International Association for Cryptologic Research

IACR News Central


23:09 [Event][New] RFIDsec 2015: 11th Workshop on RFID Security

  Submission: 17 February 2015
Notification: 7 April 2015
From June 22 to June 23
Location: New York, USA
More Information:

15:53 [Job][New] PhD Studentship in Security/Privacy, University College London

  A grant is available to support a fully-funded PhD studentship to work at the intersection of security, privacy engineering, applied cryptography, and machine learning.

If you are interested and (1) have been involved in competitive research projects (possibly leading to a publication), (2) have a strong background in at least two of the aforementioned topics, please send an email with a short CV and a list of references to jobs (at)

15:52 [Job][New] Visiting Post-Doc or Ph.D. student, Aalto University School of Science, Helsinki, Finland

  We look for a post-doc researcher or advanced Ph.D. student who would like to come to work with us in 2015 for a period of maximum seven months starting May 1, 2015 at the latest. A full salary will be paid during the visit. The visiting researcher should have good background in linear (correlation) attacks on block or stream ciphers.

To apply, send your CV and motivation letter to Prof. Kaisa Nyberg by email: kaisa (dot) nyberg (at) aalto (dot) fi

Applications arriving before Nov 30, 2014, are granted to be taken into consideration when filling this position.

16:17 [Pub][ePrint] Cryptanalysis of JAMBU, by Thomas Peyrin and Siang Meng Sim and Lei Wang and Guoyan Zhang

  In this article, we analyse the security of the authenticated encryption mode JAMBU, a submission to the CAESAR competition that remains currently unbroken. We show that the security claims of this candidate regarding its nonce-misuse resistance can be broken. More precisely, we explain a technique to guess in advance a ciphertext block corresponding to a plaintext that has never been queried before (nor its prefix), thus breaking the confidentiality of the scheme when the attacker can make encryption queries with the same nonce. Our attack is very practical as it requires only about $2^{32}$ encryption queries and computations (instead of the $2^{128}$ claimed by the designers). Our cryptanalysis has been fully implemented in order to verify our findings. Moreover, due to the small tag length of JAMBU, we show how this attack can be extended in the nonce-respecting scenario to break confidentiality in the adaptive chosen-ciphertext model (IND-CCA2) with $2^{96}$ computations, with message prefixes not previously queried.

16:17 [Pub][ePrint] Bicliques with Minimal Data and Time Complexity for AES (Extended Version $\star$), by Andrey Bogdanov and Donghoon Chang and Mohona Ghosh and Somitra Kumar Sanadhya

  Biclique cryptanalysis is a recent technique that has been successfully applied to AES resulting in key recovery faster than brute force. However, a major hurdle in carrying out biclique cryptanalysis on AES is that it requires very high data complexity. This naturally warrants questions over the practical feasibility of implementing biclique attack in the real world. In Crypto'13, Canteaut et al. proposed biclique attack where the data complexity of the attack was reduced to a single plaintext-ciphertext pair. However, no application of the same on AES was suggested.

In this paper, we re-evaluate the security-bound of full round AES against biclique attack. Under some reasonable restrictions, we exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks towards lowest computational and data


- Among attacks with the minimal data complexity of the unicity distance, the ones with computational complexity $2^{126.67}$ (for AES-128), $2^{190.9}$ (for AES-192) and $2^{255}$ (for AES-256) are the fastest. Each attack just requires 2 (for AES-128 and AES-192) or 3 (for AES-256) known plaintexts for success probability 1. We obtain these results using the improved biclique attack proposed in Crypto'13.

- Among attacks with data complexity less than the full codebook, for AES-128, the ones of computational complexity $2^{126.16}$ are the fastest. Within these, the one with data complexity $2^{64}$ requires the smallest amount of data. Thus, the original attack (with data complexity $2^{88}$) did not have the optimal data complexity for AES-128. Similar findings are observed for AES-192 as well (data complexity $2^{48}$ as against $2^{80}$ in the original attack). For AES-256, we find an attack that has a lower computational complexity of $2^{254.31}$ as compared to the original attack complexity of $2^{254.42}$.

- Among all attacks covered, the ones of computational complexity $2^{125.56}$ (for AES-128), $2^{189.51}$ (for AES-192) and $2^{253.87}$ (for AES-256) are fastest, though requiring the full codebook. This can be considered as an indication of the limitations of the independent-biclique attack approach as applied to AES.

