International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption, by Keita Emura and Goichiro Hanaoka and Koji Nuida and Go Ohtake and Takahiro Matsuda and Shota Yamada

  In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can \\lq\\lq freely\'\' perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously.

In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call \\emph{keyed-homomorphic public-key encryption} (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, a \\emph{homomorphic transitional universal hash family}, and present a number of KH-PKE schemes through hash proof systems. We also present a practical construction of KH-PKE from the DDH assumption. For $\\ell$-bit security, our DDH-based scheme yields only $\\ell$-bit longer ciphertext size than that of the Cramer-Shoup PKE scheme.

09:17 [Pub][ePrint] Key Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full $\\mbox{AES}^{2}$, by Itai Dinur and Orr Dunkelman and Nathan Keller and Adi Shamir

  The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs.

The original $1$-round construction was naturally generalized into $r$-round structures with one key, two alternating keys, and completely independent keys.

In this paper we describe the first key recovery attack on the one-key 3-round version of EM which is asymptotically faster than exhaustive search

(in the sense that its running time is $o(2^n)$ rather than $O(2^n)$ for an $n$-bit key).

We then use the new cryptanalytic techniques in order to improve the best known

attacks on several concrete EM-like schemes. In the case of LED-128, the best previously known attack could only be applied to 6 of its 12 steps. In this paper we develop a new attack which increases the number of attacked steps to 8, is slightly faster than the previous attack on 6 steps, and uses about a thousand times less data.

Finally, we describe the first attack on the full $\\mbox{AES}^{2}$ (which uses two complete AES-128 encryptions and three independent $128$-bit keys, and looks exceptionally strong) which is about 7 times faster than a standard meet-in-the-middle attack, thus violating its security claim.

09:17 [Pub][ePrint] Efficient Simultaneous Privately and Publicly Verifiable Robust Provable Data Possession from Elliptic Curves, by Christian Hanser and Daniel Slamanig

  When outsourcing large sets of data to the cloud, it is desirable for clients to efficiently check, whether all outsourced data is still retrievable at any later point in time without requiring to download all of it. Provable data possession (PDP)/proofs of retrievability (PoR), for which various constructions exist, are concepts to solve this issue. Interestingly, by now, no PDP/PoR scheme leading to an efficient construction supporting both private and public verifiability simultaneously is known. In particular, this means that up to now all PDP/PoR schemes either allow public or private verifiability exclusively, since different setup procedures and metadata sets are required. However, supporting both variants simultaneously seems interesting, as publicly verifiable schemes are far less efficient than privately verifiable ones. In this paper, we propose the first simultaneous privately and publicly verifiable (robust) PDP protocol, which allows the data owner to use the more efficient private verification and anyone else to run the public verification algorithm. Our construction, which is based on elliptic curves, achieves this, as it uses the same setup procedure and the same metadata set for private and public verifiability. We provide a rigorous security analysis and prove our construction secure in the random oracle model under the assumption that the elliptic curve discrete logarithm problem is intractable. We give detailed comparisons with the most efficient existing approaches for either private or public verifiability with our proposed scheme in terms of storage and communication overhead, as well as computational effort for the client and the server. Our analysis shows that for choices of parameters, which are relevant for practical applications, our construction outperforms all existing privately and publicly verifiable schemes significantly. This means, that even when our construction is used for either private or public verifiability alone, it still outperforms the most efficient constructions known, which is particularly appealing in the public verifiability setting.

09:17 [Pub][ePrint] Strongly Secure One-round Group Authenticated Key Exchange in the Standard Model, by Yong Li and Zheng Yang

  One-round group authenticated key exchange (GAKE) protocols typically provide implicit authentication and appealing bind-width efficiency. As a special case of GAKE -- the pairing-based one-round tripartite authenticated key exchange (3AKE), recently gains much attention of research community due to its strong security. Several pairing-based one-round 3AKE protocols have recently been proposed to achieve provable security in the g-eCK model. In contrast to earlier GAKE models, the g-eCK model particularly formulates the security properties regarding resilience to the leakage of various combinations of long-term key and ephemeral session state, and provision of weak perfect forward secrecy in a single model. However, the g-eCK security proofs of previous protocols are only given under the random oracle model. In this work, we give a new construction for pairing-based one-round 3AKE protocol which is provably secure in the g-eCK model without random oracles. Security of proposed protocol is reduced to the hardness of Cube Bilinear Decisional Diffie-Hellman (CBDDH) problem for symmetric pairing. We also extend the proposed 3AKE scheme to a GAKE scheme with more than three group members, based on multilinear maps. We prove g-eCK security of our GAKE scheme in the standard model under the natural multilinear generalization of the CBDDH assumption.

