International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

22:17 [Pub][ePrint] Safe enclosures: towards cryptographic techniques for server protection, by Sergiu Bursuc and Julian P. Murphy

  Cryptography is generally used to protect sensitive data from an untrusted server. In this paper, we investigate the converse question: can we use cryptography to protect a trusted server from untrusted data?

As a first step in this direction, we propose the notion of safe enclosures. Intuitively, a safe enclosure is a cryptographic primitive that encapsulates data in a way that allows to perform some computation on it, while at the same time protecting the server from malicious data. Furthermore, a safe enclosure should come equipped with a dedicated protocol that implements the enclosing function with unconditional integrity. Otherwise, unguarded data may reach the server. We discuss the novelty of these concepts, propose their formal definition and show several realizations.

22:17 [Pub][ePrint] On the Security of Recently Proposed RFID Protocols, by Mete Akg\\\"{u}n, M. Ufuk \\c{C}a\\v{g}layan

  RFID authentication protocols should have a secret updating phase in order to protect the privacy of RFID tags against tag tracing attacks. In the literature, there are many lightweight RFID authentication protocols that try to provide key updating with lightweight cryptographic primitives. In this paper, we analyse the security of two recently proposed lightweight RFID authentication protocol against de-synchronization attacks. We show that secret values shared between the back-end server and any given tag can be easily desynchronised. This weakness stems from the insufficient design of these protocols.

22:17 [Pub][ePrint] Errorless Smooth Projective Hash Function based on LWE, by Olivier Blazy and Céline Chevalier and Léo Ducas and Jiaxin Pan

  Smooth Projective Hash Functions are one of the base tools to build

interactive protocols; and this notion has lead to the construction of numerous protocols enjoying strong security notions, such as the security in the Bellare-Pointcheval-Rogaway (BPR) model or even Universal Composability (UC).

Yet, the construction of SPHF has been almost limited to discrete-logarithm or pairing type assumptions up to now. This stands in contrast with domains such as homomorphic encryption or functional encryption, where Lattice Based Cryptography has already caught up and overtook discrete-log/pairing based cryptography. So far, work in the direction of UC based on lattices is almost restricted to a paper from Peikert, Vaikuntanathan, and Waters (Crypto 2008) dealing with Oblivious Transfer in the UC framework, and work in the direction of password-authenticated key exchange protocols (PAKE) to one from

Katz and Vaikuntanathan (Asiacrypt 2009) on a 3-round Password-Authenticated Key Exchange, but restraining itself to the BPR model. It seems that dealing with errors in those contexts is not as easy as it is for encryption.

In this work, we identify the problem at its source, namely, the lattice version of Diffie-Hellman key exchange protocol: the key greement is only approximate. We explicit a simple folklore trick to obtain true, errorless, one-round key exchange from LWE. We then show that this trick can be adapted to various lattice encryption schemes, leading, with some technicalities, to errorless SPHF\'s. From there, we derive three new results, namely the first lattice-based following protocols: a one-round PAKE secure in the BPR model, a 3-round PAKE secure in the UC model, and a UC commitment scheme, all of them based on SIS and LWE assumptions.

22:17 [Pub][ePrint] Leakage Resilient Fully Homomorphic Encryption, by Alexandra Berkoff and Feng-Hao Liu

  We construct the first leakage resilient variants of fully homomorphic encryption (FHE) schemes. Our leakage model is bounded adaptive leakage resilience. We first construct a leakage- resilient leveled FHE scheme, meaning the scheme is both leakage resilient and homomorphic for all circuits of depth less than some pre-established maximum set at the time of key generation. We do so by applying ideas from recent works analyzing the leakage resilience of public key encryption schemes based on the decision learning with errors (DLWE) assumption to the Gentry, Sahai and Waters ([17]) leveled FHE scheme. We then move beyond simply leveled FHE, removing the need for an a priori maximum circuit depth, by presenting a novel way to combine schemes. We show that by combining leakage resilient leveled FHE with multi-key FHE, it is possible to create a leakage resilient scheme capable of homomorphically evaluating circuits of arbitrary depth, with a bounded number of distinct input ciphertexts.

