International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:54 [Job][New] PhD students and Postdocs in Symmetric Crypto, DTU, Copenhagen, Denmark

  The cryptology section at the department of applied mathematics and computer science at the Technical University of Denmark (DTU Compute) is looking for up to two Post-Docs and two Ph.D. students in the area of symmetric cryptology.

For more information please contact Christian Rechberger (crec (at)

22:17 [Pub][ePrint] 2048XKS-F & 4096XKS-F - Two Software Oriented High Security Block Ciphers, by Dieter Schmidt

  2048XKS-F (eXtended Key Schedule - Feistel) is a Feistel cipher with a block length of 2048 bit and a key size of 4096 bit or 8192 bit, respectively. It uses the round function of the Subtitution-Permutation-Networks (SPN)1024 [11] and 1024XKS [12]as the f-function. 4096XKS-F is a Feistel cipher with a block length of 4096 bit and a key size of 8192 bit or 16384 bit, respectively. It uses the round function of the Substitution-Permutation-Network (SPN) 2048XKS as the f-function. Both 2048XKS-F and 4096XKS-F have 32 rounds. Additionally, there are #define statements in the reference implementation tocontrol which of the functions are compiled first, e.g. the diffusion layer or the s-box layer. In total, there are 6 #define statements in each reference implementation, making up 64 different ciphers. 2048XKS-F and 4096XKS-F are designed for 32 bit microprocessors with an integer hardware multiplier.

22:17 [Pub][ePrint] How to Hide Circuits in MPC: An Efficient Framework for Private Function Evaluation, by Payman Mohassel and Saeed Sadeghian

  We revisit the problem of general-purpose \\emph{private function evaluation} (PFE) wherein a single party $P_1$ holds a circuit $\\C$, while each $P_i$ for $1 \\le i \\leq n$ holds a private input $x_i$, and the goal is for a subset (or all) of the parties to learn $\\C(x_1, \\ldots, x_n)$ but nothing else. We put forth a general framework for designing PFE where the task of hiding the circuit and securely evaluating its gates are addressed independently: First, we reduce the task of hiding the circuit topology to oblivious evaluation of a mapping that encodes the topology of the circuit, which we refer to as \\emph{oblivious extended permutation} (OEP) since the mapping is a generalization of the permutation mapping. Second, we design a subprotocol for private evaluation of a single gate (PFE for one gate), which we refer to as \\emph{private gate evaluation} (PGE). Finally, we show how to naturally combine the two components to obtain efficient and secure PFE.

We apply our framework to several well-known general-purpose MPC constructions, in each case, obtaining the most efficient PFE construction to date, for the considered setting. Similar to the previous work we only consider semi-honest adversaries in this paper.

\\begin{itemize} \\item In the \\emph{multiparty} case with dishonest majority, we apply our techniques to the seminal GMW protocol~\\cite{GMW87} and obtain the first general-purpose PFE with \\emph{linear complexity} in the circuit size.

\\item In the \\emph{two-party} case, we transform Yao\'s garbled circuit protocol~\\cite{yao86} into a constant-round two-party PFE. Depending on the instantiation of the underlying subprotocol, we either obtain a two-party PFE with linear complexity that improves on the only other work with similar asymptotic efficiency (Katz and Malka, ASIACRYPT 2011), or a two-party PFE that provides the best concrete efficiency to date despite not being linear.

\\item The above two constructions are for boolean circuits. In case of \\emph{arithmetic circuits}, we obtain the first PFE with linear complexity based on any additively homomorphic encryption scheme. \\end{itemize}

Though each construction uses different techniques, a common feature in all three is that the overhead of hiding the circuit $\\C$ is essentially equal to the cost of running the OEP protocol on a vector of size $|\\C|$. As a result, to improve efficiency, one can focus on lowering the cost of the underlying OEP protocol. OEP can be instantiated using a singly homomorphic encryption or any general-purpose MPC but we introduce a new construction that we show is significantly more efficient than these alternatives, in practice. The main building block in our OEP construction is an efficient protocol for \\emph{oblivious switching network evaluation} (OSN), a generalization of the previously studied oblivious shuffling problem which is of independent interest. Our results noticeably improve efficiency of the previous solutions to oblivious shuffling, yielding a factor of 25 or more gain in computation and communication.

