International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

13:17 [Pub][ePrint] Post-Quantum Secure Onion Routing (Future Anonymity in Today\'s Budget), by Satrajit Ghosh and Aniket Kate

  The onion routing (OR) network Tor provides anonymity to its users by routing their encrypted traffic through three proxies (or nodes). The key cryptographic challenge, here, is to establish symmetric session keys using a secure key exchange between the anonymous users and the selected nodes. The Tor network currently employs a one-way authenticated key exchange (1W-AKE) protocol \'ntor\' for this purpose. Nevertheless, ntor as well as other known 1W-AKE protocols rely solely on some classical Diffie-Hellman (DH) type assumptions for their (forward) security, and thus privacy of Today\'s anonymous communication could not be ensured once quantum computers arrive.

In this paper, we demonstrate utility of quantum-secure lattice-based cryptography towards solving this problem for onion routing. In particular, we present a novel hybrid 1W-AKE protocol (HybridOR) that is secure under the lattice-based ring learning with error (ring-LWE) assumption as well as the gap DH assumption. Due to its hybrid design, HybridOR is not only resilient against quantum attacks but also at the same time allows the OR nodes to use the current DH public keys and subsequently requires no modification to the the current Tor public key infrastructure. Moreover, thanks to the recent progress in lattice-based cryptography in the form of efficient ring-based constructions, our protocol is also computationally more efficient than the currently employed 1W-AKE protocol ntor, and it only introduces small and manageable communication overhead to the Tor protocol.

19:17 [Pub][ePrint] Onion ORAM: A Constant Bandwidth and Constant Client Storage ORAM (without FHE or SWHE), by Srinivas Devadas and Marten van Dijk and Christopher W. Fletcher and Ling Ren

  We present techniques to construct constant bandwidth, client storage and server storage blowup Oblivious RAM schemes in the (single-server) client-server setting.

Crucially, our constructions \\emph{do not rely on Fully Homomorphic Encryption (FHE) or Somewhat Homomorphic Encryption (SWHE)}

but instead rely only on an public-key additive homomorphic encryption scheme such as the Paillier or Damg\\r{a}rd-Jurik Cryptosystem cryptosystem.

The key mechanism that we use to get constant bandwidth overhead is \\emph{layered encryption}: to perform an ORAM eviction operation, the server performs an oblivious permutation operation on the eviction candidate blocks \\emph{without sending any data blocks back to the client}.

After each permutation, each block that was involved in the permutation gets an additional layer of encryption.

Importantly, the bandwidth needed for this operation is independent of the data block size.

If layered encryption is combined with previous ORAM schemes na\\\"{i}vely, the number of layers grows unbounded (with the number of accesses made to the ORAM).

This blows up server storage and bandwidth (due to ciphertext blowup) as well as client computation (as the client must ``peel\'\' off all layers to get the underlying plaintext).

To address this challenge, we propose \\emph{Onion ORAM}, a new ORAM scheme that is designed and optimized to bound the number of encryption layers on each block to $\\tilde{O}(\\log N)$, where $N$ is the number of blocks in the ORAM---\\emph{i.e., independent of the number of ORAM accesses}.

Putting it together, with sufficiently large block size $B=\\Omega(k \\log^2 N \\log^2 \\log N)$~bits for a security parameter $k$, Onion ORAM achieves $O(B)$ bandwidth, $O(B)$ client storage and $O(BN)$ server storage--only a constant factor blowup in all the three metrics.

Using the Damg\\r{a}rd-Jurik cryptosystem as our underlying primitive, Onion ORAM achieves the aforementioned asymptotics for block sizes $B=\\Omega(\\log^5 N \\log^2 \\log N)$~bits and security against known attacks with complexity $O\\left(N^{\\omega(1)}\\right)$, superpolynomial in the security parameter.

19:17 [Pub][ePrint] Two-Server Password-Authenticated Secret Sharing UC-Secure Against Transient Corruptions, by Jan Camenisch and Robert R. Enderlein and Gregory Neven

  Protecting user data entails providing authenticated users access to their data.

The most prevalent and probably also the most feasible approach to the latter is by username and password.

With password breaches through server compromise now reaching billions of affected passwords, distributing the password files and user data

over multiple servers is not just a good idea, it is a dearly needed solution to a topical problem.

Threshold password-authenticated secret sharing (TPASS) protocols enable users to share secret data among a set of servers so that they can later recover that data using a single password.

No coalition of servers up to a certain threshold can learn anything about the data or perform an offline dictionary attack on the password.

Several TPASS protocols have appeared in the literature and one is even available commercially.

