International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

18:17 [Pub][ePrint] Smart Security Management in Secure Devices, by Bruno Robisson, Michel Agoyan, Patrick Soquet, S\\\'ebastien Le Henaff, Franck Wajsb\\\"urt, Pirouz Bazargan-Sabet, Guillaume Phan

  Among other threats, secure components are subjected to physical attacks whose aim is to recover the secret information they store. Most of the work carried out to protect these components generally consists in developing protections (or countermeasures) taken one by one. But this ``countermeasure-centered\'\' approach drastically decreases the performance of the chip in terms of power, speed and availability. In order to overcome this limitation, we propose a complementary approach: smart dynamic management of the whole set of countermeasures embedded in the component. Two main specifications for such management are required in a real world application (for example, a conditional access system for Pay-TV): it has to provide capabilities for the chip to distinguish between attacks and normal use cases (without the help of a human being and in a robust but versatile way); it also has to be based on mechanisms which dynamically find a trade-off between security and performance.

In this article, a prototype which enables such security management is described. The solution is based on a double-processor architecture: one processor embeds a representative set of countermeasures (and mechanisms to define their parameters) and executes the application code. The second processor, on the same chip, applies a given security strategy, but without requesting sensitive data from the first processor. The chosen strategy is based on fuzzy logic reasoning to enable the designer to describe, using a fairly simple formalism, both the attack paths and the normal use cases. A proof of concept has been proposed for the smart card part of a conditional access for Pay-TV, but it could easily be fine-tuned for other applications.

18:17 [Pub][ePrint] Privacy-preserving Frequent Itemset Mining for Sparse and Dense Data, by Peeter Laud and Alisa Pankova

  Frequent itemset mining is a task that can in turn be used for other purposes such as associative rule mining. One problem is that the data may be sensitive, and its owner may refuse to give it for analysis in plaintext. There exist many privacy-preserving solutions for frequent itemset mining, but in any case enhancing the privacy inevitably spoils the efficiency. Leaking some less sensitive information such as data density might improve the efficiency. In this paper, we devise an approach that works better for sparse matrices and compare it to the related work that uses similar security requirements on similar secure multiparty computation platform.

18:17 [Pub][ePrint] Function-Hiding Inner Product Encryption, by Allison Bishop and Abhishek Jain and Lucas Kowalczyk

  We extend the reach of functional encryption schemes that are provably secure under simple assumptions against unbounded collusion to include function-hiding inner product schemes. Our scheme is a private key functional encryption scheme, where ciphertexts correspond to vectors $\\vec{x}$, secret keys correspond to vectors $\\vec{y}$, and a decryptor learns $\\langle \\vec{x}, \\vec{y} \\rangle$. Our scheme employs asymmetric bilinear maps and relies only on the SXDH assumption to satisfy a natural indistinguishability-based security notion where arbitrarily many key and ciphertext vectors can be simultaneously changed as long as the key-ciphertext dot product relationships are all preserved.

18:17 [Pub][ePrint] Decaf: Eliminating cofactors through point compression, by Mike Hamburg

  We propose a new unified point compression format for Edwards, Twisted Edwards and Montgomery curves over large-characteristic fields, which effectively divides the curve\'s cofactor by 4 at very little cost to performance. This allows cofactor-4 curves to efficiently implement prime-order groups.

18:17 [Pub][ePrint] Preprocessing-Based Verification of Multiparty Protocols with Honest Majority, by Peeter Laud and Alisa Pankova

  This paper presents a generic method for turning passively secure protocols into protocols secure against covert attacks, adding an offline preprocessing and a cheap post-execution verification phase. The execution phase, after which the computed result is already available to the parties, has only negligible overhead.

Our method uses shared verification based on precomputed multiplication triples. Such triples are often used to make the protocol execution itself faster, but in this work we make use of these triples especially for verification. The verification preserves the privacy guarantees of the original protocol, and it can be straightforwardly applied to protocols over finite rings, even if the same protocol performs its computation over several distinct rings at once.

