International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

10:17 [Pub][ePrint] Cryptanalysis of Two Candidate Fixes of Multilinear Maps over the Integers, by Jean-Sebastien Coron and Tancrede Lepoint and Mehdi Tibouchi

  Shortly following Cheon, Han, Lee, Ryu and Stehle attack against the multilinear map of Coron, Lepoint and Tibouchi (CLT), two independent approaches to thwart this attack have been proposed on the cryptology ePrint archive, due to Garg, Gentry, Halevi and Zhandry on the one hand, and Boneh, Wu and Zimmerman on the other. In this short note, we show that both countermeasures can be defeated in polynomial time using extensions of the Cheon et al. attack.

10:17 [Pub][ePrint] Geppetto: Versatile Verifiable Computation, by Craig Costello and Cédric Fournet and Jon Howell and Markulf Kohlweiss and Benjamin Kreuter and Michael Naehrig and Bryan Parno and Samee Zahur

  Cloud computing sparked interest in Verifiable Computation protocols, which allow a weak client to securely outsource computations to remote parties. Recent work has dramatically reduced the client\'s cost to verify the correctness of results, but the overhead to produce proofs largely remains impractical.

Geppetto introduces complementary techniques for reducing prover overhead and increasing prover flexibility. With Multi-QAPs, Geppetto reduces the cost of sharing state between computations (e.g., for MapReduce) or within a single computation by up to two orders of magnitude. Via a careful instantiation of cryptographic primitives, Geppetto also brings down the cost of verifying outsourced cryptographic computations (e.g., verifiably computing on signed data); together with Geppetto\'s notion of bounded proof bootstrapping, Geppetto improves on prior bootstrapped systems by five orders of magnitude, albeit at some cost in universality. Geppetto also supports qualitatively new properties like verifying the correct execution of proprietary (i.e., secret) algorithms. Finally, Geppetto\'s use of energy-saving circuits brings the prover\'s costs more in line with the program\'s actual (rather than worst-case) execution time.

Geppetto is implemented in a full-fledged, scalable compiler that consumes LLVM code generated from a variety of apps, as well as a large cryptographic library.

10:17 [Pub][ePrint] Secure Lightweight Entity Authentication with Strong PUFs: Mission Impossible II, by Jeroen Delvaux and Dawu Gu and Roel Peeters and Ingrid Verbauwhede

  Physically unclonable functions (PUFs) exploit the unavoidable manufacturing variations of an integrated circuit (IC). Their input-output behavior serves as a unique IC \'fingerprint\'. Therefore, they have been envisioned as an IC authentication mechanism, in particular the subclass of so-called strong PUFs. The protocol proposals are typically accompanied with two PUF promises: lightweight and an increased resistance against physical attacks. In our prior CHES 2014 manuscript, we reviewed eight proposals in chronological order. This work comprehends a sequel. Most notably, five additional strong PUF protocols are included in our large-scale overview-analysis. Again, numerous security and practicality issues are revealed. Furthermore, we improve the transparency of our analysis by explicitly listing protocol requirements. These can also be used as a guideline for future protocol design. Finally, token privacy has been included in the analysis.

07:00 [Job][New] Postdoc fellow, Zhejiang University City College

  one postdoc position is opening at Zhejiang University City College, Hangzhou, CHINA. The position is centered on design, implementation and applications of cryptographic algorithms and protocols in the cloud computing and database management systems. The University offers highly competitive salaries and is an equal opportunity employer.

If you are interested in this position, please send your CV and recent 3-publication to zhuhf (at)

07:00 [Job][New] 6 Ph.D. students and 2 Post-docs, Cosic, KU Leuven, Belgium


COSIC’s research focus lays in the design, evaluation and implementation of cryptographic algorithms and protocols, the development of security architectures for information and communication systems, the development of security mechanisms for embedded systems and the design and analysis of privacy preserving systems.

