Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:
To receive your credentials via mail again, please click here.
You can also access the full news archive.
In our construction a membership witness needs to be updated only a logarithmic number times in the number of subsequent element additions. Thus, an out-of-date witness can be easily made current. Vice versa, a verifier with an out-of-date accumulator value can still verify a current membership witness. These properties make our accumulator construction uniquely suited for use in distributed applications, such as blockchain-based public key infrastructures.
We first observe that compact RE is equivalent to a variant of the notion of indistinguishability obfuscation (iO)---which we refer to as puncturable iO---for the class of Turing machines without inputs. For the case of circuits, puncturable iO and iO are equivalent (and this fact is implicitly used in the powerful ``punctured program\'\' paradigm by Sahai and Waters [SW13]).
We next show the following:
- Impossibility in the Plain Model: Assuming the existence of subexponentially secure one-way functions, subexponentially-secure sublinear RE does not exists. (If additionally assuming subexponentially-secure iO for circuits we can also rule out polynomially-secure sublinear RE.) As a consequence, we rule out also puncturable iO for Turing machines (even those without inputs).
- Feasibility in the CRS model and Applications to iO for circuits: Subexponentially-secure sublinear RE in the CRS model and one-way functions imply iO for circuits through a simple construction generalizing GGM\'s PRF construction. Additionally, any compact (even with sublinear compactness) functional encryption essentially directly yields a sublinear RE in the CRS model, and as such we get an alternative, modular, and simpler proof of the results of [AJ15,BV15] showing that subexponentially-secure sublinearly compact FE implies iO.
- Applications to iO for Unbounded-input Turing machines: Subexponentially-secure compact RE for natural restricted classes of distributions over programs and inputs (which are not ruled out by our impossibility result, and for which we can give candidate constructions) imply iO for unbounded-input Turing machines. This yields the first construction of iO for unbounded-input Turing machines that does not rely on (public-coin) differing-input obfuscation.
combining the Simon and Speck block cipher. While the design allows a
smaller and more efficient hardware implementation, its security margins are not well understood. The lack of design rationals of its predecessors further leaves some uncertainty on the security of Simeck.
In this work we give a short analysis of the impact of the design changes by comparing the lower bounds for differential and linear characteristics with Simon. We also give a comparison of the effort of finding those bounds, which surprisingly is significant less for Simeck while covering a larger number of rounds.
Furthermore, we provide new differentials for Simeck which can cover
more rounds compared to previous results on Simon. Based on this we
mount key recovery attacks on 19/26/33 rounds of Simeck32/48/64,
which also give insights on the reduced key guessing effort due to the
different set of rotation constants.
mimics the visual appearance of another one. If such an attack is successful,
the integrity of what the user sees as well as the confidentiality of what she
inputs into the system can be violated by the adversary. A common example of
mobile application spoofing is a phishing attack where the adversary tricks the
user into revealing her password to a malicious application that resembles the
In this work, we propose a novel approach for addressing mobile application
spoofing attacks by leveraging the visual similarity of application screens. We
use deception rate as a novel metric for measuring how many users would confuse
a spoofing application for the genuine one. We conducted a large-scale online
study where participants evaluated spoofing samples of popular mobile
applications. We used the study results to design and implement a prototype
spoofing detection system, tailored to the estimation of deception rate for
mobile application login screens.
bits, having both good cryptographic properties and a low implementation
cost. Such S-Boxes are suitable building-blocks in many lightweight
block ciphers since they may achieve a better security level than
designs based directly on smaller S-Boxes. We focus on S-Boxes
corresponding to three rounds of a balanced Feistel and of a balanced
MISTY structure, and generalize the recent results by Li and Wang on the
best differential uniformity and linearity offered by such a
construction. Most notably, we prove that Feistel networks supersede
MISTY networks for the construction of 8-bit permutations. Based on
these results, we also provide a particular instantiation of an 8-bit
permutation with better properties than the S-Boxes used in several
ciphers, including Robin, Fantomas or CRYPTON.
Recent results by Seurin and Treger and Bernhard et al. formally confirmed such limitations for proofs derived from the Schnorr protocol via the Fiat-Shamir transform.
The limitations relate to the concept of adaptive proofs where an extractor needs to recover witnesses from proofs selected adaptively, as opposed to the standard setting where the extractor needs to work just for one proof.
Their main result is a separation between these two settings: under the one-more discrete log assumption, no efficient adaptive extractor can recover all witnesses from non-interactive Schnorr proofs (selected adaptively).
In this paper we generalize, strengthen and extend these results.
First we show that the above separation result holds for generic Sigma-protocols under the natural generalization of the one-more dlog assumption.
Next, we strengthen the theorem by weakening the hypothesis.
Our new assumption, which we call Sigma-one-wayness, says that a dishonest verifier in a single execution of an interactive Sigma protocol cannot recover the witness.
This assumption is incomparable to zero-knowledge, as we will explain.
The main result of this paper clarifies the relation between adaptive proofs of knowledge (with rewinding) and other existing notions.
Bernhard et al. introduced adaptive proofs as a new concept lying
between proofs of knowledge (PoKs, with a rewinding extractor) and
straight-line extractable proofs. They showed a separation between PoKs and
adaptive proofs but left open the question whether adaptive proofs are always
Our result implies that all adaptive proofs admit a straight-line extractor
against the honest prover. This means that adaptive proofs are not a new class
of proofs after all but simply another way to describe proofs with
Finally, we ask ourselves whether the result could be extended to a
reduction to one-wayness of the function concerned -- for Schnorr, this would
mean solving the discrete logarithm (DLOG) problem. Our answer is negative: if
there is any generic metareduction from adaptivity of Fiat-Shamir-Schnorr to
DLOG then there is also a meta-metareduction breaking DLOG directly.