International Association for Cryptologic Research

International Association
for Cryptologic Research


Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed
Twitter bird icon
via Twitter
Weibo icon
via Weibo
Facebook icon
via Facebook

10 August 2020

University of Cologne, Department of Mathematics and Computer Science, Cologne, Germany
Job Posting Job Posting
The University of Cologne invites applications for a Professorship (f/m/d) for IT Security (W2) in the Department of Mathematics and Computer Science, starting at earliest convenience.
The successful candidate has a proven track record of high-quality scientific publications in one of, but not limited to, the following areas:
- Cryptography and its protocols
- Quantum and post-quantum cryptography
- Software security
- Security of embedded systems
- Security of the Internet of Things and of cyber physical systems
- Security of autonomous systems and related technologies

Please apply with the usual documents (curriculum vitae, list of publications and teaching activities, copies of certificates of academic examinations and appointments) via the University of Cologne’s Academic Job Portal ( no later than September 22, 2020. Your application should be addressed to the Dean of the Faculty of Mathematics and Natural Sciences.
For further details please find complete job announcement in the Academic Job Portal of the University.

Closing date for applications:

Contact: Dean of the Faculty of Mathematics and Natural Sciences, Prof. Dr. Paul H. M. van Loosdrecht (email:

More information:

Real World Crypto Real World Crypto
The call for contributed talks for Real World Crypto has now been posted:

RWC 2021 will be held Jan 11-13 in Amsterdam.
University of St. Gallen, Switzerland
Job Posting Job Posting
The University of St. Gallen in Switzerland and the chair of Cyber Security invites applications from PhD holders in the area of cryptography and information security. The researcher will join a group of researchers focusing in applied and theoretical cryptography, network and information security and privacy-preservation led by Prof. Katerina Mitrokotsa. We are affiliated to the Department of Computer Science (DCS) and the Institute of Computer Science.

Research area: Research areas include but are not limited to:
  • Verifiable computation
  • Secure Multi Party Computation
  • Privacy-preserving authentication
  • Cryptographic primitives
  • Differential privacy
Your Profile
  • A Ph.D. degree in Computer Science, Applied Mathematics or a relevant field
  • Competitive research record in cryptography or information security
  • Strong mathematical and algorithmic CS background
  • Good skills in programming is beneficial
  • Excellent written and verbal communication skills in English
Deadline for applications: 31 August
Starting date: Fall 2020 or by mutual agreement

Closing date for applications:

Contact: Prof. Katerina Mitrokotsa

More information:

National Cheng Kung University, Taiwan
Job Posting Job Posting
Qualification: - Candidates should have a Ph.D. Degree (CS or EE), and strong background on • Artificial Intelligence/Machine Learning, Federated Learning, Edge/Fog Computation, Internet-of-Things, Cryptographic Protocols, Applied Cryptography - Strong publication record (major journals or top conference papers). - Good written and oral communication skills. - Work experience in relevant research projects is preferable. The initial appointment will be for 1 year but it can be extended depending on the availability of funding and the candidate's performance. These positions come with attractive salary and benefits. The travel support will also be provided to attend international conferences or to visit oversea universities. How to apply: Interested candidates kindly send their CV to Prof. Tony Q.S. Quek (email: Initial screening of applications will begin immediately and the position will remain open until filled. Only shortlist will be notified.

Closing date for applications:

Contact: Prof. Tony Q.S. Quek (email:


04 August 2020

TalTech, Centre for HW Security; Tallinn, Estonia
Job Posting Job Posting
The Centre for Hardware Security at TalTech ( invites applications for a postdoctoral research position in post quantum cryptography. We are looking for motivated individuals with a strong background in circuit design, especially with experience in ASICs and/or hardware implementation of crypto cores. The end goal of the project is to validate a PQC algorithm in silicon.

Requirements for postdoctoral research position: Having a PhD degree is mandatory for this position but candidates close to the completion of a PhD are also highly encouraged to apply. The ideal candidate should have a track record in the topic or in a closely related field, as well as in-depth knowledge of digital IC design tools (genus, innovus, design compiler, ICC, etc.)
General conditions: Funding for this position is project-based and is already in place. Candidates with adequate backgrounds will be invited to interview over Skype. This position has an immediate start date (but a future start date can be arranged given the current situation w/ coronavirus). Salary is commensurate with experience.
How to apply: Please submit your CV to Prof. Pagliarini by email ( using the subject ‘PQC postdoc position’.

