International Association for Cryptologic Research

IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

17 August 2018
Job Posting Assistant, Associate and/or Full Professors National Chengchi University, Taipei, Taiwan
The Computer Science Department at National Chengchi University invites applications for multiple tenure-track/tenured faculties from outstanding candidates at all ranks (assistant, associate, and full professor) to begin at Spring 2019 or Fall 2019.

Initial review of applications will begin on October 1st, 2018 and continue until the position is filled. The position may close when an adequate number of qualified applications are received.

We seek candidates in research areas related to all fields in Computer Science. Candidates from the following research areas are especially welcome:

• Artificial Intelligence

• Information Security

• Interdisciplinary fields of computer science and social science (eg., CS and Digital Content, CS and Communication, CS and Finance, etc. )

At a minimum, candidates must have a Ph.D. degree in Computer Science or a closely related field and have demonstrated strong research ability.

Applicants must send curriculum vitae, transcripts, diploma certificate, a copy of Ph.D. dissertation or abstract, recent publications, and at least two recommendation letters to recruit (at) or

Faculty Recruit Committee Department of Computer Science

National Chengchi University

64, Sec. 2, ZhiNan Rd. Wenshan District

Taipei, Taiwan, 11605


Applicants are invited to visit our web page at .

Closing date for applications: 1 February 2019

Contact: Raylin Tso

Chairman of the Department of Computer Science, National Chengchi University

eMail: raylin (at)

More information:

Job Posting Security Engineer InfoSec Global, Zurich, Switzerland or Toronto, Canada
InfoSec GLobal(ISG) secures data and communications for critical systems and IoT devices. Our Cryptographic Life-Cycle Management delivers a platform that provides threat management, enables crypto agility and creates a path to quantum safe. We are looking for a Security Engineer who will be responsible for

• Implementation of cryptographic primitives (optimizations, countermeasures)

• Implementation of security protocols

• Side-channel analysis of implementations

• C programming proficiency

• Applied research in cryptography and security

• Patent and standards development

You have a Master in Computer Science with 5 years of experience in Security Engineering or a PhD in Computer Science with a focus on Security and a profound knowledge in cryptography and embedded devices


• Software development in C and Java

• Development on embedded devices

• Experience with development on Android and iOS

• Experience with ARM processors

• Experience with side-channel analysis and attacks

• Experience with implementation of cryptographic primitives

• Experience with Latex

• Experience with applied research

Closing date for applications: 19 October 2018

Contact: Jennifer Quaid


jennifer.quaid (at)

Job Posting Post-Quantum Cryptography Expert InfoSec Global, Zurich, Switzerland
InfoSec Global (ISG) is a next-generation cryptography company that secures data and communications for critical systems and IoT devices. ISG’s Cryptographic Life-Cycle Management delivers a platform that provides threat management, enables crypto agility and creates a path to quantum safe. We are looking for a Post Quantum Cryptography Expert who will be responsible for:

• Writing and publishing and public speaking

• Prototyping, proof of concept development

• Consultancy in the field of asymmetric cryptography

• Applied research in post quantum cryptography

• Patent and standards development

Education Required:

• PhD in Cryptography

• Profound knowledge in cryptography

• Profound knowledge in lattice-based cryptography

• Profound knowledge in code-based cryptography

• Profound knowledge in isogeny-based cryptography


• Software development in C, Java or Python

• Experience with implementation of cryptographic primitives

• Experience with development on Windows, Linux, Android and iOS

• Experience with Latex

• Experience with applied research

Closing date for applications: 31 October 2018

Contact: Jennifer Quaid

InfoSec Global

jennifer.quaid (at)

Job Posting Security Architect InfoSec Global, Zurich, Switzerland or Toronto, Canada
InfoSec Global (ISG) is a next-generation cryptography company that secures data and communications for critical systems and IoT devices. ISG’s Cryptographic Life-Cycle Management delivers a platform that provides threat management, enables crypto agility and creates a path to quantum safe. We are looking for a Security Architect who will be responsible for:

• Writing and publishing and public speaking

• Design and analysis of IT security systems

• Prototype, proof of concept development

• Consultancy in the field of secure systems

• Applied research in cryptography and security

• Patent and standards development

Education and Experience: You have a Master in Computer Science with 5 years of experience in Security Engineering or a PhD in Computer Science with focus on Security, and a profound knowledge in cryptography, network security, systems engineering, security design, cloud security and security protocols.

