International Association for Cryptologic Research

IACR News Central


15:12 [Job][New] Research Scientist / Senior Researcher, NEC Laboratories Europe, Heidelberg, Germany

This position in the Laboratories' Security Group involves research in the areas of Cloud Security, Device Security, SDN Security and Software Security. Our work ranges from foundational research and IPR creation to prototype development for transfer to NEC products and services.

Applicants are sought with an in-depth understanding in at least two of the following areas:

• Security technologies and protocols, including applied cryptography and privacy enhancing technologies
• Distributed systems and protocols, especially secure management of distributed resources, e.g. IoT devices, software, services and data
• Operating system internals and software development, including experience with programming languages such as Java, Scala or C/C++

We are looking for individuals with excellent research skills and a passion to create new technologies. We expect that the applicant holds a master’s or doctorate degree with several years of professional experience in research and development in the security area, and has an excellent publication track record. The applicant should also have a very good background in Computer Science.

15:12 [Job][New] PhD Position in Side-Channel Analysis and Secure Implementation, Worcester Polytechnic Institute, USA

I am looking for highly motivated and qualified candidates to fill two PhD positions for research in applied cryptography and side-channel analysis. Topics include:

• Side-channel analysis and countermeasures
• Cache-based cross-VM attacks; analysis and countermeasures
• Secure and efficient cryptographic implementations

Candidates should have a degree in electronics, computer science or applied mathematics with a strong interest in algorithms and signal processing. Prior experience in side-channel analysis and embedded software or hardware design is an asset.

We offer a competitive salary and an international cutting-edge research program in an attractive working environment. WPI is a highly-ranked research university in the Boston area, and offers the opportunity to collaborate with world-class faculty and students in a collegial environment. We maintain close connections with surrounding universities and private companies.

17:43 [News] IACR Response to Australia's Defence Trade Controls Act


Dear IACR members,

The Australian government has recently enacted its Defence Trade Controls Act (DTCA) which places export controls on cryptographic technologies. As it contains no exemption for ordinary research & teaching, the act apparently criminalizes the scholarly activities of our Australian colleagues.

The IACR has drafted a petition in response to this legislation. If you are an IACR member, we encourage you to add your signature. With enough support, we hope to contribute to an improvement of the situation in Australia.

As this is the first petition hosted by the IACR, we welcome your feedback. Please send comments to

00:17 [Forum] [2015 Reports] Re: 2015/650 It looks like not secure by movax

Hello Roman Oliynykov and others, I have double-checked my concerns, and I have to confess that you are right and I was wrong. Indeed, the linear transformation is not per-word, as it seemed to me from the brief look, but per-column. However, how did you create your S-boxes? From: 2015-05-07 21:41:08 (UTC)

18:17 [Pub][ePrint] Secure Multi-Party Shuffling, by Mahnush Movahedi and Jared Saia and Mahdi Zamani

In secure multi-party shuffling, multiple parties, each holding an input, want to agree on a random permutation of their inputs while keeping the permutation secret. This problem is important as a primitive in many privacy-preserving applications such as anonymous communication, location-based services, and electronic voting.

Known techniques for solving this problem suffer from poor scalability, load-balancing issues, trusted party assumptions, and/or weak security guarantees.

In this paper, we propose an unconditionally-secure protocol for multi-party shuffling that scales well with the number of parties and is load-balanced. In particular, we require each party to send only a polylogarithmic number of bits and perform a polylogarithmic number of operations while incurring only a logarithmic round complexity. We show security under universal composability against up to about n/3 fully-malicious parties. We also provide simulation results showing that our protocol improves significantly over previous work. For example, for one million parties, when compared to the state of the art, our protocol reduces the communication and computation costs by at least three orders of magnitude and slightly decreases the number of communication rounds.

18:17 [Pub][ePrint] Communication Complexity of Conditional Disclosure of Secrets and Attribute-Based Encryption., by Romain Gay and Iordanis Kerenidis and Hoeteck Wee

We initiate a systematic treatment of the communication complexity of conditional disclosure of secrets (CDS), where two parties want to disclose a secret to a third party if and only if their respective inputs satisfy some predicate. We present a general upper bound and the first non-trivial lower bounds for conditional disclosure of secrets. Moreover, we achieve tight lower bounds for many interesting settings of parameters for CDS with linear reconstruction, the latter being a requirement in the application to attribute-based encryption. In particular, our lower bounds explain the trade-off between ciphertext and secret key sizes of several existing attribute-based encryption schemes based on the dual system methodology.

