International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-10-21
06:49 [Job][New]

New York University, one of the largest and most highly regarded private universities, is seeking to add several tenured/tenure-track faculty members to its Electrical and Computer Engineering (ECE) Department as part of a major multi-year growth phase.

The faculty and students of the school are at the forefront of the high-tech start-up culture in New York City and have access to world-class research centers in cyber security (crissp.poly.edu) and wireless communications (nyuwireless.com), among other areas. We enjoy close collaborations with the Langone School of Medicine, the Courant Institute and other schools of NYU. The ECE Department invites outstanding applications for tenure-track or tenured faculty appointments in all areas of ECE, with particular emphasis on Computer Engineering and RF/Analog Circuits. Candidates with a strong record of interdisciplinary research and funding in emerging areas are preferred. Candidates must have a PhD degree in ECE or related discipline and must have the ability to develop and lead high-quality research and attract external funding. Applicants should include a cover letter, current resume, research and teaching statements, and letters from at least three references. All application materials should be submitted electronically.

Applications received by January 17, 2014 will receive full consideration. NYU is an affirmative action, equal opportunity employer.

06:49 [Job][New]

We are seeking for up to three researchers who would

• Conduct research in any area of mathematical cryptology

• Supervise minor and major theses

• Organize student seminars

Junior research position.

The length of this contract is for up to three years. A subsequent application for a tenure track position is possible. Applications will be accepted up to January 31, 2014. Results will be announced by the end of March, 2014. The starting day is negotiable, but must be before October 1, 2014.

Senior research position.

The deadlines and the contract length are the same as in the case of Junior research position. Successful candidates may apply in the future for the position of Full or Associate Professor.

(An Assistant Professor position is available too, under different conditions. See a different call.)

Environment and mission

The school of mathematics has carried a program called Mathematical methods of information security for more than 10 years. The program is organized both at a bachelor level (3 years) and a master degree level (additional two years). Each of these levels is completed by both final exams and a minor thesis. Besides specifically cryptographic subjects the curriculum emphasizes mathematics that is relevant for cryptography (computer algebra, number theory, elliptic curves, complexity, probability).

The program produces 7-15 students a year, and their position at the job market seems to be very favorable. Our aim is to strengthen the research associated with this program. The criteria are the quality of the research program and the ability to involve students in research. Communication language is English (or Czech or Slovak).

06:48 [Job][New]

We are seeking a researcher who would

• Conduct research in any area of mathematical cryptology

• Supervise minor and major theses

• Organize student seminars

This is a non-tenure track position. It can become tenure after successful habilitation. The starting day is negotiable, but must be between January 1 and July 31, 2014.

Environment and mission

The school of mathematics has carried a program called Mathematical methods of information security for more than 10 years. The program is organized both at a bachelor level (3 years) and a master degree level (additional two years). Each of these levels is completed by both final exams and a minor thesis. Besides specifically cryptographic subjects the curriculum emphasizes mathematics that is relevant for cryptography (computer algebra, number theory, elliptic curves, complexity, probability).

The program produces 7-15 students a year, and their position at the job market seems to be very favorable. Our aim is to strengthen the research associated with this program. The criteria are the quality of the research program and the ability to involve students in research. Communication language is English (or Czech or Slovak).

2013-10-18
05:18 [Job][New]

ERCIM (European Research Consortium for Informatics and Mathematics) currently invites applications for one year postdoctoral fellowships in Computer Science, Information Technology, and Applied Mathematics. Fellowships must be hosted at one of the ERCIM member institutions, including the Norwegian University of Science and Technology (NTNU) in Trondheim, Norway.

The information security group at NTNU (http://www.item.ntnu.no/research/infosec) welcomes applications from candidates interested in projects in cryptology and related areas. Applications must be made directly to ERCIM. Informal enquiries regarding the information security group can be made to any of the group professors.

2013-10-15
09:17 [Pub][ePrint]

In January 2013, the Stribog hash function officially replaced GOST R 34.11-94 as the new Russian cryptographic hash standard GOST R 34.11-2012. Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3 selected by NIST. In this paper we investigate the structural integral properties of reduced version of the Stribog compression function and its internal permutation. Specifically, we present a forward and backward higher order integrals that can be used to distinguish 4 and 3.5 rounds, respectively. Moreover, using the start from the middle approach, we combine the two proposed integrals to get 6.5-round and 7.5-round distinguishers for the internal permutation and 6-round and 7-round distinguishers for the compression function.

09:17 [Pub][ePrint]

A PAKR (Password-Authenticated Key Retrieval) protocol and its multi-server system allow one party (say, client), who has a rememberable password, to retrieve a long-term static key in an exchange of messages with at least one other party (say, server) that has a private key associated with the password. In this paper, we analyze the only one PAKR (named as PKRS-1) standardized in IEEE 1363.2 [9] and its multi-server system (also, [11]) by showing that any passive/active attacker can find out the client\'s password and the static key with off-line dictionary attacks. This result is contrary to the security statement of PKRS-1 (see Chapter 10.2 of IEEE 1363.2 [9]).

09:17 [Pub][ePrint]

We initiate the study of {\\em extractability obfuscation}, a notion first suggested by Barak et al. (JACM 2012): An extractability obfuscator eO for a class of algorithms M guarantees that if an efficient attacker A can distinguish between obfuscations eO(M_1), eO(M_2) of two algorithms M_1,M_2 \\in M, then A can efficiently recover (given M_1 and M_2) an input on which M_1 and M_2 provide different outputs.