Skills: Software development in C, Java and Python, Experience with security in Windows, Linux, Android and iOS, Experience with cloud infrastructure, Experience with IoT environment, Experience with Latex, Experience with applied research

Closing date for applications: 31 October 2018

Contact: Jennifer Quaid

InfoSec Global

jennifer.quaid (at)

Event Calendar NTCW'19: NIST Threshold Cryptography Workshop 2019 Gaithersburg, USA, 11 March - 12 March 2019
Event date: 11 March to 12 March 2019
Submission deadline: 17 December 2018
Notification: 15 January 2019
Goyal and Kumar (STOC'18) recently introduced the notion of non-malleable secret sharing. Very roughly, the guarantee they seek is the following: the adversary may potentially tamper with all of the shares, and still, either the reconstruction procedure outputs the original secret, or, the original secret is ``destroyed" and the reconstruction outputs a string which is completely ``unrelated" to the original secret. Prior works on non-malleable codes in the 2 split-state model imply constructions which can be seen as 2-out-of-2 non-malleable secret sharing (NMSS) schemes. Goyal and Kumar proposed constructions of t-out-of-n NMSS schemes. These constructions have already been shown to have a number of applications in cryptography.

We continue this line of research and construct NMSS for more general access structures. We give a generic compiler that converts any statistical (resp. computational) secret sharing scheme realizing any access structure into another statistical (resp. computational) secret sharing scheme that not only realizes the same access structure but also ensures statistical non-malleability against a computationally unbounded adversary who tampers each of the shares arbitrarily and independently. Instantiating with known schemes we get unconditional NMMS schemes that realize any access structures generated by polynomial size monotone span programs. Similarly, we also obtain conditional NMMS schemes realizing access structure in monotoneP (resp. monotoneNP) assuming one-way functions (resp. witness encryption).