Although designed to tolerate corrupted servers,

unfortunately none of these protocols provide details let alone security proofs about the steps that need to be taken when a compromise actually occurs

and how to proceed.

Indeed, they consider static corruptions only which for instance does not model real world attacks by hackers.

We provide the first TPASS protocol that is provably secure against adaptive server corruptions.

Moreover, our protocol contains an efficient recovery procedure allowing one to re-initialize servers to recover from corruption.

We prove our protocol secure in the universal composability model where servers can be corrupted adaptively at any time; the users\' passwords and secrets remain safe as long as both servers are not corrupted at the same time.

Our protocol does not require random oracles but does assume that servers have certified public keys.

19:17 [Pub][ePrint] Balloon: A Forward-Secure Append-Only Persistent Authenticated Data Structure, by Tobias Pulls and Roel Peeters

  We present Balloon, a forward-secure append-only persistent authenticated data structure. Balloon is designed for an initially trusted author that generates events to be stored in a data structure (the Balloon) kept by an untrusted server, and clients that query this server for events intended for them based on keys and snapshots. The data structure is persistent such that clients can query keys for the current or past versions of the data structure based upon snapshots, which are generated by the author as new events are inserted. The data structure is authenticated in the sense that the server can verifiably prove all operations with respect to snapshots created by the author. No event inserted into the data structure prior to the compromise of the author can be modified or deleted without detection.

Balloon supports efficient (non-)membership proofs and verifiable inserts by the author, enabling the author to verify the correctness of inserts without having to store a copy of the Balloon. We also sketch how to use Balloon to enable client-specific forward-secure author consistency. In case of author inconsistency, a client can make a publicly verifiable statement that shows that the author was inconsistent with respect to his events.

10:17 [Pub][ePrint] A note on the security of Higher-Order Threshold Implementations, by Oscar Reparaz

  At ASIACRYPT 2014, Bilgin et al. describe higher-order threshold implementations: a masking countermeasure claiming resistance against higher-order differential power analysis attacks. In this note, we point out that higher-order threshold implementations do not necessarily provide higher-order security. We give as counterexamples two concrete higher-order threshold implementations that exhibit a second order flaw.

10:17 [Pub][ePrint] Characterization of MDS mappings, by S. M. Dehnavi and A. Mahmoodi Rishakani and M. R. Mirzaee Shamsabad

  MDS codes and matrices are closely related to combinatorial objects like orthogonal arrays and multipermutations. Conventional

MDS codes and matrices were defined on finite fields, but several generalizations of this concept has been done up to now.

In this note, we give a criterion for verifying whether a map is MDS or not.

10:17 [Pub][ePrint] Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security, by Baodong Qin and Shengli Liu and Tsz Hon Yuen and Robert H. Deng and Kefei Chen

  Related-Key Attacks (RKAs) allow an adversary to observe the outcomes of a cryptographic primitive under not only its original secret key e.g., $s$, but also a sequence of modified keys $\\phi(s)$, where $\\phi$ is specified by the adversary from a class $\\Phi$ of so-called Related-Key Derivation (RKD) functions. This paper extends the notion of non-malleable Key Derivation Functions (nm-KDFs), introduced by Faust et al. (EUROCRYPT\'14), to \\emph{continuous} nm-KDFs. Continuous nm-KDFs have the ability to protect against any a-priori \\emph{unbounded} number of RKA queries, instead of just a single time tampering attack as in the definition of nm-KDFs. Informally, our continuous non-malleability captures the scenario where the adversary can tamper with the original secret key repeatedly and adaptively. We present a novel construction of continuous nm-KDF for any polynomials of bounded degree over a finite field. Essentially, our result can be extended to richer RKD function classes possessing properties of \\emph{high output entropy and input-output collision resistance}. The technical tool employed in the construction is the one-time lossy filter (Qin et al. ASIACRYPT\'13) which can be efficiently obtained under standard assumptions, e.g., DDH and DCR. We propose a framework for constructing $\\Phi$-RKA-secure IBE, PKE and signature schemes, using a continuous nm-KDF for the same $\\Phi$-class of RKD functions. Applying our construction of continuous nm-KDF to this framework, we obtain the first RKA-secure IBE, PKE and signature schemes for a class of polynomial RKD functions of bounded degree under \\emph{standard} assumptions. While previous constructions for the same class of RKD functions all rely on non-standard assumptions, e.g., $d$-extended DBDH assumption.

