International Association for Cryptologic Research

IACR News Central


19:17 [Pub][ePrint] Cryptanalysis of Ascon, by Christoph Dobraunig and Maria Eichlseder and Florian Mendel and Martin Schläffer

We present a detailed security analysis of the CAESAR candidate Ascon. Amongst others, cube-like, differential and linear cryptanalysis are used to evaluate the security of Ascon. Our results are practical key-recovery attacks on round-reduced versions of Ascon-128, where the initialization is reduced to 5 out of 12 rounds. Theoretical key-recovery attacks are possible for up to 6 rounds of initialization. Moreover, we present a practical forgery attack for 3 rounds of the finalization, a theoretical forgery attack for 4 rounds finalization and zero-sum distinguishers for the full 12-round Ascon permutation. Besides, we present the first results regarding linear cryptanalysis of Ascon, improve upon the results of the design document regarding differential cryptanalysis, and prove bounds on the minimum number of (linearly and differentially) active S-boxes for the Ascon permutation.

19:17 [Pub][ePrint] Tight Parallel Repetition Theorems for Public-Coin Arguments using KL-divergence, by Kai-Min Chung and Rafael Pass

We present a new and conceptually simpler proof of a tight parallel-repetition theorem for public-coin arguments (Pass-Venkitasubramaniam, STOC'07, Hastad et al., TCC'10, Chung-Liu, TCC'10). We follow the same proof framework as the previous non-tight parallel-repetition theorem of Hastad et al.---which relied on *statistical distance* to measure the distance between experiments---and show that it can be made tight (and further simplified) if instead relying on *KL-divergence* as the distance between the experiments.

We then show that our proof technique directly yields tight "Chernoff-type" parallel-repetition theorems (where one considers a "threshold" verifier that accepts iff the prover manages to convince a certain fraction of the parallel verifiers, as opposed to all of them) for any public-coin interactive argument; previously, tight results were only known for either constant-round protocols, or when the gap between the threshold and the original error-probability is a constant.

19:17 [Pub][ePrint] Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions Or: How to Secretly Embed a Circuit in Your PRF, by Zvika Brakerski and Vinod Vaikuntanathan

Boneh et al. (Crypto 13) and Banerjee and Peikert (Crypto 14) constructed pseudorandom functions (PRFs) from the Learning with Errors (LWE) assumption by embedding combinatorial objects, a path and a tree respectively, in instances of the LWE problem. In this work, we show how to generalize this approach to embed circuits, inspired by recent progress in the study of Attribute Based Encryption.

Embedding a universal circuit for some class of functions allows us to produce constrained keys for functions in this class, which gives us the first standard-lattice-assumption-based constrained PRF (CPRF) for general bounded-description bounded-depth functions, for arbitrary polynomial bounds on the description size and the depth. (A constrained key w.r.t. a circuit $C$ enables one to evaluate the PRF on all $x$ for which $C(x)=1$, but reveals nothing about the PRF values at other points.) We rely on the LWE assumption and on the one-dimensional SIS (Short Integer Solution) assumption, which are both related to the worst case hardness of general lattice problems. Previous constructions for similar function classes relied on such exotic assumptions as the existence of multilinear maps or secure program obfuscation. The main drawback of our construction is that it does not allow collusion (i.e. to provide more than a single constrained key to an adversary).

Similarly to the aforementioned previous works, our PRF family is also key homomorphic.

Interestingly, our constrained keys are very short. Their length does not depend directly either on the size of the constraint circuit or on the input length.

We are not aware of any prior construction achieving this property, even relying on strong assumptions such as indistinguishability obfuscation.

03:30 [Job][New] Post-Doc, Ph.D. student, University of Massachusetts Amherst

For two NSF projects in the area of hardware Trojans we are looking for post-docs and Ph.D. students who are interested in research that bridges applied cryptography and modern hardware design. Both projects are very exciting and cutting-edge. We are looking for candidates who have previous experience in one of the two areas:

Topic Area 1) Applied cryptography, hardware security, implementation attacks

Topic Area 2) VLSI design, FPGA design, circuit design, embedded systems

Candidates for the post-doc position should have a strong publication record in the leading cryptography conferences (Topic Area 1) or leading computer engineering journals (Topic Area 2). Candidates for the Ph.D. position should have BS and MS degrees with excellent grades, relevant course work and some initial experience in one of the topic areas, either through MS-level research or industry.

The candidates should be open to work in an interdisciplinary fashion, i.e., to conduct high-quality research that bridges applied cryptography and modern hardware design. They will collaborate with Christof Paar (applied cryptography, on leave from the Univ. of Bochum) as well as Sandip Kundu and Russ Tessier (both computer engineering) at UMass Amherst. It is expected that the candidates also interact with researchers at the University of Bochum.

Sound interesting? Please send your resume (CV, transcript of records) and the names/email addresses of two people who can provide references.

11:58 [Event][New] SPRO 2015: International Workshop on Software Protection

Submission: 23 January 2015
Notification: 18 February 2015
From May 19 to May 19
Location: Florence, Italy

11:56 [Job][New] Ph.D in Information Security, University of Surrey, Guildford (UK)

The Department of Computing at the University of Surrey seeks to recruit a motivated doctoral student to work in the area of Information Security.

The studentship is for three years and includes a stipend of £16,000 per year and tuition fees, and is available to students of UK/EU residency.