Towards considering more general tampering models, we also propose a construction of n-out-of-n NMSS. Our construction is secure even if the adversary could divide the shares into any two (possibly overlapping) subsets and then arbitrarily tamper the shares in each subset. Our construction is based on a property of inner product and an observation that the inner-product based construction of Aggarwal, Dodis and Lovett (STOC'14) is in fact secure against a tampering class that is stronger than 2 split-states. We also show applications of our construction to the problem of non-malleable message transmission.
ePrint Report Prime and Prejudice: Primality Testing Under Adversarial Conditions Martin R. Albrecht, Jake Massimo, Kenneth G. Paterson, Juraj Somorovsky
This work provides a systematic analysis of primality testing under adversarial conditions, where the numbers being tested for primality are not generated randomly, but instead provided by a possibly malicious party. Such a situation can arise in secure messaging protocols where a server supplies Diffie-Hellman parameters to the peers, or in a secure communications protocol like TLS where a developer can insert such a number to be able to later passively spy on client-server data. We study a broad range of cryptographic libraries and assess their performance in this adversarial setting. As examples of our findings, we are able to construct 2048-bit composites that are declared prime with probability \(1/16\) by OpenSSL's primality testing in its default configuration; the advertised performance is \(2^{-80}\). We can also construct 1024-bit composites that always pass the primality testing routine in GNU GMP when configured with the recommended minimum number of rounds. And, for a number of libraries (Cryptlib, LibTomCrypt, JavaScript Big Number, WolfSSL), we can construct composites that always pass the supplied primality tests. We explore the implications of these security failures in applications, focusing on the construction of malicious Diffie-Hellman parameters. We show that, unless careful primality testing is performed, an adversary can supply parameters $(p,q,g)$ which on the surface look secure, but where the discrete logarithm problem in the subgroup of order $q$ generated by $g$ is easy. We close by making recommendations for users and developers. In particular, we promote the Baillie-PSW primality test which is both efficient and conjectured to be robust even in the adversarial setting for numbers up to a few thousand bits.
ePrint Report Definitions for Plaintext-Existence Hiding in Cloud Storage Colin Boyd, Gareth T. Davies, Kristian Gjøsteen, Håvard Raddum, Mohsen Toorani
Cloud storage services use deduplication for saving bandwidth and storage. An adversary can exploit side-channel information in several attack scenarios when deduplication takes place at the client side, leaking information on whether a specific plaintext exists in the cloud storage. Generalising existing security definitions, we introduce formal security games for a number of possible adversaries in this domain, and show that games representing all natural adversarial behaviors are in fact equivalent. These results allow users and practitioners alike to accurately assess the vulnerability of deployed systems to this real-world concern.
Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon's s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use ``pseudo constant time'' countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.
ePrint Report Secret Sharing with Binary Shares Fuchun Lin, Mahdi Cheraghchi, Venkatesan Guruswami, Reihaneh Safavi-Naini, Huaxiong Wang
Secret sharing is a fundamental cryptographic primitive. One of the main goals of secret sharing is to share a long secret using small shares. In this paper we consider a family of statistical secret sharing schemes indexed by N, the number of players. The family is associated with a pair of relative thresholds tau and kappa, that for a given N, specify a secret sharing scheme with privacy and reconstruction thresholds, N tau and N kappa, respectively. These are non-perfect schemes with gap N(kappa-tau) and statistical schemes with errors epsilon(N) and delta(N) for privacy and reconstruction, respectively. We give two constructions of secret sharing families as defined above, with security against (i) an adaptive, and (ii) a non-adaptive adversary, respectively. Both constructions are modular and use two components, an invertible extractor and a stochastic code, and surprisingly in both cases, for any kappa>tau, give explicit families for sharing a secret that is a constant fraction (in bits) of N, using binary shares. We show that the construction for non-adaptive adversary is optimal in the sense that it asymptotically achieves the upper bound N(kappa-tau) on the secret length. We relate our results to known works and discuss open questions.
ePrint Report Achilles' Heel: the Unbalanced Mask Sets May Destroy a Masking Countermeasure Jingdian Ming, Wei Cheng, Huizhong Li, Guang Yang, Yongbin Zhou, Qian Zhang
Low Entropy Masking Scheme (LEMS) has attracted wide attention for its low-cost feature of small fixed mask sets in Side-Channel-Analysis (SCA). To achieve the expected side channel security, it is necessary to find a balanced mask set to reduce the correlations between key dependent variables and their corresponding leakages. However, the security proof of LEMS, based on an inadequate assumption, might lead to consequent mask sets proposed without balance property, which could cause vulnerable LEMS implementations. This paper focusing on correcting and improving this scheme, first gives the formal definitions of univariate balance property on mask sets and extends it to multivariate settings. From these definitions, we propose three fundamental properties to analyze the balance of mask sets in Rotating Sbox Masking (RSM), the most popular LEMS implementations. To demonstrate the definitions and properties, three state-of-the-art RSM mask sets were selected as research objects. The corresponding attacks when any properties violated distinctly indicate the necessity of evaluating the balance property of the mask set in advance (during the design phase). However, it is found impossible to get a mask set for the RSM with all three properties satisfied, which means the vulnerabilities of RSM scheme in its unbalanced mask set are unavoidable. Thus, this promising masking scheme may be broken for its unqualified mask set.
16 August 2018
Event Calendar ICMC 2019: Fifth International Conference on Mathematics and Computing KIIT University, Bhubaneswar, India, 7 February - 9 February 2019
Event date: 7 February to 9 February 2019
Submission deadline: 15 September 2018
Notification: 25 October 2018
Event Calendar CTCrypt'19: 8th Workshop on Current Trends in Cryptology Svetlogorsk, Kaliningrad region, Russia, 4 June - 7 June 2019
Event date: 4 June to 7 June 2019
Submission deadline: 18 February 2019
Notification: 8 April 2019
Job Posting Senior Research fellow, or Research fellow National University of Singapore
Applications are invited for several Research fellow or senior research fellow positions at the National Satellite of Excellence on Trustworthy Systems at the National University of Singapore. Applicants should have a PhD in Computer Science or related discipline with research focus on security, or programming languages, or embedded systems. Please email your CV to abhik (at) for inquiries.

