International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

19:17 [Pub][ePrint] Construction of Differential Characteristics in ARX Designs -- Application to Skein, by Gaetan Leurent

  In this paper, we study differential attacks against ARX schemes. We

build upon the generalized characteristics of de Cannière and Rechberger

and the multi-bit constraints of Leurent. We describe a more efficient

way to propagate multi-bit constraints, that allows us to use the

complete set of 2^32 2.5-bit constraints, instead of the reduced sets

used by Leurent.

As a result, we are able to build complex non-linear differential

characteristics for reduced versions of the hash function Skein. We

present several characteristics for use in various attack scenarios;

this results in attacks with a relatively low complexity, in relatively

strong settings. In particular, we show practical free-start and

semi-free-start collision attacks for 20 rounds and 12 rounds of

Skein-256, respectively.

To the best of our knowledge, these are the first examples of complex

differential trails are build for pure ARX designs. We believe this is

an important work to assess the security of ARX designs against

differential cryptanalysis. Our improved tools will be publicly available

with the final version of this paper.

19:17 [Pub][ePrint] Expressive Black-box Traceable Ciphertext-Policy Attribute-Based Encryption, by Zhen Liu and Zhenfu Cao and Duncan S. Wong

  In a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) system, decryption privileges are defined over attributes that could be shared by multiple users. If some of the users leak their decryption privileges to the public or to some third party, say for profit gain, a conventional CP-ABE has no tracing mechanism for finding these malicious users out. There are two levels of traceability for tackling this problem: (1) given a well-formed decryption key, a \\emph{White-Box} tracing algorithm can find out the original key owner; and (2) given a decryption-device while the underlying decryption algorithm or key may not be given, a \\emph{Black-Box} tracing algorithm, which treats the decryption-device as an oracle, can find out at least one of the malicious users whose keys have been used for constructing the decryption-device.

In this paper we propose the first \\emph{Expressive Black-box Traceable CP-ABE} system which has two main merits: (1) it supports fully collusion-resistant black-box traceability, that is, an adversary is allowed to access an arbitrary number of keys of its own choice when building the decryption-device, and (2) it is highly expressive, that is, the system supports policies expressed in any monotonic access structures. In addition, the traceability of this new system is public, that no secret input is required and no authority needs to be called in, instead, anyone can run the tracing algorithm. We show that the system is secure against adaptive adversaries in the standard model, and is efficient, that when compared with the expressive (non-traceable) CP-ABE due to Lewko et al. in Eurocrypt 2010, our new system \\emph{adds} fully collusion-resistant black-box traceability with the price of adding only $O(\\sqrt{\\cal K})$ elements into the ciphertext and public key, rather than increasing the sizes linearly with ${\\cal K}$, which is the number of users in the system.

19:17 [Pub][ePrint] Two is Greater than One, by Joppe W. Bos and Craig Costello and Huseyin Hisil and Kristin Lauter

  In this paper we highlight the benefits of using genus-2 curves in public-key cryptography. Compared to the standardized genus-1 curves, or elliptic curves, arithmetic on genus-2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus-2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus-2 implementations. Our implementation on the Kummer surface breaks the 120 thousand cycle barrier which sets a new software speed record at the 128-bit security level for side-channel resistant scalar multiplications compared to all previous genus-1 and genus-2 implementations.

19:17 [Pub][ePrint] Fully Secure Unbounded Inner-Product and Attribute-Based Encryption, by Tatsuaki Okamoto and Katsuyuki Takashima

  In this paper, we present the first inner-product encryption (IPE) schemes that are unbounded in the sense that the public parameters do not impose additional limitations on the predicates and attributes used for encryption and decryption keys. All previous IPE schemes were bounded, or have a bound on the size of predicates and

attributes given public parameters fixed at setup. The proposed unbounded IPE schemes are fully (adaptively) secure and fully attribute-hiding in the standard model under a standard assumption, the decisional linear (DLIN) assumption. In our unbounded IPE schemes, the inner-product relation is generalized, where the two vectors of inner-product can be different sizes and it provides a great improvement of efficiency in many applications. We also present the first fully secure unbounded attribute-based encryption (ABE) schemes, and the security is proven under the DLIN assumption in the standard model. To achieve these results, we develop novel techniques, indexing and consistent randomness amplification, on the (extended) dual system encryption technique and the dual pairing vector spaces (DPVS).

19:17 [Pub][ePrint] Self-Differential Cryptanalysis of Up to 5 Rounds of SHA-3, by Itai Dinur and Orr Dunkelman and Adi Shamir

  On October 2-nd 2012 NIST announced its selection of the Keccak scheme as the new SHA-3 hash standard. In this paper

we present the first published collision finding attacks on reduced-round versions of Keccak-384 and Keccak-512,

providing actual collisions for 3-round versions, and describing attacks which are much faster than birthday

attacks for 4-round Keccak-384. For Keccak-256, we increase the number of rounds which can be attacked to 5.

All these results are based on a new type of {\\it self-differential} attack, which makes it possible to map

a large number of Keccak inputs into a relatively small subset of possible outputs with a surprisingly large probability, which

makes it easier to find random collisions in this subset.

14:09 [Job][New] Ph.D. / M.Sc. and Summer Internship, Cryptography, Security, and Privacy Research Group, Koç University, Turkey

  Cryptography, Security & Privacy Research Group at Koç University has multiple openings for both M.Sc. and Ph.D. level applications. All accepted applicants will receive competitive scholarships.

