International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

19:17 [Pub][ePrint] Privacy Preserving Revocable Predicate Encryption Revisited, by Kwangsu Lee and Intae Kim and Seong Oun Hwang

  Predicate encryption (PE) that provides both the access control of ciphertexts and the privacy of ciphertexts is a new paradigm of public-key encryption. An important application of predicate encryption is a searchable encryption system in a cloud storage, where it enables a client to securely outsource its data to an untrusted cloud server and to search over it even without revealing a keyword itself. One practical issue of predicate encryption is to devise an efficient revocation method to revoke a user when the secret key of the user is compromised. Privacy preserving revocable predicate encryption (RPE) can provide not only revocation, but also the privacy of revoked users.

In this paper, we first define two new security models of privacy preserving RPE: the strongly full-hiding security and the weakly full-hiding security. The strongly full-hiding security provides the full privacy of ciphertexts against outside and inside adversaries, but the weakly full-hiding security only provides the full privacy of ciphertexts against an outside adversary who cannot decrypt the challenge ciphertext. Next, we propose two general RPE constructions from any inner product encryption (IPE) schemes, and prove their security. This first RPE scheme provides the strongly full-hiding security, but the size of ciphertexts is proportional to the number of users in the system. The second RPE scheme improves the efficiency of the first RPE scheme such that the size of ciphertexts is sublinear and the decryption algorithm is efficient, but it provides the weakly full-hiding security.

19:17 [Pub][ePrint] Security Evaluation of Rakaposhi Stream Cipher, by Mohammad Ali Orumiehchiha and Josef Pieprzyk and Elham Shakour and Ron Steinfeld

  Rakaposhi is a synchronous stream cipher, which uses three main components a non-linear

feedback shift register (NLFSR), a dynamic linear feedback shift register (DLFSR) and a

non-linear filtering function ($NLF$). NLFSR consists of 128 bits and is initialised

by the secret key $K$. DLFSR holds 192 bits and is initialised by an initial vector ($IV$).

$NLF$ takes 8-bit inputs and returns a single output bit.

The work identifies weaknesses and properties of the cipher. The main observation

is that the initialisation procedure has the so-called sliding property.

The property can be used to launch distinguishing and key recovery attacks.

The distinguisher needs four observations of the related $(K,IV)$ pairs. The key recovery algorithm allows to discover the secret key $K$ after observing

$2^{9}$ pairs of $(K,IV)$. In the proposed related-key attack, the number of related $(K,IV)$ pairs is $2^{(128+192)/4}$ pairs.

The key recovery algorithm allows to discover the secret key $K$ after observing

$2^9$ related $(K,IV)$ pairs.

Further the cipher is studied when the registers enter short cycles.

When NLFSR is set to all ones, then the cipher degenerates to a linear feedback

shift register with a non-linear filter.

Consequently, the initial state (and Secret Key and $IV$) can be recovered with complexity


If DLFSR is set to all zeros, then $NLF$ reduces to a low non-linearity filter

function. As the result, the cipher is insecure allowing the adversary

to distinguish it from a random cipher after $2^{17}$ observations of

keystream bits. There is also the key recovery algorithm that allows to

find the secret key with complexity $2^{54}$.

16:17 [Pub][ePrint] Galindo-Garcia Identity-Based Signature Revisited, by Sanjit Chatterjee and Chethan Kamath and Vikas Kumar

  In Africacrypt 2009, Galindo-Garcia [11] proposed a lightweight identity-based signature (IBS) scheme based on the Schnorr signature. The construction is simple and claimed to be the most efficient IBS till date. The security is based on the discrete-log assumption and the security argument consists of two reductions: B1 and B2, both of which use the multiple-forking lemma [4] to solve the discrete-log problem (DLP).

