International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

01:42 [Event][New] CPSS'15: 1st Cyber-Physical System Security Workshop

  Submission: 28 December 2014
Notification: 31 January 2015
From April 14 to April 14
Location: Singapore, Singapore
More Information:

16:02 [News] President\'s message 9/2014


Here is a brief update on IACR matters as of CRYPTO 2014.


***Communications and website


First of all, I would like to thank Christopher Wolf for his service\r\nand dedication to the IACR in his role as Newsletter Editor (later,\r\nCommunications Secretary). From 2009 until this summer, he has led\r\nthe communications and publicity activities of the IACR and made the\r\nwebsite an interesting and interactive experience.


The Board of Directors has appointed Mike Rosulek (Oregon State\r\nUniversity, US) as the Communications Secretary; Yu Yu (Shanghai Jiao\r\nTong University, CN) also joins the communications team and serves as\r\none of the webmasters.


***Cryptography Research Fund for Students


Thanks to the generous donation of 1 Mio. USD from Cryptography\r\nResearch Inc. (a division of Rambus) the IACR has created the\r\n*Cryptography Research Fund for Students.*


The fund aims at promoting cryptology to students and supporting\r\nscholarly work in the field. With its help, the IACR can greatly\r\nincrease its support for students in cryptology through:


1) Waiving the registration fee for student speakers at EUROCRYPT,\r\n CRYPTO, ASIACRYPT and, now, also at CHES, FSE, TCC and PKC;


2) Expanding its support for Cryptology Schools (see below);


3) Further activities, as coordinated by an Endowment Committee that\r\n oversees the fund. (Please contact its chair, Greg Rose, with more\r\n ideas.)


The IACR has created an investment fund with a conservative strategy\r\nso that this program can be funded in perpetuity. Combined with a\r\nsmaller commitment from the IACR, the sum in the fund can support the\r\nongoing activities detailed above as well as let the capital keep\r\nup with inflation.


***Parallel sessions


In response to the growth of the field over the last years, the Board\r\nin 2011 sent a message to Program Chairs and Program Committees of the\r\nthree main conferences asking them \"to accept substantially more\r\npapers than used to be the case and to work with their General Chair\r\nfor the logistics to make this possible.\" As one can see from the\r\npublication statistics over the recent years\r\n( the message has\r\nbeen received partially, but not uniformly implemented. As of today,\r\nthe Board believes that this effort should go further. During the\r\nrecent meeting at CRYPTO, a majority of the Board expressed the opinion\r\nthat a program of, say, 60 or more talks should be arranged at least\r\npartially in parallel sessions.


Hence, during its meeting at CRYPTO, the Board has decided to ask the\r\nProgram Chairs and Committees of the three IACR conferences in 2015\r\n\"to have parallel sessions for a significant part of the program.\" It\r\nis intended for 2015 only. At a discussion during the membership\r\nmeeting, a vote indicated a clear majority in favor of this change for\r\n2015, but there was also a significant minority against. After\r\nASIACRYPT 2015 a referendum among the IACR membership will be held for\r\ndeciding whether the format should be kept like this.


Per IACR\'s policy, Program Chairs and Committees are responsible for\r\nthe scientific program; the General Chairs are responsible for the\r\nlogistics and the organization. The Board guides these processes and\r\nensures continuity across IACR\'s activities.


***Cryptology Schools


The Board has approved funding for the first three IACR Cryptology\r\nSchools, which take place later this year and next year.


1) School on Cryptographic Attacks (\r\n 13-17 October 2014, Porto, Portugal


2) School on Design and Security of Cryptographic Algorithms and Devices,\r\n 5-10 July 2015 (tentative), location to be decided.


3) Asian Workshop on Symmetric Key Cryptography - Cryptology School,\r\n 19-22 December 2014, Chennai, India (


See the website for more information.




There will be elections for three IACR Director positions later this\r\nyear; nominations are now open and due by October 10, 2014. Please\r\nconsider running and see the announcement on the website:\r\n



\r\n\r\n Christian Cachin\r\n IACR President\r\n

15:17 [PhD][New] Elisabeth Oswald: On Side-Channel Attacks and the Application of Algorithmic Countermeasures

  Name: Elisabeth Oswald
Topic: On Side-Channel Attacks and the Application of Algorithmic Countermeasures
Category: implementation

15:15 [PhD][New] Carolyn Whitnall: Statistical methods for non-profiled differential side-channel analysis: Theory and evaluation

  Name: Carolyn Whitnall
Topic: Statistical methods for non-profiled differential side-channel analysis: Theory and evaluation
Category: (no category)


