International Association for Cryptologic Research

IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

22 October 2018
Message franking enables a receiver to report a potential abuse in a secure messaging system which employs an end to end encryption. Such mechanism is crucial for accountability and is already widely adopted in real world product such as Facebook messenger. Grubs et al initiated a systematic study of such a new primitive, and Dodis et al gave a more efficient construction.

We observe that in all existing message franking schemes, the receiver has to reveal the whole communication for a session in order to report one abuse. This is highly undesirable in many settings where revealing other non-abusive part of the communication leaks too much information; what is worse, a foxy adversary may intentionally mixing private information of the receiver with the abusive message so that the receiver will be reluctant to report. This essentially renders the abuse reporting mechanism ineffective.

To tackle this problem, we propose a new primitive called targeted opening compactly committing AEAD (TOCE for short). In a TOCE, the receiver can select arbitrary subset of bits from the plaintext to reveal during opening, while keep all the rest still secure as in an authenticated encryption. We gave a careful formulation and give a generic construction. The generic construction allowing a bit level opening may require a substantial number of passes of symmetric key ciphers when encrypting a large message such as a picture. We thus further set forth and give a more efficient non-black-box construction allowing a block-level (e.g., 256 bit) opening. We also propose a privacy-efficiency trade off if we can relax the security of non-opened messages to be one way secure (they are still semantically secure if no opening).
Multi-user (mu) security considers large-scale attackers (e.g., state actors) that given access to a number of sessions, attempt to compromise {\em at least} one of them. Mu security of authenticated encryption (AE) was explicitly considered in the development of TLS 1.3.

This paper revisits the mu security of GCM, which remains to date the most widely used dedicated AE mode. We provide new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying.

As one of the main applications, we give tight security bounds for the nonce-randomization mechanism adopted in the record protocol of TLS 1.3 as a mitigation of large-scale multi-user attacks. We provide tight security bounds that yield the first validation of this method. In particular, we solve the main open question of Bellare and Tackmann (CRYPTO '16), who only considered restricted attackers which do not attempt to violate integrity, and only gave non-tight bounds.
ePrint Report Deconstructing the Blockchain to Approach Physical Limits Vivek Bagaria, Sreeram Kannan, David Tse, Giulia Fanti, Pramod Viswanath
Transaction throughput, confirmation latency and confirmation reliability are fundamental performance measures of any blockchain system in addition to its security. In a decentralized setting, these measures are limited by two underlying physical network attributes: communication capacity and speed-of-light propagation delay. Existing systems operate far away from these physical limits. In this work we introduce Prism, a new proof-of-work blockchain protocol, which can achieve 1) security against up to 50% adversarial hashing power; 2) optimal throughput up to the capacity C of the network; 3) confirmation latency for honest transactions proportional to the propagation delay D, with confirmation error probability exponentially small in CD ; 4) eventual total ordering of all transactions. Our approach to the design of this protocol is based on deconstructing the blockchain into its basic functionalities and systematically scaling up these functionalities to approach their physical limits.
ePrint Report Reconsidering Generic Composition: the Tag-then-Encrypt case Francesco Berti, Olivier Pereira, Thomas Peters
Authenticated Encryption ($\mathsf{AE}$) achieves confidentiality and authenticity, the two most fundamental goals of cryptography, in a single scheme. A common strategy to obtain $\mathsf{AE}$ is to combine a Message Authentication Code $(\mathsf{MAC})$ and an encryption scheme, either nonce-based or $\mathsf{iv}$-based. Out of the 180 possible combinations, Namprempre et al.~[25] proved that 12 were secure, 164 insecure and 4 were left unresolved: A10, A11 and A12 which use an $\iv$-based encryption scheme and N4 which uses a nonce-based one. The question of the security of these composition modes is particularly intriguing as N4, A11, and A12 are more efficient than the 12 composition modes that are known to be provably secure.\\ We prove that: $(i)$ N4 is not secure in general, $(ii)$ A10, A11 and A12 have equivalent security, $(iii)$ A10, A11, A12 and N4 are secure if the underlying encryption scheme is either misuse-resistant or ``message malleable'', a property that is satisfied by many classical encryption modes, $(iv)$ A10, A11 and A12 are insecure if the underlying encryption scheme is stateful or untidy.\\ All the results are quantitative.
ePrint Report QuisQuis: A New Design for Anonymous Cryptocurrencies Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, Claudio Orlandi
Despite their usage of pseudonyms rather than persistent identifiers, most existing cryptocurrencies do not provide users with any meaningful levels of privacy. This has prompted the creation of privacy-enhanced cryptocurrencies such as Monero and Zcash, which are specifically designed to counteract the tracking analysis possible in currencies like Bitcoin. These cryptocurrencies, however, also suffer from some drawbacks: in both Monero and Zcash, the set of potential unspent coins is always growing, which means users cannot store a concise representation of the blockchain. In Zcash, furthermore, users cannot deny their participation in anonymous transactions.