In this work, we revisit the security argument given in [11]. Our contributions are two fold: (i) we identify several problems in the original argument and (ii) we provide a detailed new security argument which allows significantly tighter reductions. In particular, we show that the reduction B1 in [11] fails in the standard security model for IBS [1], while the reduction B2 is incomplete. To remedy these problems, we adopt a two-pronged approach. First, we sketch ways to fill the gaps by making minimal changes to the structure of the original security argument; then, we provide a new security argument. The new argument consists of three reductions: R1, R2 and R3 and in each of them, solving the DLP is reduced to breaking the IBS. R1 uses the general forking lemma [2] together with the programming of the random oracles and Coron\'s technique [7]. Reductions R2 and R3, on the other hand, use the multiple-forking lemma along with the programming of the random oracles. We show that the reductions R1 and R2 are significantly tighter than their original counterparts.

16:17 [Pub][ePrint] A Measure of Security for Ideal Functions, by Daniel Smith-Tone and Cristina Tone

  In this work we present a modification of a well-established measure of dependence appropriate for the analysis of stopping times for adversarial processes on cryptographic primitives. We apply this measure to construct generic criteria for the ideal behavior of fixed functions in both the random oracle and ideal permutation setting. More significantly, we provide a nontrivial extension of the notion of hash function indifferentiability, transporting the theory from the status of providing security arguments for protocols utilizing ideal primitives into the more realistic setting of protocol assurance with fixed functions. The methodology this measure introduces to indifferentiability analysis connects the security of a hash function with an indifferentiable mode to the security of the underlying compression function in a quantitative way; thus, we prove that dependence results on cryptographic primitives provide a direct means of determining the practical resistance or vulnerability of protocols employing such primitives.

16:17 [Pub][ePrint] Search in Encrypted Data: Theoretical Models and Practical Applications, by Qiang Tang

  Recently, the concept of Search in Encrypted Data (SED) has become a highlight in cryptography. A SED scheme enables a client to have third-party server(s) to perform certain search functionalities on his encrypted data. In this book chapter, we aim at conducting a systematic study on SED schemes. Firstly, we describe three application scenarios and identify the desirable security requirements. Secondly, we provide two orthogonal categorizations and review the related security models for each category of SED schemes. Thirdly, we analyze the practical issues related to SED schemes and identify some future research directions.

16:17 [Pub][ePrint] A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption , by Yannick Seurin and Joana Treger

  Adding a Schnorr signature to ElGamal encryption is a popular proposal aiming at thwarting chosen-ciphertext attacks by rendering the scheme plaintext-aware. However, there is no known security proof for the resulting scheme, at least not in a weaker model than the one obtained by combining the Random Oracle Model (ROM) and the Generic Group Model (Schnorr and Jakobsson, ASIACRYPT 2000). In this paper, we propose a very simple modification to Schnorr-Signed ElGamal encryption that leaves keys and ciphertexts size unchanged, for which the resulting scheme is semantically secure under adaptive chosen-ciphertext attacks (IND-CCA2-secure) in the ROM under the Decisional Diffie-Hellman assumption. In fact, we even prove that our new scheme is plaintext-aware in the ROM as defined by Bellare et al. (CRYPTO\'98). Interestingly, we also observe that Schnorr-Signed ElGamal is not plaintext-aware (again, for the definition of Bellare et al.) under the Computational Diffie-Hellman assumption. We show that our new scheme additionally achieves anonymity as well as robustness, a notion formalized by Abdalla et al. (TCC 2010) which captures the fact that it is hard to create a ciphertext that is valid under two different public keys. Finally, we study the hybrid variant of our new proposal, and show that it is IND-CCA2-secure in the ROM under the Computational Diffie-Hellman assumption when used with a symmetric encryption scheme satisfying the weakest security notion, namely ciphertext indistinguishability under one-time attacks (IND-OT-security).

15:41 [Event][New] RCD-2013: Romanian Cryptology Days, RCD-2013

  Submission: 1 May 2013
Notification: 1 July 2013
From September 16 to September 17
Location: Bucharest, Romania
More Information:

10:28 [Event][New] DBSec: 27th IFIP WG 11.3 Working Conference on Data and Application and Privacy

  Submission: 15 February 2013
Notification: 19 April 2013
From July 15 to July 17
Location: Newark, NJ, USA
More Information:

14:47 [Job][New] Post Doc, DFG Research Training Group UbiCrypt, Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany

  The Horst Görtz Institute for IT-Security (HGI) at Ruhr-University Bochum is one of Europe’s leading research centers in IT security. The DFG, or German Research Foundation, awarded more than €4 million to the HGI for the establishment of the interdisciplinary research training group “New Challenges for Cryptography in Ubiquitous Computing”. We are looking for candidates with an outstanding Ph.D. in the fields of computer science, electrical engineering, mathematics or related areas.

