International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

10:40 [Job][New] Computing Security Department Chair, Rochester Institute of Technology, Rochester, NY, USA

  The Department of Computing Security at the Rochester Institute of Technology invites applications for the position of Department Chair to begin August 2014.

In July of 2012, the Department of Computing Security at RIT was established to address critical security challenges that cut across computing disciplines. The department engages in a wide range of research and teaching activities, including: big data analytics, cryptology and covert communications, digital forensics, mobile devices, networks, privacy, security measurement, security pedagogy, sensors, software, and systems security. Through these activities, the department seeks to advance the discipline and to meet the rapidly growing need for computing security professionals.

The successful candidate will be ready to assume the leadership and administrative responsibilities of the department. A key role will be to lead the department in shaping and expanding its research and scholarship profile. Applicants are required to have a Ph.D. or equivalent in a related field and experience commensurate with that of a full professor. Applicants must have demonstrated research excellence in computing security, a track record of external funding, and a strong commitment to undergraduate and graduate education.

Candidates should visit and search 575BR for specific information about the position and the application process. Refer to for information about RIT and the B. Thomas Golisano College of Computing and Information Sciences.

RIT is an equal opportunity employer that promotes and values diversity, pluralism, and inclusion.  For more information or inquiries, please visit

06:17 [Pub][ePrint] Practical Cryptanalysis of a Public-Key Encryption Scheme Based on New Multivariate Quadratic Assumptions, by Martin R. Albrecht and Jean-Charles Faugère and Robert Fitzpatrick and Ludovic Perret

  In this paper, we investigate the security of a public-key encryption scheme introduced by Huang, Liu and Yang (HLY) at PKC\'12. This new scheme can be provably reduced to the hardness of solving a set of quadratic equations whose coefficients of highest degree are chosen according to a discrete Gaussian distributions. The other terms being chosen uniformly at random. Such a problem is a variant of the classical problem of solving a system of non-linear equations (PoSSo), which is known to be hard for random systems. The main hypothesis of Huang, Liu and Yang is that their variant is not easier than solving PoSSo for random instances. In this paper, we disprove this hypothesis. To this end, we exploit the fact that the new problem proposed by Huang, Liu and Yang reduces to an easy instance of the Learning With Errors (LWE) problem. The main contribution of this paper is to show that security and efficiency are essentially incompatible for the HLY proposal. That is, one cannot find parameters which yield a secure and a practical scheme. For instance, we estimate that a public-key of at least 1.03 GB is required to achieve 80-bit security against known attacks. As a proof of concept, we present practical attacks against all the parameters proposed Huang, Liu and Yang. We have been able to recover the private-key in roughly one day for the first challenge proposed by HLY and in roughly three days for the second challenge.

06:17 [Pub][ePrint] Obfuscating Conjunctions, by Zvika Brakerski and Guy N. Rothblum

  We show how to securely obfuscate the class of conjunction functions (functions like $f(x_1, \\ldots, x_n) = x_1 \\land \\lnot x_4 \\land \\lnot x_6 \\land \\cdots \\land x_{n-2}$). Given any function in the class, we produce an obfuscated program which preserves the input-output functionality of the given function, but reveals nothing else.

Our construction is based on multilinear maps, and can be instantiated using the recent candidates proposed by Garg, Gentry and Halevi (EUROCRYPT 2013) and by Coron, Lepoint and Tibouchi (CRYPTO 2013). We show that the construction is secure when the conjunction is drawn from a distribution, under mild assumptions on the distribution. Security follows from multilinear entropic variants of the Diffie-Hellman assumption. We conjecture that our construction is secure for any conjunction, regardless of the distribution from which it is drawn. We offer supporting evidence for this conjecture, proving that our obfuscator is secure for any conjunction against generic adversaries.

06:17 [Pub][ePrint] Partially blind password-based signatures using elliptic curves, by Kristian Gjøsteen

  Password-based signatures allow a user who can only remember a password to create digital signatures with the help of a server, without revealing the messages to be signed to the server.

Certain applications require the ability to disclose part of the message to the server. We define partially blind password-based signatures and construct a scheme based that we prove secure, based on a novel computational problem related to computing discrete logarithms.

Our scheme is based on Nyberg-Rueppel signatures. We give a variant of Nyberg-Rueppel signatures that we prove secure based on our novel computational problem.

Unlike previous password-based signature schemes, our scheme can be instantiated using elliptic curve arithmetic over small prime fields. This is important for many applications

06:17 [Pub][ePrint] The Norwegian Internet Voting Protocol, by Kristian Gjøsteen

  The Norwegian government ran a trial of internet remote voting during the 2011 local government elections, and will run another trial during the 2013 parliamentary elections. A new cryptographic voting protocol will be used, where so-called return codes allow voters to verify that their ballots will be counted as cast.

