International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

13:17 [Pub][ePrint] Self-bilinear Map on Unknown Order Groups from Indistinguishability Obfuscation and Its Applications, by Takashi Yamakawa and Shota Yamada and Goichiro Hanaoka and Noboru Kunihiro

  A self-bilinear map is a bilinear map where the domain and target groups are identical. In this paper, we introduce a self-bilinear map with auxiliary information which is a weaker variant of a self-bilinear map, construct it based on indistinguishability obfuscation and prove that a useful hardness assumption holds with respect to our construction under the factoring assumption. From our construction, we obtain a multilinear map with interesting properties: the level of multilinearity is not bounded in the setup phase, and representations of group elements are compact, i.e., their size is independent of the level of multilinearity. This is the first construction of a multilinear map with these properties. Note, however, that to evaluate the multilinear map, auxiliary information is required. As applications of our multilinear map, we construct multiparty non-interactive key-exchange and distributed broadcast encryption schemes where the maximum number of users is not fixed in the setup phase. Besides direct applications of our self-bilinear map, we show that our technique can also be used for constructing somewhat homomorphic encryption based on indistinguishability obfuscation and the Phi-hiding assumption.

13:17 [Pub][ePrint] Block-wise Non-Malleable Codes, by Nishanth Chandran and Vipul Goyal and Pratyay Mukherjee and Omkant Pandey and Jalaj Upadhyay

  Non-malleable codes, introduced by Dziembowski, Pietrzak, and Wichs (ICS \'10), provide the guarantee that if a codeword $c$ of a message $m$, is modified by a tampering function $f$ to $c\'$, then $c\'$ either decodes to $m$ or to ``something unrelated\" to $m$. It is known that non-malleable codes cannot exist for the class of all tampering functions and hence a lot of work has focused on explicitly constructing such codes against a large and natural class of tampering functions. One such popular, but restricted, class is the so-called \\emph{split-state} model in which the tampering function operates on different parts of the codeword \\emph{independently}.

In this work, we remove the above restriction by considering a stronger adversarial model that we call the {\\em block-wise tampering} model. In this model, the adversary can tamper every block of the codeword, with the only restriction being that he can tamper every block at most once. As an example, if a codeword $c = (c_1,c_2)$, then the first tampering function $f_1$ could produce a tampered part $c_1\'=f_1(c_1)$ and the second tampering function $f_2$ could produce $c_2\' = f_2(c_1,c_2)$ which can depend on {\\em both} $c_2$ and $c_1$. An example is when the blocks are being sent one by one and the adversary must temper and send the first block before the second block comes along.

- Surprisingly, defining non-malleability in the block-wise tampering model is challenging. Our first contribution is that of providing a relaxed, yet meaningful definition of non-malleability for this model. Unfortunately, we show, that even this notion is impossible to achieve in the information-theoretic setting (i.e., when the tampering functions can be unbounded) and we must turn our attention towards computationally bounded adversaries.

- Next, we provide an interesting connection between block-wise non-malleable codes and non-malleable commitments. We show that any block-wise non-malleable code can be converted into a non-malleable (wrt opening) commitment. In the other direction, we show that any non-interactive non-malleable (wrt opening) commitment can be used to construct a block-wise non-malleable code (with $2$ blocks).

- While the above transformation gives us a construction of a block-wise non-malleable code, it is based on the highly non-standard assumption of adaptive one-way functions (which can only be realized based on assumptions such as Oracle DDH). As our main result, we show, how to construct a block-wise non-malleable code from any sub-exponentially hard one-way permutations. Our techniques, quite surprisingly, also give rise to a non-malleable commitment scheme (secure against so-called synchronizing adversaries), in which {\\em only} the committer sends messages. We believe this result to be of independent interest.

17:15 [Job][New] Full-time PhD or Postdoc positions in the area of Wireless Sensor Networks (WSN) Security , University of Mannheim, Germany

  The positions is funded by the German Research Foundation (DFG) in the project WSNSec (Wireless Sensor Network Security), being a collaboration with Universtiy of Erlangen-Nuremberg.