- We rely on the recent candidate virtual black-box obfuscation constructions to provide candidate constructions of extractability obfuscators for NC^1; next, following the blueprint of Garg et~al. (FOCS 2013), we show how to bootstrap the obfuscator for NC^1 to an obfuscator for all non-uniform polynomial-time Turing machines. In contrast to the construction of Garg et al., which relies on indistinguishability obfuscation for NC^1, our construction enables succinctly obfuscating non-uniform {\\em Turing machines} (as opposed to circuits), without turning running-time into description size.

- We introduce a new notion of {\\em functional witness encryption}, which enables encrypting a message m with respect to an instance x, language L, and function f, such that anyone (and only those) who holds a witness w for x\\in L can compute f(m,w) on the message and particular known witness. We show that functional witness encryption is, in fact, equivalent to extractability obfuscation.

- We demonstrate other applications of extractability extraction, including the first construction of fully (adaptive-message) indistinguishability-secure functional encryption for an unbounded number of key queries and unbounded message spaces.

- We finally relate indistinguishability obfuscation and extractability obfuscation and show special cases when indistinguishability obfuscation can be turned into extractability obfuscation.

09:17 [Pub][ePrint]

Boldyreva et al. introduced the notion of multiple forking (MF) as an extension of (general) forking to accommodate nested oracle replay attacks. The primary objective of a (multiple) forking algorithm is to separate out the oracle replay attack from the actual simulation of protocol to the adversary, and this is achieved through the intermediary of a so-called wrapper algorithm. Multiple forking has turned out to be a useful tool in the security argument of several cryptographic protocols. However, a reduction employing the MF Algorithm incurs a significant degradation of O(q^2n), where q denotes the upper bound on the underlying random oracle calls and n, the number of forkings. In this work we take a closer look at the reasons for the degradation with a tighter security bound in mind. We nail down the exact set of conditions for the success of the MF Algorithm. A careful analysis of the protocols (and corresponding security argument) employing multiple forking allow us to relax the overly restrictive conditions of the original MF Algorithm. To achieve this, we club two consecutive invocations of the underlying wrapper into a single logical unit of wrapper Z. We then use Z to formulate the notion of \"dependency\" and \"independency\" among different rounds of the wrapper in the MF Algorithm. The (in)dependency conditions lead to a general framework for multiple forking and significantly better bound for the MF Algorithm. Leveraging (in)dependency to the full reduces the degradation from O(q^2n) to O(q^n). Finally, we study the effect of these observations on the security of the existing schemes. We conclude that by careful design of the protocol (and the wrapper in the security reduction) it is possible to harness our observations to the full extent.

09:17 [Pub][ePrint]

This paper describes several new improvements of modular arithmetic and how to exploit them in order to gain more efficient implementations of commonly used algorithms, especially in cryptographic applications. We further present a new record for modular multiplications per second on a single desktop computer as well as a new record for the ECM factoring algorithm. This new results allow building personal computers which can handle more than 3 billion modular multiplications per second for a 192 bit module at moderate costs using modern graphic cards.

09:17 [Pub][ePrint]

We construct secret-key encryption (SKE) schemes that are secure against related-key attacks and in the presence of key-dependent messages (RKA-KDM secure). We emphasize that RKA-KDM security is not merely the conjunction of individual security properties, but covers attacks in which ciphertexts of key-dependent messages under related keys are available. Besides being interesting in their own right, RKA-KDM secure schemes allow to garble circuits with XORs very efficiently (Applebaum, TCC 2013). Until now, the only known RKA-KDM secure SKE scheme (due to Applebaum) is based on the LPN assumption. Our schemes are based on various other computational assumptions, namely DDH, LWE, QR, and DCR.

We abstract from Applebaum\'s construction and proof, and formalize three generic technical properties that imply RKA-KDM security: one property is IND-CPA security, and the other two are the existence of suitable oracles that produce ciphertexts under related keys, resp. of key-dependent messages. We then give simple SKE schemes that achieve these properties. Our constructions are variants of known KDM-secure public-key encryption schemes. To additionally achieve RKA security, we isolate suitable homomorphic properties of the underlying schemes in order to simulate ciphertexts under related keys in the security proof.

From a conceptual point of view, our work provides a generic and extensible way to construct encryption schemes with multiple special security properties.

09:17 [Pub][ePrint]

We present a new generic construction of a public-key encryption (PKE) scheme secure against leakage-resilient chosen-ciphertext attacks (LR-CCA), from any Hash Proof System (HPS) and any one-time lossy filter (OT-LF). Efficient constructions of HPSs and OT-LFs from the DDH and DCR assumptions suggest that our construction is a practical approach to LR-CCA security. Most of practical PKEs with LR-CCA security, like variants of Cramer-Shoup scheme, rooted from Hash Proof Systems, but with leakage rates at most $1/4-o(1)$ (defined as the ratio of leakage amount to secret-key size). The instantiations of our construction from the DDH and DCR assumptions result in LR-CCA secure PKEs with leakage rate of $1/2-o(1)$.

On the other hand, our construction also creates a new approach for constructing IND-CCA secure (leakage-free) PKE schemes, which may be of independent interest.