Closing date for applications: 30 June 2019

Contact: Prof. Abhik Roychoudhury

School of Computing

National University of Singapore

abhik (at)

More information:

Job Posting PostDoc Flensburg University
We are looking for a PostDoc to research on topics related theory and practice of functional encryption, including

* pairing-based

* lattice-based

* black-box (im)possibility results

and applications to Internet of Things and Blockchain. Research is conducted within the EU H2020 Functional Encryption Technology (FENTEC) project in conjunction with the academic partners Edinburg University, ENS Paris, Flensburg University, Helsinki University, KU Leuven and the industrial partners ATOS, Kudelski Group (former Nagravision), WALLIX and XLAB.

The position includes

* competitive salary

* travel budget (conference, project meetings, research visits)

* team of 1-2 PhDs

* academic freedom to create own research profile

* (optional) teaching opportunity

Please send your CV to The Chancelor, Mrs. Sabine Christiansen at personal.bewerbungen(at)

Closing date for applications: 1 September 2018

Contact: Prof. Dr. Sebastian Gajek, Head of the IT-Security and Cryptography group (ITSC), Web:, Email: sebastian.gajek(at)

More information:

Simula UiB has open positions for senior researchers in cryptography.

About us: Simula UiB is a research organization located in Bergen, Norway. We currently employ 17 people researching cryptography and information theory and supervising master and Ph.D. students. Due to increased base funding from the Norwegian government, we are now looking to expand our activity and hire two senior researchers in permanent positions.

What we want: We are looking for someone who is an active researcher in cryptography, with an excellent publication record. The successful candidate is expected to attract and supervise students. We envision the ideal candidate to be someone who has 10–15 years of experience since obtaining his/her Ph.D. degree. Candidates with less experience should also apply.

What we offer:

Competitive salary and a fast hiring process.

Two Ph.D. positions and one postdoc position are associated with each researcher.

Funding for travel and hosting visitors.

A good working environment in modern offices located centrally in Bergen.

Closing date for applications:

Contact: Website:

If you want to learn more about this opportunity please email Kjell Jørgen Hole (CEO) at hole (at), Håvard Raddum (leader of the crypto section) at haavardr (at) or Øyvind Ytrehus (chief scientist) at oyvindy (at)

This is an urgent call for interested applicants. A funded Ph.D. student position is available starting January 2019 (all documents submitted by Sep. 15th, 2018 for International students) to work on different aspects of Cryptographic Engineering in the CSE department with Dr. Mehran Mozaffari Kermani (CSE department of University of South Florida, Tampa, FL).

The required expertise includes:

- Master’s in Computer Engineering or Electrical Engineering

- Solid background in digital design, VLSI, computer arithmetic, and ASIC/FPGA implementations

- Solid HDL expertise

- Outstanding English (if English tests are taken) to be eligible for department funding

- Motivation to work beyond the expectations from an average Ph.D. student and publish in top tier venues

Please closely observe the admission requirement details before emailing,

We are looking for motivated, talented, and hardworking applicants who have background and are interested in working on different aspects of Cryptographic Engineering with emphasis on:

- Cryptographic hardware systems

- Side-channel attacks, particularly fault and power analysis attacks

Please send me your updated CV (including list of publications, language test marks, and references), transcripts for B.Sc. (and/or M.Sc.), and a statement of interest to mehran2 (at) as soon as possible.

