International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

01:17 [Pub][ePrint] Primary-Secondary-Resolver Membership Proof Systems, by Moni Naor and Asaf Ziv

  We consider Primary-Secondary-Resolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3-party protocol, where we have a primary, which is a trusted party which commits to a set of members and their values, then generates a public and secret keys in order for secondaries (provers with knowledge of both keys) and resolvers (verifiers who only know the public key) to engage in interactive proof sessions regarding elements in the universe and their values. The motivation for such systems is for constructing a secure Domain Name System (DNSSEC) that does not reveal any unnecessary information to its clients.

We require our systems to be complete, so honest executions will result in correct conclusions by the resolvers, sound, so malicious secondaries cannot cheat resolvers, and zero-knowledge, so resolvers will not learn additional information about elements they did not query explicitly. Providing proofs of membership is easy, as the primary can simply precompute signatures over all

the members of the set. Providing proofs of non-membership, i.e. a

denial-of-existence mechanism, is trickier and is the main issue in constructing PSR systems.

We provide three different strategies to construct a denial of existence mechanism. The first uses a set of cryptographic keys for all elements of the universe which are not members, which we implement using hierarchical identity based encryption and a tree based signature scheme. The second construction uses cuckoo hashing with a stash, where in order to prove non-membership, a

secondary must prove that a search for it will fail, i.e. that it is not in the tables or the stash of the cuckoo hashing scheme. The third uses a verifiable ``random looking\'\' function which the primary evaluates over the set of members, then signs the values lexicographically and secondaries then use those signatures to prove to resolvers that the value of the non-member was not

signed by the primary. We implement this function using a weaker variant of verifiable random/unpredictable functions and pseudorandom functions with interactive zero knowledge proofs.

For all three constructions we suggest fairly efficient implementations, of order comparable to other public-key operations such as signatures and encryption. The first approach offers perfect ZK and does not reveal the size of the set in question, the second can be implemented based on very solid cryptographic assumptions and uses the unique structure of cuckoo hashing, while the last technique has the potential to be highly efficient, if one could construct an efficient and secure VRF/VUF or if one is willing to live in the random oracle model.

22:46 [Event][New] Security of symmetric ciphers in network protocols

  From May 25 to May 29
Location: Edinburgh, Scotland
More Information:

21:52 [Event][New] Genopri 2015: Genopri 2015 (2nd International Workshop on Genome Privacy and Security

  Submission: 20 January 2015
Notification: 22 February 2015
From May 21 to May 21
Location: San Jose, USA
More Information:

03:17 [Pub][ePrint] How Secure is TextSecure?, by Tilman Frosch and Christian Mainka and Christoph Bader and Florian Bergsma and Joerg Schwenk and Thorsten Holz

  Instant Messaging has attracted a lot of attention by users for both private and business communication and has especially gained popularity as low-cost short message replacement on mobile devices. However, most popular mobile messaging apps do not provide end-to-end security. Press releases about mass surveillance performed by intelligence services such as NSA and GCHQ lead many people looking for means that allow them to preserve the security and privacy of their communication on the Internet. Additionally fueled by Facebook\'s acquisition of the hugely popular messaging app WhatsApp, alternatives that claim to provide secure communication experienced a significant increase of new users.

A messaging app that has attracted a lot of attention lately is TextSecure, an app that claims to provide secure instant messaging and has a large number of installations via Google\'s Play Store. It\'s protocol is part of Android\'s most popular aftermarket firmware CyanogenMod. In this paper, we present the first complete description of TextSecure\'s complex cryptographic protocol and are the first to provide a thorough security analysis of TextSecure. Among other findings, we present an Unknown Key-Share Attack on the protocol, along with a mitigation strategy, which has been acknowledged by TextSecure\'s developers. Furthermore, we formally prove that---if our mitigation is applied---TextSecure\'s push messaging can indeed achieve the goals of authenticity and confidentiality.

00:17 [Pub][ePrint] Falcon Codes: Fast, Authenticated LT Codes, by Ari Juels and James Kelley and Roberto Tamassia and Nikos Triandopoulos

  In this paper, we introduce Falcon codes, a class of authenticated error correcting codes that are based on LT codes and achieve the following properties, for the first time simultaneously: (1) with high probability, they can correct adversarial symbol corruptions in the encoding of a message, and (2) they allow for very efficient encoding and decoding times, even linear in the message length. We study Falcon codes in a new adversarial model for rateless codes over computational channels, and define a new security notion for corruption-tolerant encoding in this model. We then present three such LT-based coding schemes that achieve resilience to adversarial corruptions via judicious use of simple cryptographic tools while maintaining very fast encoding/decoding times. One variant Falcon code works well with small messages (100s of KB to 10s of MB) but two alternative scalable versions are designed to handle much larger inputs (e.g., messages that are several GBs in size). Our schemes are provably secure against computational adversaries in the standard model. We analyze our new schemes and show that Falcon codes are both asymptotically and practically efficient.

