International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

00:17 [Pub][ePrint] Authenticated Key Exchange over Bitcoin, by Patrick McCorry and Siamak F. Shahandashti and Dylan Clarke and Feng Hao

  Bitcoin is designed to protect user anonymity (or pseudonymity) in a financial transaction, and has been increasingly adopted by major e-commerce websites such as Dell, Payal and Expedia. While the anonymity of Bitcoin transactions has been extensively studied, little attention has been paid to the security of post-transaction correspondence. In a commercial application, the merchant and the user often need to engage in follow-up correspondence after a Bitcoin transaction is completed, e.g., to acknowledge the receipt of payment, to confirm the billing address, to arrange the product delivery, to discuss refund and so on. Currently, such follow-up correspondence is typically done in plaintext via email with no guarantee on confidentiality. Obviously, leakage of sensitive data from the correspondence (e.g., billing address) can trivially compromise the anonymity of Bitcoin users. In this paper, we initiate the first study on how to realise end-to-end secure communication between Bitcoin users in a post-transaction scenario without requiring any trusted third party or additional authentication credentials. We first point out that none of the existing PKI-based or password-based AKE schemes are suitable for the purpose. Instead, our idea is to leverage the Bitcoin\'s append-only ledger as an additional layer of authentication between previously confirmed transactions. This naturally leads to a new category of AKE protocols that bootstrap trust entirely from the block chain. We call this new category ``Bitcoin-based AKE\'\' and present two concrete protocols: one is non-interactive with no forward secrecy, while the other is interactive with additional guarantee of forward secrecy. Finally, we present proof-of-concept prototypes for both protocols with experimental results to demonstrate their practical feasibility.

00:17 [Pub][ePrint] TinyLEGO: An Interactive Garbling Scheme for Maliciously Secure Two-party Computation, by Tore Kasper Frederiksen and Thomas P. Jakobsen and Jesper Buus Nielsen and Roberto Trifiletti

  This paper reports on a number of conceptual and technical contributions to the currently very lively field of two-party computation (2PC) based on garbled circuits. Our main contributions are as follows:

1. We propose a notion of an interactive garbling scheme, where the garbled circuit is

generated as an interactive protocol between the garbler and the evaluator. The garbled circuit is correct and privacy preserving even if one of the two parties was acting maliciously during garbling. The security notion is game based.

2. We show that an interactive garbling scheme combined with a Universally Composable (UC) secure oblivious transfer protocol can be used in a black-box manner to implement two-party computation (2PC) UC securely against a static and malicious adversary. The protocol abstracts many recent protocols for implementing 2PC from garbled circuits and will allow future designers of interactive garbling schemes to prove security with the simple game based definitions, as opposed to directly proving UC security for each new scheme.

3. We propose a new instantiation of interactive garbling by designing a new protocol in the LEGO family of protocols for efficient garbling against a malicious adversary. The new protocol is based on several new technical contributions and many optimizations, including a highly efficient UC commitment scheme. A theoretical evaluation of the efficiency shows that the instantiation is one to two orders of magnitude faster than the previously most efficient LEGO protocol and that it in general compares favorably to all existing garbling-based 2PC protocols for malicious adversaries.

00:17 [Pub][ePrint] New algorithm for the discrete logarithm problem on elliptic curves, by Igor Semaev

  A new algorithms for computing discrete logarithms on elliptic curves defined over finite fields is suggested. It is based on a new method to find zeroes of summation polynomials. In binary elliptic curves one is to solve a cubic system of Boolean equations. Under a first fall degree assumption

the regularity degree of the system is at most $4$. Extensive experimental data which supports the assumption is provided. An heuristic analysis suggests a new asymptotical complexity bound $2^{c\\sqrt{n\\ln n}}, c\\approx 1.69$ for computing discrete logarithms on an elliptic curve over a field of size $2^n$. For several binary elliptic curves recommended by FIPS the new method performs better than Pollard\'s.

00:17 [Pub][ePrint] Tagged One-Time Signatures: Tight Security and Optimal Tag Size, by Masayuki Abe and Bernardo David and Markulf Kohlweiss and Ryo Nishimaki and Miyako Ohkubo

  We present an efficient structure-preserving tagged one-time signature scheme with tight security reductions to the decision-linear assumption.

Our scheme features short tags consisting of a single group element and

gives rise to the currently most efficient structure-preserving signature scheme based on the decision-liner assumption with constant-size signatures of only 14 group elements, where the record-so-far was 17 elements.

To demonstrate the advantages of our scheme, we revisit the work by Hofheinz and Jager (CRYPTO 2012) and present the currently most efficient tightly secure public-key encryption scheme. We also obtain the first structure-preserving public-key encryption scheme featuring both tight security and public verifiability.

00:17 [Pub][ePrint] Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks, by Pierre-Alain Fouque and Thomas Vannet

  Dinur and Shamir have described cube attacks at EUROCRYPT \'09 and they have shown how efficient they are on the stream cipher Trivium up to 767 rounds. These attacks have been extended to distinguishers but since this seminal work, no better results on the complexity of key recovery attacks on Trivium have been presented. It appears that the time complexity to compute cubes is expensive and the discovery of linear superpoly also requires the computation of many cubes. In this paper, we increase the number of attacked initialization rounds by improving the time complexity of computing cube and we show attacks that go beyond this bound. We were able to find linear superpoly up to 784 rounds, which leads to an attack requiring $2^{39}$ queries. Using quadratic superpoly, we were also able to provide another attack up to 799 rounds which complexity is $2^{40}$ queries and $2^{62}$ for the exhaustive search part. To achieve such results, we find a way to reduce the density of the polynomials, we look for quadratic relations and we extensively use the Moebius transform to speed up computations for various purposes.

