International Association for Cryptologic Research

IACR News Central


19:17 [Pub][ePrint] Zero-knowledge Argument for Polynomial Evaluation with Application to Blacklists, by Stephanie Bayer and Jens Groth

  Verification of a polynomial's evaluation in a secret committed value plays a role in cryptographic applications such as non-membership or membership proofs. We construct a novel special honest verifier zero-knowledge argument for correct polynomial evaluation. The argument has logarithmic communication cost in the degree of the polynomial, which is a significant improvement over the state of the art with cubic root complexity at best. The argument is relatively efficient to generate and very fast to verify compared to previous work. The argument has a simple public-coin 3-move structure and only relies on the discrete logarithm assumption.

The polynomial evaluation argument can be used as a building block to construct zero-knowledge membership and non-membership arguments with communication that is logarithmic in the size of the blacklist. Non-membership proofs can be used to design anonymous blacklisting schemes allowing online services to block misbehaving users without learning the identity of the user. They also allow the blocking of single users of anonymization networks without blocking the whole
19:17 [Pub][ePrint] Tighter Reductions for Forward-Secure Signature Schemes, by Michel Abdalla and Fabrice Benhamouda and David Pointcheval

  In this paper, we revisit the security of factoring-based signature schemes built via the Fiat-Shamir transform and show that they can admit tighter reductions to certain decisional complexity assumptions such as the quadratic-residuosity, the high-residuosity, and the $\phi$-hiding assumptions. We do so by proving that the underlying identification schemes used in these schemes are a particular case of the lossy identification notion recently introduced by Abdalla et al. at Eurocrypt 2012. Next, we show how to extend these results to the forward-security setting based on ideas from the Itkis-Reyzin forward-secure signature scheme. Unlike the original Itkis-Reyzin scheme, our construction can be instantiated under different decisional complexity assumptions and has a much tighter security reduction. Finally, we show that the tighter security reductions provided by our proof methodology can result in concrete efficiency gains in practice, both in the standard and forward-security setting, as long as the use of stronger security assumptions is deemed acceptable. All of our results hold in the random oracle model.

19:17 [Pub][ePrint] SCA Resistance Analysis of Sponge based MAC-PHOTON, by N. Nalla Anandakumar

  PHOTON is a lightweight hash function which was proposed by Guo et al. at CRYPTO 2011 for low-resource ubiquitous computing devices such as RFID tags, wireless sensor nodes and smart cards. In this paper, we analyze the Side-Channel Attack (SCA) resistance of FPGA (Field-Programmable Gate Array) implementations of PHOTON when it is used with a secret key to generate a Message Authentication Code (MAC). First, we describe three architectures of MAC-PHOTON based on the concepts of iterative, folding and unrolling, and we provide their performance results on Xilinx Virtex-5 FPGAs. Second, we analyse the security of MAC-PHOTON against side-channel attacks using a SASEBO-GII development board.

19:17 [Pub][ePrint] Side-Channel Protection by Randomizing Look-Up Tables on Reconfigurable Hardware - Pitfalls of Memory Primitives, by Pascal Sasdrich and Oliver Mischke and Amir Moradi and Tim Güneysu

  Block Memory Content Scrambling (BMS), presented at CHES 2011, enables an effective way of first-order side-channel protection for cryptographic primitives at the cost of a significant reconfiguration time for the mask update. In this work we analyze alternative ways to implement dynamic first-order masking of AES with randomized look-up tables that can reduce this mask update time. The memory primitives we consider in this work include three distributed RAM components (RAM32M, RAM64M, and RAM256X1S) and one BRAM primitive (RAMB8BWER). We provide a detailed study of the area and time overheads of each implementation technique with respect to the operation (encryption) as well as reconfiguration (mask update) phase. We further compare the achieved security of each technique to prevent first-order side-channel leakages. Our evaluation is based on one of the most general forms of leakage assessment methodology known as non-specific t-test. Practical SCA evaluations (using a Spartan-6 FPGA platform) demonstrate that solely the BRAM primitive but none of the distributed RAM elements can be used to realize an SCA-protected implementation.

19:17 [Pub][ePrint] Side-Channel Security Analysis of Ultra-Low-Power FRAM-based MCUs, by Amir Moradi and Gesine Hinterwälder

  By shrinking the technology and reducing the energy requirements of integrated circuits, producing ultra-low-power devices has practically become possible. Texas Instruments as a pioneer in developing FRAM-based products announced a couple of different microcontroller (MCU) families based on the low-power and fast Ferroelectric RAM technology. Such MCUs come with embedded cryptographic module(s) as well as the assertion that - due to the underlying ultra-low-power technology - mounting successful side-channel analysis (SCA) attacks has become very difficult. In this work we practically evaluate this claimed hardness by means of state-of-the-art power analysis attacks. The leakage sources and corresponding attacks are presented in order to give an overview on the potential risks of making use of such platforms in security-related applications. In short, we partially confirm the given assertion. Some modules, e.g., the embedded cryptographic accelerator, can still be attacked but with slightly immoderate effort. On the contrary, the other leakage sources are easily exploitable leading to straightforward attacks being able to recover the secrets.

19:17 [Pub][ePrint] Evaluating the Duplication of Dual-Rail Precharge Logics on FPGAs, by Alexander Wild and Amir Moradi and Tim Güneysu

  Power-equalization schemes for digital circuits aim to harden cryptographic designs against power analysis attacks. With respect to dual-rail logics, most of these schemes were originally designed for ASIC platforms, but much effort has been spent to map them to FPGAs as well. A particular challenge here is to apply those schemes to the predefined logic structures of FPGAs (i.e., slices, LUTs, FFs, and routing switch boxes), for which special tools are required. Due to the absence of such routing tools, Yu and Schaumont presented the idea of duplicating (i.e., dualizing) a fully-placed-and-routed dual-rail precharge circuit with equivalent routing structures on an FPGA. They adopted this architecture from WDDL, providing the Double WDDL (DWDDL) scheme.