NOTE: At this time, I consider only the applicants who have already taken TOEFL/IELTS and GRE exams with excellent marks. The successful candidate will be asked to apply formally very soon to the department, so all the material has to be ready.

Mehran Mozaffari Kermani

Closing date for applications: 30 November 2018

More information:

15 August 2018
Online advertising is a multi-billion dollar industry, forming the primary source of income for many publishers offering free web content. Serving advertisements tailored to users' interests greatly improves the effectiveness of advertisements, which benefits both publishers and users. The privacy of users, however, is threatened by the widespread collection of data that is required for behavioural advertising. In this paper, we present BAdASS, a novel privacy-preserving protocol for Online Behavioural Advertising that achieves significant performance improvements over the state of the art without disclosing any information about user interests to any party. BAdASS ensures user privacy by processing data within the secret-shared domain, using the heavily fragmented shape of the online advertising landscape to its advantage and combining efficient secret-sharing techniques with a machine learning method commonly encountered in existing advertising systems. Our protocol serves advertisements within a fraction of a second, based on highly detailed user profiles and widely used machine learning methods.
ePrint Report On the Leakage of Corrupted Garbled Circuits Aurélien Dupin, David Pointcheval, Christophe Bidan
Secure two-party computation provides a way for two parties to compute a function, that depends on the two parties' inputs, while keeping them private. Known since the 1980s, Yao's garbled circuits appear to be a general solution to this problem, in the semi-honest model. Decades of optimizations have made this tool a very practical solution. However, it is well known that a malicious adversary could modify a garbled circuit before submitting it. Many protocols, mostly based on cut-&-choose, have been proposed to secure Yao's garbled circuits in the presence of malicious adversaries. Nevertheless, how much an adversary can modify a circuit and make it still executable has not been studied yet. The main contribution of this paper is to prove that any modification made by an adversary is equivalent to adding/removing NOT gates arbitrarily in the original circuit, otherwise the adversary can get caught. Thereafter, we study some evaluation functions for which, even without using cut-&-choose, no adversary can gain more information about the inputs by modifying the circuit. We also give an improvement over most recent cut-&-choose solutions by requiring that different circuits of the same function are used instead of just one.
We propose a generic construction of a $\Sigma$-protocol of commit-and-prove type, which is an \textsc{and}-composition of $\Sigma$-protocols on the statements that include a common commitment. Our protocol enables a prover to convince a verifier that the prover knows a bundle of witnesses that have a common component which we call a base witness point. When the component $\Sigma$-protocols are of witness-indistinguishable argument systems, our $\Sigma$-protocol is also a witness-indistinguishable argument system as a whole. As an application, we propose a decentralized multi-authority anonymous authentication scheme. We first define a syntax and security notions of the scheme. Then we give a generic construction of a decentralized multi-authority anonymous authentication scheme. There a witness is a bundle of witnesses each of which decomposes into a common global identity string and a digital signature on it. We mention an instantiation of the generic scheme in the setting of bilinear groups.
We consider Galbraith's space efficient LWE variant, where the $(m \times n)$-matrix $A$ is binary. In this binary case, solving a vectorial subset sum problem over the integers allows for decryption. We show how to solve this problem using (Integer) Linear Programming. Our attack requires only a fraction of a second for all instances in a regime for $m$ that cannot be attacked by current lattice algorithms. E.g.\ we are able to solve 100 instances of Galbraith's small LWE challenge $(n,m) = (256, 400)$ all in a fraction of a second. We also show under a mild assumption that instances with $m \leq 2n$ can be broken in polynomial time via LP relaxation. Moreover, we develop a method that identifies weak instances for Galbraith's large LWE challenge $(n,m)=(256, 640)$.
ePrint Report FairSwap: How to fairly exchange digital goods Stefan Dziembowski, Lisa Eckey, Sebastian Faust
