the authority to delegate the tracing capability to untrusted parties. To this aim, we introduce the notion of projective sampling family in which each sampling function is keyed and, with a projection of the key on a well chosen space, one can simulate the sampling function in a computationally indistinguishable way. The construction of a projective sampling family from k-LWE allows us to achieve public traceability, by publishing the projected keys of the users. We believe that the new lattice tools and the projective sampling

family are quite general that they may have applications in other areas.

21:17 [Pub][ePrint] Improved Short Lattice Signatures in the Standard Model, by Léo Ducas and Daniele Micciancio

  We present a signature scheme provably secure in the standard model (no random oracles) based on the

worst-case complexity of approximating the Shortest Vector Problem in ideal lattices within polynomial

factors. The distinguishing feature of our scheme is that it achieves short signatures (consisting of a

single lattice vector), and relatively short public keys (consisting of O(log n) vectors.) Previous lattice

schemes in the standard model with similarly short signatures, due to Boyen (PKC 2010) and Micciancio

and Peikert (Eurocrypt 2012), had substantially longer public keys consisting of Ω(n) vectors (even when

implemented with ideal lattices). We also present a variant of our scheme that further reduces the public

key size to just O(log log n) vectors and allows for a tighther security proof by making the signer stateful.

21:17 [Pub][ePrint]


21:17 [Pub][ePrint]


21:17 [Pub][ePrint]