COSIC is looking for 8 motivated researchers who fit into following profiles:

  • PhD candidate in public key cryptography and cryptographic protocols (multiple positions)
  • PhD candidate in symmetric cryptography and PRNGs
  • PhD position in biometry and federated identity management
  • PhD position in secure circuits for RNG and PUFs
  • Post-doctoral position in biometry and federated identity management
  • Post-doctoral position in multi party computation

General Profile and Skills required

For all the above positions the candidates must hold a Master’s Degree in engineering, mathematics or computer science, have good grades and have a keen interest in cryptography. We prefer candidates who can demonstrate that they have developed their research skills during their Master’s studies. For the postdoctoral positions a PhD degree in the relevant area is required. The candidate should also have an interest in implementation of cryptographic algorithms.

How to apply

Send following documents (in pdf) to jobs-cosic (at)

  • Curriculum Vitae
  • Motivation letter
  • List of publications
  • Relevant research experience
  • Study curriculum with rankings
  • English proficiency
  • Pdf of diploma and transcripts (translation if the original is not in Dutch, English, French or German)
  • Research propo

07:17 [Pub][ePrint] Privacy-Preserving Data Publish-Subscribe Service on Cloud-based Platforms, by Kan Yang and Xiaohua Jia and Kuan Zhang and Xuemin (Sherman) Shen

  Data publish-subscribe service is an effective approach to share and filter data. Due to the huge volume and velocity of data generated daily, cloud systems are inevitably becoming the platform for data publication and subscription. However, the privacy becomes a challenging issue as the cloud server cannot be fully trusted by both data publishers and data subscribers. In this paper, we propose a privacy-preserving data publish-subscribe service for cloud-based platforms. Specifically, we first formulate the problem of privacy-preserving data publish-subscribe service by refining its security requirements on cloud-based platforms. Then, we propose a bi-policy attribute-based encryption (BP-ABE) scheme as the underlying technique that enables the encryptor to define access policies and the decryptor to define filtering policies. Based on BP-ABE, we also propose a \\underline{P}rivacy-preserving \\underline{D}ata \\underline{P}ublish-\\underline{S}ubscribe (PDPS) scheme on cloud-based platforms, which enables the cloud server to evaluate both subscription policy and access policy in a privacy-preserving way. The security analysis and performance evaluation show that the PDPS scheme is secure in standard model and efficient in practice.

07:17 [Pub][ePrint] A Comprehensive Comparison of Shannon Entropy and Smooth Renyi Entropy, by Maciej Skorski

  We provide a new result that links two crucial entropy notions: Shannon entropy $\\mathrm{H}_1$ and collision entropy $\\mathrm{H}_2$. Our formula gives the \\emph{worst possible} amount of collision entropy in a probability distribution, when its Shannon entropy is fixed.

Our results and techniques used in the proof immediately imply

many quantitatively tight separations between Shannon and smooth Renyi entropy, which were previously known as qualitative statements or one-sided bounds. In particular, we precisely calculate the number of bits that can be extracted from a Shannon entropy source, and calculate how far from the uniform distribution is a distribution with the given amount Shannon entropy. To illustrate our results we provide clear numerical examples.

In the typical situation, when the gap between Shannon entropy of a distribution and its length is bigger than $1$, the length of the extracted sequence is very small, even if we allow the randomness quality to be poor. In the case of almost full entropy, where the gap is close to $0$, the $\\ell_2$-distance to uniform is roughly of the same order as the gap. Therefore, it is actually not possible to decide the strong quality of supposed true randomness, {efficiently and at extremely high confidence level} , by means of Shannon entropy estimators, like Maurer\'s Universal Test or others.

Our approach involves convex optimization techniques, applied to characterize worst case distributions, and the use of the Lambert $W$ function, by which we resolve equations coming from Shannon entropy constraints. We believe that it may be of independent interests and useful in studying Shannon entropy with constraints elsewhere.

07:17 [Pub][ePrint] Attacks on Secure Ownership Transfer for Multi-Tag Multi-Owner Passive RFID Environments, by Jorge Munilla and Mike Burmester and Albert Peinado

  Sundaresan et al proposed recently a novel ownership transfer protocol for multi-tag multi-owner RFID environments that complies with the EPC Class1 Generation2 standard. The authors claim that this provides individual-owner privacy and prevents tracking attacks. In this paper we show that this protocol falls short of its security objectives. We describe attacks that allow: a) an eavesdropper to trace a tag, b) the previous owner to obtain the private information that the tag shares with the new owner, and c) an adversary that has access to the data stored on a tag to link this tag to previous interrogations (forward-secrecy). We then analyze the security proof and show that while the first two cases can be solved with a more careful design, for lightweight RFID applications strong privacy remains an open problem.

