International Association for Cryptologic Research

IACR News Central


16:30 [Job][New] Two PhD Positions, University of Bristol

  The Government Communications Headquarters (GCHQ) in Cheltenham has agreed in principle to sponsor two PhD/Doctoral Studentships at Bristol University in the area of Cryptography. See the link below for the two project descriptions.

The studentships are only open to UK nationals, and the successful candidate will be required to spend in the region of 2 - 4 weeks per year at GCHQ headquarters in Cheltenham. To be considered for this studentship, candidates must therefore be prepared to undergo GCHQ's security clearance procedures.

The studentships will be funded for a period of 3.5 years. GCHQ will cover the costs of university fees (currently £ 3828 per annum) and will provide an annual stipend to the student corresponding to the National Minimum Stipend (currently £ 13,590 per annum) plus an additional stipend of £ 7,000 per annum, making a total tax-free stipend of £ 20,590 per annum. A generous travel budget is also provided to enable attendance at international conferences and workshops.

08:41 [News] Deadline for Nominations of IACR Fellows

  Nominations and endorsements for IACR Fellows are due on December 31. Instructions are available at

13:03 [Job][New] Two Post-Docs, Nanyang Technological University, Singapore

  We are looking for two Post-Docs in coding and lattice based cryptography. Contact us if you have (or will have soon) a PhD in Cryptography or a related subject, an excellent publication record and would like to work in a fun environment in Singapore.

More information on Coding and Crypto Research Group at Nanyang Technological University can be found at

The applications will be considered immediately. The positions are for 1 year, but renewable up to 3 years.

18:17 [Pub][ePrint] Direct Chosen-Ciphertext Secure Attribute-Based Key Encapsulations without Random Oracles, by Johannes Blömer and Gennadij Liske

  We present a new technique to realize attribute-based encryption (ABE) schemes secure in the standard model against chosen-ciphertext attacks (CCA-secure). Our approach is to extend certain concrete chosen-plaintext secure (CPA-secure) ABE schemes to achieve more efficient constructions than the known generic constructions of CCA-secure ABE schemes. We restrict ourselves to the construction of attribute-based key encapsulation mechanisms (KEMs) and present two concrete CCA-secure schemes: a key-policy attribute-based KEM that is based on Goyal's key-policy ABE and a ciphertext-policy attribute-based KEM that is based on Waters' ciphertext-policy ABE. To achieve our goals, we use an appropriate hash function and need to extend the public parameters and the ciphertexts of the underlying CPA-secure encryption schemes only by a single group element. Moreover, we use the same hardness assumptions as the underlying CPA-secure encryption schemes.

18:17 [Pub][ePrint] A note on high-security general-purpose elliptic curves, by Diego F. Aranha and Paulo S. L. M. Barreto and Geovandro C. C. F. Pereira

  In this note we describe some general-purpose, high-efficiency elliptic curves targeting security levels beyond $2^{128}$. As a bonus, we also include legacy-level curves. The choice was made to facilitate state-of-the-art implementation techniques.

15:17 [Pub][ePrint] Communication-Efficient MPC for General Adversary Structures, by Joshua Lampkins and Rafail Ostrovsky

  A multiparty computation (MPC) protocol allows a set of players to compute a function of their inputs while keeping the inputs private and at the same time securing the correctness of the output. Most MPC protocols assume that the adversary can corrupt up to a fixed fraction of the number of players. Hirt and Maurer initiated the study of MPC under more general corruption patterns, in which the adversary is allowed to corrupt any set of players in some pre-defined collection of sets [6]. In this paper we consider this important direction of research and present significantly improved communication complexity of MPC protocols for general adversary structures. More specifically, ours is the first unconditionally secure protocol that achieves communication linear in the size of the Monotone Span Program representing the adversary structure in the malicious setting against any Q2 adversary structure, whereas all previous protocols were at least cubic.

15:17 [Pub][ePrint] Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall, by Nir Bitansky and Ran Canetti and Omer Paneth and Alon Rosen

  We show that if there exist indistinguishability obfuscators for all circuits then there do not exist auxiliary-input extractable one-way functions. In particular, the knowledge of exponent assumption with respect to adversaries with auxiliary input is false in any group where computing discrete logarithms is intractable. The proof uses the "punctured programs" technique of [Sahai-Waters 2013].

15:17 [Pub][ePrint] Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation, by Dan Boneh and Mark Zhandry

  In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. In addition to being the first constructions of these primitives from iO, our schemes also enjoy several interesting properties that have not been achievable before:

- Our multiparty key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.

- Our broadcast encryption schemes support distributed setup, where users choose their own secret keys. The broadcast ciphertext size is independent of the number of users.

- Our traitor tracing system is fully collusion resistant and provides ciphertexts that are logarithmic in the number of users and constant-sized secret keys. This construction resolves an open problem relating to differential privacy.

Our proof of security for traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.

15:17 [Pub][ePrint] There is no Indistinguishability Obfuscation in Pessiland, by Tal Moran and Alon Rosen

  We show that if $\mathrm{NP} \neq \mathrm{co}\text{-}\mathrm{RP}$ then the existence of efficient indistinguishability obfuscation (iO) implies the existence of one-way functions. Thus, if we live in "Pessiland", where $\mathrm{NP}$ problems are hard on the average but one-way functions do not exist, or even in "Heuristica", where $\mathrm{NP}$ problems are hard in the worst case but easy on average, then iO is impossible. Our result makes it redundant to explicitly assume the existence of one-way functions in most "cryptographically interesting" applications of iO.

15:17 [Pub][ePrint] Elliptic and Hyperelliptic Curves: a Practical Security Analysis, by Joppe W. Bos and Craig Costello and Andrea Miele

  Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. For the first time, we perform a systematic security assessment of elliptic curves and hyperelliptic curves of genus~2, by incorporating all of the known optimizations. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.

15:17 [Pub][ePrint] FlexDPDP: FlexList-based Optimized Dynamic Provable Data Possession, by Ertem Esiner and Adilet Kachkeev and Samuel Braunfeld and Alptekin Küpçü and Öznur Özkasap

  With the popularity of cloud storage, efficiently proving the integrity of data stored at an untrusted server has become important. Authenticated Skip Lists and Rank-based Authenticated Skip Lists (RBASL) have been used in cloud storage to provide support for provable data update operations. In a dynamic file scenario, an RBASL falls short when updates are not proportional to a fixed block size; such an update to the file, however small, may translate to O(n) block updates to the RBASL, for a file with n blocks.

To overcome this problem, we introduce FlexList: Flexible Length-Based Authenticated Skip List. FlexList translates even variable-size updates to O(u) insertions, removals, or modifications, where u is the size of the update divided by the block size. We present various optimizations on the four types of skip lists (regular, authenticated, rank-based authenticated, and FlexList). We compute one single proof to answer multiple (non-)membership queries and obtain efficiency gains of 35%, 35% and 40% in terms of proof time, energy, and size, respectively. We also deployed our implementation of FlexDPDP (DPDP with FlexList instead of RBASL) on PlanetLab, demonstrating that FlexDPDP performs comparably to the most efficient static storage scheme (PDP), while providing dynamic data support.