22:17 [Pub][ePrint] Multi-bit homomorphic encryption based on learning with errors over rings, by Zhang Wei, Liu Shuguang, Yang Xiaoyuan

  Basing on Learning with errors over rings (RLWE) assumption, we provide a new multi-bit somewhat homomorphic encryption scheme. We introduce canonical embedding to transform a ring element into a vector, such that polynomial multiplication can be performed in O(nlog n) scalar operations, and ciphertext size is reduced at the same time. The CPA security of this scheme can be reduced into RLWE assumption.

22:16 [Job][New] Three Faculty Positions in Information Security (Lecturer/Senior Lecturer), University College London, United Kingdom, European Union

  We are looking to complement and strengthen our existing expertise in Information Security by recruiting outstanding researchers with expertise in any of the following areas: systems/network security, hardware security, computer forensics, information security management, risk analysis and management, economics of security, design and development of secure systems, or human factors of information security. Candidates must have an outstanding research track record. Candidates must hold an earned PhD in Computer Science or a closely related field by the time they begin their appointment. They will be evaluated chiefly on the significance and novelty of their research to date, and their promise for leading a group in a fruitful program of research. They must also demonstrate a zest for innovative and challenging teaching at the graduate and undergraduate levels. A proven record of ability to manage time and evidence of ability to teach and to supervise academic work by undergraduates, masters, and doctoral students are desirable. Our department is a highly collaborative environment, and we seek future colleagues who enjoy working collaboratively within the department, and UCL overall. UCL is strongly committed to multi-disciplinary research we are looking for researchers who conduct empirical security research, and are interested in collaboration with colleagues in the Faculty of Engineering (e.g. Crime Science, the Institute of Making) and beyond. Candidates should further be committed to public communication, and to UCL\\\'s policy of equal opportunity. Candidates for Senior Lecturer level (Grade 9) must have experience in developing a new course.

Warning: we have specific requirements regarding applying online and reference letters arriving by the closing date = 5 April 2013. UCL CS will not request your reference letters; it is your responsibility to ensure your letter-writers send their letters to UCL CS in time to arrive by the above deadline.

09:25 [Job][New] 2 Postdoc + 2 Ph.D. scholarships/Post-Master/Post-Bachelor in Side-Channel and Fault Attacks, Phys. Analysis and Crypto Engineering, Nanyang Technological University, Singapore


Physical Analysis and Cryptographic Engineering (PACE) Labs at Nanyang Technological University are seeking 2 Research Scientists and 2 Research Associates/Assistants in the area of side-channel and fault attacks. PACE is dedicated to all aspects of side-channel and fault attacks and offers brand-new facilities, a very diverse international research environment, and the opportunity to undertake independent research.

Candidates shall hold, or expect to obtain, a Ph.D./M.Sc./B.Sc. in Computer Sciences, Electrical Engineering, Mathematics, Physics, or a related field. A solid background in one or several areas of Information Theory, Digital Signal Processing, Statistics, Mutual Information Analysis, DEMA attacks, fault attacks, practical measurements, material science, lightweight implementations (software and/or hardware) would be considered an advantage.

A) prospective Ph.D. students

More information about the procedure at NTU can be found here

In case applications are received in the near future, it is still possible to make it for the August intake.

B) Postdoc/Post-Master/Post-Bachelor

Starting date is immediately and the contract will be for 2 years.

Salaries are competitive and are determined according to the successful applicants\\\' accomplishments, experience and qualifications.

Interested applicants with a strong publication record in the fields of side-channel and/or fault attacks are encouraged to submit their application including:

1) detailed CV,

2) filled personal particulars form*, and

3) names/contact emails of 2 references

to Prof. Axel Y. Poschmann aposchmann (at)

Review of applications starts immediately and will continue until positions are filled.

19:17 [Pub][ePrint] Blank Digital Signatures, by Christian Hanser and Daniel Slamanig

  In this paper we present a novel type of digital signatures, which we call blank digital signatures. The basic idea behind this scheme is that an

originator can define and sign a message template, describing fixed parts of a message as well as multiple choices for exchangeable

parts of a message. One may think of a form with blank fields, where for such fields the originator specifies all the allowed strings to choose from. Then, a proxy is given

the power to sign an instantiation of the template signed by the originator by using some secret information. By an instantiation, the proxy

commits to one allowed choice per blank field in the template.

The resulting message signature can be publicly verified under the originator\'s and the proxy\'s signature verification keys.