In this paper, we address both of these limitations. By combining a technique we call updatable keys with efficient zero-knowledge arguments, we propose a new cryptocurrency, QuisQuis, that achieves provably secure notions of anonymity while still allowing users to deny participation and store a relatively small amount of data.
19 October 2018
Announcement NIST standardization effort of threshold schemes Public comments on draft report thru Oct 22
NIST is considering the standardization of threshold schemes for cryptographic primitives. Your feedback and participation is welcome. Below are some useful links and dates: For questions or comments, contact threshold-crypto (at)
18 October 2018
Context. Methods of known kleptography implementations are being investigated. The article focuses mostly on SETUP design of subliminal data leakage channels.

Aim. Suggest approaches to develop SETUP resistant cryptosystems.

Methods. The necessary conditions for SETUP implementation are building in entropy source (otherwise generated secret will be predictable). In this article, it's considered subscriber whose protocol implementation is suspected to be modified by Developer (the malicious actor who is able to influence on cryptosystem implementation) to create subliminal leakage channel. The possible countermeasure is to prohibit usage own random sources for subscribers, enforce generate random values from public counters. %them to use external Trusted Random Number Generation service.

Results. The formal model for basic SETUP scheme has been suggested. Approach to develop SETUP resistant protocols has been described. Two basic SETUP-resistance protocols (nonce generation protocol and Diffie-Hellman key agreement protocol) have been proposed.
We give a simple proof that the decisional Learning With Errors (LWE) problem with binary secrets (and an arbitrary polynomial number of samples) is at least as hard as the standard LWE problem (with unrestricted, uniformly random secrets, and a bounded, quasi-linear number of samples). This proves that the binary-secret LWE distribution is pseudorandom, under standard worst-case complexity assumptions on lattice problems. Our results are similar to those proved by (Brakerski, Langlois, Peikert, Regev and Stehle, STOC 2013), but provide a shorter, more direct proof, and a small improvement in the noise growth of the reduction.
ECDSA is a standardized signing algorithm that is widely used in TLS, code signing, cryptocurrency and more. Due to its importance, the problem of securely computing ECDSA in a distributed manner (known as threshold signing) has received considerable interest. However, despite this interest, there is still no full threshold solution for more than 2 parties (meaning that any $t$-out-of-$n$ parties can sign, security is preserved for any $t-1$ or fewer corrupted parties, and $t\leq n$ can be any value thus supporting an honest minority) that has practical key distribution. This is due to the fact that all previous solutions for this utilize Paillier homomorphic encryption, and efficient distributed Paillier key generation for more than two parties is not known.

In this paper, we present the first truly practical full threshold ECDSA signing protocol that has both fast signing and fast key distribution. This solves a years-old open problem, and opens the door to practical uses of threshold ECDSA signing that are in demand today. One of these applications is the construction of secure cryptocurrency wallets (where key shares are spread over multiple devices and so are hard to steal) and cryptocurrency custody solutions (where large sums of invested cryptocurrency are strongly protected by splitting the key between a bank/financial institution, the customer who owns the currency, and possibly a third-party trustee, in multiple shares at each). There is growing practical interest in such solutions, but prior to our work these could not be deployed today due to the need for distributed key generation.
A software watermarking scheme enables one to embed a "mark" (i.e., a message) within a program while preserving the program's functionality. Moreover, there is an extraction algorithm that recovers an embedded message from a program. The main security goal is that it should be difficult to remove the watermark without destroying the functionality of the program. Existing constructions of watermarking focus on watermarking cryptographic functions like pseudorandom functions (PRFs); even in this setting, realizing watermarking from standard assumptions remains difficult. The first lattice-based construction of secret-key watermarking due to Kim and Wu (CRYPTO 2017) only ensures mark-unremovability against an adversary who does not have access to the mark-extraction oracle. The construction of Quach et al. (TCC 2018) achieves the stronger notion of mark-unremovability even if the adversary can make extraction queries, but has the drawback that the watermarking authority (who holds the watermarking secret key) can break pseudorandomness of all PRF keys in the family (including unmarked keys).

