International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

05:35 [Job][New] Post-doctoral Researcher, Queen’s University Belfast, Centre for Secure Information Technologies (CSIT), UK

  Applications are invited for a post-doctoral researcher to carry out research in the area of physical unclonable functions (PUFs) (new constructions, protocol design and implementations) and, in general, to contribute to the research activity of the Data Security Systems research group within the Centre for Secure Information Technology (CSIT: at Queen’s University Belfast.

Applicants must hold a 2.1 Honours Degree (or equivalent) in Electrical and Electronic Engineering/Computer Science/Mathematics or a related discipline and hold, or be about to obtain, a PhD in a relevant subject.

Further information and the application process are available at the University’s job vacancies website (see link below under Research Fellow, Ref: 12/102270)

05:35 [Job][New] Faculty Members, Indian Statistical Institute, Kolkata


203 B. T. ROAD, KOLKATA - 7OO 108

The R. C. Bose Centre for Cryptology and Security at Indian Statistical Institute is looking for suitable candidates from Indian nationals in the following academic positions.

Essential Requirements:


Lecturers are not part of the regular faculty cadre in the institute.

Appointment at this level may be made as Lecturer-cum-Post Doctoral Fellow on contractual basis to enable bright young researchers with a Ph.D. degree to teach and earn experience in a premier institution.

Appointment of lecturers will be purely on temporary basis for a maximum period of 3 (three) years.

Assistant, Associate and Full Professors:

These are permanent positions. One should have a Ph.D. with first class or equivalent in the appropriate branch in the preceeding degrees with a very good academic record throughout and at least three, six and ten years (respectively) of industrial/research/teaching experience, excluding however, the experience gained while pursuing Ph.D.

The gross emolument in this position is approximately INR 80,000/-,

1,05,000/-, 1,20,000/- (respectively) per month at this point of time and it is expected to increase at a rate of 6% in each year.

This advertisement is primarily for candidates with strong background in the area of cryptology and data security. However, candidates with

background in computer science, mathematics, or statistics with interest in the area of cryptology and data security are also encouraged to apply.

Suitable relaxations may be granted for outstanding and reserved

(SC, ST, OBC, PH) candidates.

Interested candidates may send the resume by email to coec (at) attached as a PDF file or by post to \\\"The Director, Indian Statistical Institute, 203 B T Road, Kolkata 700 108\\\". Documents, such as pre

03:17 [Pub][ePrint] PUFs: Myth, Fact or Busted? A Security Evaluation of Physically Unclonable Functions (PUFs) Cast in Silicon (Extended Version), by Stefan Katzenbeisser, Ünal Kocabas, Vladimir Rozic, Ahmad-Reza Sadeg

  Physically Unclonable Functions~(PUFs) are an emerging technology and have been proposed as central building blocks in a variety of cryptographic protocols and security architectures. However, the security features of PUFs are still under investigation: Evaluation results in the literature are difficult to compare due to varying test conditions, different analysis methods and the fact that representative data sets are publicly unavailable.

In this paper, we present the first large-scale security analysis of ASIC implementations of the five most popular intrinsic electronic PUF types, including arbiter, ring oscillator, SRAM, flip-flop and latch PUFs. Our analysis is based on PUF data obtained at different operating conditions from $96$ ASICs housing multiple PUF instances, which have been manufactured in TSMC 65nm CMOS technology. In this context, we present an evaluation methodology and quantify the robustness and unpredictability properties of PUFs. Since all PUFs have been implemented in the same ASIC and analyzed with the same evaluation methodology, our results allow for the first time a fair comparison of their properties.

03:17 [Pub][ePrint] Domain-Specific Pseudonymous Signatures for the German Identity Card, by Jens Bender and Özgür Dagdelen and Marc Fischlin and Dennis Kügler

  The restricted identication protocol for the new German identity card basically provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not malicious ones). The protocol can be augmented to allow also for signatures under the pseudonyms. In this paper, we thus view---and define---this idea more abstractly as

a new cryptographic signature primitive with some form of anonymity, and use the term domain-specific pseudonymous signatures. We then analyze the restricted identication solutions in terms of the formal

security requirements.

