International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

03:17 [Pub][ePrint] Privacy in the Genomic Era, by Muhammad Naveed and Erman Ayday and Ellen W. Clayton and Jacques Fellay and Carl A. Gunter and Jean-Pierre Hubaux and Bradley A. Malin and XiaoFeng Wang

  Genome sequencing technology has advanced at a rapid pace and it is now possible to generate highly-detailed genotypes inexpensively. The collection and analysis of such data has the potential to support various applications, including personalized medical services. While the benefits of the genomics revolution are trumpeted by the biomedical community, the increased availability of such data has major implications for personal privacy; notably because the genome has certain essential features, which include (but are not limited to) (i) an association with traits and certain diseases, (ii) identification capability (e.g., forensics), and (iii) revelation of family relationships. Moreover, direct-to-consumer DNA testing increases the likelihood that genome data will be made available in less regulated environments, such as the Internet and for-profit companies. The problem of genome data privacy thus resides at the crossroads of computer science, medicine, and public policy. While the computer scientists have addressed data privacy for various data types, there has been less attention dedicated to genomic data. Thus, the goal of this paper is to provide a systematization of knowledge for the computer science community. In doing so, we address some of the (sometimes erroneous) beliefs of this field and we report on a survey we conducted about genome data privacy with biomedical specialists. Then, after characterizing the genome privacy problem, we review the state-of-the-art regarding privacy attacks on genomic data and strategies for mitigating such attacks, as well as contextualizing these attacks from the perspective of medicine and public policy. This paper concludes with an enumeration of the challenges for genome data privacy and presents a framework to systematize the analysis of threats and the design of countermeasures as the field moves forward.

03:17 [Pub][ePrint] Sanctum: Minimal RISC Extensions for Isolated Execution, by Victor Costan and Ilia Lebedev and Srinivas Devadas

  Sanctum is a set of minimal extensions to a standard RISC architecture that offers strong provable isolation of software modules running concurrently and sharing resources. Sanctum is similar to

SGX in its API, but protects against an important class of additional software attacks, including cache timing and memory access pattern attacks. It does so via a principled approach to eliminating entire attack surfaces through isolation rather than plugging attack-specific privacy leaks.

Sanctum\'s hardware changes over a standard RISC architecture do not impact the cycle time, as they do not extend critical execution paths. Sanctum does not change any major CPU building block (e.g., ALU, MMU, cache), and only requires additional hardware at the interfaces between these building blocks corresponding to less than two percent chip area overhead. Over a set of benchmarks, Sanctum\'s worst observed overhead for isolated execution is 14.6% over an idealized insecure baseline.

03:17 [Pub][ePrint] FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime, by Craig Costello and Patrick Longa

  We introduce FourQ, a high-security, high-performance elliptic curve that targets the 128-bit security level. At the highest level, cryptographic scalar multiplications on FourQ can use a four-dimensional Gallant-Lambert-Vanstone decomposition to minimize the total number of elliptic curve group operations. At the group arithmetic level, Four$\\Q$ admits the use of extended twisted Edwards coordinates and can therefore exploit the fastest known elliptic curve addition formulas over large characteristic fields. Finally, at the finite field level, arithmetic is performed modulo the extremely fast Mersenne prime p=2^127-1. We show that this powerful combination facilitates scalar multiplications that are significantly faster than all prior works. On Intel\'s Ivy Bridge and Sandy Bridge architectures, our software computes a variable-base scalar multiplication in 73,000 cycles and 76,000 cycles, respectively; and, on the same platforms, our software computes a Diffie-Hellman shared secret in 119,000 cycles and 126,000 cycles, respectively.

03:17 [Pub][ePrint] A Framework for Identity-Based Encryption with Almost Tight Security, by Nuttapong Attrapadung, Goichiro Hanaoka, Shota Yamada

  We show a framework for constructing identity-based encryption (IBE) schemes that are (almost) tightly secure in the multi-challenge and multi-instance setting. In particular, we formalize a new notion called broadcast encoding, analogously to encoding notions by Attrapadung (Eurocrypt \'14) and Wee (TCC \'14). We then show that it can be converted into such an IBE. By instantiating the framework using several encoding schemes (new or known ones), we obtain the following:

- We obtain (almost) tightly secure IBE in the multi-challenge, multi-instance setting, both in composite and prime-order groups. The latter resolves the open problem posed by Hofheinz et al (PKC \'15).