This position ocuses on the theoretical aspects of WSNSec:

- Formalization of attacker models and security goals

- Cryptanalysis of existing cryptographic protocols

- Development of provably secure cryptographic protocols


The candidate should have the following qualifications:

• Master degree (or an equivalent degree) in Mathematics, Computer Science or a related discipline

• Experience in cryptography

• Knowledge in the modeling and formal analysis of cryptographic protocols is helpful, but not required

15:34 [Event][New] HSIPC'15: The Scientific World Journal: Special Issue on Physical Cryptanalysis

  Submission: 24 April 2015
Notification: 17 July 2015
From January 1 to September 11
More Information:

10:18 [Job][Update] Postdoc Positions in Cloud-Computing and Storage Security, IBM Research - Zurich

  Postdoc Positions in Cloud-Computing and Storage Security

The cloud storage and cloud solutions security research teams at IBM Research - Zurich are looking for outstanding researchers to strengthen their activities covering security mechanisms for storage systems and cloud computing. Topics include cryptographic schemes addressing privacy and authenticity, software-defined storage systems, and distributed secure protocols.

The successful candidate will hold a PhD in computer science or a related field, with an excellent record of publications and other accomplishments in the field. A good understanding of cryptographic techniques and a strong background in storage systems, file systems, databases, distributed systems and operating systems is beneficial. Candidates must have a strong desire and proven ability to conduct research independently, invent new ideas, implement them in real systems, and publish the results of their work.

The highly motivated, creative individual will join a multi-disciplinary research team to design and implement advanced mechanisms for protecting cloud computing and storage systems.

IBM is committed to diversity at the workplace. With us, you will find an open, multicultural environment. Excellent, flexible working arrangements enable both women and men to strike the desired balance between their professional development and their personal lives.

Multiple positions are available with starting dates in 2015. For obtaining more information about the topic, please contact: Dr. Christian Cachin and mention \\\"Cloud security position\\\" in the subject line.

There is no specific closing date, even though the form here asks for a date.

To apply, please send your CV including contact information for two references by email to: cloudsec (at)

IBM Research - Zurich

07:00 [Job][New] Ph.D., DOCOMO Communications Lab. Europe GmbH, Munich

  Designed and developed solutions that will allow for seamless multimedia service provisioning and transparently and securely using heterogeneous network technologies.

- Researched for various cryptographic algorithms.

- Recommended a combination of AES and RSA algorithms for encrypted data transmission between chat client peers of a secure chat communication over a messenger.

- Designed and implemented the cryptographic algorithm and the messenger prototype using Java platform.

- Made use of Java for developing the messenger GUI, event handling in GUI through implementing Interfaces, establishing connection between server and client.

04:17 [Pub][ePrint] Inner Product Masking Revisited, by Josep Balasch and Sebastian Faust and Benedikt Gierlichs

  Masking is a popular countermeasure against side channel attacks. Many practical works use Boolean masking because of its simplicity, ease of implementation and comparably low performance overhead. Some recent works have explored masking schemes with higher algebraic complexity and have shown that they provide more security than Boolean masking at the cost of higher overheads. In particular, masking based on the inner product was shown to be practical, albeit not efficient, for a small security parameter, and at the same time provable secure in the domain of leakage resilient cryptography for a large security parameter. In this work we explore a security versus efficiency tradeoff and provide an improved and tweaked inner product masking. Our practical security evaluation shows that it is less secure than the original inner product masking but more secure than Boolean masking. Our performance evaluation shows that our scheme is only four times slower than Boolean masking and more than two times faster than the original inner product masking. Besides the practical security analysis we prove the security of our scheme and its masked operations in the threshold probing model.

04:17 [Pub][ePrint] Provably weak instances of Ring-LWE, by Yara Elias and Kristin E. Lauter and Ekin Ozman and Katherine E. Stange

  The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been proposed as hard problems to form the basis for cryptosystems, and various security reductions to hard lattice problems have been presented. So far these problems have been stated for general (number) rings but have only been closely examined for cyclotomic number rings. In this paper, we state and examine the Ring-LWE problem for general number rings and demonstrate provably weak instances of Ring-LWE. We construct an explicit family of number fields for which we have an efficient attack. We demonstrate the attack in both theory and practice, providing code and running times for the attack. The attack runs in time linear in q, where q is the modulus.