In this work, we construct new lattice-based secret-key watermarking schemes for PRFs that both provide unremovability against adversaries that have access to the mark-extraction oracle and offer a strong and meaningful notion of pseudorandomness even against the watermarking authority (i.e., the outputs of unmarked keys are pseudorandom almost everywhere). Moreover, security of several of our schemes can be based on the hardness of computing quasi-polynomial approximations to worst-case lattice problems. This is a qualitatively weaker assumption than that needed for existing lattice-based constructions of watermarking (that support message-embedding), all of which require sub-exponential approximation factors. Our constructions rely on a new cryptographic primitive called an extractable PRF, which is of independent interest.
Efficient scalar multiplication algorithms require a single finite field inversion at the end to convert from projective to affine coordinates. This inversion consumes a significant proportion of the total time. The present work makes a comprehensive study of inversion over Mersenne and pseudo-Mersenne prime order fields. Inversion algorithms for such primes are based on exponentiation which in turn requires efficient algorithms for multiplication, squaring and modulo reduction. From a theoretical point of view, we present a number of algorithms for multiplication/squaring and reduction leading to a number of different inversion algorithms which are appropriate for different settings. Our algorithms collect together and generalise ideas which are scattered across various papers and codes. At the same time, they also introduce new ideas to improve upon existing works. A key theoretical feature of our work, which is not present in previous works, is that we provide formal statements and detailed proofs of correctness of the different reduction algorithms that we describe. On the implementation aspect, a total of twenty primes are considered, covering all previously proposed cryptographically relevant (pseudo-)Mersenne prime order fields at various security levels. For each of these fields, we provide 64-bit assembly implementations of all the relevant inversion algorithms for a wide range of Intel processors. We were able to find previous 64-bit implementations of inversion for six of the twenty primes considered in this work. On the Haswell, Skylake and Kabylake processors of Intel, for all the six primes where previous implementations are available, our implementations outperform such previous implementations. The assembly codes that we have developed are publicly available and can be used as a plug-in to replace the inversion routines in existing softwares for scalar multiplication.
The recent progress in key derivation (Barak at al. CRYPTO'11, Dodis Yu TCC'2013) introduced the concept of constrained profiles for attackers advantage, recognizing that security bounds can be significantly improved (alternatively: lots of randomness can be saved) when the advantage, as the function of the key, is bounded in mean or variance. This paper studies \emph{minimal requirements for keys} to achieve security under such restricted attackers.

We frame the problem as characterizing \emph{pseudorandomness against constrained distinguishers} and show that minimal assumptions are respectively (a) high smooth min-entropy and (b) high smooth collision entropy. This matches the (folklore extension of) assumptions of previous works.

Besides providing lower bounds, we offer more insights into this key derivation problem and elegant proof techniques of geometric flavor.
ePrint Report Efficient UC Commitment Extension with Homomorphism for Free (and Applications) Ignacio Cascudo, Ivan Damgård, Bernardo David, Nico Döttling, Rafael Dowsley, Irene Giacomelli
Homomorphic universally composable (UC) commitments allow for the sender to reveal the result of additions and multiplications of values contained in commitments without revealing the values themselves while assuring the receiver of the correctness of such computation on committed values. In this work, we construct essentially optimal additively homomorphic UC commitments from any (not necessarily UC or homomorphic) extractable commitment. We obtain amortized linear computational complexity in the length of the input messages and rate 1. Next, we show how to extend our scheme to also obtain multiplicative homomorphism at the cost of asymptotic optimality but retaining low concrete complexity for practical parameters. While the previously best constructions use UC oblivious transfer as the main building block, our constructions only require extractable commitments and PRGs, achieving better concrete efficiency and offering new insights into the sufficient conditions for obtaining homomorphic UC commitments. Moreover, our techniques yield public coin protocols, which are compatible with the Fiat-Shamir heuristic. These results come at the cost of realizing a restricted version of the homomorphic commitment functionality where the sender is allowed to perform any number of commitments and operations on committed messages but is only allowed to perform a single batch opening of a number of commitments. Although this functionality seems restrictive, we show that it can be used as a building block for more efficient instantiations of recent protocols for secure multiparty computation and zero knowledge non-interactive arguments of knowledge.
ePrint Report Constrained PRFs for Bit-fixing from OWFs with Constant Collusion Resistance Alex Davidson, Shuichi Katsumata, Ryo Nishimaki, Shota Yamada
Constrained pseudorandom functions (CPRFs) allow learning `constrained' PRF keys that can evaluate the PRF on a subset of the input space, or based on some sort of predicate. First introduced by Boneh and Waters [AC'13], Kiayias et al. [CCS'13] and Boyle et al. [PKC'14], they have been shown to be a useful cryptographic primitive with many applications. The full security definition of CPRFs requires the adversary to learn multiple constrained keys, a requirement for all of these applications. Unfortunately, existing constructions of CPRFs satisfying this security notion are only known from exceptionally strong cryptographic assumptions, such as indistinguishability obfuscation (IO) and the existence of multilinear maps, even for very weak predicates. CPRFs from more standard assumptions only satisfy security for a single constrained key query.

