International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

06:17 [Pub][ePrint] Eavesdropping or Disrupting a Communication --- On the Weakness of Quantum Communications, by Zhengjun Cao

  What is the behavior of an adversary to launch attacks against a communication? The good choice is to eavesdrop the communication such that the communicators can not detect the eavesdropping. The general choice is to disrupt the communication at low cost, say, measuring the transferred quantum signals in the well-known BB84 quantum key distribution protocol. The bad choice is to disrupt it at even high cost, such as severing copper or fiber, if it is necessary. In this note we remark that a quantum communication is very vulnerable to low cost attacks. The plan to build a large quantum photonic network is infeasible.

06:17 [Pub][ePrint] A note on verifying the APN property, by Pascale Charpin and Gohar M. Kyureghyan

  We show that for an arbitrary mapping $F$ on $F_2^n$ to verify that it is APN, it is enough to consider the difference mappings of $F$

defined by elements from an hyperplane.

15:17 [Pub][ePrint] Efficient computation of addition-subtraction chains using generalized continued Fractions, by Amadou Tall and Ali Yassin Sanghare

  The aim of this paper is to present a new way of computing short addition-subtraction chains using the generalized continued fractions where subtraction is allowed. We will recover the most used ways of getting addition-subtraction chains. This method is not always optimal but gives minimal chains that are easy to compute.

15:17 [Pub][ePrint] Analysis of BLAKE2, by Jian Guo and Pierre Karpman and Ivica Nikolic and Lei Wang and Shuang Wu

  We present a thorough security analysis of the hash function family BLAKE2, a recently proposed and already in use tweaked version of the SHA-3 finalist BLAKE. We study how existing attacks on BLAKE apply to BLAKE2 and to what extent the modifications impact the attacks. We design and run two improved searches for (impossible) differential attacks -- the outcomes suggest higher number of attacked rounds in the case of impossible differentials (in fact we improve the best results for BLAKE as well), and slightly higher for the differential attacks on the hash/compression function (which gives an insight into the quality of the tweaks). We emphasize the importance of each of the modifications, in particular we show that an improper initialization could lead to collisions and near-collisions for the full-round compression function. We analyze the permutation of the new hash function and give rotational attacks and internal differentials for the whole design. We conclude that the tweaks in BLAKE2 were chosen properly and, despite having weaknesses in the theoretical attack frameworks of permutations and of fully-chosen state input compression functions, the hash function of BLAKE2 has only slightly lower security margin than BLAKE.

15:17 [Pub][ePrint] How To Construct Extractable One-Way Functions Against Uniform Adversaries, by Nir Bitansky and Ran Canetti and Omer Paneth

  A function $f$ is extractable if it is possible to algorithmically ``extract,\'\' from any program that outputs a value $y$ in the image of $f,$ a preimage of $y$.

When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-standard {\\em knowledge assumption} on certain functions.

We give the first construction of extractable one-way functions assuming only standard hardness assumptions (e.g.,subexponential security of Decision Diffie-Hellman or Quadratic Residousity).

Our functions are extractable against adversaries with bounded polynomial advice and unbounded polynomial running time. We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the same assumptions.

The construction uses ideas from [Barak, FOCS01] and [Barak, Lindell, and Vadhan, FOCS03], and rely on the recent breakthrough construction of privately verifiable $\\P$-delegation schemes [Kalai, Raz, and Rothblum]. The extraction procedure uses the program evaluating $f$ in a non-black-box way, which we show to be necessary.

15:17 [Pub][ePrint] Verifiable Delegation of Computation on Outsourced Data, by Michael Backes and Dario Fiore and Raphael M. Reischuk

  We address the problem in which a client stores a large amount of data with an untrusted server in such a way that, at any moment, the client can ask the server to compute a function on some portion of its outsourced data. In this scenario, the client must be able to efficiently verify the correctness of the result despite no longer knowing the inputs of the delegated computation, it must be able to keep adding elements to its remote storage, and it does not have to fix in advance (i.e., at data outsourcing time) the functions that it will delegate. Even more ambitiously, clients should be able to verify in time independent of the input-size - a very appealing property for computations over huge amounts of data.

In this work we propose novel cryptographic techniques that solve the above problem for the class of computations of quadratic polynomials over a large number of variables. This class covers a wide range of significant arithmetic computations - notably, many important statistics. To confirm the efficiency of our solution, we show encouraging performance results, e.g., correctness proofs have size below 1 kB and are verifiable by clients in less than 10 milliseconds.

08:05 [Job][New] Post-Doc, Telecom ParisTech, Communication and Electrical Engineering Department, Sophia-Antipolis, France


We are looking for a postdoctoral researcher to contribute a project named LibreCloud on self hosted, distributed, redundant and secured cloud services. The main goal of the LibreCloud project is to help end users to better control their personal information and data, at a very low cost and with the quality of service of a commercial cloud solution.

