International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:48 [Job][New] Fully funded Ph.D., Ecole normale supérieure (Paris Area, France)

  The objective of this thesis is the forensic reconstruction of partially erased data of various types. The problem that we will tackle is formalized as follows: We consider a data object instance as the result of a function F(t,r) where t encodes the objet type and r is a random number. The OS can create objects, erase them or update them. Erasure is done by forgetting the object’s reference and hence implicitly recycling the space on which it was written. The problem consists in reconstructing algorithmically erased data objects of various types and modeling the conditions under which various assortments of types subject to a given number of rewriting cycles can still be recovered. The methods that will be developed will subsequently be applied to iOS and Android.

The candidate should have solid programming and algorithmic skills. Prior knowledge of reverse engineering tools such as IDA Pro is a plus. The candidate will interact with zero-day exploit hunters and physical reverse engineering experts and will have access to very advanced computing and forensic facilities. This proposal is reserved to French nationals only and is fully funded.

Interested candidates should contact directly david.naccache (at)

16:17 [Pub][ePrint] Multiple-Use Transferable E-Cash , by Pratik Sarkar

  Ecash is a concept of electronic cash which would allow users to carry money in form of digital coins. Transaction can be done both offline and online in absence of a third party/financial institution. This paper proposes an offline model which supports multiple usage of transferable ecoin. The protocol is based on RSA, digital signature and a two-step encryption process. In this two step encryption, the user account details are encrypted in the coin using unique numbers in each step. The first encryption takes place during the successful receipt of the coin, where a receive end number is used for encryption,which is unique for every receipt. The second step of encryption takes place during successful spending of the coin,where a spending end receive number is used for encryption, which is unique for every spenfing of the coin. These two unique numbers comprise the major part of encryption in this model, prevents double spending and preserves user anonymity.

16:17 [Pub][ePrint] Weaknesses in a Recently Proposed RFID Authentication Protocol, by Mete Akg\\\"{u}n, M. Ufuk \\c{C}a\\v{g}layan

  Many RFID authentication protocols have been proposed to provide desired security and privacy level for RFID systems. Almost all of these protocols are based symmetric cryptography because of the limited resources of RFID tags. Recently Cheng et. al have been proposed an RFID security protocol based on chaotic maps. In this paper, we analyze the security of this protocol and discover its vulnerabilities. We firstly present a de-synchronization attack in which a passive adversary makes the shared secrets out-of-synchronization by eavesdropping just one protocol session. We secondly present a secret disclosure attack in which a passive adversary extracts secrets of a tag by eavesdropping just one protocol session. An adversary having the secrets of the tag can launch some other attacks.

16:17 [Pub][ePrint] Tightly-Secure Signatures From Lossy Identification Schemes, by Michel Abdalla and Pierre-Alain Fouque and Vadim Lyubashevsky and Mehdi Tibouchi

  In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short Discrete Logarithm problem, while still maintaining the non-tight reduction to the computational version of the problem upon which the original scheme of Girault et al. is based. The second signature scheme we construct is a modification of the scheme of Lyubashevsky (Asiacrypt 2009) that is based on the worst-case hardness of the shortest vector problem in ideal lattices. And the third scheme is a very simple signature scheme that is based directly on the hardness of the Subset Sum problem.

We also present a general transformation that converts what we term lossy identification schemes into signature schemes with tight security reductions. We believe that this greatly simplifies the task of constructing and proving the security of

such signature schemes.

15:08 [Job][New] Post-Doc, EPFL, Switzerland

  The Laboratory for Security and Cryptography (LASEC) at EPFL is hiring a post doctoral researcher. Applicants are encouraged to apply to job_lasec (at) by sending a detailed CV and a research plan.

LASEC is active in research on cryptography and security. More specifically, our main interests currently span (but are not limited to) the following:

  • hardware implementation and embedded systems,

  • homomorphic and functional encryption,

  • provable security.

We strongly encourage the application by researchers who have proved

excellence in one of these domains.

The selection of applicants will be made on a competitive basis.

Besides conducting top-quality research, postdocs are required to

participate the the lab activities such as training students at all levels,

running projects, fund raising, etc.

EPFL is a top-ranked research and teaching institution that attracts

some of the best intellects in the world. EPFL offers excellent

facilities, environment, and salaries. EPFL\\\'s campus is a multi

cultural, idyllic spot overlooking Lake Geneva and facing the Alps.

