International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

05:12 [Job][New] Senior Member Technical Staff II-Security Engineering, Cryptography Research Inc. (CRI) San Francisco,California

  Responsibilities for this position include:

• Using, enhancing and developing cutting edge analysis techniques to perform side-channel leakage assessments of customer products and prototypes across a wide range of form factors and algorithms

• Documenting and/or publishing innovations in side-channel analysis and staying current with analysis techniques developed by other researchers

• Incorporating new analysis techniques and tools into CRI’s DPA Workstation product

• DPA Training: Instruct existing and prospective DPA countermeasure licensees and DPA workstation customers on topics related to DPA

• Authoring whitepapers, training material and tutorials on side-channel analysis and countermeasures

Qualifications: Education, Experience, Skills, Etc.


• MS/Ph.D in Electrical Engineering or Computer Science

• 3+ years experience in performing DPA on a range of real-world systems, form factors and algorithms, including experience with developing DPA test fixtures for embedded devices, setting up scopes and measurement apparatus, and applying signal processing and DPA techniques on the collected traces

• Exceptional C/C++ skills, working knowledge of Matlab or other signal processing tools, knowledge of multiple scripting languages

• Good written, oral and presentation skills – this position will require technical interactions with customers


• A strong record of scientific publications in the area of side-channel analysis and countermeasures and tamper resistance

• Experience with DPA-resistance certification

• Background in cryptography, tamper resistance (including fault analysis), signal processing or statistics

• Experience with embedded systems

06:17 [Pub][ePrint] Faster Pairing Computation on Jacobi quartic Curves with High-Degree Twists, by Liangze Li and Hongfeng Wu and Fan Zhang

  In this paper, we propose an elaborate geometric approach to explain the group law on Jacobi quartic curves which are seen as the intersection of two quadratic surfaces in space. Using the geometry

interpretation we construct the Miller function. Then we present explicit formulae for the addition and doubling steps in Miller\'s algorithm to compute Tate pairing on Jacobi quartic curves. Both the addition step and doubling step of our formulae for Tate pairing computation on Jacobi curves are faster than previously proposed ones.

Finally, we present efficient formulas for Jacobi quartic curves with twists of degree 4 or 6. For twists of degree 4, both the addition steps and doubling steps in our formulas are faster than the fastest result on Weierstrass curves. For twists of degree 6, the addition steps of our formulae are faster than the fastest result on Weierstrass curves.

15:17 [Pub][ePrint] Rotational cryptanalysis of round-reduced Keccak, by Pawel Morawiecki and Josef Pieprzyk and Marian Srebrny

  In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST\'s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-f[1600] permutation --- the main building block of Keccak hash function.

15:17 [Pub][ePrint] Constrained Search for a Class of Good S-Boxes with Improved DPA Resistivity, by Bodhisatwa Mazumdar and Debdeep Mukhopadhyay and Indranil Sengupta

  In FSE 2005, \\emph{transparency order} was proposed as a parameter

for the robustness of S-boxes to \\emph{Differential Power Analysis} (DPA):lower \\emph{transparency order} implying more resistance. However most cryptographically strong Boolean functions have been found to have high \\emph{transparency order}. Also it is a difficult problem to search for Boolean functions which are strong cryptographically, and yet have low \\emph{transparency order}, the total search space for $(n,n)$-bit Boolean functions being as large as $n2^{2^n}$. In this paper we characterize \\emph{transparency order} for various classes of Boolean functions by computing the upper and lower bounds of \\emph{transparency order} for both

even and odd numbers of variables. The transparency order is defined in terms of \\emph{diffusion} properties of the structures of Boolean functions namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of S-box for which bias of probability of S-box output bit deviates from the value of 0.5. The \\emph{transparency order} is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of \\emph{propagation characteristics}, \\emph{autocorrelation

spectra} of the S-box function $F$ is a more qualifying candidate in deciding the characteristics of \\emph{transparency order}. The relations developed to characterize \\emph{transparency order} aid in our constrained random generation and search of a class of

balanced $8\\times8$ S-boxes with \\emph{transparency order} upper bounded by 7.8, \\emph{nonlinearity} in range $(104,110)$ and \\emph{absolute indicator values} of \\emph{GAC}

in range $(48,88)$.

15:17 [Pub][ePrint] New Non-Interactive Zero-Knowledge Subset Sum, Decision Knapsack And Range Arguments, by Helger Lipmaa and Bingsheng Zhang

  We propose two basic NIZK arguments, one for Hadamard product of two vectors, and another one for a shift of a vector. The first argument is based on the corresponding argument of Lipmaa (TCC 2012), but makes use of Fast Fourier Transform and Pippenger\'s multi-exponentiation algorithm to achieve quasilinear (as opposed quadratic) computational complexity. The shift argument seems to be novel.

