International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] Modern Cryptography Through the Lens of Secret Sharing, by Ilan Komargodski and Mark Zhandry

  Secret sharing is a mechanism by which a trusted dealer holding a secret ``splits\'\' the secret into many ``shares\'\' and distributes the shares to a collections of parties. Associated with the sharing is a monotone access structure, that specifies which parties are ``qualified\'\' and which are not: any qualified subset of parties can (efficiently) reconstruct the secret, but no unqualified subset can learn anything about the secret. In the most general form of secret sharing, the access structure can be any monotone NP language.

In this work, we consider two very natural extensions of secret sharing. In the first, which we call distributed secret sharing, there is no trusted dealer at all, and instead the role of the dealer is distributed amongst the parties themselves. Distributed secret sharing can be thought of as combining the features of multiparty non-interactive key exchange and standard secret sharing, and may be useful in settings where the secret is so sensitive that no one individual dealer can be trusted with the secret. Our second notion is called functional secret sharing, which incorporates some of the features of functional encryption into secret sharing by providing more fine-grained access to the secret. Qualified subsets of parties do not learn the secret, but instead learn some function applied to the secret, with each set of parties potentially learning a different function.

Our main result is that both of the extensions above are equivalent to several recent cutting-edge primitives. In particular, general-purpose distributed secret sharing is equivalent to witness PRFs, and general-purpose functional secret sharing is equivalent to indistinguishability obfuscation. Thus, our work shows that it is possible to view some of the recent developments in cryptography through a secret sharing lens, yielding new insights about both these cutting-edge primitives and secret sharing.

15:17 [Pub][ePrint] Solving LWE via List Decoding, by Mingqiang Wang and Xiaoyun Wang and Kunxian Xia and Jincheng Zhuang

  Learning with errors (LWE) was introduced by Regev in 2005, which enjoys attractive worst-case hardness properties. It has served as the foundation for a variety of cryptographic schemes. There are two main types of attacks against LWE: one for the decision version of LWE, the other for the search version of LWE.

In this paper, we apply the list decoding method to solve search version of LWE. Our algorithm runs in probabilistic polynomial time and results in specific security estimates for a large range of parameters. To our knowledge, it is the first time to apply the list decoding method to recover the key of LWE.

Our algorithm improves Laine and Lauter\'s result.

15:17 [Pub][ePrint] New multilinear maps from ideal lattices, by Gu Chunsheng

  Recently, Hu and Jia presented an efficient attack on the GGH map. They show that the MPKE and WE based on GGH with public tools of encoding are not secure. Currently, an open problem is to fix GGH with functionality-preserving. We present a new construction of multilinear map using ideal lattices, which maintains functionality of GGH with public tools of encoding, such as applications of GGH-based MPKE and WE. The security of our construction depends upon new hardness assumption.

15:17 [Pub][ePrint] Authenticated Encryption without Tag Expansion (or, How to Accelerate AERO), by Kazuhiko Minematsu

  Standard form of authenticated encryption (AE) requires the ciphertext to be expanded by

the nonce and the authentication tag. These expansions can be problematic

when messages are relatively short and communication cost is high.

This paper studies a form of AE scheme whose ciphertext is only expanded by

nonce, with the help of stateful receiver which also enables detection of replays.

While there is a scheme having this feature, called AERO, proposed by McGrew and Foley,

there is no formal treatment based on the provable security framework.

We propose a provable security framework for such AE schemes, which we call MiniAE, and

show several secure schemes using standard symmetric crypto primitives.

Most notably, one of our schemes

has a similar structure as OCB mode of operation and uses only one blockcipher call

to process one input block, thus the computation cost is comparable to the

nonce-based encryption-only schemes.