18:17 [Pub][ePrint] Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts, by Ahmed Kosba and Andrew Miller and Elaine Shi and Zikai Wen and Charalampos Papamanthou

  Emerging smart contract systems over decentralized cryp-

tocurrencies allow mutually distrustful parties to transact

safely with each other without trusting a third-party inter-

mediary. In the event of contractual breaches or aborts, the

decentralized blockchain ensures that other honest parties

obtain commesurate remuneration. Existing systems, how-

ever, lack transactional privacy. All transactions, including

flow of money between pseudonyms and amount trasacted,

are exposed in the clear on the blockchain.

We present Hawk, a decentralized smart contract system

that does not store financial transactions in the clear on

the blockchain, thus retaining transactional privacy from the

public\'s view. A Hawk programmer can write a private smart

contract in an intuitive manner without having to implement

cryptography, and our compiler automatically generates an

efficient cryptographic protocol where contractual parties in-

teract with the blockchain, using cryptographic primitives

such as succint zero-knowledge proofs.

To formally define and reason about the security of our

protocols, we are the first to formalize the blockchain model

of secure computation. The formal modeling is of indepen-

dent interest. We advocate the community to adopt such a

formal model when designing interesting applications atop

decentralized blockchains.

18:17 [Pub][ePrint] Quantum Cryptanalysis of NTRU, by Scott Fluhrer

  This paper explores some attacks that someone with a Quantum Computer may be able to perform against NTRUEncrypt, and in particular NTRUEncrypt as implemented by the publicly available library from Security Innovation. We show four attacks that an attacker with a Quantum Computer might be able to perform against encryption performed by this library. Two of these attacks recover the private key from the public key with less effort than expected; in one case taking advantage of how the published library is implemented, and the other, an academic attack that works against four of the parameter sets defined for NTRUEncrypt. In addition, we also show two attacks that are able to recover plaintext from the ciphertext and public key with less than expected effort. This has potential implications on the use of NTRU within TOR, as suggested by Whyte and Schanck

18:17 [Pub][ePrint] EdDSA for more curves, by Daniel J. Bernstein and Simon Josefsson and Tanja Lange and Peter Schwabe and Bo-Yin Yang

  The original specification of EdDSA was suitable only for finite fields Fq with q mod 4 = 1. The main purpose of this document is to extend EdDSA to allow finite fields Fq with any odd q. This document also extends EdDSA to support prehashing, i.e., signing the hash of a message.

09:17 [Forum] [2015 Reports] Re: 2015/650 It looks like not secure by Oleksandr Kazymyrov

  It seems like a guessing. Do you have a formal prove of "... for each 8-bit word x of the state/input plaintext there is a mapping (although secret) to another word y of the ciphertext, independently from the adjacent words."? From: 2015-05-07 09:03:21 (UTC)

03:17 [Forum] [2015 Reports] 2015/650 It looks like not secure by movax

  I have had a brief look into that "new cipher", and it seems to me that it is weak. The reason is that for each 8-bit word x of the state/input plaintext there is a mapping (although secret) to another word y of the ciphertext, independently from the adjacent words. This is true if we remove the very first and the very last arithmetic addition modulo 2^64, and it is true for the full version with a very high probability (probability of the carry bit). The mapping x->y of each word can be seen as an S-box for that individual mapping, and it is constant for the same key/iv setup. After roughly 256+ known pairs plaintext-ciphertext the mapping is then revealed (even without having to derive the secret key, although this might also be possible with a little more thinking). From: 2015-05-07 00:27:07 (UTC)

18:42 [Job][New] Ph.D. student in Crypto-Finance, Cybersecurity and Privacy, University of Luxembourg

  The University of Luxembourg is offering a Ph.D. student position in one of the topics:

  • cryptofinance, cryptocurrencies
  • anonymity and privacy
  • cybersecurity

Applicants interested in symmetric cryptography, authenticated encryption will be also considered.


  • An M.Sc. in Computer Science or Applied Mathematics (some background in Economics/Finance is a plus)
  • GPA > 85%
  • Fluent written and verbal communication skills in English are mandatory.

We offer international research environment and competitive salary. The position is available from the 1-October 2015. Applications will be considered upon receipt, therefore applying before the deadline is encouraged.