Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:
To receive your credentials via mail again, please click here.
You can also access the full news archive.
trusted parameters for many schemes from just a single trusted setup. In such a scheme
a trusted setup process will produce universal parameters $U$. These parameters can
then be combined with the description, $d(\\cdot)$ of any particular cryptographic setup
algorithm to produce parameters $p_d$ that can be used by the cryptographic system associated
with $d$. We give a solution in the random oracle model based on indistinguishability obfuscation.
algorithm derived from the first round CAESAR candidate StriBob
and the Whirlpool hash algorithm. The main advantage of WhirlBob over
StriBob is its greatly reduced implementation footprint on
resource-constrained platforms. Remarkably, the entire C reference
implementation of WhirlBob $\\pi$ fits onto a single page of the Appendix.
On most low-end microcontrollers the total software footprint of
$\\pi$+BLNK = WhirlBob AEAD is less than half a kilobyte. The greatly
reduced hardware gate count is also reflected as efficient bitsliced
straight-line implementations, especially on 64-bit platforms. Bitslicing
works as an efficient countermeasure against AES-style cache timing
side-channel attacks. The new design utilizes only the LPS or $\\rho$
keying line of Whirlpool in a flexible domain-separated Sponge mode BLNK
and adds the number of rounds in $\\pi$ permutation from 10 to 12 as a
countermeasure against Rebound Distinguishing attacks of ASIACRYPT \'09.
As with StriBob, the reduced-size Sponge design has a strong provable
security link with the original hash algorithm. We finally present some
discussion and analysis on differences between Whirlpool, the Russian
GOST Streebog hash, and the recently proposed draft Russian
Encryption Standard Kuznyechik.
the automorphism $(-1)$ acting on it.
Kummer varieties can be seen as a higher dimensional generalisation of
the $x$-coordinate representation of a point of an elliptic curve
given by its Weierstrass model. Although there is no group law on the
set of points of a Kummer variety, there remains enough arithmetic
to enable the computation of exponentiations via a
Montgomery ladder based on differential additions.
In this paper, we explain that the arithmetic of a Kummer variety
is much richer than
usually thought. We describe a set of composition laws
which exhaust this arithmetic and show that these
laws may turn out to be useful in order to improve certain
algorithms. We explain how to compute efficiently these laws in the model of
Kummer varieties provided by level $2$ theta functions. We also
explain how to recover the full group law of the abelian variety
with a representation almost as compact and in many cases as efficient as
the level $2$ theta functions model of Kummer varieties.
k-SIS problem. The Boneh-Freeman reduction from SIS to k-SIS suffers from an exponential loss in k. We improve and extend it to an LWE to k-LWE reduction with a polynomial loss in k, by relying on a new technique involving trapdoors for random integer kernel lattices. Based on this hardness result, we present the first algebraic construction of a traitor tracing scheme whose security relies on the worst-case hardness of standard lattice problems. The proposed LWE traitor tracing is almost as efficient as the LWE encryption. Further, it achieves public traceability, i.e., allows the authority to delegate the tracing capability to untrusted parties. To this aim, we introduce the notion of projective sampling family in which each sampling function is keyed and, with a projection of the key on a well chosen space, one can simulate the sampling function in a computationally indistinguishable way. The construction of a projective sampling family from k-LWE allows us to achieve public traceability, by publishing the projected keys of the users. We believe that the new lattice tools and the projective sampling
family are quite general that they may have applications in other areas.
worst-case complexity of approximating the Shortest Vector Problem in ideal lattices within polynomial
factors. The distinguishing feature of our scheme is that it achieves short signatures (consisting of a
single lattice vector), and relatively short public keys (consisting of O(log n) vectors.) Previous lattice
schemes in the standard model with similarly short signatures, due to Boyen (PKC 2010) and Micciancio
and Peikert (Eurocrypt 2012), had substantially longer public keys consisting of Ω(n) vectors (even when
implemented with ideal lattices). We also present a variant of our scheme that further reduces the public
key size to just O(log log n) vectors and allows for a tighther security proof by making the signer stateful.