00:17 [Pub][ePrint] Recovering Short Generators of Principal Ideals in Cyclotomic Rings, by Ronald Cramer and Léo Ducas and Chris Peikert and Oded Regev

  A handful of recent cryptographic proposals rely on the conjectured hardness of the following problem in the ring of integers of a cyclotomic number field: given a basis of an ideal that is guaranteed to have a \"rather short\" generator, find such a generator. In the past year, Bernstein and Campbell-Groves-Shepherd have sketched potential attacks against this problem. Most notably, the latter authors claimed a quantum polynomial-time algorithm (alternatively, replacing the quantum component with an algorithm of Biasse and Fieker would yield a classical subexponential-time algorithm). A key claim of Campbell et al. is that one step of their algorithm--namely, decoding the log-unit lattice of the ring to recover a short generator from an arbitrary one--is efficient (whereas the standard approach takes exponential time). However, very few convincing details were provided to substantiate this claim, and as a result it has met with some skepticism.

In this work, we remedy the situation by giving a rigorous theoretical and practical confirmation that the log-unit lattice is indeed efficiently decodable, in cyclotomics of prime-power index. The proof consists of two main technical contributions: the first is a geometrical analysis, using tools from analytic number theory, of the canonical generators of the group of cyclotomic units. The second shows that for a wide class of typical distributions of the short generator, a standard lattice-decoding algorithm can recover it, given any generator.

18:41 [Job][New] Assistant/Associate Professor, Innopolis University, Kazan, Russian Federation

  Innopolis University (Kazan, Russia), the first Russian university focused on information technology, is seeking highly qualified faculty members for the Department of Computer Science. Recruited faculty members will deliver undergraduate and graduate programs to high quality Russian students, who have strong preparation in math and science. Future faculty members will also be responsible for building and leading research groups. The initial appointment is a 5-year contract, which is renewed every 2 years on a rolling basis with expectation for tenure. Senior academics are invited to spend a sabbatical leave at Innopolis University on negotiable conditions.

Applicants of all ranks specializing in computer science, and particularly in information security systems, and game development and entertainment are encouraged to apply.

Successful candidates must have academic qualifications at doctoral level from an internationally recognized educational and research institution, excellent English communication skills (all instruction at IU is in English), and a proven research track record.

Innopolis University offers a competitive salary and an attractive benefits package including paid vacation, housing allowance (based on the rank and family size), relocation allowance, home leave travel (twice per year), paid health care coverage, educational allowance for dependent children, and Russian language classes allowance.

The start-up package will include funding for two PhD students and additional discretionary funds for research.

For more information about the position and how to apply, please go to

18:40 [Event][New] WISA'15: The 16th International Workshop on Information Security Applications

  Submission: 20 June 2015
Notification: 25 July 2015
From August 20 to August 22
Location: Jeju Island, Korea
More Information:

18:39 [Event][New] MIST'15: The 7th ACM CCS International Workshop on Managing Insider Security Threats

  Submission: 8 June 2015
Notification: 19 July 2015
From October 12 to October 16
Location: Denver, USA
More Information:

18:38 [Event][New] Cryptology2016: 5th International Cryptology and Information Security Conference 2016

  Submission: 15 December 2015
Notification: 15 March 2016
From May 31 to June 2
Location: Kota Kinabalu, Sabah, Malaysia
More Information:

17:10 [News] 2015 IACR Fellows announced


The IACR has selected 6 new members to be recognized as Fellows of the IACR. The 2015 Fellows are (in alphabetical order):

  • Ernie Brickell, for founding the Journal of Cryptology, for industrial implementations supporting privacy, and for contributions to secret sharing, attestation, and the cryptanalysis of knapsack-based cryptosystems.
  • Joe Kilian, for ingenious contributions to areas including primality testing, secure computation, oblivious transfer, interactive proofs, zero knowledge, and watermarking.
  • Kaisa Nyberg, for fundamental contributions to the design and analysis of block ciphers, for contributions to mobile phone security, and for service to the IACR.
  • Tatsuaki Okamoto, for theoretical and practical contributions to areas including encryption, signatures, identification, elliptic-curve cryptosystems, zero knowledge, and electronic cash, and for service to the IACR.
  • Bart Preneel, for outstanding service to the IACR, for numerous research contributions, for sustained educational leadership, and for effectively leading the European cryptologic research community.
  • Tal Rabin, for contributions to the theory of multiparty computation, encryption, and signatures, and for leadership on cryptographic research within industry.

In 2004, the IACR established the IACR Fellows Program to recognize outstanding IACR members for technical and professional contributions that:

  • Advance the science, technology, and practice of cryptology and related fields;
  • Promote the free exchange of ideas and information about cryptology and related fields;
  • Develop and maintain the professional skill and integrity of individuals in the cryptologic community;
  • Advance the standing of the cryptologic community in the wider scientific and technical world and promote fruitful relationships between the IACR and other scientific and technical organizations.
In general, two broad categories of accomplishment will be considered: technical contributions and distinguished service to the cryptologic community. Fellows are expected to be "model citizens" of the cryptologic community, and thus most of them will have demonstrated sustained and significant accomplishment in both categories, but a very small number may be chosen for unique and crucial accomplishment in one category only.

More information about the Fellows program, including the list of all Fellows, can be found at