In this work, we give the first construction of a CPRF that can issue a constant number of constrained keys for bit-fixing predicates, only requiring the existence of one-way functions (OWFs). This is a much weaker assumption compared with all previous constructions. In addition, we prove that the new scheme satisfies \(1\)-key privacy (otherwise known as constraint-hiding), and that it also achieves fully adaptive security. This is the only construction to achieve adaptive security outside of the random oracle model, and without sub-exponential security losses. Our technique represents a noted departure from existing CPRF constructions. We hope that it may lead to future constructions that can expose a greater number of keys, or consider more expressive predicates (such as bounded-depth circuit constraints).
ePrint Report PaLa: A Simple Partially Synchronous Blockchain T-H. Hubert Chan, Rafael Pass, Elaine Shi
Classical-style BFT protocols use two or more rounds of voting to confirm each block, e.g., in PBFT, they are called the “prepare” round and the “commit” round respectively. Recently, an elegant pipelining idea came out of the cryptocurrency community, i.e., if each block required two rounds of voting, why not piggyback the second round on the next block’s voting? We refer to this idea as the pipelined-BFT paradigm. We describe a simple partially synchronous blockchain protocol called PaLa that is inspired by the pipelined-BFT paradigm. In PaLa, a proposer proposes a block extending the freshest notarized chain seen so far. Consensus nodes vote on the proposal if certain conditions are met. When a block gains at least 2n 3 votes it becomes notarized. A block becomes finalized if the next immediate block becomes notarized too. We propose a conceptually simple and provably secure committee rotation algorithm for PaLa. We also describe a generalization called “doubly-pipelined PaLa” that is geared towards settings that require high throughput.
ePrint Report PiLi: An Extremely Simple Synchronous Blockchain T-H. Hubert Chan, Rafael Pass, Elaine Shi
We describe PiLi, an extremely simple synchronous blockchain that tolerates minority corruptions. The protocol description is the extremely natural and intuitive. Informally, every epoch, an eligible proposer proposes a block (tagged with the current epoch) extending the freshest notarized chain observed so far. Nodes vote on all valid proposals from eligible proposers as long as 1) the proposed block extends from a parent chain has been notarized in the node’s view; and 2) this parent is “not too stale”. When a block gains votes from the majority of nodes, it is considered notarized but not necessarily final. If a node observes a notarized chain ending with 6 blocks of consecutive epochs and no other notarized blocks of these 6 epochs have been seen, then this notarized chain except the trailing 5 blocks are considered final.
ePrint Report FPGA-based Assessment of Midori and GIFT Lightweight Block Ciphers Carlos Andres Lara-Nino, Arturo Diaz-Perez, Miguel Morales-Sandoval
Lightweight block ciphers are today of paramount importance to provide security services in constrained environments. Recent studies have questioned the security properties of PRESENT, which makes it evident the need to study alternative ciphers. In this work we provide hardware architectures for Midori and GIFT, and compare them against implementations for PRESENT and GIMLI under fair conditions. The hardware description for our designs is made publicly available.

QED-it, a funded Tel-Aviv based startup, is looking for experienced software engineers to join its core team. We are tackling the hardest and most interesting problems in the Blockchain space - solving the consensus/privacy paradox, using zero-knowledge-proofs. ZKP is a new technology, that up until recently was solely explored in academia.

We are funded by smart money from top tier angels, and have assembled a team of experts in cryptography, computer science, security and distributed systems.

QED-it is building a unique product combining cutting-edge technology, design and implementation of cryptographic protocols and user/developer-facing APIs. We’re looking to expand our team with more great individuals!

As a Software Engineer working on Protocol, you will:

  1. Apply zkSNARKs and design protocols in a variety of use-cases
  2. Collaborate with research scientists to implement cutting-edge cryptography efficiently
  3. Develop tools to make cryptographic constructions deployable in a multitude of environments

About you

  1. You have a few years of work experience in software engineering roles, preferably with some experience in using experimental technologies, cutting-edge environments, languages and algorithms
  2. Have a strong sense of long-term/delivery trade-off
  3. Looking to be a part of a product bridging multiple levels of complexity in its first stages
  4. Good communication skills and able to quickly adapt to new challenges when needed
  5. You enjoy work in a fluctuating environment, dealing with (some) uncertainty
  6. Without using Google, you know what Q.E.D. means, possibly even 2 different meanings

What you get

  1. Competitive full-time compensation
  2. A driver seat at an expanding, global technology company in an exciting, emerging industry
  3. Sharp, motivated peers who can’t wait to meet you :)

Closing date for applications: 31 December 2018

Contact: Emilie NOEL

Head of recruiting

emilie (at)


More information:

Job Posting Postdocs in Symmetric Post-Quantum Cryptology DTU Compute’s Section for Cyber Security
DTU Compute’s Section for Cyber Security invites applications for two appointments as a postdoctoral researcher within the area of symmetric post-quantum cryptology. The positions are available from 1 February 2019 or according to mutual agreement.

