International Association for Cryptologic Research

IACR News Central


06:17 [Pub][ePrint] Verifiable Attribute-based Keyword Search over Outsourced Encrypted Data, by Qingji Zheng and Shouhuai Xu and Giuseppe Ateniese

  It is quite common nowadays for data owners to outsource their data to the cloud. However, since the cloud is not fully trusted, the outsourced data should be encrypted, which brings a range of problems, such as: How can authorized data users search over a data owner's outsourced encrypted data? How should a data owner grant search capabilities to data users? How can data users be assured that the cloud faithfully executed the search operations? Towards ultimately addressing these problems, in this paper we propose a novel cryptographic scheme, called verifiable attribute-based keyword search (VABKS). This scheme allows a data user, whose attributes or credentials satisfy a data owner's access control policy, to (i) search over the data owner's outsourced encrypted data, (ii) outsource the tedious search operations to the cloud, and (iii) verify whether the cloud has faithfully executed the search operations. We define VABKS's security properties, and present concrete constructions that are proven to possess these properties. Performance evaluation shows that the proposed schemes are practical.

06:17 [Pub][ePrint] Secret Key Cryptosystem based on Polar Codes over Binary Erasure Channel, by Reza Hooshmand, Masoumeh Koochak Shooshtari, Mohammad Reza Aref

  This paper proposes an efficient secret key cryptosystem based on polar codes over Binary Erasure Channel. We introduce a method, for the first time to our knowledge, to hide the generator matrix of the polar codes from an attacker. In fact, our main goal is to achieve secure and reliable communication using finite-length polar codes. The proposed cryptosystem has a significant security advantage against chosen plaintext attacks in comparison with the Rao-Nam cryptosystem. Also, the key length is decreased after applying a new compression algorithm. Moreover, this scheme benefits from high code rate and proper error performance for reliable communication.

06:17 [Pub][ePrint] Towards A Practical JCJ / Civitas Implementation, by Stephan Neumann and Christian Feier and Melanie Volkamer and Reto Koenig

  Internet voting continues to enjoy wide interest from both research and practice. Among the Internet voting schemes developed over the last decades, JCJ / Civitas stands out from the masses due to its innovative approach to resist voter coercion. To achieve its ambitious goal, the scheme builds upon particularly restrictive assumptions and an abstract credential handling rendering the scheme impractical for real-world use. At ARES 2012, Neumann and Volkamer presented a proposal which implements several of these assumptions (voter-side assumptions) and the credential handling by the use of smart cards. While addressing these practical shortcomings of JCJ / Civitas, their proposal did not take performance into account, and accordingly its performance has not been evaluated. In the present work, we revise the ARES proposal from a performance perspective in a security-invariant manner. Based on the herein proposed revisions, we are able to conclude that the revised ARES proposal is feasible to be used in real-world elections.

06:17 [Pub][ePrint] Practical & Provably Secure Distance-Bounding, by Ioana Boureanu and Aikaterini Mitrokotsa and Serge Vaudenay

  Distance-bounding is a practical solution to be used in security-sensitive contexts, to prevent relay attacks. Its applied cryptographic role is definitely spreading fast and it is clearly far reaching, extending from contactless payments to remote car unlocking. However, security models for distance-bounding are not well-established and, as far as we know, no existing protocol is proven to resist all classical attacks: distance-fraud, mafia-fraud, and terrorist-fraud. We herein amend the latter, whilst maintaining the lightweight nature that makes these protocols appropriate for concrete applications. Firstly, we develop a general formalism for distance-bounding protocols and their security requirements. In fact, we also propose specifications of generalised frauds, stemming from the (attack-prone) multi-party scenarios. This entails our incorporation of newly advanced threats, e.g., distance-hijacking. Recently, Boureanu et al. proposed the SKI protocol. We herein extend it and prove its security. To attain resistance to terrorist-fraud, we put forward the use of a leakage scheme and of secret sharing, which we specialise and reinforce with additional requirements. In view of resistance to generalised mafia-frauds (and terrorist frauds), we further introduce the notion of circular-keying for pseudorandom functions (PRFs); this notion models the employment of a PRF, with possible linear reuse of the key. We also identify the need of PRF masking to fix common mistakes in existing security proofs/claims of distance-fraud security. We then enhance our design such that we guarantee resistance to terrorist-fraud in the presence of noise. To our knowledge, all this gives rise to the first practical and provably secure class of distance-bounding protocols, even when our protocols are run in noisy communications, which is indeed the real-life setting of deployed, time-critical cryptographic protocols.

09:17 [Pub][ePrint] HPAZ: a High-throughput Pipeline Architecture of ZUC in Hardware, by Zongbin Liu and Neng Gao and Jiwu Jing and Peng Liu

  In this paper, we propose a high-throughput pipeline architecture of the stream cipher ZUC which has been included in the security portfolio of 3GPP LTE-Advanced. In the literature, the schema with the highest throughput only implements the working stage of ZUC. The schemas which implement ZUC completely can only achieve a much lower throughput, since a self-feedback loop in the critical path significantly reduces operating frequency. In this paper we design a mixed two-stage pipeline architecture which not only completely implements ZUC but also significantly raises the throughput. We have implemented our architecture on FPGA and ASIC. On the FPGA platform, the new architecture increases the throughput by 45%, compared with the latest work, and particularly the new architecture also saves nearly 12% of hardware resources. On 65nm ASIC technology, the throughput of the new design can reach up to 80Gbps, which is 2.7 times faster than the fastest one in the literature; in particular, it also saves at least 40% of hardware resources. In addition to the academic design, compared with the fastest commercial design, the new architecture doubles the throughput of that. To the best of our knowledge, this evaluation result is so far the best outcome. It can be assumed that hardware implementations of ZUC following our architecture will fit in future LTE equipment better.