We introduce FairSwap -- an efficient protocol for fair exchange of digital goods using smart contracts. A fair exchange protocol allows a sender S to sell a digital commodity x for a fixed price p to a receiver R. The protocol is said to be secure if R only pays if he receives the correct x. Our solution guarantees fairness by relying on smart contracts executed over decentralized cryptocurrencies, where the contract takes the role of an external judge that completes the exchange in case of disagreement. While in the past there have been several proposals for building fair exchange protocols over cryptocurrencies, our solution has two distinctive features that makes it particular attractive when users deal with large commodities. These advantages are: (1) minimizing the cost for running the smart contract on the blockchain, and (2) avoiding expensive cryptographic tools such as zero-knowledge proofs. In addition to our new protocols, we provide formal security definitions for smart contract based fair exchange, and prove security of our construction. Finally, we illustrate several applications of our basic protocol and evaluate practicality of our approach via a prototype implementation for fairly selling large files over the cryptocurrency Ethereum.
Some features of Feistel structures have caused them to be considered as an efficient structure for design of block ciphers. Although several structures are proposed relied on Feistel structure, the type-II generalized Feistel structures (GFS) based on SP-functions are more prominent. Because of difference cancellation, which occurs in Feistel structures, their resistance against differential and linear attack is not as expected. Hitherto, to improve the immunity of Feistel structures against differential and linear attack, two methods are proposed. One of them is using multiple MDS matrices, and the other is using changing permutations of sub-blocks. In this paper by using MILP and summation representation method, a technique to count the active S-boxes is proposed. Moreover in some cases, the results proposed by Shibutani at SAC 2010 are improved. Also multiple MDS matrices are applied to GFS, and by relying on a new proposed approach, the new inequalities related to using multiple MDS matrices are extracted, and results of using the multiple MDS matrices in type II GFS are evaluated. Finally results related to linear cryptanalysis are presented. Our results show that using multiple MDS matrices leads to 22% and 19% improvement in differential cryptanalysis of standard and improved 8 sub-blocks structures, respectively, after 18 rounds.
A large number of parameterized complexity assumptions have been introduced in the bilinear pairing setting to design novel cryptosystems and an important question is whether such ``$q$-type" assumptions can be replaced by some static one. Recently Ghadafi and Groth captured several such parameterized assumptions in the pairing setting in a family called bilinear target assumption (BTA). We apply the D\'{e}j\`{a}Q techniques for all $q$-type assumptions in the BTA family. In this process, first we formalize the notion of extended adaptive parameter-hiding property and use it in the Chase-Meiklejohn's D\'{e}j\`{a}Q framework to reduce those $q$-type assumptions from subgroup hiding assumption in the asymmetric composite-order pairing. In addition, we extend the BTA family further into BTA1 and BTA2 and study the relation between different BTA variants. We also discuss the inapplicability of D\'{e}j\`{a}Q techniques on the $q$-type assumptions that belong to BTA1 or BTA2 family. We then provide one further application of Gerbush et al's dual-form signature techniques to remove the dependence on a $q$-type assumption for which existing D\'{e}j\`{a}Q techniques are not applicable. This results in a variant of Abe et al's structure-preserving signature with security based on a static assumption in composite order setting.
We present Steady: an end-to-end secure logging system engineered to be simple in terms of design, implementation, and assumptions for real-world use. Steady gets its name from being based on a steady (heart)beat of events from a forward-secure device sent over an untrusted network through untrusted relays to a trusted collector. Properties include optional encryption and compression (with loss of confidentiality but significant gain in goodput), detection of tampering, relays that can function in unidirectional networks (e.g., as part of a data diode), cost-effective use of cloud services for relays, and publicly verifiable proofs of event authenticity. The design is formalized and security proven in the standard model. Our prototype implementation ($\approx2,200$ loc) shows reliable goodput of over 1M events/s ($\approx$160 MiB/s) for a realistic dataset with commodity hardware for a device on a GigE network using 16 MiB of memory connected to a relay running at Amazon EC2.