In this work we show that this general technique - regardless of the underlying dual-rail logic - is incapable of properly preventing side-channel leakages. Besides theoretical investigations on this issue, we present practical evaluations on a Spartan-6 FPGA to demonstrate the flaws in such an approach. In detail, we consider an AES-128 encryption module realized in three dual-rail precharge logic styles as a case study and show that none of those schemes can provide the desired level of protection.

18:52 [Job][New] Research Scientist, Senior Research Scientist, Nanyang Technological University, Singapore

  Temasek Laboratories at Nanyang Technological University in Singapore is looking for both junior and senior researchers to fill 3 positions of Research Scientist or Senior Research Scientist in the areas of symmetric key cryptography and lightweight cryptography. Both fresh PhDs and experienced researchers are welcome to apply.

Salaries are globally competitive and are determined according to the successful applicants' accomplishments, experience and qualifications. The review process starts immediately and will continue until all positions are filled.

00:11 [Job][New] Ph.D. position, Ruhr-University Bochum, Horst-Goertz Institute

  We are looking for outstanding candidates for a PhD position with strong interest in cryptography, and in particular practice-oriented provable security. Topics of interest may include: provable security of cryptographic implementations, security analysis of random number generators, cryptographic protocols, computer-assisted security proofs.

The PhD position is funded by the DFG Research Training Group UbiCrypt, which is part of the Horst-Görtz-Institute. The Horst-Görtz-Institute is a leading university-based institution for interdisciplinary research in the field of IT security and cryptography and offers an attractive research environment.

Applicants are required to have completed (or be close to completing) a Bachelor, Master, or Diplom with outstanding grades in Computer Science, Mathematics, or closely related areas. Additional knowledge in related disciplines such as, e.g., complexity theory or IT security is welcome. The working and teaching language is English.

Please send your application to Sebastian Faust via e-mail. Applications should contain a CV, a short letter of motivation, copies of transcripts and certificates, and (if possible) names of references. Review of applications will start immediately and continue until the position has been filled.

16:26 [Event][New] SECRYPT 2015: 12th International Conference on Security and Cryptography

  Submission: 17 March 2015
Notification: 16 May 2015
From July 20 to July 22
Location: Colmar, France
More Information:

10:17 [Pub][ePrint] On Time and Order in Multiparty Computation, by Pablo Azar and Shafi Goldwasser and Sunoo Park

  The availability of vast amounts of data is changing how we can make medical discoveries, predict global market trends, save energy, improve our infrastructures, and develop new educational strategies. One obstacle to this revolution is the willingness of different entities to share their data with others.

The theory of secure multiparty computation (MPC) seemingly addresses this problem in the best way possible. Namely, parties learn the minimum necessary information: the value of the function computed on their joint data and nothing else. However, the theory of MPC does not deal with an important aspect: \emph{when} do different players receive their output? In time-sensitive applications, the timing and order of output discovery may be another important deciding factor in whether parties choose to share their data via the MPC.

In this work, we incorporate time and order of output delivery into the theory of MPC. We first extend classical MPC to \emph{ordered MPC} where different players receive their outputs according to an order which in itself is computed on the inputs to the protocol, and we refine the classical notions of guaranteed output delivery and fairness to require instead \emph{ordered output delivery} and \emph{prefix-fairness}. We then define \emph{timed-delay MPCs} where explicit time delays are introduced into the output delivery schedule. We show general completeness theorems for ordered MPCs and timed-delay MPCs. We also introduce a new primitive called \emph{time-line puzzles}, which are a natural extension of classical timed-release crypto, in which multiple events can be serialized in time.

Next, we show how ordered MPC can give rise to MPCs which are provably ``worth'' joining, in competitive settings where relative time of output discovery may deter parties from joining the protocol. We formalize a model of collaboration and design a mechanism in which $n$ self-interested parties can decide, based on their inputs, on an ordering of output delivery and a distribution of outputs to be delivered in the mandated order. The mechanism guarantees a higher reward \emph{for all participants} when joining an ordered MPC or declares that such a guarantee is impossible to achieve. We show a polynomial time algorithm to compute the mechanism for a range of model settings.

10:17 [Pub][ePrint] A Simple Method for Obtaining Relations Among Factor Basis Elements for Special Hyperelliptic Curves, by Palash Sarkar and Shashank Singh

  Nagao had proposed a decomposition method for divisors of hyperelliptic curves defined over a field $\rF_{q^n}$ with $n\geq 2$. Joux and Vitse had later proposed a variant which provided relations among the factor basis elements. Both Nagao's and the Joux-Vitse methods require solving a multi-variate system of non-linear equations. In this work, we revisit Nagao's approach with the idea of avoiding the requirement of solving a multi-variate system. While this cannot be done in general, we are able to identify special cases for which this is indeed possible. Our main result is for curves $C:y^2=f(x)$ of genus $g$ defined over $\rF_{q^2}$ having characteristic greater than two. If $f(x)$ has at most $g$ consecutive coefficients which are in $\rF_{q^2}$ while the rest are in $\rF_q$, then we show that it is possible to obtain a single relation in about $(2g+3)!$ trials. The method combines well with a sieving method proposed by Joux and Vitse. Our implementation of the resulting algorithm provides examples of factor basis relations for $g=5$ and $g=6$. We believe that none of the other methods known in the literature can provide such relations faster than our method. Other than obtaining such decompositions, we also explore the applicability of our approach for $n>2$ and also for binary characteristic fields.