06:17 [Pub][ePrint] Reset Indifferentiability and its Consequences, by Paul Baecher and Christina Brzuska and Arno Mittelbach

  The equivalence of the random oracle model and the ideal cipher model has been studied in a long series of results. Holenstein, Künzler, and Tessaro (STOC, 2011) have recently completed the picture positively, assuming that, roughly speaking, equivalence is indifferentiability from each other. However, under the stronger notion of reset indifferentiability this picture changes significantly, as Demay et al. (EUROCRYPT, 2013) and Luykx et al. (ePrint, 2012) demonstrate.

We complement these latter works in several ways. First, we show that any simulator satisfying the reset indifferentiability notion must be stateless and pseudo-deterministic. Using this characterization we show that, with respect to reset indifferentiability, two ideal models are either equivalent or incomparable, that is, a model cannot be strictly stronger than the other model. In the case of the random oracle model and the ideal cipher model, this implies that the two are incomparable. Finally, we examine weaker notions of reset indifferentiability that, while not being able to allow composition in general, allow composition for a large class of multi-stage games. Here we show that the seemingly much weaker notion of 1-reset indifferentiability proposed by Luykx et al. is equivalent to reset indifferentiability. Hence, the impossibility of coming up with a reset indifferentiable construction transfers to the setting where only one reset is permitted, thereby re-opening the quest for an achievable and meaningful notion in between the two variants.

06:17 [Pub][ePrint] Solving Terminal Revocation in EAC by Augmenting Terminal Authentication, by Rafik Chaabouni

  In this paper we propose a solution to enable an accurate terminal revocation in the Extended Access Control (EAC). Chaabouni and Vaudenay in [CV09] pointed out the need for an accurate revocation procedure, but failed to provide a complete solution description. We aim at filling this gap. Our solution relies on augmenting terminal authentication with a t-out-of-l threshold signature provided by neighboring terminals. These terminals will be in charge of checking the revocation status of the requested terminal. As terminals have a real clock embedded and more computational power than Machine Readable Travel Documents (MRTDs), they are better suited for checking revocation status.

17:40 [Job][New] Post-Doc Positions, University of Bristol

  The Cryptography group within the Department of Computer Science has grown considerably in the last year and additional researchers are required in the following areas:

- Analysis of “real world” protocols

- Formal Methods applied to security protocols

- Fully Homomorphic Encryption

- Lattice Based Cryptography

- Provable Security, i.e. Protocol and Mechanism design

- Multi-Party Computation

You will hold a PhD, or expect to be awarded soon, and have experience in one of the sub-areas of cryptography mentioned above.

You will have a good level of analytical skills and the ability to communicate complex information clearly, both orally and through the written word together with the ability to use personal initiative, and creativity, to solve problems encountered in the research context.

Ideally, you will also have a strong publication record in top relevant venues, such as the IACR conferences and journal, ACM-CCS, IEEE S&P, ESORICS, etc.

Appointment may be made at the Research Assistant (grade I) or Research Associate (grade J) level depending on skills and experience and will be for 2 to 3 years in the first instance.

17:39 [Job][New] Post-doc, LIX, École polytechnique, France

We are looking for a postdoctoral researcher to participate in Project CATREL (theoretical and practical improvements for algorithms for breaking discrete logarithms over finite fields). This two-year position is with the GRACE team at the École polytechnique (in the southern suburbs of Paris), starting no later than January 1, 2014.

For more information, see

Candidates should have a PhD in number theory or computer science.

Good programming skills and knowledge of number theory are essential; experience in C/C++ development, algorithmic number theory, and computer algebra systems (such as Magma, Sage, Pari-GP, etc) would be an advantage.

03:17 [Pub][ePrint] On the Security of Group-based Proxy Re-encryption Scheme, by Purushothama B R and B B Amberker

  Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext intended for Alice into a ciphertext for Bob without learning anything about the underlying plaintext. Chunbo Ma et al. have proposed a group-based proxy re-encryption scheme to convert a ciphertext from one group to another. Any group member can independently decrypt the ciphertexts encrypted to its group. In their paper, the authors gave a security proof to say that the scheme is secure against adaptive chosen ciphertext attack. However, we highlight the flaws in their scheme and show that their scheme is not secure against adaptive chosen ciphertext attack. In this direction, we construct an adversary who issues only one decryption oracle query and breaks the security of their scheme with non-negligible advantage.

03:17 [Pub][ePrint] Deduction Soundness: Prove One, Get Five for Free, by Florian Böhl and Véronique Cortier and Bogdan Warinschi

  Most computational soundness theorems deal with a limited number of primitives, thereby limiting their applicability. The notion of deduction soundness of Cortier and Warinschi (CCS'11) aims to facilitate soundness theorems for richer frameworks via composition results: deduction soundness extends, generically, with asymmetric encryption and public data structures. Unfortunately, that paper also hints at rather serious limitations regarding further composition results: composability with digital signatures seems to be precluded.

In this paper we provide techniques for bypassing the perceived limitations of deduction soundness and demonstrate that it enjoys vastly improved composition properties. More precisely, we show that a deduction sound implementation can be modularly extended with all of the basic cryptographic primitives (symmetric/asymmetric encryption, message authentication codes, digital signatures, and hash functions). We thus obtain the first soundness framework that allows for the joint use of multiple instances of all of the basic primitives.

In addition, we show how to overcome an important restriction of the bare deduction soundness framework which forbids sending encrypted secret keys. In turn, this prevents its use for the analysis of a large class of interesting protocols (e.g. key exchange protocols). We allow for more liberal uses of keys as long as they are hidden in a sense that we also define. All primitives typically used to send secret data (symmetric/asymmetric encryption) satisfy our requirement which we also show to be preserved under composition.