07:17 [Pub][ePrint] Privacy-Preserving Face Recognition with Outsourced Computation, by Can Xiang and Chunming Tang

  Face recognition is one of the most important biometrics pattern recognitions, which has been widely applied in a variety of enterprise, civilian and law enforcement. The privacy of biometrics data raises important concerns, in particular if computations over biometric data is performed at untrusted servers. In previous work of privacy-preserving face recognition, in order to protect individuals\' privacy, face recognition is performed over encrypted face images. However, these results increase the computation cost of the client and the face database owners, which may enable face recognition cannot be efficiently executed. Consequently, it would be desirable to reduce computation over sensitive biometric data in such environments. Currently, no secure techniques for outsourcing face biometric recognition is readily available. In this paper, we propose a privacy-preserving face recognition protocol with outsourced computation for the first time, which efficiently protects individuals\' privacy. Our protocol substantially improves the previous works in terms of the online computation cost by outsourcing large computation task to a cloud server who has large computing power. In particular, the overall online computation cost of the client and the database owner in our protocol is at most 1/2 of the corresponding protocol in the state of the art algorithms. In addition, the client requires the decryption operations with only $O(1)$ independent of $M$, where $M$ is the size of the face database. Furthermore, the client can verify the correction of the recognition result.

07:17 [Pub][ePrint] Jackpot Stealing Information From Large Caches via Huge Pages, by Gorka Irazoqui and Thomas Eisenbarth and Berk Sunar

  The cloud computing infrastructure relies on virtualized servers that provide isolation across guest OS\'s through sandboxing. This isolation was demonstrated to be imperfect in past work whichexploited hardware level information leakages to gain access to sensitive information across co-locatedvirtual machines (VMs). In response virtualization companies and cloud services providers have disabled features such as deduplication to prevent such attacks.

In this work, we introduce a ne-grain cross-core cache attack that exploits access time variations on the last level cache. The attack exploits huge pages to work across VM boundaries without requiring

deduplication. No conguration changes on the victim OS are needed, making the attack quite viable. Furthermore, only machine co-location is required, while the target and victim OS can still reside on

diferent cores of the machine. Our new attack is a variation of the prime and probe cache attack whose applicability at the time is limited to L1 cache. In contrast, our attack works in the spirit of the flush and reload attack targeting the shared L3 cache instead. Indeed, by adjusting the huge page size our attack can be customized to work virtually at any cache level/size. We demonstrate the viability of the attack by targeting an OpenSSL1.0.1f implementation of AES. The attack recovers AES keys in the cross-VM setting on Xen 4.1 with deduplication disabled, being only slightly less ecient than the flush and reload attack. Given that huge pages are a standard feature enabled in the memory management unit of OS\'s and that besides co-location no additional assumptions are needed, the attack we present poses a signicant risk to existing cloud servers.

07:17 [Pub][ePrint] Key recovery attacks on Grain family using BSW sampling and certain weaknesses of the filtering function, by Y. Wei and E. Pasalic and F. Zhang and W. Wu

  A novel internal state recovery attack on the whole Grain family of ciphers is proposed in this work. It basically uses the ideas of BSW sampling along with employing a weak placement of the tap positions of the driving LFSRs. The currently best known complexity trade-offs are obtained, and due to the structure of Grain family these attacks are also key recovery attacks. It is shown that the internal state of Grain-v1 can be recovered with the time complexity of about $2^{66}$ operations using a memory of about $2^{58.91}$ bits, assuming availability of $2^{45}$ keystream sequences each of length $2^{49}$ bits generated for different initial values. Moreover, for Grain-128 or Grain-128a, the attack requires about $2^{105}$ operations using a memory of about $2^{82.59}$ bits, assuming availability of $2^{75}$ keystream sequences each of length $2^{76}$ bits generated for different initial values. These results further show that the whole Grain family, due to the choice of tap positions mainly, does not provide enough security margins against internal state recovery attacks. A simple modification of the selection of the tap positions, as a countermeasure against the attacks described here, is given.