Based on the new basic arguments, we propose a NIZK argument for subset sum. This seems to be the only known (direct) sublinear NIZK argument for some other NP-complete language than Circuit-SAT\\@. Moreover, it is significantly more efficient than the known sublinear Circuit-SAT arguments by Groth (Asiacrypt 2010) and Lipmaa. In addition, we show that the new arguments can be used to speed up the recent range argument by Chaabouni, Lipmaa and Zhang (FC 2012). Finally, we combine the subset sum argument and the range argument to propose a direct sublinear NIZK argument for another NP-complete language, decision knapsack.

15:17 [Pub][ePrint] Faster batch forgery identification, by Daniel J. Bernstein and Jeroen Doumen and Tanja Lange and Jan-Jaap Oosterwijk

  Batch signature verification detects whether a batch of signatures contains any forgeries. Batch forgery identification pinpoints the location of each forgery. Existing forgery-identification schemes vary in their strategies for selecting subbatches to verify (individual checks, binary search, combinatorial designs, etc.) and in their strategies for verifying subbatches. This paper exploits synergies between these two levels of strategies, reducing the cost of batch forgery identification for elliptic-curve signatures.

15:17 [Pub][ePrint] Dynamic Proofs of Retrievability via Oblivious RAM, by David Cash and Alptekin Kupcu and Daniel Wichs

  Proofs of retrievability allow a client to store her data on a remote server (``in the cloud\'\') and periodically execute an efficient audit protocol to check that all of the data is being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass.

Starting with the work of Juels and Kaliski (CCS \'07), all prior solutions to this problem crucially assume that the client data is static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to `lose\' any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient.

Overcoming this limitation was left as the main open problem by all prior works.

In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols is only polylogarithmic in the size of the client\'s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data lock are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.

12:17 [Pub][ePrint] Private Top-k Aggregation Protocols, by Myungsun Kim and Abedelaziz Mohaisen and Jung Hee Cheon and Yongdae Kim

  In this paper, we revisit the private top-κ data aggregation problem. First we formally define the problem\'s security requirements as both data and user privacy goals. To achieve both goals, and to strike a balance between efficiency and functionality, we devise a novel cryptographic construction that comes in two schemes; a fully decentralized simple construction and its practical and semi-decentralized variant. Both schemes are provably secure in the semi-honest model. We analyze the computational and communi- cation complexities of our construction, and show that it is much more efficient than the existing protocols in the literature.

12:17 [Pub][ePrint] Efficient Implementation of RSA Algorithm with MKE, by Sami A. Nagar and Dr. Saad Alshamma

  The aim of this paper is to improve the implementation of RSA algorithm in some certain situations. This improvement is based on the ideas of H. Ren-Junn, S. Feng-Fu, Y. Yi-Shiung and C. Chia-Yao and allows us to speed up the transmission of data between various nodes in networks. We realized our idea in the C{\\#} language and in the database that was created by SQL Server 2008 R2. Identical database must be used in all networks gateways. The special protocol (RSA Handshake Database Protocol) was designed for controlling the creation of this database. Each gateway, that runs a RSA-Key Generations Offline procedure, is controlled according to specific issues and necessaries. This stage is called RSA-Key Generations Offline. We propose the new method for exchanging values of the keys among gateways. Roughly speaking gateways exchange indexes (Indexes Exchange) that refer to fields that contain the values of public and private keys.

12:17 [Pub][ePrint] A Comparison of Perfect Table Cryptanalytic Tradeoff Algorithms, by Ga Won Lee and Jin Hong

  Analyses of three major time memory tradeoff algorithms were presented by a recent paper in such a way that facilitates comparisons of the algorithm performances at arbitrary choices of the algorithm parameters. The algorithms considered there were the classical Hellman tradeoff and the non-perfect table versions of the distinguished point method and the rainbow table method. This paper adds the perfect table versions of the distinguished point method and the rainbow table method to the list, so that all the major tradeoff algorithms may now be compared against each other.

The algorithm performance information provided by this and the preceding paper is aimed at making practical comparisons possible. Comparisons that take both the cost of pre-computation and the efficiency of the online phase into account, at parameters that achieve a common success rate, can now be carried out with ease. Comparisons can be based on the expected execution complexities rather than the worst case complexities, and details such as the effects of false alarms and various storage optimization techniques need no longer be ignored.

A large portion of this paper is allocated to accurately analyzing the execution behavior of the perfect table distinguished point method. In particular, we obtain a closed-form formula for the average length of chains associated with a perfect distinguished point table.

12:17 [Pub][ePrint] 2048XKS - A Software Oriented High Security Block Cipher, by Dieter Schmidt

  The block cipher 2048XKS is a derivative of the block ciphers 1024 and 1024XKS, which in turn used the block ciphers MMB, SAFER, and Blowfish as building blocks. The block cipher 2048XKS has a block size of 2048 bis and a key length of 4096 bits and 8192 bits, respectively. 2048XKS is a Substition-Permutation-Network (SPN). It is designed for 32 bit microprocessors with a hardware integer multiplier.