Closing date for applications:

Contact: Samuel Pagliarini (

More information:

Nathan Manohar, Peter Manohar, Rajit Manohar
ePrint Report ePrint Report
The ongoing COVID-19 pandemic has caused health organizations to consider using digital contact tracing to help monitor and contain the spread of COVID-19. Due to this urgent need, many different groups have developed secure and private contact tracing phone apps. However, these apps have not been widely deployed, in part because they do not meet the needs of healthcare officials.

We present HABIT, a contact tracing system using a wearable hardware device designed specifically with the goals of public health officials in mind. Unlike current approaches, we use a dedicated hardware device instead of a phone app for proximity detection. Our use of a hardware device allows us to substantially improve the accuracy of proximity detection, achieve strong security and privacy guarantees that cannot be compromised by remote attackers, and have a more usable system, while only making our system minimally harder to deploy compared to a phone app in centralized organizations such as hospitals, universities, and companies.

The efficacy of our system is currently being evaluated in a pilot study at Yale University in collaboration with the Yale School of Public Health.
Eli Ben-Sasson, Lior Goldberg, David Gurevich
ePrint Report ePrint Report
A report on the selection process of the STARK friendly hash (SFH) function for standardization by the Ethereum Foundation. The outcome of this process, described here, is our recommendation to use the Rescue function over a prime field of size approximately $ 2^{61}$ in sponge mode with $12$ field elements per state.

With an Appendix by Jean-Charles Faugere and Ludovic Perret of CryptoNext Security.
Vijaya Ramachandran, Elaine Shi
ePrint Report ePrint Report
As secure processors such as Intel SGX (with hyperthreading) become widely adopted, there is a growing appetite for private analytics on big data. Most prior works on data-oblivious algorithms adopt the classical PRAM model to capture parallelism. However, it is widely understood that PRAM does not best capture realistic multicore processors, nor does it reflect parallel programming models adopted in practice.

In this paper, we initiate the study of parallel data oblivious algorithms on realistic multicores, best captured by the binary fork-join model of computation. We first show that data-oblivious sorting can be accomplished by a binary fork-join algorithm with optimal total work and optimal (cache-oblivious) cache complexity, and in O(log n log log n) span (i.e., parallel time) that matches the best-known insecure algorithm. Using our sorting algorithm as a core primitive, we show how to data-obliviously simulate general PRAM algorithms in the binary fork-join model with non-trivial efficiency. We also present results for several applications including list ranking, Euler tour, tree contraction, connected components, and minimum spanning forest. For a subset of these applications, our data-oblivious algorithms asymptotically outperform the best known insecure algorithms. For other applications, we show data oblivious algorithms whose performance bounds match the best known insecure algorithms.

Complementing these asymptotically efficient results, we present a practical variant of our sorting algorithm that is self-contained and potentially implementable. It has optimal caching cost, and it is only a log log n factor off from optimal work and about a log n factor off in terms of span; moreover, it achieves small constant factors in its bounds.
Johannes Mittmann, Werner Schindler
ePrint Report ePrint Report
Montgomery’s and Barrett’s modular multiplication algorithms are widely used in modular exponentiation algorithms, e.g. to compute RSA or ECC operations. While Montgomery’s multiplication algorithm has been studied extensively in the literature and many side-channel attacks have been detected, to our best knowledge no thorough analysis exists for Barrett’s multiplication algorithm. This article closes this gap. For both Montgomery’s and Barrett’s multiplication algorithm, differences of the execution times are caused by conditional integer subtractions, so-called extra reductions. Barrett’s multiplication algorithm allows even two extra reductions, and this feature increases the mathematical difficulties significantly.

We formulate and analyse a two-dimensional Markov process, from which we deduce relevant stochastic properties of Barrett’s multiplication algorithm within modular exponentiation algorithms. This allows to transfer the timing attacks and local timing attacks (where a second side-channel attack exhibits the execution times of the particular modular squarings and multiplications) on Montgomery’s multiplication algorithm to attacks on Barrett’s algorithm. However, there are also differences. Barrett’s multiplication algorithm requires additional attack substeps, and the attack efficiency is much more sensitive to variations of the parameters. We treat timing attacks on RSA with CRT, on RSA without CRT, and on Diffie-Hellman, as well as local timing attacks against these algorithms in the presence of basis blinding. Experiments confirm our theoretical results.