The motivation for this work comes from the need to strengthen security of secure multi-party protocols with the ability to guarantee that the participants provide their truthful inputs in the computation. This is outside the traditional security models even in the presence of malicious participants, but input manipulation can often lead to privacy and result correctness violations. Thus, in this work we treat the problem of combining secure multi-party computation (SMC) techniques based on secret sharing with signatures to enforce input correctness in the form of certification. We modify two currently available signature schemes to achieve private verification and efficiency of batch verification and show how to integrate them with two prominent SMC protocols.
ePrint Report BeeHive: Double Non-interactive Secure Multi-party Computation Lijing Zhou, Licheng Wang, Yiru Sun, Tianyi Ai
Currently, round complexity and communication complexity are two fundamental issues of secure multi-party computation (MPC) since all known schemes require communication for each multiplication operation. In this paper, we propose a double non-interactive secure multi-party computation, called BeeHive, that essentially addresses the two fundamental issues. Specifically, in the proposed scheme, the first non-interactivity denotes that shareholders can independently generate shares (these shares will be responses that are sent to the dealer) of any-degree polynomial of secret numbers without interaction. Furthermore, the second non-interactivity indicates that the dealer can verify correctness of responses sent by shareholders without interaction. To the best of our knowledge, it is the first work to realize that shareholders can generate shares of any-degree polynomial of secret numbers without interaction. Existing secure MPCs are not suitable for blockchain due to their issues of round complexity and communication complexity, while the proposed Beehive is very suitable. Therefore, we present a general architecture of blockchain-based Beehive. Finally, we implemented the proposed scheme in Python with a detailed performance evaluation.
In this paper, we extend the work on purely mathematical Trojan horses initially presented by Young and Yung. This kind of mechanism affects the statistical properties of an infected random number generator (RNG) by making it very sensitive to input entropy. Thereby, when inputs have the correct distribution the Trojan has no effect, but when the distribution becomes biased the Trojan worsens it. Besides its obvious malicious usage, this mechanism can also be applied to devise lightweight health tests for RNGs. Currently, RNG designs are required to implement an early detection mechanism for entropy failure, and this class of Trojan horses is perfect for this job.
13 August 2018
Event date: 2 April to 4 April 2019
Submission deadline: 1 December 2018
Notification: 25 January 2019
9 August 2018
An Oblivious PRF (OPRF) is a protocol between a server holding a key to a PRF and a user holding an input. At the end of the interaction, the user learns the output of the OPRF on its input and nothing else. The server learns nothing, including nothing about the user's input or the function's output. OPRFs have found many applications in multiple areas of cryptography. Everspaugh et al. (Usenix 2015) introduced Partially Oblivious PRF (pOPRF) in which the OPRF accepts an additional non-secret input that can be chosen by the server itself, and showed applications in the setting of password hardening protocols. We further investigate pOPRFs showing new constructions, including distributed multi-server schemes, and new applications. We build simple pOPRFs from regular OPRFs, in particular obtaining very efficient DH-based pOPRFs, and provide (n,t)-threshold implementation of such schemes.

We apply these schemes to build Oblivious Key Management Systems (KMS) as a much more secure alternative to traditional wrapping-based KMS. The new system hides keys and object identifiers from the KMS, offers unconditional security for key transport, enables forward security, provides key verifiability, reduces storage, and more. Further, we show how to provide all these features in a distributed threshold implementation that additionally protects the service against server compromise. Finally, we extend the scheme to a threshold Oblivious KMS with updatable encryption so that upon the periodic change of OPRF keys by the server, an efficient update procedure allows a client of the KMS service to non-interactively update all its encrypted data to be decryptable only by the new key. Our techniques improve on the efficiency and security of several recent works on updatable encryption from Crypto and Eurocrypt. We report on an implementation of the above schemes and their performance, showing their practicality and readiness for use in real-world systems. In particular, our pOPRF constructions achieve speeds of over an order of magnitude relative to previous pOPRF schemes.

  older items