22:17 [Pub][ePrint] Another Look at XCB, by {Debrup Chakraborty and Vicente Hernandez-Jimenez and Palash Sarkar

  XCB is a tweakable enciphering scheme (TES) which was first proposed in 2004. The scheme was modified in 2007. We call these

two versions of XCB as XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector oriented

storage media in IEEE-std 1619.2 2010. There is no known proof of security for XCBv1 but the authors provided a concrete security bound for XCBv2 and

a \"proof\" for justifying the bound. In this paper we show that XCBv2 is not secure as a TES by showing an easy distinguishing attack on it.

For XCBv2 to be secure, the message space should contain only messages whose lengths are multiples of the block length of the block cipher.

For such restricted message spaces also the bound that the authors claim is not justified. We show this by pointing out some errors in the proof.

We provide a new security bound for XCBv2, and this bound is much worse than that has been claimed by the authors. We also for the first time

provide a concrete security bound for XCBv1. The new bounds shows that both XCBv1 and XCBv2 are worse in terms of security compared

to all TES for which a concrete security bound is known.

22:17 [Pub][ePrint] Fair and Efficient Secure Multiparty Computation with Reputation Systems, by Gilad Asharov and Yehuda Lindell and Hila Zarosim

  A reputation system for a set of entities is essentially a list of scores that provides a measure of the reliability of each entity in the set. The score given to an entity can be interpreted (and in the reputation system literature it often is~\\cite{FRS}) as the probability that an entity will behave honestly. In this paper, we ask whether or not it is possible to utilize reputation systems for carrying out secure multiparty computation. We provide formal definitions of secure computation in this setting, and carry out a theoretical study of feasibility. We present almost tight results showing when it is and is not possible to achieve \\emph{fair} secure computation in our model. We suggest applications for our model in settings where some information about the honesty of other parties is given. This can be preferable to the current situation where either an honest majority is arbitrarily assumed, or a protocol that is secure for a dishonest majority is used and the efficiency and security guarantees (including fairness) of an honest majority are not obtained.

22:17 [Pub][ePrint] EPCGen2 Pseudorandom Number Generators: Analysis of J3Gen, by Alberto Peinado and Jorge Munilla and Amparo Fúster

  This paper analyzes the cryptographic security of J3Gen, a

promising pseudo random number generator for low-cost passive RFID

tags. Although J3Gen has been shown to fulfill the randomness

criteria set by the EPCglobal Gen2 standard and is intended for

security applications, we describe here two cryptanalytic attacks

which question its security claims: i) a probabilistic attack

based on solving linear equation systems, and ii) a

deterministic attack based on the output sequence decimation.

Numerical results, supported by simulations, show that for the

specific recommended values of the configurable parameters, a low

number of intercepted output bits are enough to crytanalyze J3Gen.

We then make some recommendations which address these issues.

22:17 [Pub][ePrint] Secure multi-party data analysis: end user validation and practical experiments, by Dan Bogdanov and Liina Kamm and Sven Laur and Pille Pruulmann-Vengerfeldt

  Research papers on new secure multi-party computation protocols

rarely confirm the need for the developed protocol with its end users.

One challenge in the way of such validation is that it is hard to explain

the benefits of secure multi-party computation to non-experts.

We present a method that we used to explain the application

models of secure multi-party computation to a diverse group of end users

in several professional areas. In these interviews, we learned that

the potential users were curious about the possibility of using

secure multi-party computation to share and statistically analyse

private data. However, they also had concerns on how the new

technology will change the data analysis processes.

Inspired by this, we implemented a secure multi-party

computation prototype that calculates statistical functions in the same way as

popular data analysis packages like R, SAS, SPSS and Stata.

Finally, we validated the practical feasibility of this application by conducting

an experimental study that combined tax records with education records.