31 July 2020

Vienna, Austria, 11 February - 13 February 2021
Event Calendar Event Calendar
Event date: 11 February to 13 February 2021
Submission deadline: 14 September 2020
Notification: 12 November 2020
Fabrice Benhamouda, Tancrède Lepoint, Michele Orrù, Mariana Raykova
ePrint Report ePrint Report
We present an algorithm solving the ROS (Random inhomogeneities in a Overdetermined Solvable system of linear equations) problem in polynomial time for large enough dimensions $\ell$. The algorithm implies polynomial-time attacks against blind signatures such as Schnorr and Okamoto--Schnorr blind signatures, threshold signatures such as the one from GJKR (when concurrent executions are allowed), and multisignatures such as CoSI and the two-round version of MuSig.
Manuel Barbosa, Bernardo Ferreira, João Marques, Bernardo Portela, Nuno Preguiça
ePrint Report ePrint Report
Conflict-free Replicated Data Types (CRDTs) are abstract data types that support developers when designing and reasoning about distributed systems with eventual consistency guarantees. In their core they solve the problem of how to deal with concurrent operations, in a way that is transparent for developers. However in the real world, distributed systems also suffer from other relevant problems, including security and privacy issues and especially when participants can be untrusted.

In this paper we present the first formal cryptographic treatment of CRDTs, as well as proposals for secure implementations. We start by presenting a security notion that is compatible with standard definitions in cryptography. We then describe new privacy-preserving CRDT protocols that can be used to help secure distributed cloud-backed applications, including NoSQL geo-replicated databases. Our proposals are based on standard CRDTs, such as sets and counters, augmented with cryptographic mechanisms that allow operations to be performed on encrypted data.

Our proposals are accompanied with formal security proofs and implement and integrate them in AntidoteDB, a geo-replicated NoSQL database that leverages CRDTs for its operations. Experimental evaluations based on the Danish Shared Medication Record dataset (FMK) exhibit the tradeoffs that our different proposals make and show that they are ready to be used in practical applications.
Runchao Han, Jiangshan Yu, Ren Zhang
ePrint Report ePrint Report
Sharding is considered one of the most promising approaches to solve the scalability issue of permissionless blockchains. In a sharding design, participants are split into groups, called shards, and each shard only executes part of the workloads. Despite its wide adoption in permissioned systems, where participants are fixed and known to everyone, transferring such success to permissionless blockchains is challenging, as it is difficult to allocate participants to different shards uniformly. Specifically, in a permissionless network, participants may join and leave the system at any time, and there can be a considerable number of Byzantine participants.