The LibreCloud project aims at packaging a GNU/Linux distribution tailored for cheap and power efficient personal computers (Raspberry Pi, Parallella, Plug Computers). The distribution shall be easy to install and manage and shall embed the largest possible set of services (agenda, notes, address books, bookmarks, keyring, storage, e-mail,...) that are usually found on commercial cloud infrastructures. Its main characteristics shall be strong security (privacy, confidentiality, integrity) and safety (redundancy, backups, continuous availability across time and space).

06:17 [Pub][ePrint] Verifiable Attribute-based Keyword Search over Outsourced Encrypted Data, by Qingji Zheng and Shouhuai Xu and Giuseppe Ateniese

  It is quite common nowadays for data owners to outsource their data to the cloud.

However, since the cloud is not fully trusted, the outsourced data should be encrypted, which brings a range of problems, such as: How can authorized data users search over a data owner\'s outsourced encrypted data?

How should a data owner grant search capabilities to data users?

How can data users be assured that the cloud faithfully executed the search operations? Towards ultimately addressing these problems, in this paper we propose a novel cryptographic scheme, called {\\em verifiable attribute-based keyword search} (\\vabks). This scheme

allows a data user, whose attributes or credentials satisfy a data owner\'s access control policy,

to (i) search over the data owner\'s outsourced encrypted data,

(ii) outsource the tedious search operations to the cloud, and

(iii) verify whether the cloud has faithfully executed the search operations.

We define \\vabks\'s security properties, and present concrete constructions that are proven to possess these properties. Performance evaluation shows that the proposed schemes are practical.

06:17 [Pub][ePrint] Secret Key Cryptosystem based on Polar Codes over Binary Erasure Channel, by Reza Hooshmand, Masoumeh Koochak Shooshtari, Mohammad Reza Aref

  This paper proposes an efficient secret key cryptosystem based on polar codes over Binary Erasure Channel. We introduce a method, for the first time to our knowledge, to hide the generator matrix of the polar codes from an attacker. In fact, our main goal is to achieve secure and reliable communication using finite-length polar codes. The proposed cryptosystem has a significant security advantage against chosen plaintext attacks in comparison with the Rao-Nam cryptosystem. Also, the key length is decreased after applying a new compression algorithm. Moreover, this scheme benefits from high code rate and proper error performance for reliable communication.

06:17 [Pub][ePrint] Towards A Practical JCJ / Civitas Implementation, by Stephan Neumann and Christian Feier and Melanie Volkamer and Reto Koenig

  Internet voting continues to enjoy wide interest from both research and practice. Among the Internet voting schemes developed over the last decades, JCJ / Civitas stands out from the masses due to its innovative approach to resist voter coercion. To achieve its ambitious goal, the scheme builds upon particularly restrictive assumptions and an abstract credential handling rendering the scheme impractical for real-world use. At ARES 2012, Neumann and Volkamer presented a proposal which implements several of these assumptions (voter-side assumptions) and the credential handling by the use of smart cards. While addressing these practical shortcomings of JCJ / Civitas, their proposal did not take performance into account, and accordingly its performance has not been evaluated. In the present work, we revise the ARES proposal from a performance perspective in a security-invariant manner. Based on the herein proposed revisions, we are able to conclude that the revised ARES proposal is feasible to be used in real-world elections.

06:17 [Pub][ePrint] Practical & Provably Secure Distance-Bounding, by Ioana Boureanu and Aikaterini Mitrokotsa and Serge Vaudenay

  Distance-bounding is a practical solution to be used in security-sensitive contexts, to prevent relay attacks. Its applied cryptographic role is definitely spreading fast and it is clearly far reaching, extending from contactless payments to remote car unlocking. However, security models for distance-bounding are not well-established and, as far as we know, no existing protocol is proven to resist all classical attacks: distance-fraud, mafia-fraud, and terrorist-fraud. We herein amend the latter, whilst maintaining the lightweight nature that makes these protocols appropriate for concrete applications. Firstly, we develop a general formalism for distance-bounding protocols and their security requirements. In fact, we also propose specifications of generalised frauds, stemming from the (attack-prone) multi-party scenarios. This entails our incorporation of newly advanced threats, e.g., distance-hijacking. Recently, Boureanu et al. proposed the SKI protocol. We herein extend it and prove its security. To attain resistance to terrorist-fraud, we put forward the use of a leakage scheme and of secret sharing, which we specialise and reinforce with additional requirements. In view of resistance to generalised mafia-frauds (and terrorist frauds), we further introduce the notion of circular-keying for pseudorandom functions (PRFs); this notion models the employment of a PRF, with possible linear reuse of the key. We also identify the need of PRF masking to fix common mistakes in existing security proofs/claims of distance-fraud security. We then enhance our design such that we guarantee resistance to terrorist-fraud in the presence of noise. To our knowledge, all this gives rises the first practical and provably secure class of distance-bounding protocols, even when our protocols are run in noisy communications, which is indeed the real-life setting of deployed, time-critical cryptographic protocols.