16:17 [Pub][ePrint] Certificateless Proxy Re-Encryption Without Pairing, by Akshayaram Srinivasan and C. Pandu Rangan

  Proxy Re-Encryption was introduced by Blaze, Bleumer and Strauss to efficiently solve the problem of delegation of decryption rights. In proxy re-encryption, a semi-honest proxy transforms a ciphertext intended for Alice to a ciphertext of the same message for Bob without learning anything about the underlying message. From its introduction, several proxy re-encryption schemes in the Public Key Infrastructure (PKI) and Identity (ID) based setting have been proposed. In practice, systems in the public key infrastructure suffer from the certificate management problem and those in identity based setting suffer from the key escrow problem. Certificateless Proxy Re-encryption schemes enjoy the advantages provided by ID-based constructions without suffering from the key escrow problem.

In this work, we construct the first unidirectional, single-hop CCA-secure certificateless proxy re-encryption scheme without pairing by extending the PKI based construction of Chow et al. proposed in 2010. We prove its security in the random oracle model under the Computational Diffie-Hellman (CDH) assumption. Prior to this work, the only secure certificateless proxy re-encryption scheme is due to Guo et al. proposed in 2013 using bilinear pairing. The construction proposed in this work is more efficient than that system and satisfies stronger security properties. We also show that the recently proposed construction of Yang et al. is insecure with respect to the security model considered in this work.

16:17 [Pub][ePrint] Efficient Generic Zero-Knowledge Proofs from Commitments, by Samuel Ranellucci and Alain Tapp and Rasmus Winther Zakarias

  Even though Zero-knowledge has existed for more than 30 years, few generic constructions for Zero-knowledge exist. In this paper we present a new kind of commitment scheme on which we build a novel and efficient Zero-knowledge protocol for circuit satisfiability.

17:11 [Event][New] Lightweight Cryptography Workshop 2015

  Submission: 1 April 2015
Notification: 15 May 2015
From July 20 to July 21
Location: Gaithersburg, MD, USA
More Information:

10:17 [Pub][ePrint] Improved Parameters and an Implementation of Graded Encoding Schemes from Ideal Lattices, by Martin R. Albrecht and Catalin Cocis and Fabien Laguillaumie and Adeline Langlois

  We discuss how to set parameters for GGH-like graded encoding schemes approximating cryptographic multilinear maps from ideal lattices and propose a strategy which reduces parameter sizes for concrete instances. Secondly, we discuss a first software implementation of a graded encoding scheme based on GGHLite, an improved variant of Garg, Gentry and Halevi's construction (GGH) due to Langlois, Stehlé and Steinfeld. Thirdly, we provide an implementation of non-interactive $N$-partite Diffie-Hellman key exchange. We discuss our implementation strategies and show that our implementation outperforms previous work.

10:17 [Pub][ePrint] Zeroizing without zeroes: Cryptanalyzing multilinear maps without encodings of zero, by Craig Gentry and Shai Halevi and Hemanta K. Maji and Amit Sahai

  We extend the recent zeroizing attacks of Cheon et al. on multilinear maps to some settings where no encodings of zero below the maximal level are available. Some of the new attacks apply to the CLT scheme (resulting in total break) while others apply to the GGH scheme (resulting in a weak-DL attack).

10:17 [Pub][ePrint] Immunizing Multilinear Maps Against Zeroizing Attacks, by Dan Boneh and David J. Wu and Joe Zimmerman

  In recent work Cheon, Han, Lee, Ryu, and Stehle presented an attack on the multilinear map of Coron, Lepoint, and Tibouchi (CLT). They show that given many low-level encodings of zero, the CLT multilinear map can be completely broken, recovering the secret factorization of the CLT modulus. The attack is a generalization of the "zeroizing" attack of Garg, Gentry, and Halevi.

We first strengthen the attack of Cheon, Han, Lee, Ryu, and Stehle by showing that CLT can be broken even without low-level encodings of zero. This strengthening is sufficient to show that the subgroup elimination assumption does not hold for the CLT multilinear map.

We then present a generic defense against this type of "zeroizing" attack. For an arbitrary asymmetric composite-order multilinear map (including CLT), we give a functionality-preserving transformation that ensures that no sequence of map operations will produce valid encodings (below the zero-testing level) whose product is zero. We prove security of our transformation in a generic model of composite-order multilinear maps. Our new transformation rules out "zeroizing" leaving no currently known attacks on the decision linear assumption, subgroup elimination assumption, and other related problems for the CLT multilinear map. Of course, in time, it is possible that different attacks on CLT will emerge.