- We obtain the first (almost) tightly secure IBE with sub-linear size public parameters (master public keys). In particular, we can set the size of the public parameters to constant at the cost of longer ciphertexts. This gives a partial solution to the open problem

posed by Chen and Wee (Crypto \'13).

By applying (a variant of) the Canetti-Halevi-Katz transformation to our schemes, we obtain several CCA-secure PKE schemes with tight security in the multi-challenge, multi-instance setting. One of our schemes achieves very small ciphertext overhead, consisting of less than 12 group elements. This significantly improves the state-of-the-art construction by Libert et al.~(in ePrint Archive) which requires 47 group elements. Furthermore, by modifying one of our IBE schemes obtained above, we can make it anonymous. This gives the first anonymous IBE whose security is almost tightly shown in the multi-challenge setting.

03:17 [Pub][ePrint] Key-Recovery Attack on the ASASA Cryptosystem with Expanding S-boxes, by Henri Gilbert and Jérôme Plût and Joana Treger

  We present a cryptanalysis of the ASASA public key cipher

introduced at Asiacrypt 2014.

This scheme alternates three layers of affine transformations A

with two layers of quadratic substitutions S.

We show that the partial derivatives of the public key polynomials

contain information about the intermediate layer.

This enables us to present a very simple distinguisher

between an ASASA public key and random polynomials.

We then expand upon the ideas of the distinguisher

to achieve a full secret key recovery.

This method uses only linear algebra and has a complexity

dominated by the cost of computing

the kernels of $2^{26}$ small matrices with entries

in $\\mathbb F_{16}$.

03:17 [Pub][ePrint] Cryptanalysis of Reduced-Round Whirlwind (Full Version), by Bingke Ma and Bao Li and Ronglin Hao and Xiaoqian Li

  The \\texttt{Whirlwind} hash function, which outputs a 512-bit digest, was designed by Barreto $et\\ al.$ and published by \\textit{Design, Codes and Cryptography} in 2010. In this paper, we provide a thorough cryptanalysis on \\texttt{Whirlwind}. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round \\texttt{Whirlwind}. In order to launch the preimage attack, we have to slightly tweak the original Meet-in-the-Middle preimage attack framework on \\texttt{AES}-like compression functions by partially fixing the values of the state. Based on this slightly tweaked framework, we are able to construct several new and interesting preimage attacks on reduced-round \\texttt{Whirlpool} and \\texttt{AES} hashing modes as well. Secondly, we investigate security properties of the reduced-round components of \\texttt{Whirlwind}, including semi-free-start and free-start (near) collision attacks on the compression function, and a limited-birthday distinguisher on the inner permutation. As far as we know, our results are currently the best cryptanalysis on \\texttt{Whirlwind}.

00:17 [Pub][ePrint] Efficiency Evaluation of Cryptographic Protocols for Boardroom Voting, by Oksana Kulyk, Stephan Neumann, Jurlind Budurushi, Melanie Volkamer, Rolf Haenni, Reto Koenig, Philemon von Bergen

  Efficiency is the bottleneck of many cryptographic protocols towards their practical application in different contexts. This holds true also in the context of electronic voting, where cryptographic protocols are used to ensure a diversity of security requirements, e.g. secrecy and integrity of cast votes. A new and promising application area of electronic voting is boardroom voting, which in practice takes place very frequently and often on simple issues such as approving or refusing a budget. Hence, it is not a surprise that a number of cryptographic protocols for boardroom voting have been already proposed.

In this work, we introduce a security model adequate for the boardroom voting context. Further, we evaluate the efficiency of four boardroom voting protocols, which to best of our knowledge are the only boardroom voting protocols that satisfy our security model. Finally, we compare the performance of these protocols in different election settings.

