International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:17 [Pub][ePrint] Resolving the conflict between generality and plausibility in verified computation, by Srinath Setty and Benjamin Braun and Victor Vu and Andrew J. Blumberg and Bryan Parno and Michael Walfish

  The area of proof-based verified computation (outsourced computation

built atop probabilistically checkable proofs and cryptographic

machinery) has lately seen renewed interest. Although recent work has

made great strides in reducing the overhead of naive applications of the

theory, these schemes still cannot be considered practical. The core

issue is that the work for the prover is immense, in general; it

is near-practical only for hand-compiled computations that can

be expressed in special forms.

This paper addresses that problem. Provided one is willing to batch

verification, we develop a protocol that

achieves the efficiency of the

best manually constructed protocols in the literature yet applies to all


Our protocol

is built on the observation that the

recently-proposed QAPs of Gennaro et al. (ePrint 2012/215) yield a

linear PCP that works with the efficient argument protocol of Setty et

al. (ePrint 2012/598, Security 2012, NDSS 2012), itself based on the

proposal of Ishai et al. (CCC 2007).

The consequence is a prover whose total work is not much more than

_linear_ in the running time of the computation.

We implement the protocol in the

context of a built system that includes a compiler and a parallel GPU

implementation. The result, as indicated by an experimental evaluation,

is a system that is _almost_ usable for real problems -- without

special-purpose tailoring.

16:17 [Pub][ePrint] {Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes, by David McGrew

  The block cipher modes of operation that are widely used (CBC, CTR, CFB) are secure up to

the birthday bound; with a $w$-bit block cipher, they are secure if $w2^{w}$ or fewer bits of data are encrypted, and insecure above that bound. However, the detailed security

properties close to this bound are not widely appreciated, despite the fact that $64$-bit block ciphers are sometimes used in that domain. This work addresses the issue by describing and analyzing plaintext-recovery attacks that are effective close to that bound. We describe possible-plaintext attacks, which can learn unknown plaintext values that are encrypted with CBC, CFB, or OFB. We also introduce impossible plaintext cryptanalysis, which can recover information encrypted with CTR, and can improve attacks against the aforementioned modes as well. These attacks work at the birthday bound, or even slightly below that bound, when

the target plaintext values are encrypted under a succession of keys.

16:17 [Pub][ePrint] Order-Preserving Symmetric Encryption, by Alexandra Boldyreva and Nathan Chenette and Younho Lee and Adam O\'Neill

  We initiate the cryptographic study of order-preserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al.~(SIGMOD \'04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosen-plaintext attack (IND-CPA) is unachievable by a practical OPE scheme. Instead, we propose a security notion in the spirit of pseudorandom functions (PRFs) and related primitives asking that an OPE scheme look ``as-random-as-possible\" subject to the order-preserving constraint.

We then design an efficient OPE scheme and prove its security under our notion based on pseudorandomness of an underlying blockcipher. Our construction is based on a natural relation we uncover between a random order-preserving function and the hypergeometric probability distribution.

In particular, it makes black-box use of an efficient sampling algorithm for the latter.

16:17 [Pub][ePrint] Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions, by Alexandra Boldyreva and Nathan Chenette and Adam O\'Neill

  We further the study of order-preserving symmetric encryption (OPE), a primitive for allowing efficient range queries on encrypted data, recently initiated (from a cryptographic perspective) by Boldyreva et al.~(Eurocrypt \'09).

First, we address the open problem of characterizing what encryption via a random order-preserving function (ROPF) leaks about underlying data (ROPF being the ``ideal object\'\' in the security definition, POPF, satisfied by their scheme.)

In particular, we show that, for a database of randomly distributed plaintexts and appropriate choice of parameters, ROPF encryption leaks neither the precise value of any plaintext nor the precise distance between any two of them.

The analysis here introduces useful new techniques.

On the other hand, we show that ROPF encryption leaks approximate value of any plaintext as well as approximate distance between any two plaintexts, each to an accuracy of about square root of the domain size.

We then study schemes that are not order-preserving, but which nevertheless allow efficient range queries and achieve security notions stronger than POPF. In a setting where the entire database is known in advance of key-generation (considered in several prior works), we show that recent constructions of ``monotone minimal perfect hash functions\'\' allow to efficiently achieve (an adaptation of) the notion of IND-O(rdered) CPA also considered by Boldyreva et al., which asks that \\emph{only} the order relations among the plaintexts is leaked.