Thereby, no verifying party except the originator and the proxy learn anything about the ``unused\'\' choices from the message template given a message signature. Consequently, the template is hidden from verifiers.

We discuss several applications, provide a formal definition of blank digital signature schemes and introduce a security model. Furthermore, we provide an efficient construction of such a blank digital signature scheme from any secure digital signature scheme, pairing-friendly elliptic curves and polynomial commitments, which we prove secure in our model. We also provide a detailed efficiency analysis of our proposed construction supporting its practicality. Finally, we outline several open issues and extensions for future work.

19:17 [Pub][ePrint] Two is the fastest prime, by Thomaz Oliveira and Juilo López and Diego F. Aranha and Francisco Rodríguez-Henríquez

  In this work we present the $\\lambda$-coordinates, a new system for

representing points in binary elliptic curves. We also provide efficient elliptic curve operations based on the new representation and timing results of our software implementation over the field $F_{2^{254}}$. As a result, we improved the known speed records for protected/unprotected single/multi-core software implementations of the random-point elliptic curve scalar multiplication at the 128-bit security level. When implemented on a Sandy Bridge 3.4GHz Intel Xeon processor, our software is able to compute a single/multi-core unprotected scalar multiplication in 72,300 and 47,900 clock cycles, respectively; and a protected single-core scalar multiplication in 114,800 cycles. These numbers improve by 2% on the newer Ivy Bridge platform.

19:17 [Pub][ePrint] Yet Another Attack On the Chinese Remainder Theorem Based Hierarchical Access Control Scheme, by Niu Liu and Shaohua Tang and Lingling Xu

  The hierarchical access control scheme based on Chinese Reminder

Theorem [49] (CRTHACS) was supposed to be capable of hiding

hierarchical structure, but Geiselmann et al. [18] showed practical attacks on CRTHACS to reveal the hierarchies it hides. Then, Zou et al. modified it, and gave a new CRTHACS [50] to resist those attacks. Nevertheless, we find that the modified version is still defective if it permits changes of structure, i.e. the scheme works in a dynamic scenario. In this paper, we describe our attack on the modified version of CRTHACS. We extend the description of the CRTHACS in a more proper form making it easier for us to look into the problem it has. We find the key character of the vulnerability which we name as double-invariance. We generalize our attack in an algebraic form and apply it to a series of hierarchical cryptographic

access control schemes that share the same vulnerability with CRTHACS. We also give the countermeasure to fix this vulnerability.

19:17 [Pub][ePrint] New Lattice Based Signature Using The Jordan Normal Form, by Hemlata Nagesh and Birendra Kumar Sharma

  In this paper it is shown that the use of Jordan normal form instead of

Hermite normal form would improve substantially the efficiency and the security

of the lattice based signature scheme. In this scheme we also use a new

hash function in such a way that the efficiency improved is obtain without

decreasing the security of the function.

19:17 [Pub][ePrint] Hardcore Predicates for a Diffie-Hellman Problem over Finite Fields, by Nelly Fazio and Rosario Gennaro and Irippuge Milinda Perera and William E. Wkeith III

  A long-standing open problem in cryptography is proving the existence of (deterministic) hard-core predicates for the Diffie-Hellman problem defined over finite fields. In this paper we make progress on this problem by defining a very natural variation of the Diffie-Hellman problem over $\\mathbb{F}_{p^2}$ and proving the unpredictability of every single bit of one of the coordinates of the secret DH value.

To achieve our result we modify an idea presented at CRYPTO\'01 by Boneh and Shparlinski [4] originally developed to prove that the LSB of the Elliptic Curve Diffie-Hellman problem is hard. We extend this idea in two novel ways:

1. We generalize it to the case of finite fields $\\mathbb{F}{p^2}$;

2. We prove that any bit, not just the LSB, is hard using the list decoding techniques of

Akavia et al. [1] (FOCS\'03) as generalized at CRYPTO\'12 by Duc and Jetchev [6].

In the process we prove several other interesting results:

- Our result hold also for a larger class of predicates, called segment predicates in [1];

- We extend the result of Boneh and Shparlinski to prove that every bit (and every segment predicate) of the Elliptic Curve Diffie-Hellman problem is hard-core;

- We define the notion of partial one-way function over finite fields $\\mathbb{F}{p^2}$ and prove that every bit (and every segment predicate) of one of the input coordinate for these functions is hard-core.