The aim of the new position is to expand the Section’s research in symmetric cryptology and align it with potential novel threats.

The research field of this new Postdoc position is within post-quantum security for symmetric cryptographic algorithms, both basic primitives and modes of operation. We aim to hire two postdocs with complementary skill sets: one with more focus on symmetric cryptography and cryptanalysis as well as one with more emphasis on quantum computing and algorithms

Responsibilities and tasks

The main tasks of these postdoc positions are to analyze existing symmetric cryptographic primitives with respect to post-quantum challenges as well as to design and evaluate new primitives to address these challenges. In this position, you will actively engage in our ongoing and prospective research activities on analysis and design of block ciphers, hash functions, authentication schemes and authentication encryption schemes from the point of view of post-quantum security.

External stays are planned at our research partners in Europe

Application procedure

To apply, please read the full job advertisement at

Application deadline: 1 December 2018

DTU is a technical university providing internationally leading research, education, innovation and scientific advice. Our staff of 6,000 advance science and technology to create innovative solutions that meet the demands of society, and our 11,200 students are being educated to address the technological challenges of the future. DTU is an independent academic university collaborating globally with business, industry, government and public agencies.

Closing date for applications: 1 December 2018

Contact: Further information can be obtained from Assoc. Prof. Andrey Bogdanov, anbog (at)

More information:

Job Posting Assistant/Associate/Full Professor Worcester Polytechnic Institute
Worcester Polytechnic Institute (WPI) is inviting applications for a tenure track faculty position in the Department of Electrical and Computer Engineering at the Assistant, Associate, or Full Professor level.

The successful candidate will have a strong background in the broad area of Cybersecurity and privacy, with expertise subdomains including Blockchains and decentralized trust, secure computation, hardware security and side-channel analysis, adversarial learning, and security in the cloud and IoT devices.

Candidates must have a Ph.D. degree in Electrical Engineering, Computer Engineering or related areas with outstanding academic credentials that clearly demonstrate their ability to conduct independent and successful research in their areas of expertise and to build cross-disciplinary research programs. Applicants must show potential for an innovative and sustainable research and teaching career. WPI expects faculty to be involved in a balance of research, teaching and service activities, including mentoring student project and thesis work at the undergraduate, master’s and doctoral levels.

Applications should include curriculum vitae, statements of teaching and research interests, and a list of five professional references. This search will remain open until the position is filled.

Closing date for applications: 1 July 2019

Contact: Berk Sunar, Professor.

Electrical & Computer Engineering Dept.

Worcester Polytechnic Institute


More information:

16 October 2018
Job Posting Multiple faculty positions in cybersecurity Oregon State University, School of EECS
The School of Electrical Engineering and Computer Science at Oregon State University invites applications for two or more full-time, nine-month, tenure-track faculty positions in any area of cybersecurity including but not limited to systems security (operating systems, distributed systems, networked systems, embedded systems, real-time systems, cyber-physical systems, and energy delivery systems), hardware security, software security, privacy, cryptography and usable security. Appointment will start in Fall 2019 and is anticipated at the Assistant Professor rank, but candidates with exceptional qualifications may be considered for appointment at the rank of Associate or Full Professor. Applicants must hold a Ph.D. degree in Computer Science, Electrical and Computer Engineering, or closely related discipline by employment start date, and should demonstrate a strong commitment and capacity to initiate new funded research as well as to expand, complement, and collaborate with existing research programs in the OSU College of Engineering and beyond. Furthermore, applicants should demonstrate a strong commitment to undergraduate and graduate teaching, including developing new courses related to their research expertise. Duties include teaching, research, and service.

Apply online at (posting #P02523UF) with the following documents: A letter of interest; vita; a two-page statement of research interests; a one-page statement of teaching interests; a one-page statement on efforts towards equity and inclusion; and names and contact information for at least three references. To be assured full consideration, applications must be received by December 1, 2018.

Closing date for applications: 1 December 2018

Contact: Mike Rosulek: rosulekm (at)

More information:

15 October 2018
Election IACR 2018 election is now open! Voting is possible through Nov 15
The 2018 Election for Directors of the IACR Board is now open.

You may vote as often as you wish now through November 15th 23:00 UTC using the Helios ( cryptographically-verifiable election system, but only your last vote will be counted.

Please see for a brief overview of how the Helios system works and for information on the IACR decision to adopt Helios.

