International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, by Nicolas T. Courtois and Pinar Emi

  In this paper we study the question of key management and

practical operational security in bitcoin digital currency storage systems. We study the security two most used bitcoin HD Wallet key management solutions (e.g. in BIP032 and in earlier systems). These systems have extensive audit capabilities but this property comes at a very high price. They are excessively fragile. One small security incident in a remote corner of the system and everything collapses, all private keys can be recovered and ALL bitcoins within the remit of the system can be stolen. Privilege escalation attacks on HD Wallet solutions are not new. In this paper we take it much further. We propose new more advanced combination attacks in which the security of keys hold in cold storage can be compromised without executing any software exploit on the cold system, but through security incidents at operation such as bad random number or related random events.

In our new attacks all bitcoins over whole large security domains can be stolen by people who have the auditor keys which are typically stored in hot systems connected to the Internet and can be stolen easily. Our combination attacks allow to recover private keys which none of the earlier attacks in isolation could hope to recover. Classical bad random attacks typically concern only very few bitcoin accounts, and only some very lucky holders of bitcoins can actually steal other people\'s bitcoins.

In this paper we go beyond identical random attacks and show several

attacks which also work with related random events, which events are

more probable and yet less likely to be detected before it is too late. We also present several attacks which work across distinct security domains which share no common setup, code or keys. Yet in certain circumstances all the bitcoins in each domain can be stolen. All our attacks are practical and realistic given the numerous relevant events have already happened in the bitcoin blockchain hundreds of times, some as recently as September 2014.

It is not clear if this problem can be repaired, i.e. if there exists a key management solution with similar audit capabilities as BIP032 which would be immune against this sort of advanced combination attacks.

15:17 [Pub][ePrint] A Proxy Re-Encryption Scheme with the Unforgeability of Re-Encryption Keys against Collusion Attacks, by Ryotaro Hayashi and Tatsuyuki Matsushita

  Proxy re-encryption (PRE) schemes are cryptosystems which allow a proxy who has a re-encryption key to convert a ciphertext originally encrypted for one party into a ciphertext which can be decrypted by another party. In IWSEC 2011, Hayashi et al. proposed the new security notion for PRE called ``unforgeability of re-encryption keys against collusion attacks,\'\' UFReKey-CA for short. They proposed the PRE schemes and claimed that their schemes meet UFReKey-CA. However, Isshiki et al. pointed out that the schemes do not meet UFReKey-CA in IWSEC 2013. It is an open problem of constructing the scheme which meets UFReKey-CA. In this paper, we propose new PRE schemes which meet confidentiality (RCCA security) assuming that the q-wDBDHI problem is hard and meet UFReKey-CA assuming that the 2-DHI problem is hard.

13:45 [Event][New] IWSEC 2015: The 10th International Workshop on Security

  Submission: 31 March 2015
Notification: 22 May 2015
From August 26 to August 28
Location: Nara, Japan
More Information:

06:17 [Pub][ePrint] Verifiable computation using multiple provers, by Andrew J. Blumberg and Justin Thaler and Michael Walfish and Victor Vu

  The increasing ubiquity of the cloud computing paradigm has renewed focus on the classical problem of allowing weak clients to check the results of computation delegated to powerful servers. Recent advances in proof-based verifiable computation have led to several near-practical protocols. Protocols based on interactive proofs (IPs) work with highly restrictive models of computation and are thus efficient only for a limited class of computations. In contrast, protocols based on argument systems apply to a much larger class of computations, but efficiency requires amortization of very expensive setup costs.

This paper initiates the study of the practical efficiency of multiprover interactive proofs (MIPs). We present a new MIP for delegating computation that extends insights from a powerful IP protocol (Goldwasser et al., STOC, 2008). Without reductions or amplification, our protocol uses only two provers (departing from prior work on MIPs), and achieves both the efficiency of interactive proof-based protocols and the generality of argument system-based protocols. Also, this result, together with recently developed machinery, creates a potential avenue toward concretely efficient arguments without setup costs.

We describe Clover, a built system for verifiable computation, based on our protocol. Although Clover does not implement the full theory (it has setup costs), it applies to problems that existing IPs cannot efficiently handle, and achieves performance comparable to, or better than, the best argument systems.

03:17 [Pub][ePrint] Two-Round Adaptively Secure MPC from Indistinguishability Obfuscation, by Sanjam Garg and Antigoni Polychroniadou

  Adaptively secure multiparty computation first studied by Canetti, Feige, Goldreich, and Naor in 1996, is a fundamental notion in cryptography. Adaptive security is particulary hard to achieve in settings where arbitrary number of parties can be corrupted and honest parties are not trusted to properly erase their internal state. We still do not know how to realize constant round protocols for this task against even if we were to restrict ourselves to semi-honest adversaries and to the simpler two-party setting. Specifically the round complexity of known protocols grows with the depth of the circuit the parties are trying to compute.

In this work, using indistinguishability obfuscation, we construct a UC-secure two-round adaptively secure multiparty computation protocol.

03:17 [Pub][ePrint] Adaptively Secure Two-party Computation From Indistinguishability Obfuscation , by Ran Canetti and Shafi Goldwasser and Oxana Poburinnaya

  We present the first two-round, two-party general function evaluation protocol that is secure against honest-but-curious adaptive corruption of both parties. In addition, the protocol is incoercible for one of the parties, and fully leakage tolerant. It requires a global (non-programmable) reference string and is based on one way functions and general-purpose indistinguishability obfuscation with sub-exponential security, as well as augmented non-committing encryption.

A Byzantine version of the protocol, obtained by applying the Canetti et al. [STOC 02] compiler, achieves UC security with comparable efficiency parameters, but is no longer incoercible.