00:17 [Pub][ePrint] Concurrent Secure Computation with Optimal Query Complexity, by Ran Canetti and Vipul Goyal and Abhishek Jain

  The multiple ideal query (MIQ) model [Goyal, Jain, and Ostrovsky, Crypto\'10] offers a relaxed notion of security for concurrent secure computation, where the simulator is allowed to query the ideal functionality multiple times per session (as opposed to just once in the standard definition). The model provides a quantitative measure for the degradation in security under concurrent self-composition, where the degradation is measured by the number of ideal queries. However, to date, all known MIQ-secure protocols guarantee only an overall average bound on the number of queries per session throughout the execution, thus allowing the adversary to potentially fully compromise some sessions of its choice. Furthermore, [Goyal and Jain, Eurocrypt\'13] rule out protocols where the simulator makes only an adversary-independent constant number of ideal queries per session.

We show the first MIQ-secure protocol with worst-case per-session guarantee. Specifically, we show a protocol for any functionality that matches the [GJ13] bound: The simulator makes only a constant number of ideal queries in every session. The constant depends on the adversary but is independent of the security parameter.

As an immediate corollary of our main result, we obtain the first password authenticated key exchange (PAKE) protocol for the fully concurrent, multiple password setting in the standard model with no set-up assumptions.

00:17 [Pub][ePrint] Generic Construction of UC-Secure Oblivious Transfer, by Olivier Blazy and Céline Chevalier

  We show how to construct a completely generic UC-secure oblivious transfer scheme from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Our work is based on the work of Abdalla et al. at Asiacrypt 2013, where the authors formalize the notion of SPHF-friendly commitments, i.e. accepting an SPHF on the language of valid commitments (to allow implicit decommitment), and show how to construct from them a UC-secure oblivious transfer in a generic way. But Abdalla et al. only gave a DDH-based construction of SPHF-friendly commitment schemes, furthermore highly relying on pairings. In this work, we show how to generically construct an SPHF-friendly commitment scheme from a collision-resistant CH scheme and an SPHF-friendly CCA encryption scheme. This allows us to propose an instantiation of our schemes based on the DDH, as efficient as that of Abdalla et al., but without requiring any pairing. Interestingly, our generic framework also allows us to propose an instantiation based on the learning with errors (LWE) assumption. For the record, we finally propose a last instantiation based on the decisional composite residuosity (DCR) assumption.

00:17 [Pub][ePrint] SoC it to EM: electromagnetic side-channel attacks on a complex system-on-chip, by J. Longo and E. De Mulder and D. Page and M. Tunstall

  Increased complexity in modern embedded systems has presented various important challenges with regard to side-channel attacks. In particular, it is common to deploy SoC-based target devices with high clock frequencies in security-critical scenarios; understanding how such features align with techniques more often deployed against simpler devices is vital from both destructive (i.e., attack) and constructive (i.e., evaluation and/or countermeasure) perspectives. In this paper, we investigate electromagnetic-based leakage from three different means of executing cryptographic workloads (including the general purpose ARM core, an on-chip co-processor, and the NEON core) on the AM335x SoC. Our conclusion is that addressing challenges of the type above {\\em is} feasible, and that key recovery attacks can be conducted with modest resources.

00:17 [Pub][ePrint] PUA - Privacy and Unforgeability for Aggregation, by Iraklis Leontiadis and Kaoutar Elkhiyaoui and Refik Molvaa and Melek Onen ¨

  xisting work on data collection and analysis for aggregation is mainly

focused on confidentiality issues. That is, the untrusted Aggregator learns only the aggregation result without divulging individual data inputs. In this paper we extend the existing models with stronger security requirements. Apart from the privacy requirements with respect to the individual inputs we ask for unforgeability for the aggregate result. We first define the new security requirements of the model. We also instantiate a protocol for private and unforgeable aggregation for a non-interactive multi-party environment. I.e, multiple unsynchronized users owing to personal sensitive information without interacting with each other contribute their values in a secure way: The Aggregator learns the result of a function without learning individual values and moreover it constructs a proof that is forwarded to a verifier that will let the latter be convinced for the correctness of the computation. The verifier is restricted to not communicate with the users. Our protocol is provably secure in the random oracle model.