03:17 [Pub][ePrint] Plaintext Awareness in Identity-Based Key Encapsulation, by Mark Manulis and Bertram Poettering and Douglas Stebila

  The notion of plaintext awareness (PA) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen ciphertext attacks (INDCCA), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving PA in the random oracle model are not valid in the standard model and vice versa. Similarly, strategies for proving PA of schemes in one model cannot be adapted to the other model. Existing research addresses PA in detail only in the public key setting.

This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus is laid mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of PA in proof strategies of INDCCA security, and explores relationships between PA and other security properties.

On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and INDCCA-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of gamma-uniformity that was inherent in the original FO transform. We show that for IB-KEMs (and PK-KEMs) this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is PA and INDCCA-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.

03:17 [Pub][ePrint] Computational Soundness of Coinductive Symbolic Security under Active Attacks, by Mohammad Hajiabadi, Bruce M. Kapron

  In Eurocrypt 2010, Miccinacio initiated an investigation of cryptographically sound, symbolic security analysis with respect to coinductive adversarial knowledge, and demonstrated that under an adversarially passive model, certain security criteria (e.g. indistinguishability) may be given a computationally sound symbolic characterization, without the assumption of key acyclicity. Left open in his work was the fundamental question of ``the viability of extending the coinductive approach to prove computational soundness results in the presence of active adversaries.\'\' In this paper we make some initial steps toward answering this question in the affirmative with respect to an extension of a trace-based security model (proposed by Micciancio and Warinschi in TCC 2004) including asymmetric and symmetric encryption; in particular we prove that a random computational trace can be soundly abstracted by a coinductive symbolic trace with overwhelming probability, provided that both the underlying encryption schemes provide IND-CCA2 security (plus {ciphertext integrity} for the symmetric scheme), and that the diameter of the underlying coinductively-hidden subgraph is constant in every symbolic trace. This result holds even if the protocol allows arbitrarily nested applications of symmetric/asymmetric encryption, unrestricted transmission of symmetric keys, and adversaries who adaptively corrupt users, along with other forms of active attack.

As part of our proof, we formulate a game-based definition of encryption security allowing adaptive corruptions of keys and certain forms of adaptive key-dependent plaintext attack, along with other common forms of CCA2 attack. We prove that (with assumptions similar to above,) security under this game is implied by IND-CCA2 security. This also characterizes a provably benign form of cyclic encryption which can be achieved under standard notions of encryption security, which may be of independent interest.

05:29 [Election] List of Candidates


Candidates for Election in 2012

  • Thomas Peyrin
    I am really attached to the IACR and know its important role in promoting cryptography research. I've participated to several IACR PCs and will serve as co-GC of FSE'13. I will work on maintaining the high standards of IACR events and ensure the concerns of all cryptography sub-communities are considered.

  • Anna Lysyanskaya
    Statement: The IACR is my home research community, and I'd like to give back. My priorities are: (1) High quality research and its effective dissemination, (2) mentoring, (3) dialogue with related research communities, industry, standards and funding agencies.

  • Thomas Berson
    I have served the IACR since 1983 as Secretary, Treasurer, President, and Director. During that time we created conferences, workshops, literature, and community. Our present challenges include balance and tolerance in our evolving community. I know where we have been; I know where we are going. Please vote for me.

  • Michel Abdalla
    As an IACR member for more than a decade, I seek the opportunity to serve the community as a director. If elected, I'd like to help improve existing services provided by IACR, offer new services such as the organization of schools in cryptology, and promote worldwide dissemination of cryptologic research.

  • Xavier Boyen
    In gratitude for my decade in this vibrant community, my stewardship would, inter alia, promulgate open scholarly dissemination, facilitate balanced global outreach and participation, and explore mutually beneficial cross-community partnerships -- progressing carefully, always honoring the continuity of traditions that define us. Best decisions are consensual through meeting of the minds.