2018 members of the IACR (generally people who attended an IACR conference or workshop in 2017) should shortly receive voting credentials from sent to their email address of record with the IACR. Questions about this election may be sent to

Information about the candidates can be found below and also at

The IACR Election Committee
Masayuki Abe (Chair)
Shai Halevi
Tancrède Lepoint (Returning Officer)

Candidates for election:

Michel Abdalla
Statement: After two three-year terms as director, I seek again the opportunity to continue serving the community as an IACR director. If reelected, I'll continue to help improve existing services provided by IACR, offer new services, and promote worldwide dissemination of cryptologic research.
Longer Statement:
Personal Webpage:

Anna Lysyanskaya
Statement: I felt very honored to be elected six years ago, and I hope to continue to serve the cryptographic community. My priorities are (1) high quality research and its effective dissemination, (2) listening and responding to IACR members’ needs, (3) mentoring, (4) dialogue with related research, industry and other communities.
Longer Statement:
Personal Webpage:

Nadia Heninger
Statement: I would be pleased to give back to the community by serving as an IACR director. I would like to promote diversity among the research areas and members of the cryptographic community and strengthen ties and exchange of ideas with the security and privacy communities.
Personal Webpage:

Satya Lokam
Statement: If elected, I wish to increase the impact and outreach of IACR in the Asia-Pacific region. Being in the cryptology community in this region for over a decade (Asiacrypt: GC, Steering Committee, Indocrypt: GC, Asia-CCS blockchain workshops), I can represent their unique perspectives and challenges to BoD.
Longer Statement:
Personal Webpage:

Maria Naya Plasencia
Statement: I am an active IACR member and was the first co-editor-in-chief of the IACR Transactions on Symmetric Cryptology journal, contributing to open access transition. I feel I owe the community some time: promoting diversity (including scientific), interdisciplinary research and maintaining our ideal scientific environment with respect and dialogue.
Longer Statement:
Personal Webpage:

Josh Benaloh
Statement: I have had the privilege of serving on the IACR Board for 17 years - as an officer, a conference chair, and a director. We have grown and addressed many challenges in those years, and we have many new challenges today. I seek the opportunity to continue working for the community.
Longer Statement:
Personal Webpage:

Ran Canetti
Statement: My goal: Help facilitate and preserve quality cryptographic research, done anywhere. This includes:
- Preserving transparency, integrity and quality of scientific review processes.
- Facilitating the publication process for scientific work.
- Assisting in the recognition of excellent researchers, in all levels of seniority and environments.
- Promoting gender equality and culture of acceptance.
We initiate the study of structured encryption schemes with computationally-secure leakage. Specifically, we focus on the design of volume-hiding encrypted multi-maps; that is, of encrypted multi-maps that hide the response length to computationally-bounded adversaries. We describe the first volume-hiding STE schemes that do not rely on naive padding; that is, padding all tuples to the same length. Our first construction has efficient query complexity and storage but can be lossy. We show, however, that the information loss can be bounded with overwhelming probability for a large class of multi-maps (i.e., with lengths distributed according to a Zipf distribution). Our second construction is not lossy and can achieve storage overhead that is asymptotically better than naive padding for Zipf-distributed multi-maps. We also show how to further improve the storage when the multi-map is highly concentrated in the sense that it has a large number of tuples with a large intersection.

We achieve these results by leveraging computational assumptions. Not just for encryption but, more interestingly, to hide the volumes themselves. Our first construction achieves this using a pseudo-random function whereas our second construction achieves this by relying on the conjectured hardness of the planted densest subgraph problem which is a planted variant of the well-studied densest subgraph problem. This assumption was previously used to design public-key encryptions schemes (Applebaum et al., STOC '10) and to study the computational complexity of financial products (Arora et al., ICS '10).
ePrint Report Threshold Single Password Authentication Devriş İşler, Alptekin Küpçü
Passwords are the most widely used form of online user authentication. In a traditional setup, the user, who has a human-memorable low entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either non-portable or insecure against many attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks. Three previous studies (Acar et al. 2013, Bicakci et al. 2011, and Jarecki et al. 2016) provide solutions secure against offline dictionary attacks by additionally employing a storage provider (either a cloud storage or a mobile device for portability). These works provide solutions where offline dictionary attacks are impossible as long as the adversary does not corrupt both the login server and the storage provider. For the first time, improving these previous works, we provide a more secure generalized solution employing multiple storage providers, where our solution is proven secure against offline dictionary attacks as long as the adversary does not corrupt the login server and threshold-many storage providers. We define ideal and real world indistinguishability for threshold single password authentication (Threshold SPA) schemes, and formally prove security of our solution via ideal-real simulation. Our solution provides security against all the above-mentioned attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks, and requires no change on the server side. Thus, our solution can immediately be deployed via a browser extension (or a mobile application) and support from some storage providers. We further argue that our protocol is efficient and scalable, and provide performance numbers where the user and storage load are only a few milliseconds.
ePrint Report Distributed Single Password Protocol Framework Devriş İşler, Alptekin Küpçü
Passwords are the most widely used factor in various areas such as secret sharing, key establishment, and user authentication. Single password protocols are proposed (starting with Belenkiy et. al [4]) to overcome the challenges of traditional password protocols and provide provable security against offline dictionary, man-in-the-middle, phishing, and honeypot attacks. While they ensure provable security, they allow a user securely to use a single \textit{low-entropy human memorable} password for all her accounts. They achieve this with the help of a cloud or mobile storage device. However, an attacker corrupting both the login server and storage can mount an offline dictionary attack on user's single password.

