Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:
To receive your credentials via mail again, please click here.
You can also access the full news archive.
In this paper, we continue this line of research and show that most existing somewhat homomorphic encryption schemes are not IND-CCA1 secure. In fact, we show that these schemes suffer from key recovery attacks (stronger than a typical IND-CCA1 attack), which allow an adversary to recover the private keys through a number of decryption oracle queries. The schemes, that we study in detail, include those by Brakerski and Vaikuntanathan at Crypto 2011 and FOCS 2011, and that by Gentry, Sahai and Waters at Crypto 2013. We also develop a key recovery attack that applies to the somewhat homomorphic encryption scheme by van Dijk et al., and our attack is more efficient and conceptually simpler than the one developed by Zhang et al.. Our key recovery attacks also apply to the scheme by Brakerski, Gentry and Vaikuntanathan at ITCS 2012, and we also describe a key recovery attack for the scheme developed by Brakerski at Crypto 2012.
After formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for any set that can be decided by a polynomial-size circuit. Our VRFs have the same function values as the Boneh-Waters PRFs and are proved secure under the same hardness assumption, showing that verifiability comes at no cost. Constrained (functional) VRFs were stated as an open problem by Boyle et al.
leakage-resilient signatures secure against existential forgeries,
where the signature is much shorter than the leakage bound.
Current models of leakage-resilient signatures against existential
forgeries demand that the adversary cannot produce a new valid
message/signature pair $(m, \\sigma)$ even after receiving some
$\\lambda$ bits of leakage on the signing key. If $\\vert \\sigma \\vert
\\le \\lambda$, then the adversary can just choose to leak a valid
signature $\\sigma$, and hence signatures must be larger than the
allowed leakage, which is impractical as the goal often is to have
large signing keys to allow a lot of leakage.
We propose a new notion of leakage-resilient signatures against
existential forgeries where we demand that the adversary cannot
produce $n = \\lfloor \\lambda / \\vert \\sigma \\vert \\rfloor + 1$
distinct valid message/signature pairs
$(m_1, \\sigma_1), \\ldots, (m_n, \\sigma_n)$ after receiving
$\\lambda$ bits of leakage. If $\\lambda =
0$, this is the usual notion of existential unforgeability. If $1