Koç University has a beautiful campus in the middle of a forest, with a nice view of the Black Sea and the Bosporus, and is close to the ?stanbul city center. The application deadline is 15th of January for Spring 2013 applications.

  • For more information about our group and projects, visit

  • For applying online, and questions about the application process, visit

  • For summer internship opportunities, visit

  • For questions, contact Asst. Prof. Alptekin Küpçü

13:40 [Event][New] CASE-13: 1st International workshop on Cloud Computing Applications and SEcurity

  Submission: 15 December 2012
Notification: 20 February 2013
From April 23 to April 25
Location: Irbid, Jordan
More Information:

06:58 [Job][New] Two Ph.D. Positions in Lightweight Cryptography for the Internet of Things, University of Luxembourg


The Laboratory of Algorithmics, Cryptology and Security (LACS) of the University of Luxembourg is looking for two Ph.D. students in the area of lightweight cryptography. The successful candidates will contribute to a research project entitled \"Applied Cryptography for the Internet of Things (ACRYPT)\", which is funded by the Fonds National de la Recherche (FNR). Both Ph.D. students will be supervised by Prof. Alex Biryukov and collaborate with other members of LACS as well as external research partners.

Candidates are expected to hold an M.Sc. degree in computer science, electrical engineering, or applied mathematics with outstanding grades. Applications from M.Sc. students who will graduate in spring 2013 will also be considered. A solid background in algorithms and data structures, discrete mathematics, probability theory and statistics, software development, computer architecture, and information security is a general requirement to qualify for a Ph.D. position in LACS. Hands-on experience in hardware design (VHDL, SystemC) or programming of embedded systems (AVR, MSP430, ARM, etc.) is an asset for one of the two positions. Candidates with an interest to conduct leading-edge research in one of the following areas are particularly encouraged to apply:

  • Design and analysis of symmetric cryptographic primitives
  • Efficient implementation of cryptosystems in hardware and/or software
  • Physical attacks (SPA, DPA, fault attacks, etc.) and countermeasures

Both Ph.D. positions are initially offered for three years, but an extension to a fourth year is possible. The monthly salary is roughly 2,000 Euros net (i.e. after deduction of taxes and social security contributions). Interested candidates are invited to submit their application by email to lacs.acrypt(at) The application material should contain a cover letter explaining the candidate\'s motivation and research interests, a detailed CV (including photo),

06:58 [Job][New] Post-Doc, Ben-Gurion University of the Negev, Israel

  The research will be in the scopes of:

Securing and preserving private computation in the cloud.

Cyber security.

Distributed computing.

04:17 [Pub][ePrint] Fixed Argument Pairing Inversion on Elliptic Curves, by Sungwook Kim and Jung Hee Cheon

  Let $E$ be an elliptic curve over a finite field ${\\mathbb F}_q$ with a power of prime $q$, $r$ a prime dividing $\\#E({\\mathbb F}_q)$, and $k$ the smallest positive integer satisfying $r | \\Phi_k(p)$, called embedding degree. Then a bilinear map $t: E({\\mathbb F}_q)[r] \\times E({\\mathbb F}_{q^k})/rE({\\mathbb F}_{q^k}) \\rightarrow {\\mathbb F}_{q^k}^*$ is defined, called the Tate pairing. And the Ate pairing and other variants are obtained by reducing the domain for each argument and raising it to some power.

In this paper we consider the {\\em Fixed Argument Pairing Inversion (FAPI)} problem for the Tate pairing and its variants. In 2012, considering FAPI for the Ate$_i$ pairing, Kanayama and Okamoto formulated the {\\em Exponentiation Inversion (EI)} problem. However the definition gives a somewhat vague description of the hardness of EI. We point out that the described EI can be easily solved, and hence clarify the description so that the problem does contain the actual hardness connection with the prescribed domain for given pairings.

Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the lager domain. This is very interesting because it is commonly believed that the structure of the Ate pairing is so simple and good (that is, the Miller length is short, the solution domain is small and has an algebraic structure induced from the Frobenius map) that it may leak some information, thus there would be a chance for attackers to find further approach to solve FAPI for the Ate pairing, differently from the Tate pairing.

04:17 [Pub][ePrint] Digital Signatures with Minimal Overhead, by Eike Kiltz and Krzysztof Pietrzak and Mario Szegedy

  In a digital signature scheme with message recovery, rather than transmitting the message $m$ and its signature $\\sigma$, a single enhanced signature $\\tau$ is transmitted. The verifier is able to recover $m$ from $\\tau$ and at the same time

verify its authenticity. The two most important parameters of such a scheme are its security and the overhead $|\\tau|-|m|$. A simple argument shows that for any scheme with ``$n$ bits security\" $|\\tau|-|m|\\ge n$, i.e., the overhead is at least the security. The best previous constructions required an overhead of $2n$. In this paper we show that the $n$ bit lower bound can basically be matched. Concretely, we propose a new simple RSA-based digital signature scheme that, for $n=80$ bits security in the random oracle model, has an overhead of $\\approx 90$ bits.

At the core of our security analysis is an almost tight upper bound for the expected number of edges of the densest ``small\'\' subgraph of a random Cayley graph, which may be of independent interest.