International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

12:34 [PhD][New] Aurore Guillevic: Arithmetic of pairings on algebraic curves for cryptography

  Name: Aurore Guillevic
Topic: Arithmetic of pairings on algebraic curves for cryptography
Category: public-key cryptography

Description: Since 2000 pairings became a very useful tool to design new protocols in cryptography. Short signatures and identity-based encryption became also practical thanks to these pairings. This thesis contains two parts. One part is about optimized pairing implementation on different elliptic curves according to the targeted protocol. Pairings are implemented on supersingular elliptic curves in large characteristic and on Barreto-Naehrig curves. The pairing library developed at Thales is used in a broadcast encryption scheme prototype. The prototype implements pairings over Barreto-Naehrig curves. Pairings over supersingular curves are much slower and have larger parameters. However these curves are interesting when implementing protocols which use composite-order elliptic curves (the group order is an RSA modulus). We implement two protocols that use pairings on composite-order groups and compare the benchmarks and the parameter size with their counterpart in a prime-order setting. The composite-order case is 30 up to 250 times much slower according to the considered step in the protocols: the efficiency difference in between the two cases is very important. A second part in this thesis is about two families of genus 2 curves. Their Jacobians are isogenous to the product of two elliptic curves over a small extension field. The properties of elliptic curves can be translated to the Jacobians thanks to this isogeny. Point counting is as easy as for elliptic curves in this case. We also construct two endomorphisms both on the Jacobians and the elliptic curves. These endomorphisms can be used for scalar multiplication improved with a four-dimensional Gallant-Lambert-Vanstone method.[...]

01:07 [Event][New] IWDW2015: 14th International Workshop on Digital Forensics and Watermarking

  Submission: 20 June 2015
Notification: 8 August 2015
From October 7 to October 10
Location: Tokyo, Japan
More Information:

20:21 [Event][New] PST2015: 13th International Conference on Privacy, Security and Trust

  Submission: 15 April 2015
From July 21 to July 23
Location: İzmir, Turkey
More Information:

20:15 [Job][New] Post-Doc, Tampere University of Technology, Finland

  The Department of Pervasive Computing at Tampere University of Technology (TUT) is seeking applications for an open post-doc position, funded by a collaborative project within the TEKES Innovative Cities program (INKA). The specific role of TUT in the project is side-channel analysis of real-world devices and software. Qualified candidates should have interests in one or more of the following areas:

  • side-channel analysis
  • software-based side-channels
  • cryptography engineering
  • embedded security
  • hardware-assisted security

The contract is for one year with the possibility of extension and TUT offers extremely competitive post-doc salaries. The start date is flexible and review of applications begins immediately and continues until the position is filled. Interested candidates should submit a CV via email.

15:17 [Pub][ePrint] Sequential Secret Sharing as a New Hierarchical Access Structure, by Mehrdad Nojoumian and Douglas R. Stinson

  Due to the rapid growth of the next generation networking and system technologies, computer networks require new design and management. In this context, security, and more specifically, access structures have been one of the major concerns. As such, in this article, sequential secret sharing (SQS), as an application of dynamic threshold schemes, is introduced. In this new cryptographic primitive, different (but related) secrets with increasing thresholds are shared among a set of players who have different levels of authority. Subsequently, each subset of the players can only recover the secret in their own level. Finally, the master secret will be revealed if all the secrets in the higher levels are first recovered. We briefly review the existing threshold modification techniques. We then present our construction and compare it with other hierarchical secret sharing schemes such as disjunctive and conjunctive multilevel secret sharing protocols.

15:17 [Pub][ePrint] Zero-Knowledge Accumulators and Set Operations, by Esha Ghosh and Olga Ohrimenko and Dimitrios Papadopoulos and Roberto Tamassia and Nikos Triandopoulos

  Accumulators provide a way to succinctly represent a set with elements drawn from a given domain, using an \\emph{accumulation value}. Subsequently, short proofs for the set-\\emph{membership} (or \\emph{non-membership}) of any element from the domain can be constructed and efficiently verified with respect to this accumulation value. Accumulators have been widely studied in the literature, primarily, as an \\emph{authentication} primitive:

a malicious prover (e.g., an untrusted server) should not be able to provide convincing proofs on false statements (e.g., successfully prove membership for a value not in the set) to a verifier that issues membership queries (of course, having no access to set itself).