18:17 [Pub][ePrint] Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques, by Huaifeng Chen and Xiaoyun Wang

Simon is a lightweight block cipher family proposed by the NSA in 2013. It has drawn many cryptanalysts' attention, and a variety of cryptanalysis results have been published, including differential, linear, impossible differential and integral cryptanalysis.

In this paper, we give improved linear attacks on all versions of Simon using dynamic key-guessing techniques, which were recently proposed to improve the differential attack on Simon.

By establishing the Boolean function of the parity bit in the linear hull distinguisher and reducing the function according to the properties of the AND operation, we can guess different subkeys (or equivalent subkeys) for different situations, which decreases the number of key bits involved in the attack and further decreases the time complexity.

As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked.

The linear attacks on most versions of Simon are the best attacks among all cryptanalysis results on these variants known up to now. However, this does not shake the security of the Simon family with full rounds.

18:17 [Pub][ePrint] De Bruijn Sequences from Nonlinear Feedback Shift Registers, by Ming Li and Dongdai Lin

We continue the research in [jans1991] to construct de Bruijn sequences from feedback shift registers (FSRs) that contain only very short cycles. Firstly, we suggest another way to define the representative of a cycle. Compared with the definition in [jans1991], this definition can greatly improve the performance of the cycle joining algorithm. Then we construct a large class of nonlinear FSRs that contain only very short cycles. The lengths of the cycles in these $n$-stage FSRs are less than $2n$. Based on these FSRs, $O(2^{\frac{n}{2}-\log n})$ de Bruijn sequences of order $n$ are constructed. To generate the next bit of the de Bruijn sequence from the current state, only $2n$ bits of storage and fewer than $2n$ FSR shifts are required.

18:17 [Pub][ePrint] The Fallacy of Composition of Oblivious RAM and Searchable Encryption, by Muhammad Naveed

Oblivious RAM (ORAM) is a tool proposed to hide access pattern leakage, and there has been a lot of progress in the efficiency of ORAM schemes; however, less attention has been paid to studying the applicability of ORAM to cloud applications such as symmetric searchable encryption (SSE). Although searchable encryption is one of the motivations for ORAM research, no in-depth study of the applicability of ORAM to searchable encryption exists as of June 2015. In this work, we initiate the formal study of using ORAM to reduce the access pattern leakage in searchable encryption.

We propose four new leakage classes and develop a systematic methodology to study the applicability of ORAM to SSE. We develop a worst-case communication baseline for SSE. We show that completely eliminating leakage in SSE is impossible. We propose single keyword schemes for our leakage classes and show that either they perform worse than streaming the entire outsourced data (for a large fraction of queries) or they do not provide meaningful reduction in leakage. We present detailed evaluation using the Enron email corpus and the complete English Wikipedia corpus.

18:17 [Pub][ePrint] GMU Hardware API for Authenticated Ciphers, by Ekawat Homsirikamol and William Diehl and Ahmed Ferozpuri and Farnoud Farahmand and Malik Umar Sharif and Kris Gaj

In this paper, we propose a universal hardware API for authenticated ciphers, which can be used in any future implementations of authenticated ciphers submitted to the CAESAR competition. A common interface and communication protocol would help in reducing any potential biases, and would make the comparison in hardware more reliable and fair. By design, our proposed API is equally suitable for hardware implementations of authenticated ciphers developed manually (at the register-transfer level) and those obtained using high-level synthesis tools. Our implementation of the proposed interface and communication protocol includes universal, open-source pre-processing and post-processing units, common for all CAESAR candidates. Apart from the full documentation, examples, and the source code of the pre-processing and post-processing units, we are making available in the public domain a) a universal testbench to verify the functionality of any CAESAR candidate implemented using the GMU hardware API, b) a Python script used to automatically generate test vectors for this testbench, c) VHDL wrappers used to determine the maximum clock frequency and the resource utilization of all implementations, and d) RTL VHDL source code of high-speed implementations of AES and the Keccak permutation F. We hope that the existence of these resources will substantially reduce the time necessary to develop hardware implementations of all CAESAR candidates for the purpose of evaluation, comparison, and future deployment in real products.