09:17 [Pub][ePrint] A Public Key Cryptoscheme Using the Bit-pair Method, by Shenghui Su and Maozhi Xu and Shuwang Lu

  The authors give the definition of a bit-pair shadow, and design the three algorithms of a public key cryptoscheme called JUNA which regards a bit-pair as an operation unit, and is based on the multivariate permutation problem (MPP) and the anomalous subset product problem (ASPP). Then, demonstrate the correctness of the decryption algorithm, deduce the probability that a plaintext solution is nonunique is nearly zero, and analyze the security of the cryptoscheme against extracting a private key from a public key, and recovering a plaintext from a ciphertext on the assumption that IFP, DLP, and SSP can be solved efficiently. Besides, give the conversion from the ASPP to the anomalous subset sum problem (ASSP) through a discrete logarithm. The facts show the bit-pair method increases the density of a related ASSP knapsack with D > 1, and decreases the length of modulus of the cryptoscheme with lg M = 384, 464, 544, or 640 corresponding to n = 80, 96, 112, or 128.

09:17 [Pub][ePrint] Pickle: A HASH Design, by Lan Luo and Yalan Ye and Zehui Qu and Sharon Goldberg and Xan Du

  For make the cryptography design eatable and popular,

we design the pickle HASH carefully. The pickle can deal large

data into HASH value with 1024bytes block quickly. There are

normal mode and operation mode of pickle from Keccak and

Shabal respectively. The nonlinear transformation is from 3fish of

Skein, which is only use up the MIX function. The pickle is speed

up because of no memory operation mode. The core function P is 8

times MIX without linear permutation and subkey involving in. So,

the full pickle is similar to the interlace code plus a little bit

nonlinear function. The nonlinear character is equal to the Skein

so that we consider it\'s secure. The output from filter function

strong the linear character of pickle.

09:17 [Pub][ePrint] On the Practical Security of a Leakage Resilient Masking Scheme, by Emmanuel Prouff and Matthieu Rivain and Thomas Roche

  At TCC 2012, Dziembowski and Faust show how to construct leakage resilient circuits using secret sharing based on the inner product [2]. At Asiacrypt 2012, Ballash et al. turned the latter construction into an efficient masking scheme and they apply it to protect an implementation of AES against side-channel attacks [1]. The so-called Inner-Product masking (IPmasking for short) was claimed to be secure with respect to two different security models: the $\\lambda$-limited security model (Section 4 of [1]), and the dth-order security model (see definitions p.8 of [1]). In the former model, the security proof makes sense for a sharing dimension $n > 130$ which is acknowledged impractical by the authors. In the latter model, the scheme is claimed secure up to the order $d = n-1$. In this note, we contradict the dth-order security claim by exhibiting a 1st-order flaw in the masking algorithm for any chosen sharing dimension n.

00:17 [Forum] [IACR Publication Reform] Re: The speed of science: two case studies by cbw

  Hi, I guess it\'s quite simple math: If the same paper does not get resubmitted to Crypto / Eurocrypt / Asiacrypt / TCC, we don\'t have to review it again and again 4 (!) times. If the saved time will be spent on better reviews is clearly a different ball-game... Best, Christopher From: 2013-17-06 22:07:18 (UTC)

22:33 [Job][Update] PostDoc Position in Lightweight Cryptography for the Internet of Things, University of Luxembourg

  The Laboratory of Algorithmics, Cryptology and Security (LACS) of the University of Luxembourg is looking for a post-doctoral researcher in the area of lightweight cryptography. The successful candidate will contribute to a research project entitled \\\"Applied Cryptography for the Internet of Things (ACRYPT)\\\", which is funded by the Fonds National de la Recherche (FNR). Besides conducting high-quality research, the tasks associated with this position include the co-supervision of a Ph.D. student and the dissemination of research results. The ACRYPT project is led by Prof. Alex Biryukov and expected to start in summer 2013.

Candidates must hold a Ph.D. degree (or be in the final stages of a Ph.D. program) in cryptography or a closely related discipline. Applications from researchers with experience in embedded systems security, network security, privacy/anonymity, or mobile/wireless security will also be considered. Preference will be given to candidates with a strong publication record including papers in top-tier crypto/security conference proceedings or journals. Candidates with an interest to conduct leading-edge research in one of the following areas are particularly encouraged to apply:

Design and analysis of symmetric cryptographic primitives

Side-channel attacks (e.g. DPA) on symmetric cryptographic primitives and countermeasures

The position is available from July 2013 on basis of a fixed-term contract for a duration of three years, which includes a probation period of six months. LACS offers excellent working conditions in an attractive research environment and a highly competitive salary. Interested candidates are invited to submit their application by email to lacs.acrypt(at) The application material should contain a cover letter explaining the candidate\\\'s motivation and research interests, a detailed CV (including photo), a list of publications, copies of diploma certificates, and nam

22:32 [Job][Update] Professor of Cyber Security, Tallinn University of Technology, Estonia

  The Department of Computer Science at Tallinn University of Technology is looking for a full Professor of Cyber Security.

This appointment is part of the strategic growth of the Department of Computer Science, supported by the Estonian IT Academy program. The department is seeking an energetic and dynamic candidate who will contribute to and complement the current research and teaching activities, and promote cooperation with national and international partners in academia, industry, government, and military. The candidate’s main responsibility in the areas of cyber security will be research activities, supervising Ph.D work, leading department’s cyber security research and study program, and teaching courses on postgraduate level.

The successful candidate will serve as a leader of research and teaching in the field of practical cyber security and digital forensics.

The position has currently been announced for the period Feb 2014 - Jan 2019. It can be extended. Ask the contact persons about details.