In essence, in existing constructions the accumulation value acts as a (honestly generated) ``commitment\'\' to the set that allows selective ``opening\'\' as specified by membership queries---but with no ``hiding\'\' properties.

In this paper we revisit this primitive and propose a privacy-preserving enhancement. We define the notion of a \\emph{zero-knowledge accumulator} that provides the following very strong privacy notion: Accumulation values and proofs constructed during the protocol execution leak nothing about the set itself, or any subsequent updates to it (i.e., via element insertions/deletions). We formalize this property by a standard real/ideal execution game. An adversarial party that is allowed to choose the set and is given access to query and update oracles, cannot distinguish whether this interaction takes place with respect to the honestly executed algorithms of the scheme or with a simulator that is not given access to the set itself (and for updates, it does not even learn the type of update that occurred---let alone the inserted/deleted element). We compare our new privacy definition with other recently proposed similar notions showing that it is strictly stronger: We give a concrete example of the update-related information that can be leaked by previous definitions.

We provide a mapping of the relations between zero-knowledge accumulators and primitives that

are either set in the same security model or solve the same problem.

We formally show and discuss a number of implications among primitives, some of which are not immediately evident.

We believe this contribution is interesting on its own, as the area has received considerable attention recently (e.g., with the works of [Naor et al., TCC~2015] and [Derler et al., CT-RSA~2015]).

We then construct the first dynamic universal zero-knowledge accumulator. Our scheme is perfect zero-knowledge and is secure under the $q$-Strong Bilinear Diffie-Hellman assumption.

Finally, building on our dynamic universal zero-knowledge accumulator, we define a \\emph{zero-knowledge authenticated set collection} to handle more elaborate set operations (beyond set-membership). In particular, this primitive allows one to outsource a collection of sets to an untrusted server that is subsequently responsible for answering union, intersection and set difference queries over these sets issued by multiple clients. Our scheme provides proofs that are succinct and efficiently verifiable and, at the same time, leak nothing beyond the query result. In particular, it offers verification time that is asymptotically optimal (namely, the same as simply reading the answer), and proof construction that is asymptotically as efficient as existing state-of-the-art constructions--- that however, do not offer privacy.

15:17 [Pub][ePrint] Feasibility and Infeasibility of Secure Computation with Malicious PUFs, by Dana Dachman-Soled and Nils Fleischhacker and Jonathan Katz and Anna Lysyanskaya and Dominique Schröder

  A recent line of work has explored the use of physically uncloneable functions (PUFs) for secure computation, with the goals of (1) achieving universal composability without (additional) setup, and/or (2) obtaining unconditional security (i.e., avoiding complexity-theoretic assumptions).

Initial work assumed that all PUFs, even those created by an attacker, are honestly generated.

Subsequently, researchers have investigated models in which an adversary can create malicious PUFs with arbitrary behavior. Researchers have considered both malicious PUFs that might be stateful, as well as malicious PUFs that can have arbitrary behavior but are guaranteed to be stateless.

We settle the main open questions regarding secure computation in the malicious-PUF model:

-- We prove that unconditionally secure oblivious transfer is impossible, even in the stand-alone setting, if the adversary can construct (malicious) stateful PUFs.

-- We show that universally composable two-party computation is possible if the attacker is limited to creating (malicious) stateless PUFs. Our protocols are simple and efficient, and do not require any cryptographic assumptions.

15:17 [Pub][ePrint] Computation-Trace Indistinguishability Obfuscation and its Applications, by Yu-Chi Chen and Sherman S. M. Chow and Kai-Min Chung and Russell W. F. Lai and Wei-Kai Lin and Hong-Sheng Zhou

  We introduce a new, instance-based notion of indistinguishability obfuscation, called computation-trace indistinguishability obfuscation (CiO), for (parallel) RAM computation. CiO only obfuscates a fixed, single computation instance, as opposed to iO which obfuscates a function on all input instances. Specifically, for $\\Pi$ defined by (P, x) consisting of a (parallel) RAM program P and an input x, the obfuscations of two instances $\\Pi$ and $\\Pi\'$ are required to be indistinguishable only when the execution of $\\Pi$ and $\\Pi\'$ generate an identical computation trace; namely, identical sequences of CPU states and memory content. On the other hand, we require the obfuscation to be (i) fully succinct: the runtime of the obfuscator (and thus the size of the obfuscated instance) depends only on the description and input/output size of $\\Pi$, but is independent of the time and space complexities of $\\Pi$, and (ii) efficiency preserving: the obfuscated instance is a (parallel) RAM program that preserves parallel/total time and space complexities of $\\Pi$ up to polylogarithmic factors.