15:17 [Pub][ePrint] Fine-grained sharing of encrypted sensor data over cloud storage with key aggregation, by Hung Dang and Yun Long Chong and Francois Brun and Ee-Chien Chang

  We consider scenarios in sensor network where the sensed samples are each encrypted with a different key and streamed to a cloud storage. The large number of samples poses technical challenge in fine-grained sharing. For instance, if the data owner wants to grant a user access to a large subset of the samples, the straightforward solution of sending all corresponding keys to the user would overwhelm the data owner\'s network resources. Although existing solution such as Attribute-Based Encryption (ABE) and Key Aggregation Cryptosystem (KAC) can aggregate a number of keys into a single key of small size, each of the techniques has limitations in certain aspects, which render them impractical in our applications. In particular, ABE generally incurs large overhead in ciphertext size, while KAC, though attaining constant ciphertext size and aggregated key size, requires quadratic reconstruction time with respect to the number of keys to be reconstructed. In this paper, we made an observation that for a large class of queries, specifically the combination of range and down-sampling queries, there is a algorithmic enhancement for KAC that reduces its reconstruction time from quadratic to linear. Such improvement addresses the main hurdle in adopting KAC for large datasets. Experimental studies show that on those class of queries, the proposed algorithm outperforms the original KAC by at least $90$ times when reconstructing $2^{15}$ keys. We also give a Minimum Spanning Tree (MST)-based algorithm for general queries and a clustering algorithm to trade-off the reconstruction time with the size of aggregated key. Experimental studies show that these algorithms can reduce the reconstruction time for keys that are dense in small range.

15:17 [Pub][ePrint] Predictable Arguments of Knowledge, by Antonio Faonio and Jesper Buus Nielsen and Daniele Venturi

  We initiate a formal investigation on the power of predictability for argument of knowledge systems for NP.

Specifically, we consider private-coin argument systems where the answers of the prover can be predicted, given the private randomness of the verifier.

We show that predictable arguments of knowledge (PAoK) can be made extremely laconic, with the prover sending a single bit, and assumed to have only one round (two messages) without loss of generality. We then explore constructs of PAoK. For specific relations we obtain PAoK from Extractable Hash Proof systems (Wee, Crypto \'10); we also show that PAoK are equivalent to Extractable Witness Encryption. Unfortunately, the latter poses serious doubts on the existence of PAoK for all NP. However, we show that for the class of random self-reducible problems in NP we can avoid the problem relying on the assumption of public-coin differing-inputs obfuscation (Ishai et al., TCC \'15).

Finally, we apply PAoK in the context of leakage-tolerant PKE protocols.

At PKC \'13 Nielsen et al. have shown that any leakage-tolerant PKE protocol requires long keys already when it tolerates super-logarithmic leakage.

We strengthen their result proving a more fine-grained lower bound for any constant numbers bits of leakage.

15:17 [Pub][ePrint] On Generic Constructions of Circularly-Secure, Leakage-Resilient Public-Key Encryption Schemes, by Mohammad Hajiabadi, Bruce M. Kapron, Venkatesh Srinivasan

  Abstract. We propose generic constructions of public-key encryption schemes, satisfying key- dependent message (KDM) security for projections and different forms of key-leakage resilience, from CPA-secure private key encryption schemes with two main abstract properties: (1) additive homomorphism with respect to both messages and randomness, and (2) reproducibility, providing a means for reusing encryption randomness across independent secret keys. More precisely, our construction transforms a private-key scheme with the stated properties (and one more mild condition) into a public-key one, providing:

- n-KDM-projection security, an extension of circular security, where the adversary may also ask for encryptions of negated secret key bits;

- a (1-o(1)) resilience rate in the bounded-memory leakage model of Akavia et al. (TCC 2009); and

- Auxiliary-input security against subexponentially-hard functions.

We introduce homomorphic weak pseudorandom functions, a homomorphic version of the weak PRFs proposed by Naor and Reingold (FOCS \'95) and use them to realize our base encryption scheme. We obtain homomorphic weak PRFs under assumptions including subgroup indistinguishability (implied, in particular, by QR and DCR) and homomorphic hash-proof systems (HHPS). As corollaries of our results, we obtain (1) a projection-secure encryption scheme (as well as a scheme with a (1-o(1)) resilience rate) based solely on the HHPS assumption, and (2) a unifying approach explaining the results of Boneh et al (CRYPTO \'08) and Brakerski and Goldwasser (CRYPTO \'10). Finally, by observing that Applebaum\'s KDM amplification method (EUROCRYPT \'11) preserves both types of leakage resilience, we obtain schemes providing at the same time high leakage resilience and KDM security against any fixed polynomial-sized circuit family.