The research training group will study problems which are fundamental for securing the Internet of Things. The research is structured in three levels: cryptographic primitives, device and system level. The research topics range from cryptographic foundations such as fully homomorphic encryption for privacy in cloud computing, over security for medical implants to internet security solutions involving new national ID cards.

Beside the own research, the main task of the Post-Doc is to work with the UbiCrypt Ph.D. students, and to encourage collaboration between them. Thus, an interest in working with doctoral students and a broad interest in current research are required.

- Start: 01.04.2013

- Competitive salary

- Application: Send your documents by January 15, 2013, to grako (at)

- Required documents: CV, certificates (Bachelor, Master/Diplom, Ph.D.), transcripts , motivation for applying (1 page), names of at least two people who can provide reference letters (email addresses are sufficient)

A group of internationally renowned researchers together with excellent funding provides an extremely interesting scientific environment. The HGI is known for its good working atmosphere.

13:17 [Pub][ePrint] Protocols for Multiparty Coin Toss With Dishonest Majority, by Amos Beimel and Eran Omri and Ilan Orlov

  Coin-tossing protocols are protocols that generate a random bit with uniform distribution. These protocols are used as a building block in many cryptographic protocols. Cleve [STOC 1986] has shown that if at least half of the parties can be malicious, then, in any r-round coin-tossing protocol, the malicious parties can cause a bias of Omega(1/r) to the bit that the honest parties output. However, for more than two decades the best known protocols had bias t/\\sqrt{r}, where t is the number of corrupted parties. Recently, in a surprising result, Moran, Naor, and Segev [TCC 2009] have shown that there is an r-round two-party coin-tossing protocol with the optimal bias of O(1/r). We extend Moran et al. results to the multiparty model when less than 2/3 of the parties are malicious. The bias of our protocol is proportional to 1/r and depends on the gap between the number of malicious parties and the number of honest parties in the protocol. Specifically, for a constant number of parties or when the number of malicious parties is somewhat larger than half, we present an r-round m-party coin-tossing protocol with optimal bias of O(1/r).

13:17 [Pub][ePrint] Impossibility Results for Indifferentiability with Resets, by Atul Luykx and Elena Andreeva and Bart Mennink and Bart Preneel

  The indifferentiability framework of Maurer, Renner, and Holenstein (MRH) has gained immense popularity in recent years and has proved to be a powerful way to argue security of cryptosystems that enjoy proofs in the random oracle model. Recently, however, Ristenpart, Shacham, and Shrimpton (RSS) showed that the composition theorem of MRH has a more limited scope than originally thought, and that extending its scope required the introduction of reset-indifferentiability, a notion which no practical domain extenders satisfy with respect to random oracles.

In light of the results of RSS, we set out to rigorously tackle the specifics of indifferentiability and reset-indifferentiability by viewing the notions as special cases of a more general definition. Our contributions are twofold. Firstly, we provide the necessary formalism to refine the notion of indifferentiability regarding composition. By formalizing the definition of stage minimal games we expose new notions lying in between regular indifferentiability (MRH) and reset-indifferentiability (RSS).

Secondly, we answer the open problem of RSS by showing that it is impossible to build any domain extender which is reset-indifferentiable from a random oracle. This result formally confirms the intuition that reset-indifferentiability is too strong of a notion to be satisfied by any hash function. As a consequence we look at the weaker notion of single-reset-indifferentiability, yet there as well we demonstrate that there are no ``meaningful\'\' domain extenders which satisfy this notion. Not all is lost though, as we also view indifferentiability in a more general setting and point out the possibility for different variants of indifferentiability.