International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

06:17 [Pub][ePrint] Hybrid Publicly Verifiable Computation, by James Alderman and Christian Janson and Carlos Cid and Jason Crampton

  Publicly Verifiable Outsourced Computation (PVC) allows weak devices to delegate computations to more powerful servers, and to verify the correctness of results.

Delegation and verification rely only on public parameters, and thus PVC lends itself to large multi-user systems where entities need not be registered, yet in such settings the individual user requirements may be diverse.

In this paper, we introduce Hybrid PVC (HPVC) which, with a single setup stage, provides a flexible solution to outsourced computation supporting standard PVC, the enforcement of access control policies restricting the servers that may evaluate a given computation, and a reversed model of PVC which we call Verifiable Delegable Computation (VDC) where data is held remotely by servers. We provide formal frameworks and constructions for such systems.

06:17 [Pub][ePrint] Size-Hiding in Private Set Intersection: what can be done and how to do it without random oracles, by Paolo D\'Arco and Maria Isabel Gonzalez Vasco and Angel L. Perez del Pozo and Clauido Soriente

  In this paper we focus our attention on private set intersection protocols, through which two parties, each holding a set of inputs drawn from a ground set, jointly compute the intersection of their sets. Ideally, no further information than which elements are actually shared is compromised to the other party, yet the input set sizes are often considered as admissible leakage. Considering the (more restricted) size-hiding scenario, we are able to:

- prove that it is impossible to realize an unconditionally secure set intersection protocol (size-hiding or not);

- prove that unconditionally secure size-hiding set intersection is possible in a model where a set up authority provides certain information to the two parties and disappears;

- provide several new computationally secure size-hiding set intersection protocols.

Regarding the latter, in particular we provide a new generic construction without random oracles for the unbalanced setting,

where only the client gets the intersection and hides the size of its set of secrets. The main tool behind this design are smooth projective hash functions for languages derived from perfectly-binding commitments. We stand on the seminal ideas of Cramer-Shoup and Gennaro-Lindell, which have already found applications in several other contexts, such as password-based authenticated key exchange and oblivious transfer.

06:17 [Pub][ePrint] Transformation-Based Outsourcing of Linear Equation Systems over Real Numbers, by Peeter Laud and Alisa Pankova

  This paper studies the possibility of achieving indistinguishability-based security in privately outsourcing linear equation systems over real numbers. The particular task is to solve a full-rank (n x n) system Ax = b. Since the most complex part of this task is inverting A, the problem can be reduced to outsourcing of a square matrix inverse computation. Although outsourcing matrix inverse is trivial for matrices over finite fields, it is not so easy for matrices over real numbers. We study the class of affine transformations for matrices over real numbers, find out which forms are possible at all, and state some properties that the transformation and the initial matrices must satisfy in order to make the initial matrices perfectly (or statistically) indistinguishable after applying the transformation. This paper provides both possibility and impossibility results.

06:17 [Pub][ePrint] Efficient, Pairing-Free, One Round Attribute-Based Authenticated Key Exchange, by Suvradip Chakraborty and Srinivasan Raghuraman and Pandu Rangan C

  In this paper, we present a single round two-party attribute-based authenticated key exchange protocol. Since pairing is a costly operation and the composite order groups must be very large to ensure security, we focus on pairing free protocols in prime order groups. We propose a new protocol that is pairing free, working in prime order group and having tight reduction to Strong Diffie Hellman (SDH) problem under the Attribute-based CK model which is a natural extension of the CK model for the public key setting. Thus, the first major advantage is that smaller key sizes are sufficient to achieve

comparable security. Our scheme has several other advantages. The major one being the capability to handle active adversaries. All the previous Attribute-Based authenticated key exchange protocols can offer security only under passive adversaries. Our protocol recognizes the corruption by an active adversary and aborts the process. Ours is the first scheme achieving this property. We also show how to modify our construction to achieve anonymity of access structure of users. Our attribute-based authenticated key exchange is also the first that enjoys this property. In addition to this property, our scheme satisfies other security properties that are not covered by CK model such as forward secrecy, key compromise impersonation attacks and ephemeral key compromise impersonation attacks.

06:17 [Pub][ePrint] A Note on Lower Bounds for Non-interactive Message Authentication Using Weak Keys, by Divesh Aggarwal and Alexander Golovnev

  In this note, we prove lower bounds on the amount of entropy of random sources necessary for secure message authentication. We consider the problem of non-interactive c-time message authentication using a weak secret key having min-entropy k. We show that existing constructions using (c+1)-wise independent hash functions are optimal.

This result resolves one of the main questions left open by the work of Dodis and Spencer [DS02] who considered this problem for one-time message authentication of one-bit messages.

03:17 [Pub][ePrint] Certificate-Based Encryption Resilient to Key Leakage, by Qihong Yu and Jiguo Li and Yichen Zhang and Wei Wu and Xinyi Huang and Yang Xiang

  Certificate-based encryption (CBE) is an important class of public key encryption but the existing schemes are secure only under the premise that the decryption key (or private key) and master private key are absolutely secret. In fact, a lot of side channel attacks and cold boot attacks can leak secret information of a cryptographic system. In this case, the security of the cryptographic system is destroyed, so a new model called leakage-resilient (LR) cryptography is introduced to solve this problem. While some traditional public key encryption and identity-based encryption with resilient-leakage schemes have been constructed, as far as we know, there is no leakage-resilient scheme in certificate-based cryptosystems. This paper puts forward the first certificate-based encryption scheme which can resist not only the decryption key leakage but also the master secret key leakage. Based on composite order bilinear group assumption, the security of the scheme is proved by using dual system encryption. The relative leakage rate of key is close to 1/3.