15:17 [Pub][ePrint] A Matrix Decomposition Method for Optimal Normal Basis Multiplication, by Can K{\\i}z{\\i}lkale and \\\"{O}mer E\\v{g}ecio\\v{g}lu and \\c{C}etin Kaya Ko\\c{c}

  We introduce a matrix decomposition method and prove

that multiplication in GF$(2^k)$ with a Type 1 optimal normal

basis for can be performed using $k^2-1$ XOR gates irrespective

of the choice of the irreducible polynomial generating the field.

The previous results achieved this bound only with special

irreducible polynomials. Furthermore, the decomposition method

performs the multiplication operation using $1.5k(k-1)$ XOR gates

for Type 2a and 2b optimal normal bases, which matches previous


15:17 [Pub][ePrint] Short Group Signatures via Structure-Preserving Signatures: Standard Model Security from Simple Assumptions, by Benoit Libert and Thomas Peters and Moti Yung

  Group signatures are a central cryptographic primitive which allows users to sign messages while hiding their identity within a crowd of group members. In the standard model (without the random oracle idealization), the most efficient constructions rely on the Groth-Sahai proof systems (Eurocrypt\'08). The structure-preserving signatures of Abe et al. (Asiacrypt\'12) make it possible to design group signatures based on well-established, constant-size number theoretic assumptions (a.k.a. ``simple assumptions\'\') like the Symmetric eXternal Diffie-Hellman or Decision Linear assumptions. While much more efficient than group signatures built on general assumptions, these constructions incur a significant overhead w.r.t.

constructions secure in the idealized random oracle model. Indeed, the best known solution based on simple assumptions requires 2.8 kB per signature for currently recommended parameters. Reducing this size and presenting techniques for shorter signatures are thus natural questions. In this paper, our first contribution is to significantly reduce this overhead. Namely, we obtain the first fully anonymous group signatures based on simple assumptions with signatures shorter than 2 kB at the 128-bit security level. In dynamic (resp. static) groups, our signature length drops to 1.8 kB (resp. 1 kB). This improvement is enabled by two technical tools. As a result of independent interest, we first construct a new structure-preserving signature based on simple assumptions which shortens the best previous scheme by 25%. Our second tool is a new method for attaining anonymity in the strongest sense using a new CCA2-secure encryption scheme which is simultaneously a Groth-Sahai commitment.

15:17 [Pub][ePrint] BitCryptor: Bit-Serialized Compact Crypto Engine on Reconfigurable Hardware, by Ege Gulcan and Aydin Aysu and Patrick Schaumont

  There is a significant effort in building lightweight cryptographic operations, yet the proposed solutions are typically single-purpose modules that can implement a single functionality. In contrast, we propose BitCryptor, a multi-purpose, bit-serialized compact processor for cryptographic applications on reconfigurable hardware. The proposed crypto engine can perform pseudo-random number generation, strong collision-resistant hashing and variable-key block cipher encryption. The hardware architecture utilizes SIMON, a recent lightweight block cipher, as its core. The complete engine uses a bit-serial design methodology to minimize the area. Implementation results on the Xilinx Spartan-3 s50 FPGA show that the proposed architecture occupies 95 slices (187 LUTs, 102 registers), which is 10$\\times$ smaller than the nearest comparable multi-purpose design. BitCryptor is also smaller than the majority of recently proposed lightweight single-purpose designs. Therefore, it is a very efficient cryptographic IP block for resource-constrained domains, providing a good performance at a minimal area overhead.

15:17 [Pub][ePrint] Faster ECC over F_{2^571} (feat. PMULL), by Hwajeong Seo and Zhe Liu and Yasuyuki Nogami and Jongseok Choi and Howon Kim

  In this paper, we show efficient implementations of K-571 over ARMv8. We exploit an advanced 64-bit polynomial multiplication (PMULL) supported by ARMv8 for high speed multiplication and squaring operations. Particularly, multiplication is conducted with three terms of asymptotically faster Karatsuba multiplication. Inversion is constructed by using constant time Fermat-based inversion method. For high speed scalar multiplication, 4TNAF method is exploited which takes an advantage of simple doubling method. Finally, our method conducts ECDH over K-571 within 783,705 clock cycles. Our proposed method on ARMv8 improves the performance by a factor of 4.6 times than previous techniques on ARMv7.