The successful candidate will participate in the Formal Methods and Security group, will work in an exciting international environment and will have the opportunity to participate in the development of the recently launched Surrey Centre for Cyber Security.

The main tasks of the Ph.D. student will be to develop state-of-the-art techniques for the security analysis of real world protocols. In particular, he/she will work in one of the following areas:

- Formal methods applied to security protocols;

- Applied Cryptography and Provable Security.

The position will remain open until a suitable candidate is found so there is no fixed closing date for applications.

10:17 [Pub][ePrint] Cryptanalysis of a (Somewhat) Additively Homomorphic Encryption Scheme Used in PIR, by Tancrède Lepoint and Mehdi Tibouchi

Private Information Retrieval (PIR) protects users' privacy in outsourced storage applications and can be achieved using additively homomorphic encryption schemes. Several PIR schemes with a "real world" level of practicality, both in terms of computational and communication complexity, have been recently studied and implemented. One of the possible building blocks is a conceptually simple and computationally efficient protocol proposed by Trostle and Parrish at ISC 2010, that relies on an underlying secret-key (somewhat) additively homomorphic encryption scheme, and has been reused in numerous subsequent works in the PIR community (PETS 2012, FC 2013, NDSS 2014, etc.).

In this paper, we show that this encryption scheme is not one-way: we present an attack that decrypts arbitrary ciphertexts without the secret key, and is quite efficient: it amounts to applying the LLL algorithm twice on small matrices. Used against existing practical instantiations of PIR protocols, it allows the server to recover the users' access pattern in a matter of seconds.

10:17 [Pub][ePrint] Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification, by Nico Döttling

Cryptography based on the Learning Parity with Noise (LPN) problem has several very desirable aspects: low computational overhead, simple implementation and conjectured post-quantum hardness. Choosing the LPN noise parameter sufficiently low allows for public key cryptography. In this work, we construct the first standard model public key encryption scheme with key dependent message security based solely on the low noise LPN problem. Additionally, we establish a new connection between LPN with a bounded number of samples and LPN with an unbounded number of samples. In essence, we show that if LPN with a small error and a small number of samples is hard, then LPN with a slightly larger error and an unbounded number of samples is also hard. The key technical ingredient to establish both results is a variant of the LPN problem called the extended LPN problem.

10:17 [Pub][ePrint] Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based, by San Ling and Khoa Nguyen and Huaxiong Wang

We introduce a lattice-based group signature scheme that provides several noticeable improvements over the contemporary ones: simpler construction, weaker hardness assumptions, and shorter sizes of keys and signatures. Moreover, our scheme can be transformed into the ring setting, resulting in a scheme based on ideal lattices, in which the public key and signature both have bit-size soft-O(n log N), for security parameter n, and for a group of N users. Towards our goal, we construct a new lattice-based cryptographic tool: a statistical zero-knowledge argument of knowledge of a valid message-signature pair for Boyen's signature scheme (Boyen, PKC'10), which potentially can be used as the building block to design various privacy-enhancing cryptographic constructions.

10:17 [Pub][ePrint] One-Round Key Exchange with Strong Security: An Efficient and Generic Construction in the Standard Model, by Florian Bergsma, Tibor Jager, Jörg Schwenk

One-round authenticated key exchange (ORKE) is an established research area, with many prominent protocol constructions like HMQV (Krawczyk, CRYPTO 2005) and NAXOS (LaMacchia et al., ProvSec 2007), and many slightly different, strong security models. Most constructions combine ephemeral and static Diffie-Hellman Key Exchange (DHKE), in a manner often closely tied to the underlying security model.

We give a generic construction of ORKE protocols from general assumptions, with security in the standard model, and in a strong security model where the attacker is even allowed to learn the randomness or the long-term secret of either party in the target session. The only restriction is that the attacker must not learn both the randomness and the long-term secret of one party of the target session, since this would allow him to recompute all internal states of this party, including the session key.

This is the first such construction that does not rely on random oracles.

The construction is intuitive, relatively simple, and efficient. It uses only standard primitives, namely non-interactive key exchange, a digital signature scheme, and a pseudorandom function, with standard security properties, as building blocks.

10:17 [Pub][ePrint] Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption, by Yannis Rouselakis and Brent Waters

We propose an efficient large-universe multi-authority ciphertext-policy attribute-based encryption system. In a large-universe ABE scheme, any string can be used as an attribute of the system, and these attributes are not necessarily enumerated during setup. In a multi-authority ABE scheme, there is no central authority that distributes the keys to users. Instead, there are several authorities, each of which is responsible for the authorized key distribution of a specific set of attributes. Prior to our work, several schemes have been presented that satisfy one of these two properties but not both.

Our construction achieves maximum versatility by allowing multiple authorities to control the key distribution for an exponential number of attributes. In addition, the ciphertext policies of our system are sufficiently expressive and overcome the restriction that "each attribute is used only once" that constrained previous constructions. Besides versatility, another goal of our work is to increase efficiency and practicality. As a result, we use the significantly faster prime order bilinear groups rather than composite order groups. The construction is non-adaptively secure in the random oracle model under a non-interactive q-type assumption, similar to one used in prior works. Our work extends existing "program-and-cancel" techniques to prove security and introduces two new techniques of independent interest for other ABE constructions. We provide an implementation and some benchmarks of our construction in Charm, a programming framework developed for rapid prototyping of cryptographic primitives.