03:17 [Pub][ePrint] Query-Complexity Amplification for Random Oracles, by Grégory Demay and Peter Gaži and Ueli Maurer and Björn Tackmann

  Increasing the computational complexity of evaluating a hash

function, both for the honest users as well as for an

adversary, is a useful technique employed for example in

password-based cryptographic schemes to impede brute-force

attacks, and also in so-called proofs of work (used in

protocols like Bitcoin) to show that a certain amount of

computation was performed by a legitimate user. A natural

approach to adjust the complexity of a hash function is to

iterate it $c$~times, for some parameter

$c$, in the hope that any query to the scheme

requires $c$ evaluations of the underlying

hash function. However, results by Dodis et al. (Crypto

2012) imply that plain iteration falls short of achieving

this goal, and designing schemes which provably have such a

desirable property remained an open problem.

This paper formalizes explicitly what it means for a given

scheme to amplify the query complexity of a hash function.

In the random oracle model, the goal of a secure

query-complexity amplifier (QCA) scheme is captured as

transforming, in the sense of indifferentiability, a random

oracle allowing $R$ queries (for the adversary)

into one provably allowing only $r < R$

queries. Turned around, this means that making

$r$ queries to the scheme requires at least

$R$ queries to the actual random oracle. Second,

a new scheme, called collision-free iteration, is proposed and

proven to achieve $c$-fold QCA for both the

honest parties and the adversary, for any fixed


15:10 [Event][New] STM 2015: 11th International Workshop on Security and Trust Management

  Submission: 16 June 2015
Notification: 23 July 2015
From September 21 to September 22
Location: Vienna, Austria
More Information:

15:10 [Event][New] SECRYPT'15: 12th International Conference on Security and Cryptography

  Submission: 15 April 2015
Notification: 19 May 2015
From July 20 to July 22
Location: Colmar, Alsace, France
More Information:

13:08 [PhD][Update] Pablo Rauzy: Formal Software Methods for Cryptosystems Implementation Security

  Name: Pablo Rauzy
Topic: Formal Software Methods for Cryptosystems Implementation Security


Implementations of cryptosystems are vulnerable to physical attacks, and thus need to be protected against them. Of course, malfunctioning protections are useless. Formal methods help to develop systems while assessing their conformity to a rigorous specification. The first goal of my thesis, and its innovative aspect, is to show that formal methods can be used to prove not only the principle of the countermeasures according to a model, but also their implementation, as it is very where the physical vulnerabilities are exploited. My second goal is the proof and the automation of the protection techniques themselves, because handwritten security code is error-prone.

Physical attacks can be classified into two distinct categories. Passive attacks, where the attacker only reads information that leaks through side-channels. And active attacks, where the attacker tampers with the system to have it reveal secrets through its ``normal'' output channel. Therefore, I have pursued my goals in both settings: on a countermeasure that diminishes side-channel leakage (such as power consumption or electromagnetic emanations), and on countermeasures against fault injection attacks.

As there already exists a rigorous security property for protections against side-channel leakage, my contributions concentrate on formal methods for design and verification of protected implementations of algorithms. I have developed a methodology to protect an implementation by generating an improved version of it which has a null side-channel signal-to-noise ratio, as its leakage is made constant (in particular, it does not depend on the secret values). For the sake of demonstration, I have also undertaken to write a tool which automates the application of the methodology on an insecure input code written in assembly language. Independently, the tool is able to prove that this constant leakage property holds for a given implementation, which can be use[...]

12:58 [PhD][New] Hadi Soleimany: Studies in Lightweight Cryptography

  Name: Hadi Soleimany
Topic: Studies in Lightweight Cryptography
Category: secret-key cryptography

Description: The decreasing size of devices is one of the most significant changes in telecommunication and information technologies. This change has been accompanied by a dramatic reduction in the cost of computing devices. The dawning era of ubiquitous computing has opened the door to extensive new applications. Ubiquitous computing has found its way into products thanks to the improvements in the underlying enabling technologies. Considerable developments in constraint devices such as RFID tags facilitate novel services and bring embedded computing devices to our everyday environments. The changes that lie ahead will eventually make pervasive computing devices an integral part of our world.\r\nThe growing prevalence of pervasive computing devices has created a significant need for the consideration of security issues. However, security cannot be considered independently, but instead, should be evaluated alongside related issues such as performance and cost. In particular, there are several limitations facing the design of appropriate ciphers for extremely constrained environments. In response to this challenge, several lightweight ciphers have been designed during the last years. The purpose of this dissertation is to evaluate the security of the emerging lightweight block ciphers.\r\n\r\nThis dissertation develops cryptanalytic methods for determining the exact security level of some inventive and unconventional lightweight block ciphers. The work studies zerocorrelation linear cryptanalysis by introducing the Matrix method to facilitate the finding of zero-correlation linear approximations. As applications, we perform zero-correlation cryptanalysis on the 22-round LBlock and TWINE. We also perform simulations on a small variant of LBlock and present the first experimental results to support the theoretical model of the multidimensional zero-correlation linear cryptanalysis method. In addition, we provide a new perspective on slide cryptanalysis and reflection cryptanalysis [...]