Finally, we introduce {\\em modular} order-preserving encryption (MOPE), in which the scheme of Boldyreva et al. is prepended with a random shift cipher. MOPE improves the security of OPE in a sense, as it does not leak any information about plaintext location.

We clarify that our work should not be interpreted as saying the original scheme of Boldyreva et al., or the variants that we introduce, are ``secure\'\' or ``insecure.\'\' Rather, the goal of this line of research is to help practitioners decide whether the options provide a suitable security-functionality tradeoff for a given application.

07:15 [Election] Independent verifier

  Tom Roeder at Microsoft Research has written an independent verifier for the Helios system. You can access it via the 2012 election page or via this link.

17:54 [Job][Update] Cryptography Engineer/Cryptography Scientist, Mile 20 Recruiting, LLC, in Bethesda, MD/USA


• Senior hands-on engineer with broad experience in cryptography

• Experienced with designing and implementing cryptographic algorithms and key management systems

• Must be familiar with algorithms and protocols including AES-CBC, AES-GCM, SHA, EC-DH, EC-DSA, random number generation, PKI

• Knowledge of Suite B crypto, TLS, smartcards/CAC, X.509, soft certificates, PKCS11

• Experience developing crypto APIs for both internal and external use

• Must have strong skills with C/C++ and/or Java programming languages on multiple platforms

• Ability to work with and mentor a team of programmers

• Ability to obtain US security clearance.

Highly desired:

• Familiar with FIPS 140-2 process, VPNs, S/MIME, data at rest crypto, and other cryptographic products.

• Familiar with DoD and US Federal requirements and regulations related to cryptography for SBU/CUI and classified data.

• Familiar with secure voice protocols, such as SRTP, SIP/TLS, SSIP, zRTP, etc.

• Ability to create high-level software design documents.

• Experience writing device drivers, low-level APIs, or software development kits.

• Familiar with implementing crypto in hardware in ASIC or FPGA-based systems

• BA/BS, MS, Ph.D. degree in Cryptography, Mathematics, Computer Science, Software Engineering, Computer Engineering, Electrical Engineering or equivalent experience.

• CISSP, CSSLP, or SANS certifications

12:09 [PhD][New] Shi Bai: Polynomial selection for the number field sieve

  Name: Shi Bai
Topic: Polynomial selection for the number field sieve
Category: foundations

12:08 [PhD][New] Richard Brent

  Name: Richard Brent

12:06 [PhD][New] Flavio D. Garcia: Formal and Computational Cryptography: Protocols, Hashes and Commitments

  Name: Flavio D. Garcia
Topic: Formal and Computational Cryptography: Protocols, Hashes and Commitments
Category: cryptographic protocols

Description: In modern society we are surrounded by distributed systems. Most electronic devices that are currently on the market have some networking capability or are able to communicate with each other. Communication\r\nover shared media is inherently insecure. Therefore, proper design of security protocols is of primary concern. The design and analysis of security protocols is a challenging task. Several protocols have been proposed in the\r\nliterature which later were found to be flawed. This is a consequence of the intrinsic complexity associated with the presence of a malicious adversary. The traditional complexity-theoretical adversarial model is realistic but complex. As a consequence of this, designing and analyzing protocols in\r\nthis model is error prone. The Dolev-Yao model refers to the attacker model in which an adversary has complete control over the communication media. In this model, the adversary is not bounded in running time but\r\nis completely unable to break any cryptographic primitive. This model is satisfactory as it provides a good level of abstraction. Proofs are simpler than the complexity-theoretical ones, and therefore less error prone, still capturing most common mistakes in the design of security protocols. This thesis addresses the problem of secure protocol design from both formal and computational perspectives and also studies the relation among them. We present four original contributions:\r\n• We present a decentralized digital currency for peer-to-peer and grid applications that is able to detect double-spending of the coins and\r\nother types of fraud.\r\n• We develop a formal framework for the analysis of anonymizing protocols in terms of epistemic logic. We illustrate our approach by proving sender anonymity and unlinkability of some well-known anonymizing protocols.\r\n• We relate the Dolev-Yao model, extended with hash functions, with a realistic computational model. We use a special randomized construction to interpret hashes.[...]

12:06 [PhD][New] Jaap-Henk Hoepman

  Name: Jaap-Henk Hoepman

12:06 [PhD][New] Bart Jacobs

  Name: Bart Jacobs