\r\nDifferential side-channel analysis (DSCA) aims at recovering cryptographically-secured secret information by exploiting the relationship between the physically-observable characteristics of a device and the data manipulated inside it. Prior knowledge about this relationship (obtained, perhaps, by detailed examination of an equivalent device) is known to greatly enhance attack success. What may be achieved with little or no prior knowledge at all is less clear. Strategies designed on such a basis have been loosely termed `generic\', but the scenarios in which these are possible without some meaningful knowledge on the leakage appear rare.\r\n


\r\nIn this thesis we formalise the notion of `generic DSCA\' in order to understand it better and to make concrete statements about when and in what sense it is possible. We confirm that the range of scenarios to which it may be applied truly is limited---requiring that the device at some stage implements a predictable function which is non-injective and sufficiently nonlinear (e.g. the DES S-Box transformations).\r\n


\r\nWe explore popular proposals based on mutual information and other non-parametric statistics. To facilitate meaningful comparisons we first introduce a theoretic evaluation framework to enable like-for-like comparisons between different methods and avoid the pit-falls of (necessarily estimator-dependent) empirical comparisons. One of the lessons learned by employing this framework is that mutual information is indeed optimal in some information-theoretic sense (as was initially supposed) and that it is the added burden of estimation which makes it a poor choice in all but the most unusual of leakage scenarios.\r\n


\r\nWe also analyse linear regression-based methods and their use as `generic\' strategies. Applied in this way, they are restricted to the same limited scope as any other such strategy. However, we identify a unique feature of the way they operate whi[...]

09:17 [Pub][ePrint] A 128-bit Block Cipher Based on Three Group Arithmetics, by Shenghui Su and Shuwang Lu

  Enlightened by the IDEA block cipher, the authors put forward the REESSE3+ block cipher (a symmetric key cryptosystem) based on three group arithmetics: addition modulo 2 (bit XOR), addition modulo 2 ^ 16, and multiplication modulo 2 ^ 16 + 1. Different from IDEA, REESSE3+ uses 128-bit block inputs, a 256-bit key, and a renovative round function. The authors describe the REESSE3+ cipher algorithm in the graph, and expound the encryption subkeys, encryption operation, decryption subkeys, and decryption operation. Further, demonstrate the correctness of the REESSE3+ cipher algorithm, and analyze the security of REESSE3+ from three aspects. The measures for assuring the security of REESSE3+ cover those for assuring the security of IDEA, and thus, the ability of REESSE3+ in resisting differential analysis is at least equivalent to that of IDEA.

09:17 [Pub][ePrint] Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials, by Christian Hanser and Daniel Slamanig

  Structure-preserving signatures are a quite recent but important building block for many cryptographic protocols. In this paper, we introduce a new type of structure-preserving signatures, which allows to sign group element vectors and to consistently randomize signatures and messages without knowledge of any secret.

More precisely, we consider messages to be (representatives of) equivalence classes on vectors of group elements (coming from a single prime order group), which are determined by the mutual ratios of the discrete logarithms of the representative\'s vector components. By multiplying each component with the same scalar, a different representative of the same equivalence class is obtained.

We propose a definition of such a signature scheme, a security model and give an efficient construction, which we prove secure in the SXDH setting, where EUF-CMA security is proven against generic forgers in the generic group model and the so called class hiding property is proven under the DDH assumption.

As a second contribution, we use the proposed signature scheme to build an efficient multi-show attribute-based anonymous credential system (ABC) that allows to encode an arbitrary number of attributes. This is -- to the best of our knowledge -- the first ABC system that provides constant-size credentials and constant-size showings. To allow an efficient construction in combination with the proposed signature scheme, we also introduce a new, efficient, randomizable polynomial commitment scheme. Aside from these two building blocks, the credential system requires a very short and constant-size proof of knowledge to provide freshness in the showing protocol. We present our ABC system along with a suitable security model and rigorously prove its security.

09:17 [Pub][ePrint] The Feasibility of Outsourced Database Search in the Plain Model, by Carmit Hazay and Hila Zarosim

  The problem of securely outsourcing computation to an untrusted server gained momentum with the recent penetration of cloud computing services. The ultimate goal in this setting is to design efficient protocols that minimize the computational overhead of the clients and instead rely on the extended resources of the server. In this paper, we focus on the outsourced database search problem which is highly motivated in the context of delegatable computing since it offers storage alternatives for massive databases, that may contain confidential data. This functionality is described in two phases: (1) setup phase and (2) query phase. The main goal is to minimize the parties workload in the query phase so that it is proportional to the query size and its corresponding response.