In this work, we introduce a framework for distributed single password protocols (DiSPP) that analyzes existing protocols, improves upon them regarding novel constructions and distributed schemes, and allows exploiting alternative cryptographic primitives to obtain secure distributed single password protocols with various trade-offs. Previous single password solutions can be instantiated as part of our framework. We further introduce a secure DiSPP instantiation derived from our framework enforcing the adversary to corrupt several cloud and mobile storage devices in addition to the login server in order to perform a successful offline dictionary attack. We also provide a comparative analysis of different solutions derived from our framework.
ePrint Report User Study on Single Password Authentication Devriş İşler, Alptekin Küpçü, Aykut Coskun
Single password authentication (SPA) schemes are introduced to overcome the challenges of traditional password authentications, which are vulnerable to offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against offline dictionary attacks in a provably secure manner. Several cryptographic SPA solutions were proposed in this decade, some based on cloud storage, and some employing a trusted personal mobile device. However, studies on usability of these novel SPA systems are rare, hardening their deployment and the validation of their practicality.

In this paper, we implement two very different SPA systems and assess their usability with the following two comparative experiments: one comparing the state-of-the-art cloud-based browser-extension SPA solution against traditional password-based authentication (where in both cases the user experience is simply entering a username and password), and another comparing the first mobile-application-based SPA solution against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). We obtain that the cloud-based SPA system is easier to use than the traditional approach, making it suitable for daily use deployment, and the mobile-based SPA system is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Hence, SPA systems overall constitute a usable alternative to the existing solutions, while providing offline dictionary attack protection.
Functional encryption (FE) is advanced encryption that enables us to issue functional decryption keys where functions are hardwired. When we decrypt a ciphertext of a message $m$ by a functional decryption key where a function $f$ is hardwired, we can obtain $f(m)$ and nothing else. We say FE is selectively or adaptively secure when target messages are chosen at the beginning or after function queries are sent, respectively. In the setting of weakly-selective setting, function queries are also chosen at the beginning. We say FE is single-key/collusion-resistant when it is secure against adversaries that are given only-one/polynomially-many functional decryption keys, respectively. We say FE is sublinearly-succinct/succinct when the running time of an encryption algorithm is sublinear/poly-logarithmic in the function description size, respectively.

In this study, we propose adaptively secure, collusion-resistant, and succinct (we call ``fully-equipped'') PKFE schemes for circuits. More specifically, we propose a generic transformation from weakly-selectively secure, single-key, and sublinearly-succinct PKFE for circuits into fully-equipped PKFE for circuits. We assume only the existence of weakly-selectively secure, single-key, and sublinearly-succinct PKFE for circuits. That is, our transformation relies on \emph{neither} concrete assumptions such as learning with errors \emph{nor} indistinguishability obfuscation. This is the first generic construction of fully-equipped PKFE that does not rely on indistinguishability obfuscation.

As side-benefits of our results, we obtain the following primitives from weakly-selectively, single-key, and sublinearly-succinct PKFE for circuits: (1) laconic oblivious transfer (2) succinct garbling scheme for Turing machines (3) selectively secure, collusion-resistant, and succinct PKFE for Turing machines (4) low-overhead adaptively secure traitor tracing (5) key-dependent-message secure and leakage-resilient public-key encryption. We also obtain a semi-generic transformation from simulation-based adaptively secure garbling schemes into adaptively indistinguishable garbling schemes whose online complexity does not depend on the output length.
In this work, we introduce and construct $D$-restricted Functional Encryption (FE) for any constant $D \ge 3$, based only on the SXDH assumption over bilinear groups. This generalizes the notion of $3$-restricted FE recently introduced and constructed by Ananth et al. (ePrint 2018) in the generic bilinear group model.

A $D=(d+2)$-restricted FE scheme is a secret key FE scheme that allows an encryptor to efficiently encrypt a message of the form $M=(\vec{x},\vec{y},\vec{z})$. Here, $\vec{x}\in \F_{\prm}^{d\times n}$ and $\vec{y},\vec{z}\in \F_{\prm}^n$. Function keys can be issued for a function $f=\Sigma_{\vec{I}= (i_1,..,i_d,j,k)}\ c_{\vec{I}}\cdot \vec{x}[1,i_1] \cdots \vec{x}[d,i_d] \cdot \vec{y}[j]\cdot \vec{z}[k]$ where the coefficients $c_{\vec{I}}\in \F_{\prm}$. Knowing the function key and the ciphertext, one can learn $f(\vec{x},\vec{y},\vec{z})$, if this value is bounded in absolute value by some polynomial in the security parameter and $n$. The security requirement is that the ciphertext hides $\vec{y}$ and $\vec{z}$, although it is not required to hide $\vec{x}$. Thus $\vec{x}$ can be seen as a public attribute.