Election Committee

  • Josh Benaloh (Chair)
  • David Pointcheval (Returning Officer)
  • Greg Rose

15:17 [Pub][ePrint] Provably Secure Concurrent Error Detection Against Differential Fault Analysis, by Xiaofei Guo, Debdeep Mukhopadhyay and Ramesh Karri

  Differential fault analysis (DFA) poses a significant threat to Advanced Encryption Standard (AES). It has been demonstrated that DFA can use only a single faulty ciphertext to reveal the secret key of AES in an average of 230 computation. Traditionally, concurrent error

detection (CED) is used to protect AES against DFA. However, we emphasize that conventional CED assumes a uniform distribution of faults, which is not a valid assumption in the context of DFA. In contrast, we show practical examples which highlight that an attacker

can inject specific and exploitable faults, thus threatening existing CED. This paper brings to the surface a new CED approach for cryptography, aimed at providing provable security by detecting all possible DFA-exploitable faults, which is a small subset of the entire fault space. We analyze the fault coverage of conventional CED against DFA-exploitable faults, and we find that the fault coverage of most of these techniques are significantly lower than

the one they claimed. We stress that for security, it is imperative that CED should provide 100% fault coverage for DFA-exploitable faults. We further propose an invariance-based CED which provides 100% provable security against all known DFA of AES.

15:17 [Pub][ePrint] Bellcore attack in practice, by Andrey Sidorenko and Joachim van den Berg and Remko Foekema and Michiel Grashuis and Jaap de Vos

  In this paper we analyze practical aspects of the differential fault attack on RSA published by Boneh, Demillo and Lipton from Bellcore. We focus on the CRT variant, which requires only one faulty signature to be entirely broken provided that no DFA countermeasures are in use. Usually the easiest approach for the attacker is to introduce a fault in one of the two RSA-CRT exponentiations. These are time-consuming and often clearly visible in the power profiles. However, protection of the exponentiations against faults does not always circumvent the Bellcore attack. Our goal is to investigate and classify other possible targets of the attack.

15:17 [Pub][ePrint] Security weakness in the Proof of Storage with Deduplication, by Youngjoo Shin, Junbeom Hur, Kwangjo Kim

  Achieving both security and efficiency is the challenging issue for a data outsourcing service in the cloud computing.

Proof of Storage with Deduplication (POSD) is the first solution that addresses the issue for the cloud storage. However, the validity of the POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of the scheme

under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improvement of the POSD scheme to mitigate our attack.

15:17 [Pub][ePrint] New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation, by Shweta Agrawal and Vipul Goyal and Abhishek Jain and Manoj Prabhakaran and Am

  We consider the client-server setting for the concurrent composition of secure protocols: in this setting, a single server interacts with multiple clients concurrently, executing with each client a specified protocol where only the client should receive any nontrivial output. Such a setting is easily motivated from an application standpoint. There are important special cases for which positive results are known - such as concurrent zero knowledge protocols - and it has been an open question explicitly asked, for instance, by Lindell [J. Cryptology\'08] - whether other natural functionalities such as Oblivious Transfer (OT) are possible in this setting.

In this work:

1. We resolve this open question by showing that unfortunately, even in this very limited concurrency setting, broad new impossibility results hold, ruling out not only OT, but in fact all nontrivial asymmetric functionalities. Our new negative results hold even if the inputs of all honest parties are fixed in advance, and the adversary receives no auxiliary information.

2. Along the way, we establish a new unconditional completeness result for asymmetric functionalities, where we characterize functionalities that are non-interactively complete secure against active adversaries. When we say that a functionality F is non-interactively complete, we mean that every other asymmetric functionality can be realized by parallel invocations of several copies of F, with no other communication in any direction. Our result subsumes a completeness result of Kilian [STOC\'00] that uses protocols which require additional interaction in both directions.