22:17 [Pub][ePrint] Lower Bounds in the Hardware Token Model, by Shashank Agrawal and Prabhanjan Ananth and Vipul Goyal and Manoj Prabhakaran and Alon Rosen

  We study the complexity of secure computation in the tamper-proof hardware token model. Our main focus is on non-interactive unconditional two-party computation using bit-OT tokens, but we also study computational security with stateless tokens that have more complex functionality. Our results can be summarized as follows:

- There exists a class of functions such that the number of bit-OT tokens required to securely implement them is at least the size of the sender\'s input. The same applies for receiver\'s input size (with a different class of functionalities).

- Non-adaptive protocols in the hardware token model imply efficient (decomposable) randomized encodings. This can be interpreted as evidence to the impossibility of non-adaptive protocols for a large class of functions.

- There exists a functionality for which there is no protocol in the stateless hardware token model accessing the tokens at most a constant number of times, even when the adversary is computationally bounded.

En route to proving our results, we make interesting connections between the hardware token model and well studied notions such as OT hybrid model, randomized encodings, and obfuscation.

16:19 [Job][New] Postdoc Positions in IT-Security, Privacy, and Cryptography, Center for IT-Security, Privacy and Accountability, Saarland University, Saarbrücken, Germany


The Information Security and Cryptography (IS&C) group at the Computer Science Department of Saarland University is currently offering several postdoc positions. The IS&C group is part of the Center for IT-Security, Privacy and Accountability (CISPA).

The IS&C group conducts research in various aspects of IT-security, privacy, and cryptography. Topics of particular interest include, but are not limited to:

  • design and formal verification of security protocols, programs, and architectures,
  • privacy enhancing technologies in a broad sense, e.g., privacy in data acquisition,

    processing, and publishing,

  • network and operating systems security,
  • web security,
  • reliability, accountability and trust,
  • cryptography,
  • as well cross-cutting disciplines such as usability and social aspects in this research field.

Positions are being offered for two years, with the possibility of renewal for another year. Postdoc applicants are required to hold a doctoral degree in computer science or a closely related area, or have it completed at the time of taking up the position. We expect successful applicants to have a strong background in one or more of the aforementioned research topics, and to maintain an outstanding academic track record. The working and teaching language is English.

Application Instructions

Applications should contain a CV, copies of transcripts, certificates, as well as a research statement and two references. Applications will be accepted for evaluation until the positions have been filled. Please send your application to Michael Backes via e-mail.

09:52 [Job][New] Ph.D. Position in Lightweight Cryptography for the Internet of Things, University of Luxembourg, Luxembourg


The Laboratory of Algorithmics, Cryptology and Security (LACS) of the University of Luxembourg is looking a Ph.D. student in lightweight cryptography. The successful candidate will contribute to a research project entitled \\\"Applied Cryptography for the Internet of Things (ACRYPT),\\\" which is funded by the Fonds National de la Recherche (FNR). The ACRYPT project is led by Prof. Alex Biryukov and has started in July 2013.

Candidates are expected to hold an M.Sc. degree in computer science, electrical engineering, or applied mathematics with outstanding grades (GPA > 80%). Applications from M.Sc. students who will graduate in spring 2014 will also be considered. A solid background in algorithms and data structures, discrete mathematics, probability theory and statistics, software development, computer architecture, and information security is a general requirement to qualify for a Ph.D. position in LACS. Hands-on experience in hardware design (VHDL, SystemC) or programming of embedded systems (AVR, MSP430, ARM, etc.) is a plus. Candidates with an interest to conduct research in one of the following areas are particularly encouraged to apply:

  • Design and analysis of symmetric cryptographic primitives
  • Efficient implementation of cryptosystems in HW and/or SW
  • Side-channel attacks and countermeasures

The Ph.D. position is initially available for three years, but an extension to a fourth year is possible. LACS offers excellent working conditions in an attractive research environment and a competitive salary (> 2000€ net). Interested candidates are invited to submit their application by email to lacs.acrypt(at) The application material should contain a cover letter explaining the candidate\\\'s motivation and research interests, a CV (including detailed information about the obtained degrees and overall GPA in both the undergraduate and graduate program), as well as a transcript of courses and grades. A