Our attack is based on the attack on Poly-LWE which was presented in [EHL]. We extend the EHL-attack to apply to a larger class of number fields, and show how it applies to attack Ring-LWE for a heuristically large class of fields. Certain Ring-LWE instances can be transformed into Poly-LWE instances without distorting the error too much, and thus provide the first weak instances of the Ring-LWE problem. We also provide additional examples of fields which are vulnerable to our attacks on Poly-LWE, including power-of-2 cyclotomic fields, presented using the minimal polynomial of $\\zeta_{2^n} \\pm 1$.

04:17 [Pub][ePrint] Dynamic Searchable Symmetric Encryption with Minimal Leakage and Efficient Updates on Commodity Hardware, by Attila A. Yavuz and Jorge Guajardo

  Dynamic Searchable Symmetric Encryption (DSSE) enables a client to perform keyword queries and update operations on the encrypted file collections. DSSE has several important applications such as

privacy-preserving data outsourcing for computing clouds. In this paper, we developed a new parallelizable DSSE scheme that achieves the highest privacy among all compared alternatives with low information leakage, non-interactive and efficient updates, compact client storage, low server storage for large file-keyword pairs with an easy design and implementation. Our scheme achieves these desirable properties with a very simple data structure (i.e., a bit matrix supported with two static hash tables) that enables efficient yet secure search/update operations on it. We formally prove that our scheme is secure (in random oracle model) and demonstrated that it is fully practical with large number of file-keyword pairs even with an implementation on simple hardware configurations.

04:17 [Pub][ePrint] TRACING ATTACKS ON U-PROVE WITH REVOCATION MECHANISM, by Lucjan Hanzlik and Przemys{\\l}aw Kubiak and Miros{\\l}aw Kuty{\\l}owski

  Anonymous credential systems have to provide strong privacy protection. A user presenting anonymous credentials may prove his (chosen) attributes without leaking informations about his identity. In this paper we consider U-Prove -- one of the major commercial anonymous credential systems.

We show that the efficient revocation mechanism designed for U-Prove enables a system provider to efficiently trace the users\' activities. Namely, the Revocation Authority run the system provider may execute the U-Prove protocol in a malicious way so that:

(a) the deviations from the protocol remain undetected,

(b) the Revocation Authority becomes aware of each single authentication of a user in the whole system and can link them (regardless which attributes are disclosed by the user against the verifiers),

(c) can link presentation tokens with the corresponding token issuing procedure (under some conditions).

Thereby, the system described in the technical drafts of U-Prove does not protect privacy of a user unless one can unconditionally trust the system provider. In fact, a malicious system provider may convert the Revocation Authority into a ``Big Brother\'\' installation.

04:17 [Pub][ePrint] sHMQV: An Efficient Key Exchange Protocol for Power-limited Devices, by Shijun Zhao and Qianying Zhang

  In this paper we focus on designing authenticated key exchange protocols for practical scenarios where the party consists of a powerful but untrusted host (e.g., PC, mobile phone, etc) and a power-limited but trusted device (e.g., Trusted Platform Module, Mobile Trusted Module, Smart Card, etc). HMQV and (s,r)OAKE protocols are the state-of-the-art in the integrity of security and efficiency. However, we find that they are not suitable for the above scenarios as all (or part) of the online exponentiation computations must be performed in the power-limited trusted devices, which makes them inefficient for the deployment in practice.

To overcome the above inefficiency, we propose a variant of HMQV protocol, denoted sHMQV, under some new design rationales which bring the following advantages: 1) eliminating the validation of the ephemeral public keys, which costs one exponentiation; 2) the power-limited trusted device only performs one exponentiation, which can be pre-computed offline; 3) all the online exponentiation computations can be performed in the powerful host. The above advantages make sHMQV enjoy better performance than HMQV and (s,r)OAKE, especially when deployed in the scenarios considered in this paper. We finally formally prove the security of sHMQV in the CK model.