Our starting point is the semi-honest protocol from FaustHV13 (ICALP 2013) that offers a simulation based secure protocol for outsourced pattern matching in the random oracle setting with optimal workload. In this work we study whether the random oracle is necessary for protocols with minimal interaction that meet the optimal communication/computation bounds in the query phase. We answer this question negatively and demonstrate a lower bound on the communication or the computational overhead in this phase. We further abstract the security properties of the underlying cryptographic primitive that enables to obtain private outsourced database search with minimal interaction. For a large class of search functionalities the communication complexity of our protocol meets the above lower bound.

09:17 [Pub][ePrint] Analysis Of Variance and CPA in SCA, by Sebastien Tiran and Guillaume Reymond and Jean-Baptiste Rigaud and Driss Aboulkassimi and Benedikt Gierlichs and Mathieu Carbone and Gilles Ducharme and Philipp

  This paper introduces Side-Channel Analysis results obtained on an unprotected circuit characterized by a surprisingly non-linear leakage. While in such a case, Correlation Power Analysis is not adapted, we show that a more generic attack, based on the Analysis Of Variance (AOV) outperfoms CPA. It has the advantage of detecting non-linear leakage, unlike Correlation Power Analysis, and of providing similar or much better results in all cases, with a similar computation time.

09:17 [Pub][ePrint] Formal Treatment of Privacy-Enhancing Credential Systems, by Jan Camenisch and Stephan Krenn and Anja Lehmann and Gert Læssøe Mikkelsen and Gregory Neven and Michael Østergaard Pedersen

  Privacy-enhancing attribute-based credentials (PABCs) are the core ingredient to privacy-friendly authentication systems, allowing users to obtain credentials on attributes and prove possession of these credentials in an unlinkable fashion while revealing only a subset of the attributes. To be useful in practice, however, PABCs typically need additional features such as i) revocation, ii) pooling prevention by binding credentials to users\' secret keys, iii) pseudonyms as privacy-friendly user public keys, iv) proving equality of attributes without revealing their values, v) or advanced issuance where attributes can be \"blindly\" carried over into new credentials. Provably secure solutions exist for most of these features in isolation, but it is unclear how they can be securely combined into a full-fledged PABC system, or even which properties such a system would aim to fulfill. We provide a formal treatment of PABC systems supporting the mentioned features by defining their syntax and security properties, resulting in the most comprehensive definitional framework for PABCs so far. Unlike previous efforts, our definitions are not targeted at one specific use-case; rather, we try to capture generic properties that can be useful in a variety of scenarios. We believe that our definitions can also be used as a starting point for diverse application-dependent extensions and variations of PABCs. We present and prove secure a generic and modular construction of a PABC system from simpler building blocks, allowing for a \"plug-and-play\" composition based on different instantiations of the building blocks. Finally, we give secure instantiations for each of the building blocks, including in particular instantiations based on CL- and Brands-signatures which are the core of the Idemix and U-Prove protocols.

09:17 [Pub][ePrint] A Note on Quantum Security for Post-Quantum Cryptography, by Fang Song

  Shor\'s quantum factoring algorithm and a few other efficient quantum algorithms break many classical crypto-systems. In response, people proposed post-quantum cryptography based on computational problems that are believed hard even for quantum computers. However, security of these schemes against \\emph{quantum} attacks is elusive. This is because existing security analysis (almost) only deals with classical attackers and arguing security in the presence of quantum adversaries is challenging due to unique quantum features such as no-cloning.

This work proposes a general framework to study which classical security proofs can be restored in the quantum setting. Basically, we split a security proof into (a sequence of) classical security reductions, and investigate what security reductions are ``quantum-friendly\'\'. We characterize sufficient conditions such that a classical reduction can be ``lifted\'\' to the quantum setting.

We then apply our lifting theorems to post-quantum signature schemes. We are able to show that the classical generic construction of hash-tree based signatures from one-way functions and and a more efficient variant proposed in~\\cite{BDH11} carry over to the quantum setting. Namely, assuming existence of (classical) one-way functions that are resistant to efficient quantum inversion algorithms, there exists a quantum-secure signature scheme. We note that the scheme in~\\cite{BDH11} is a promising (post-quantum) candidate to be implemented in practice and our result further justifies it. Actually, to obtain these results, we formalize a simple criteria, which is motivated by many classical proofs in the literature and is straightforward to check. This makes our lifting theorem easier to apply, and it should be useful elsewhere to prove quantum security of proposed post-quantum cryptographic schemes. Finally we demonstrate the generality of our framework by showing that several existing works (Full-Domain hash in the quantum random-oracle model~\\cite{Zha12ibe} and the simple hybrid arguments framework in~\\cite{HSS11}) can be reformulated under our unified framework.