Information about EPFL:

08:54 [Job][New] 3 Phd Students in Trustworthy Hardware/Hardware Security, New York University Polytechnic School of Engineering, USA, North America

  3 PhD Fellowships in the area of hardware Security. A strong background in VLSI Design, Nano-electronics. VLSI Testing, Reliability, Security. Highly competitive, 4-year guaranteed fellowships are available.

19:17 [Pub][ePrint] Automatic Search for Differential Trails in ARX Ciphers (Extended Version), by Alex Biryukov and Vesselin Velichkov

  We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui\'s algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui\'s algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13 round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations. The source code of the tool is publicly available as part of a larger toolkit for the analysis of ARX at the following address: .

16:17 [Pub][ePrint] Detecting Hidden Leakages, by Amir Moradi and Sylvain Guilley and Annelie Heuser

  Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).

16:17 [Pub][ePrint] A Study of Goldbach\'s conjecture and Polignac\'s conjecture equivalence issues, by Jian Ye and Chenglian Liu

  The famous Goldbach\'s conjecture and Polignac\'s conjecture are two of all unsolved problems in the field of number theory today. As well known, the Goldbach\'s conjecture and the Polignac\'s conjecture are equivalent. Most of the literatures does not introduce about internal equivalence in Polignac\'s conjecture. In this paper, we would like to discuss the internal equivalence to the Polignac\'s conjecture, say $T_{2k}(x)$ and $T(x)$ are equivalent. Since $T_{2k}\\sim T(x)\\sim 2c\\cdot \\frac{x}{(\\ln x)^{2}}$, we rewrite and re-express to $T(x)\\sim T_{4}(x)\\sim T_{8}(x)\\sim T_{16}(x)\\sim T_{32}(x)\\sim T_{2^{n}}(x)\\sim 2c\\cdot \\frac{x}{(\\ln x)^{2}}$. And then connected with the Goldbach\'s conjecture. Finally, we will point out the important prime number symmetry role of play in these two conjectures.

16:17 [Pub][ePrint] A generic view on trace-and-revoke broadcast encryption schemes, by Dennis Hofheinz and Christoph Striecks

  At Eurocrypt 2011, Wee presented a generalization of threshold public key encryption, threshold signatures, and revocation schemes arising from threshold extractable hash proof systems. In particular, he gave instances of his generic revocation scheme from the DDH assumption (which led to the Naor-Pinkas revocation scheme), and from the factoring assumption (which led to a new revocation scheme). We expand on Wee\'s work in two directions:

(a) We propose threshold extractable hash proof instantiations from the \"Extended Decisional Diffie-Hellman\" (EDDH) assumption due to Hemenway and Ostrovsky (PKC 2012). This in particular yields EDDH-based variants of threshold public key encryption, threshold signatures, and revocation schemes. In detail, this yields a DCR-based revocation scheme.

(b) We show that our EDDH-based revocation scheme allows for a mild form of traitor tracing (and, thus, yields a new trace-and-revoke scheme). In particular, compared to Wee\'s factoring-based scheme, our DCR-based scheme has the advantage that it allows to trace traitors.

16:17 [Pub][ePrint] How to Keep a Secret: Leakage Deterring Public-key Cryptography, by Aggelos Kiayias and Qiang Tang

  How is it possible to prevent the sharing of cryptographic

functions? This question appears to be fundamentally hard to address

since in this setting the owner of the key {\\em is} the adversary:

she wishes to share a program or device that (potentially only

partly) implements her main cryptographic functionality. Given that

she possesses the cryptographic key, it is impossible for her to be

{\\em prevented} from writing code or building a device that uses

that key. She may though be {\\em deterred} from doing so.

We introduce {\\em leakage-deterring} public-key cryptographic

primitives to address this problem. Such primitives have the feature

of enabling the embedding of owner-specific private data into the

owner\'s public-key so that given access to {\\em any} (even

partially functional) implementation of the primitive, the recovery

of the data can be facilitated. We formalize the notion of

leakage-deterring in the context of encryption, signature, and

identification and we provide efficient generic constructions that

facilitate the recoverability of the hidden data while retaining

privacy as long as no sharing takes place.