This paper focuses on the shard allocation protocols designed for permissionless networks. We start from formally defining the shard allocation protocol, including its syntax, correctness properties, and performance metrics. Then, we apply this framework to evaluate the shard allocation subprotocols of seven state-of-the-art sharded blockchains. Our evaluation shows that none of them is fully correct or achieves satisfactory performance. We attribute these deficiencies to their redundant security assumptions and their extreme choices between two performance metrics: self-balance and operability. We further prove a fundamental trade-off between these two metrics, and prove that shard allocation should be non-memoryless in order to parametrise this trade-off. Non-memorylessness specifies that each shard allocation does not only rely on the current and the incoming system states, but also previous system states. Based on these insights, we propose WORMHOLE, a non-memoryless shard allocation protocol that minimises security assumptions and allows parametrisation between self-balance and operability. We formally prove WORMHOLE’s correctness, and show that WORMHOLE outperforms existing shard allocation protocols.
Philipp Schindler, Aljosha Judmayer, Markus Hittmeir, Nicholas Stifter, Edgar Weippl
ePrint Report ePrint Report
Generating randomness collectively has been a long standing problem in distributed computing. It plays a critical role not only in the design of state-of-the-art BFT and blockchain protocols, but also for a range of applications far beyond this field. We present RandRunner, a random beacon protocol with a unique set of guarantees that targets a realistic system model. Our design avoids the necessity of a (Byzantine fault-tolerant) consensus protocol and its accompanying high complexity and communication overhead. We achieve this by introducing a novel extension to verifiable delay functions (VDFs) in the RSA setting that does not require a trusted dealer or distributed key generation (DKG) and only relies on well studied cryptographic assumptions. This design allows RandRunner to tolerate adversarial or failed leaders while guaranteeing safety and liveness of the protocol despite possible periods of asynchrony.
Doyoung Chung, Jooyoung Lee, Seungkwang Lee, Dooho choi
ePrint Report ePrint Report
Grover’s search algorithm allows a quantum adversary to find a k-bit secret key of a block cipher by making O(2k/2) block cipher queries. Resistance of a block cipher to such an attack is evaluated by quantum resources required to implement Grover’s oracle for the target cipher. The quantum resources are typically estimated by the T-depth of its circuit implementation (time) and the number of qubits used by the circuit (space). Since the AES S-box is the only component which requires T-gates in the quantum implementation of AES, recent research has put its focus on efficient implementation of the AES S-box. However, any efficient implementation with low T-depth will not be practical in the real world without considering qubit consumption of the implementation. In this work, we propose seven methods of trade-off between time and space for the quantum implementation of the AES S-box. In particular,one of our methods turns out to use the smallest number of qubits among the existing methods, significantly reducing its T-depth.
Fei Meng
ePrint Report ePrint Report
Attribute-based encryption (ABE) is a promising type of cryptosystem achieving fine-grained access control on encrypted data. Revocable attribute-based encryption (RABE) is an extension of ABE that provides revocation mechanisms when user's attributes change, key exposure, and so on. In this paper, we propose two directly revocable ciphertext-policy attribute-based encryption (DR-ABE) schemes from lattices, which support flexible threshold access policies on multi-valued attributes, achieving user-level and attribute-level user revocation, respectively. Specifically, the revocation list is defined and embedded into the ciphertext by the message sender to revoke a user in the user-level revocable scheme or revoke some attributes of a certain user in the attribute-level revocable scheme. We also discuss how to outsource decryption and reduce the workload for the end user. Our schemes are proved to be secure in the standard model, assuming the hardness of the learning with errors (LWE) problem.
JongHyeok Lee, Dong-Guk Han
ePrint Report ePrint Report
Recently, research on deep learning based side-channel analysis (DLSCA) has received a lot of attention. Deep learning-based profiling methods similar to template attacks as well as non-profiling-based methods similar to differential power analysis have been proposed. DLSCA methods have been proposed for targets to which masking schemes or jitter-based hiding schemes are applied. However, most of them are methods for finding the secret key, except for methods for preprocessing, and there are no studies on the target to which the dummy-based hiding schemes or shuffling schemes are applied. In this paper, we propose a DLSCA for detecting dummy operations. In the previous study, dummy operations were detected using the method called BCDC, but there is a disadvantage in that it is impossible to detect dummy operations for commercial devices such as an IC card. We consider the detection of dummy operations as a multi-label classification problem and propose a deep learning method based on CNN to solve it. As a result, it is possible to successfully perform detection of dummy operations on an IC card, which was not possible in the previous study.

30 July 2020

Election Election
The 2020 election is being held to fill the three IACR Director positions currently held by Masayuki Abe, Tancrède Lepoint, and Moti Yung, whose 3-year terms are ending.

Nominations are due by September 24, 2020.
Information about nomination is available at

29 July 2020

Suyash Bagad, Saravanan Vijayakumaran
ePrint Report ePrint Report
Revelio (CVCBT 2019) is a proof of reserves protocol for MimbleWimble-based cryptocurrencies which provides privacy to a cryptocurrency exchange by hiding the exchange-owned outputs in a larger anonymity set of unspent outputs. A drawback of Revelio is that the proof size scales linearly in the size of the anonymity set. To alleviate this, we design RevelioBP, a Bulletproofs-based proof of reserves protocol with proof sizes which scale logarithmically in the size of the anonymity set. This improvement allows us to use the set of all UTXOs as the anonymity set, resulting in better privacy for the exchange. On the downside, the higher proof generation and verification time of RevelioBP than that of Revelio might affect practical deployment of RevelioBP. Through implementation of RevelioBP, we quantitatively analyse trade-offs in design of MimbleWimble proofs of reserves in terms of scalability and performance. We conclude that unless proof size is a concern for exchanges, Revelio is a marginally better choice for proof of reserves. On the other hand, if an exchange is willing to pay in terms of proof generation time, RevelioBP offers proof sizes significantly smaller than Revelio.
Colin O'Flynn
ePrint Report ePrint Report
Electromagnetic Fault Injection (EMFI) is a well-known technique for performing fault injection attacks. While such attacks may be easy demonstrated in a laboratory condition, the applicability of them to real-life environments is required to understand how concerned about EMFI designers of systems should be. This work targets a recent (2019) automotive ECU, and analyzes the target microcontroller used in laboratory conditions, and then transitions the attack to a real-world “in-situ” attack.

The specific work appears relevant to several devices in the MPC55xx and MPC56xx series, which are automotive-focused PowerPC devices.
◄ Previous Next ►