16:33 [Event][New] SECITC '15: 8th Int'l Conference on Security for Information Technology&Communications

  Submission: 1 March 2015
Notification: 20 March 2015
From June 11 to June 12
Location: Bucharest, Romania
More Information:

16:33 [Job][New] Postdoctoral Researcher (Drone Security), University College Cork, Ireland

  The Computer Security Group in the Department of Computer Science conducts basic and applied research in computer security. The group is supported externally by national funding agencies and Irish and international companies.

Applications are invited for a post-doctoral researcher position (Drone System Security). The selected applicant will be supported in making a submission to the Irish Research Council for a Post-Doctoral Fellowship award. Recipients of this award receive funding of approximately Euro31,000 per annum for two years. The offer is conditional on obtaining this award from the Irish Research Council. The position is open to applicants of any nationality or residency.

The project will consider system security issues in Unmanned Autonomous Vehicles (UAV). The research will focus on platform vulnerabilities and the development of new security mechanisms.

Applicants should have a PhD in Computer Science or a closely related discipline with research interests in computer security, preferably at systems and/or networking level. Candidates are expected to have a high-quality publication record in the related field. Experience with embedded systems development will be an advantage.

The deadline for submitting an application to the Irish Research Council is November 27, 2014, with the successful applicant starting work at UCC in October 2015. Interested candidates should submit a Curriculum Vitae and the name of two referees to Dr. Simon Foley (s.foley (at) and Dr. Jonathan Petit (j.petit (at), not later than November 1, 2014.

15:17 [Pub][ePrint] Semantically Secure Order-Revealing Encryption: Multi-Input Functional Encryption Without Obfuscation, by Dan Boneh and Kevin Lewi and Mariana Raykova and Amit Sahai and Mark Zhandry and Joe Zimmerman

  Deciding \"greater-than\" relations among data items just given their encryptions is at the heart of search algorithms on encrypted data, most notably, non-interactive binary search on encrypted data. Order-preserving encryption provides one solution, but provably provides only limited security guarantees. Two-input functional encryption is another approach, but requires the full power of obfuscation machinery and is currently not implementable.

We construct the first implementable encryption system supporting greater-than comparisons on encrypted data that provides the \"best-possible\" semantic security. In our scheme there is a public algorithm that given two ciphertexts as input, reveals the order of the corresponding plaintexts and nothing else. Our constructions are inspired by obfuscation techniques, but do not use obfuscation. For example, to compare two 16-bit encrypted values (e.g., salaries or age) we only need a 9-way multilinear map. More generally, comparing $k$-bit values requires only a $(k/2+1)$-way multilinear map. The required degree of multilinearity can be further reduced, but at the cost of increasing ciphertext size.

Beyond comparisons, our results give an implementable secret-key multi-input functional encryption scheme for functionalities that can be expressed as (generalized) branching programs of polynomial length and width. Comparisons are a special case of this class, where for $k$-bit inputs the branching program is of length $k+1$ and width $4$.

15:17 [Pub][ePrint] Implementation and Evaluation of a Leakage-Resilient ElGamal Key Encapsulation Mechanism, by David Galindo and Johann Gro{\\ss}sch{\\\"a}dl and Zhe Liu and Praveen Kumar Vadnala and Srinivas Vivek

  Leakage-resilient cryptography aims to extend the rigorous guarantees achieved through the provable security paradigm to physical implementations. The constructions and mechanisms designed on basis of this new approach inevitably suffer from an Achilles heel: a bounded leakage assumption is needed. Currently, a huge gap exists between the theory of such designs and their implementation to confirm the leakage resilience in practice. The present work tries to narrow this gap for the leakage-resilient bilinear ElGamal key encapsulation mechanism (BEG-KEM) proposed by Kiltz and Pietrzak in 2010. Our first contribution is a variant of the bounded-leakage and the only-computation-leaks model that is closer to practice. We weaken the restriction on the image size of~the leakage functions in these models and only insist that the inputs to the leakage functions have sufficient min-entropy left, in spite of the leakage, with no limitation on the quantity of this leakage. We provide a novel security reduction for BEG-KEM in this relaxed leakage model using the generic bilinear group axiom. Secondly, we show that a naive implementation of the exponentiation in BEG-KEM makes it impossible to meet the leakage bound. Instead of trying to find an exponentiation algorithm that meets the leakage axiom (which is a non-trivial problem in practice), we propose an advanced scheme, BEG-KEM+, that avoids exponentiation by a secret value, but rather uses an encoding into the base group due to Fouque and Tibouchi. Thirdly, we present a software implementation of BEG-KEM+ based on the Miracl library and provide detailed experimental results. We also assess its (theoretical) resistance against power analysis attacks from a practical perspective, taking into account the state-of-the-art in side-channel cryptanalysis.

15:17 [Pub][ePrint] An Improved Transformation between HILL and Metric Conditional Pseudoentropy, by Maciej Skorski

  HILL Entropy and Metric Entropy are generalizations of the information-theoretic notion of min-entropy to the setting where an adversary is computationally bounded.

The notion of HILL Entropy appeared in the breakthrough construction of a PRG from any one-way function, and has become the most important and most widely used definition of computational entropy. In turn, Metric Entropy which is defined as a relaxation of HILL Entropy, has been proven to be much easier to handle, in particular in the context of computational generalizations of the Dense Model Theorem.

Fortunately, Metric Entropy can be converted, with some loss in quality, to HILL Entropy as shown by Barak, Shaltiel and Wigderson.

In this paper we improve their result, slightly reducing the loss in quality of entropy. Interestingly, our bound is independent of size of the probability space in comparison to the result of Barak et al. Our approach is based on the theory of convex approximation in $L^p$-spaces.