10:17 [Pub][ePrint] Oblivious Polynomial Evaluation and Secure Set-Intersection from Algebraic PRFs, by Carmit Hazay

  In this paper we study the two fundamental functionalities oblivious polynomial evaluation in the exponent and set-intersection, and introduce a new technique for designing efficient secure protocols for these problems (and others). Our starting point is the [BenabbasGV11] technique (CRYPTO 2011) for verifiable delegation of polynomial evaluations, using algebraic PRFs. We use this tool, that is useful to achieve verifiability in the outsourced setting, in order to achieve privacy in the standard two-party setting. Our results imply new simple and efficient oblivious polynomial evaluation (OPE) protocols. We further show that our OPE protocols are readily used for secure set-intersection, implying much simpler protocols in the plain model. As a side result, we demonstrate the usefulness of algebraic PRFs for various search functionalities, such as keyword search and oblivious transfer with adaptive queries. Our protocols are secure under full simulation-based definitions in the presence of malicious adversaries.

22:17 [Pub][ePrint] On the Cryptographic Hardness of Finding a Nash Equilibrium, by Nir Bitansky and Omer Paneth and Alon Rosen

  We prove that finding a Nash equilibrium of a game is hard, assuming the existence of indistinguishability obfuscation and injective one-way functions with sub-exponential hardness. We do so by showing how these cryptographic primitives give rise to a hard computational problem that lies in the complexity class PPAD, for which finding Nash equilibrium is known to be complete.

Previous proposals for basing PPAD-hardness on program obfuscation considered a strong \"virtual black-box\" notion that is subject to severe limitations and is unlikely to be realizable for the programs in question. In contrast, for indistinguishability obfuscation no such limitations are known, and recently, several candidate constructions of indistinguishability obfuscation were suggested based on different hardness assumptions on multilinear maps.

Our result provides further evidence of the intractability of finding a Nash equilibrium, one that is extrinsic to the evidence presented so far.

13:17 [Pub][ePrint] How to Generate Repeatable Keys Using Physical Unclonable Functions Correcting PUF Errors with Iteratively Broadening and Prioritized Search, by Nathan E. Price and Alan T. Sherman

  We present an algorithm for repeatably generating keys using entropy from a Physical Unclonable Function (PUF). PUFs are logically identical physical constructs with Challenge-Response Pairs (CRPs) unique to each device. Applications include initialization of server keys and encryption of FPGA configuration bitstreams. One problem with PUFs is response errors. Our algorithm corrects PUF errors that inhibit key repeatability.

Our approach uses a PUF to generate an error-free PUF value in three steps. First, we repeatedly sample the PUF to determine the most likely value. Second, we apply an iteratively-broadening search to search up to some number of bit errors (in our experiments we use two). Third, we apply exhaustive search until the correct value is found or failure is declared. The searches are prioritized by the known bit error rates in decreasing magnitude. We assume the application includes a test for the correct value (e.g., some matching plaintext-ciphertext pairs).

Previous algorithms often omit noisy PUF bits or use error-correcting codes and helper data. Our algorithm can use all PUF bits regardless of noise. Our approach is simple, and for appropriate parameter choices, fast. Unlike previous approaches using error-correcting codes, when used for public-key cryptography our method requires storing only the public key and no other helperdata in non-volatile storage.

We implemented a latch-based PUF on FPGAs and measured PUF characteristics to analyze the effectiveness of the algorithm. Tests for a 1024-bit PUF show 351 samples reduce the probability of errors to less than 10^-6. The iterative broadening and exhaustive searches further reduce failure rates.

13:17 [Pub][ePrint] Cryptanalysis of a New Additive Homomorphic Encryption based on the co-ACD Problem, by Moon Sung Lee

  In CCS\'14, Cheon et al. proposed a new additive homomorphic encryption scheme

which is claimed to be the most efficient among the additive homomorphic encryption schemes.

The security is proved based on the hardness of a new problem, the (decisional) co-approximate common divisor problem.

In this paper,

we cryptanalyze the scheme and investigate the hardness of an aforementioned problem.

Our first result

shows that

Cheon et al.\'s scheme is insecure for the range of parameters considered in the original paper~\\cite{CLSCCS14}.

Experiments show that the message can be recovered in seconds for the proposed parameters.

We also analyze the condition of the parameters to thwart the proposed attack.

As a second result,

we show that the co-approximate common divisor problem

is easy for the similar range of parameters,

in condition that the modulus is known and is a product of two primes.

In our estimate, to thwart the proposed attack,

the parameters should be enlarged many times.

Apart from the scheme,

the co-approximate common divisor problem itself is interestingly related

to the well-known hard problem, an approximate common divisor problem.

And further investigation on this relationship would be desirable.