$D$-restricted FE allows for useful evaluation of constant-degree polynomials, while only requiring the SXDH assumption over bilinear groups. As such, it is a powerful tool for leveraging hardness that exists in constant-degree expanding families of polynomials over $\mathbb{R}$. In particular, we build upon the work of Ananth et al. to show how to build indistinguishability obfuscation (iO) assuming only SXDH over bilinear groups, LWE, and assumptions relating to weak pseudorandom properties of constant-degree expanding polynomials over $\mathbb{R}$.
ePrint Report Observations on the Dynamic Cube Attack of 855-Round TRIVIUM from Crypto'18 Yonglin Hao, Lin Jiao, Chaoyun Li, Willi Meier, Yosuke Todo, Qingju Wang
Recently, another kind of dynamic cube attack is proposed by Fu \etal. With some key guesses and a transformation in the output bit, they claim that, when the key guesses are correct, the degree of the transformed output bit can drop so significantly that the cubes of lower dimension can not exist, making the output bit vulnerable to the zero-sum cube tester using slightly higher dimensional cubes. They applied their method to 855-round TRIVIUM. In order to verify the correctness of their result, they even proposed a practical attack on 721-round TRIVIUM claiming that the transformed output bit after 721-rounds of initialization does not contain cubes of dimensions 31 and below. However, the degree evaluation algorithm used by Fu \etal is innovative and complicated, and its complexity is not given. Their algorithm can only be implemented on huge clusters and cannot be verified by existing theoretic tools.

In this paper, we theoretically analyze the dynamic cube attack method given by Fu \etal using the division property and MILP modeling technique.

Firstly, we draw links between the division property and Fu \etal's dynamic cube attack so that their method can be described as a theoretically well founded and computationally economic MILP-aided division-property-based cube attack. With the MILP model drawn according to the division property, we analyzed the 721-round TRIVIUM in detail and find some interesting results: \begin{enumerate} \item The degree evaluation using our MILP method is more accurate than that of Fu \etal's. Fu \etal prove that the degree of pure $z^{721}$ is 40 while our method gives 29. We practically proved the correctness of our method by trying thousands of random keys, random 30-dimensional cubes and random assignments to non-cube IVs finding that the summations are constantly 0. \item For the transformed output bit $(1+s_1^{290})\cdot z^{721}$, we proved the same degree 31 as Fu \etal and we also find 32-dimensional cubes have zero-sum property for correct key guesses. But since the degree of pure $z^{721}$ is only 29, the 721-round practical attack on TRIVIUM is violating the principle of Fu \etal's work: after the transformation in the output bit, when the key guesses are correct, the degree of the transformed output bit has not dropped but risen. \item Now that the degree theoretic foundation of the 721-round attack has been violated, we also find out that the key-recovery attack cannot be carried out either. We theoretically proved and practically verified that no matter the key guesses are correct or incorrect, the summation over 32-dimensional cube are always 0. So, no key bit can be recovered at all. \end{enumerate} All these analysis on 721-round TRIVIUM can be verified practically and we open our C++ source code for implementation as well.

Secondly, we revisit their 855-round result. Our MILP model reveal that the 855-round result suffers from the same problems with its 721-round counterpart. We provide theoretic evidence that, after their transformation, the degree of the output bit is more likely to rise rather than drop. Furthermore, since Fu \etal's degree evaluation is written in an unclear manner and no complexity analysis is given, we rewrite the algorithm according to their main ideas and supplement a detailed complexity analysis. Our analysis indicates that a precise evaluation to the degree requires complexities far beyond practical reach. We also demonstrate that further abbreviation to our rewritten algorithm can result in wrong evaluation. This might be the reason why Fu \etal give such a degree evaluation. This is also an additional argument against Fu \etal's dynamic cube attack method.

Thirdly, the selection of Fu \etal's cube dimension is also questionable. According to our experiments and existing theoretic results, there is high risk that the correct key guesses and wrong ones share the same zero-sum property using Fu \etal's cube testers. As a remedy, we suggest that concrete cubes satisfying particular conditions should be identified rather than relying on the IV-degree drop hypothesis.

To conclude, Fu \etal's dynamic cube attack on 855-round TRIVIUM is questionable. 855-round as well as 840-and-up-round TRIVIUM should still be open for further convincible cryptanalysis.
ePrint Report Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications? Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig
A chameleon-hash behaves likes a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC ’17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; Rather, the hashing party can decide if it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice.

  older items