This paper discusses this cryptographic protocol, and in particular the ballot submission phase.

The security of the protocol relies on a novel hardness assumption similar to Decision Diffie-Hellman. While DDH is a claim that a random subgroup of a non-cyclic group is indistinguishable from the whole group, our assumption is related to the indistinguishability of certain special subgroups. We discuss this question in some detail.

06:17 [Pub][ePrint] Eavesdropping or Disrupting a Communication --- On the Weakness of Quantum Communications, by Zhengjun Cao

  What is the behavior of an adversary to launch attacks against a communication? The good choice is to eavesdrop the communication such that the communicators can not detect the eavesdropping. The general choice is to disrupt the communication at low cost, say, measuring the transferred quantum signals in the well-known BB84 quantum key distribution protocol. The bad choice is to disrupt it at even high cost, such as severing copper or fiber, if it is necessary. In this note we remark that a quantum communication is very vulnerable to low cost attacks. The plan to build a large quantum photonic network is infeasible.

06:17 [Pub][ePrint] A note on verifying the APN property, by Pascale Charpin and Gohar M. Kyureghyan

  We show that for an arbitrary mapping $F$ on $F_2^n$ to verify that it is APN, it is enough to consider the difference mappings of $F$

defined by elements from an hyperplane.

15:17 [Pub][ePrint] Efficient computation of addition-subtraction chains using generalized continued Fractions, by Amadou Tall and Ali Yassin Sanghare

  The aim of this paper is to present a new way of computing short addition-subtraction chains using the generalized continued fractions where subtraction is allowed. We will recover the most used ways of getting addition-subtraction chains. This method is not always optimal but gives minimal chains that are easy to compute.

15:17 [Pub][ePrint] Analysis of BLAKE2, by Jian Guo and Pierre Karpman and Ivica Nikolic and Lei Wang and Shuang Wu

  We present a thorough security analysis of the hash function family BLAKE2, a recently proposed and already in use tweaked version of the SHA-3 finalist BLAKE. We study how existing attacks on BLAKE apply to BLAKE2 and to what extent the modifications impact the attacks. We design and run two improved searches for (impossible) differential attacks -- the outcomes suggest higher number of attacked rounds in the case of impossible differentials (in fact we improve the best results for BLAKE as well), and slightly higher for the differential attacks on the hash/compression function (which gives an insight into the quality of the tweaks). We emphasize the importance of each of the modifications, in particular we show that an improper initialization could lead to collisions and near-collisions for the full-round compression function. We analyze the permutation of the new hash function and give rotational attacks and internal differentials for the whole design. We conclude that the tweaks in BLAKE2 were chosen properly and, despite having weaknesses in the theoretical attack frameworks of permutations and of fully-chosen state input compression functions, the hash function of BLAKE2 has only slightly lower security margin than BLAKE.

15:17 [Pub][ePrint] How To Construct Extractable One-Way Functions Against Uniform Adversaries, by Nir Bitansky and Ran Canetti and Omer Paneth

  A function $f$ is extractable if it is possible to algorithmically ``extract,\'\' from any program that outputs a value $y$ in the image of $f,$ a preimage of $y$.

When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-standard {\\em knowledge assumption} on certain functions.

We give the first construction of extractable one-way functions assuming only standard hardness assumptions (e.g.,subexponential security of Decision Diffie-Hellman or Quadratic Residousity).

Our functions are extractable against adversaries with bounded polynomial advice and unbounded polynomial running time. We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the same assumptions.

The construction uses ideas from [Barak, FOCS01] and [Barak, Lindell, and Vadhan, FOCS03], and rely on the recent breakthrough construction of privately verifiable $\\P$-delegation schemes [Kalai, Raz, and Rothblum]. The extraction procedure uses the program evaluating $f$ in a non-black-box way, which we show to be necessary.

15:17 [Pub][ePrint] Verifiable Delegation of Computation on Outsourced Data, by Michael Backes and Dario Fiore and Raphael M. Reischuk

  We address the problem in which a client stores a large amount of data with an untrusted server in such a way that, at any moment, the client can ask the server to compute a function on some portion of its outsourced data. In this scenario, the client must be able to efficiently verify the correctness of the result despite no longer knowing the inputs of the delegated computation, it must be able to keep adding elements to its remote storage, and it does not have to fix in advance (i.e., at data outsourcing time) the functions that it will delegate. Even more ambitiously, clients should be able to verify in time independent of the input-size - a very appealing property for computations over huge amounts of data.

In this work we propose novel cryptographic techniques that solve the above problem for the class of computations of quadratic polynomials over a large number of variables. This class covers a wide range of significant arithmetic computations - notably, many important statistics. To confirm the efficiency of our solution, we show encouraging performance results, e.g., correctness proofs have size below 1 kB and are verifiable by clients in less than 10 milliseconds.