16:43 [Event][New] [Extension] SI Security and Privacy in Unified Communications

  Submission: 21 November 2014
Notification: 3 April 2015
From April 3 to April 3
More Information:

16:42 [Job][New] Principal Solution Specialist - Encryption, SafeNet


Serve as a SME (Subject Matter Expert) advising SafeNet customers, partners and prospects on SafeNet Data Protection solutions to secure data while at rest (storage, file and database encryption), in use (hardware security modules, encryption technologies), and in transit (wide area network encryption).

This focused expertise will drive increased revenue for SafeNet StorageSecure, Hardware Security Modules, KeySecure and ProtectV products.

Technical Requirements

• Experienced in the concepts of Cryptography, Security and PKI

• Experience with Hardware Security Modules (HSM)

• Experience with the concept and practice of Key Management

• Experience with virtualisation products such as VMWare, XEN and HyperV is beneficial, as well as prior involvement with Amazon Web Services

• Strong familiarity with Windows and Linux based systems

• Familiarity with a range of enterprise security solutions would be beneficial as they relate to the wider SafeNet portfolio. These include database encryption, data tokenization, storage encryption, wide area network encryption, and authentication.

The position will require significant travel throughout the EMEA region.

For further information, please contact julia.robson (at)

16:41 [Job][New] Post-Doc, Nanyang Technological University, Singapore

  We are looking for two Post-Docs (Research Fellows) on symmetric key cryptography and computer security. The positions are for 2 years.

We encourage candidates with an excellent track-record in cryptography and computer security to apply. Please send your application with a CV, a cover letter and two reference letters.

Review starts immediately until suitable candidates have been hired.

15:17 [Pub][ePrint] The Power of Negations in Cryptography, by Siyao Guo and Tal Malkin and Igor C. Oliveira and Alon Rosen

  The study of monotonicity and negation complexity for Boolean

functions has been prevalent in complexity theory as well as in computational learning theory, but little attention has been given to

it in the cryptographic context. Recently, Goldreich and

Izsak (2012) have initiated a study of whether cryptographic

primitives can be monotone, and showed that one-way functions can be

monotone (assuming they exist), but a pseudorandom generator cannot.

In this paper, we start by filling in the picture and proving that many

other basic cryptographic primitives cannot be monotone. We then

initiate a quantitative study of the power of negations,

asking how many negations are required. We provide several

lower bounds, some of them tight,

for various cryptographic primitives and building blocks

including one-way permutations, pseudorandom functions, small-bias generators, hard-core predicates, error-correcting codes, and randomness extractors.

Among our results, we highlight the following.

i) Pseudorandom functions can only be computed by circuits

containing at least log n - O(1) negations

(which is optimal up to the additive term).

ii) We prove that error-correcting codes with optimal distance

parameters require log n - O(1) negations (again, optimal up to

the additive term).

iii) Unlike one-way functions, one-way permutations cannot be


iv) We prove a general result for monotone functions,

showing a lower bound on the depth of any

circuit with t negations on the bottom that computes a monotone function f in terms of the monotone

circuit depth of f. This result addresses a question posed by Koroth and Sarma (2014) in the context of the circuit complexity

of the Clique problem.

Our results lead to a few intriguing open problems, and to interesting directions for further research.

00:17 [Pub][ePrint] Some Security Results of the RC4 + Stream Cipher, by Subhadeep Banik and Sonu Jha

  RC4+ stream cipher was proposed by Maitra et. al.

at Indocrypt 2008. It was claimed by the authors that this new

stream cipher is designed to overcome all the weaknesses reported

on the alleged RC4 stream cipher. In the design specifications of

RC4+, the authors make use of an 8-bit design parameter called

pad which is fixed to the value 0xAA. The first Distinguishing

Attack on RC4+ based on the bias of its first output byte was shown by Banik et. al. in Indocrypt 2013. In this paper, it was also mentioned that the distinguishing attack would still hold if the pad used in RC4+ is fixed to any even 8-bit constant other than 0xAA. Therefore, the question that arises is whether the design of RC4+ can be protected by fixing the pad parameter to some constant odd value. In this paper, we try to answer this very question. We show that the design is still vulnerable by mounting a distinguishing attack even if the pad is fixed to some constant 8-bit odd value. Surprisingly we find that if the value of the pad is made equal to 0x03, the design provides maximum resistance to distinguishing attacks. Lastly we return to the original cipher i.e. in which pad is set to 0xAA and unearth another bias in the second output byte of the cipher, thereby showing that practical implementations of this cipher should discard the use of the first two output bytes for encryption.

00:17 [Pub][ePrint] A Practical Attack Against the HIVE Hidden Volume Encryption System, by Kenneth G. Paterson and Mario Strefler

  The HIVE hidden volume encryption system was proposed by Blass et al. at ACM-CCS 2014. Even though HIVE has a security proof, this paper demonstrates an attack on its implementation that breaks the main security property claimed for the system by its authors, namely plausible hiding against arbitrary-access adversaries. Our attack is possible because of HIVE\'s reliance on the RC4 stream cipher to fill unused blocks with pseudorandom data. While the attack can be easily eliminated by using a better pseudorandom generator, it serves as an example of why RC4 should be avoided in all new applications and a reminder that one has to be careful when instantiating primitives.