As our main results, we construct CiO for parallel RAM (PRAM) computation based on iO for circuits and one-way functions, and demonstrate the power of CiO by the following applications.

o With digital signatures, our CiO for PRAM immediately implies the first two-message (publicly-

verifiable) delegation scheme for outsourcing PRAM computation, where the delegator\'s runtime depends only on the program description and input/output size, and the server\'s complexity matches the PRAM complexity of the computation up to polylogarithmic factors.

o With public-key encryption, our CiO for PRAM, and a specific oblivious PRAM construction, we construct the first fully succinct randomized encoding (RE) for PRAM computation, where the encoder\'s runtime (and thus the encoding size) depends only on the program description and input/output size, and the decoding complexity matches PRAM complexity of the computation up to polylogarithmic factors.

o By plugging our fully succinct RE for PRAM into existing transformations, we obtain the first constructions of several cryptographic primitives for PRAM, such as functional encryptions with succinct (PRAM) function keys, succinct reusable garbling schemes, and succinct indistinguishability obfuscations (the later requires sub-exponential security). Notably, this implies that, while CiO is weaker than iO, sub-exponentially secure CiO for PRAM implies sub-exponentially secure iO for PRAM.

15:17 [Pub][ePrint] Higher-order cryptanalysis of LowMC, by Christoph Dobraunig and Maria Eichlseder and Florian Mendel

  LowMC is a family of block ciphers developed particularly for use in multi-party computations and fully homomorphic encryption schemes, where the main performance penalty comes from non-linear operations. Thus, LowMC has been designed to minimize the total quantity of logical \"and\" operations, as well as the \"and\" depth. To achieve this, the LowMC designers opted for an incomplete S-box layer that does not cover the complete state, and compensate for it with a very dense, randomly chosen linear layer. In this work, we exploit this design strategy in a cube-like key-recovery attack. We are able to recover the secret key of a round-reduced variant of LowMC with PRESENT-like security, where the number of rounds is reduced from 11 to 9. Our attacks are independent of the actual instances of the used linear layers and therefore, do not exploit possible weak choices of them. From our results, we conclude that the resulting security margin of 2 rounds is smaller than expected.

15:17 [Pub][ePrint] Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves, by Franck Rondepierre

  This paper deals with the protection of elliptic curve scalar

multiplications against side-channel analysis by using the atomicity principle.

Unlike other atomic patterns, we investigate new formul\\ae{} with

same cost for both doubling and addition. This choice is particularly well

suited to evaluate double scalar multiplications with the Straus-Shamir

trick. Since fixed point multiplications highly benefit from this trick, our

pattern allows a huge improvement in this case as other atomic patterns

cannot use it. Surprisingly, in other cases our choice remains very

efficient. Besides, we also point out a security threat when the curve

parameter $a$ is null and propose an even more efficient pattern in this


15:17 [Pub][ePrint] Improved Dual System ABE in Prime-Order Groups via Predicate Encodings, by Jie Chen and Romain Gay and Hoeteck Wee

  We present a modular framework for the design of efficient

adaptively secure attribute-based encryption (ABE) schemes for a

large class of predicates under the standard k-Lin assumption

in prime-order groups; this is the first uniform treatment of dual

system ABE across different predicates and across both composite and

prime-order groups. Via this framework, we obtain concrete

efficiency improvements for several ABE schemes. Our framework has

three novel components over prior works: (i) new techniques for

simulating composite-order groups in prime-order ones, (ii) a

refinement of prior encodings framework for dual system ABE in

composite-order groups, (iii) an extension to weakly

attribute-hiding predicate encryption (which includes anonymous

identity-based encryption as a special case).