International Association for Cryptologic Research

IACR News Central


Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calendar (iCal).

12:05 [PhD][New] Christophe Clavier

  Name: Christophe Clavier

12:05 [PhD][New] Hans Dobbertin: Verfeinerungsmonoide, Vaught Monoide und Boolesche Algebren

  Name: Hans Dobbertin
Topic: Verfeinerungsmonoide, Vaught Monoide und Boolesche Algebren
Category: (no category)

12:04 [PhD][New] Benoit Feix

  Name: Benoit Feix

12:03 [PhD][New] Pouyan Sepehrdad: Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives

  Name: Pouyan Sepehrdad
Topic: Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives
Category: secret-key cryptography


Symmetric cryptographic primitives such as block and stream ciphers are the building blocks in many cryptographic protocols. Having such blocks which provide provable security against various types of attacks is often hard. On the other hand, if possible, such designs are often too costly to be implemented and are usually ignored by practitioners. Moreover, in RFID protocols or sensor networks, we need lightweight and ultra-lightweight algorithms. Hence, cryptographers often search for a fair trade-off between security and usability depending on the application. Contrary to public key primitives, which are often based on some hard problems, security in symmetric key is often based on some heuristic assumptions. Often, the researchers in this area argue that the security is based on the confidence level the community has in their design. Consequently, everyday symmetric protocols appear in the literature and stay secure until someone breaks them. In this thesis, we evaluate the security of multiple symmetric primitives against statistical and algebraic attacks. This thesis is composed of two distinct parts:


In the first part, we investigate the security of RC4 stream cipher against statistical attacks. We focus on its applications in WEP and WPA protocols. We revisit the previous attacks on RC4 and optimize them. In fact, we propose a framework on how to deal with a pool of biases for RC4 in an optimized manner. During this work, we found multiple new weaknesses in the corresponding applications. We show that the current best attack on WEP can still be improved. We compare our results with the state of the art implementation of the WEP attack on Aircrack-ng program and improve its success rate. Next, we propose a theoretical key recovery and distinguishing attacks on WPA, which cryptographically break the protocol. We perform an extreme amount of experiments to make sure that the proposed theor[...]

12:03 [PhD][New] Vincent Verneuil: Elliptic curve cryptography and security of embedded devices

  Name: Vincent Verneuil
Topic: Elliptic curve cryptography and security of embedded devices
Category: implementation


Elliptic curve based cryptosystems are nowadays increasingly used in protocols involving public-key cryptography. This is particularly true in the context of embedded devices which are subject to strong cost, resources, and efficiency constraints, since elliptic curve cryptography requires significantly smaller key sizes compared to other cryptosystems such as RSA.


The following study focuses in the first part on secure and efficient implementation of elliptic curve cryptography in embedded devices, especially smart cards. Designing secure implementations requires to take into account physical attacks which can target embedded devices. These attacks include in particular side-channel analysis which may infer information on a secret key manipulated from a component by monitoring how it interacts with its environment, and fault analysis in which an adversary can disturb the normal functioning of a device with the same goal.


In the second part of this thesis, we study these attacks and their impact on the implementation of the most used public-key cryptosystems. In particular, we propose new analysis techniques and new countermeasures for these cryptosystems, together with specific attacks on the AES block cipher.


12:03 [PhD][New] Joern-Marc Schmidt: Implementation Attacks - Manipulating Devices to Reveal Their Secrets

  Name: Joern-Marc Schmidt
Topic: Implementation Attacks - Manipulating Devices to Reveal Their Secrets
Category: implementation

Description: Nowadays, embedded systems and smart cards are part of everyday life. With the proliferation of these devices the need for security increases. In order to meet this demand, cryptographic algorithms are applied. However, for implementations of such algorithms on mobile devices, not only the security from a cryptanalytical point of view, i.e. in a black box model, is important. This is because the practical realization of a theoretically secure algorithm can be insecure.

An adversary with physical access to the device can benefit from its characteristics or influence its behavior. Methods that measure the properties of a device are passive implementation attacks. In contrast to passive methods, active implementation attacks try to manipulate the computation and benefit from the erroneous results. These methods are called fault attacks.

In this thesis, we discuss the theory of implementation attacks as well as their practical realizations. New attacks and algorithmic countermeasures are presented. We show how to attack RSA implementations that make use of the square and multiply algorithm by manipulating the program flow. The attack is expanded to work on ECC and ECDSA. In order to protect devices against such attacks, we developed a countermeasure that secures the program flow of RSA and ECC implementations by an implicitly calculated program signature. Moreover, we present a probing attack on AES and discuss the problem of an untrusted external memory.

Furthermore, we describe our setups for different practical attacks. The possibilities range from low-cost methods using equipment for about 50 Euro up to high-end attacks, involving a focused ion beam (FIB). In particular, we performed non-invasive spike and glitch attacks, semi-invasive optical and electromagnetic fault induction, as well as an invasive chemical attack. In addition, we used a FIB for chip modification attacks.

Moreover, we applied fault i[...]

12:00 [PhD][New] Karim Belabas

  Name: Karim Belabas

11:59 [PhD][New] Marc Stevens: Attacks on Hash Functions and Applications

  Name: Marc Stevens
Topic: Attacks on Hash Functions and Applications
Category: secret-key cryptography

Description: Cryptographic hash functions compute a small fixed-size hash value for any given message. A main application is in digital signatures which require that it must be hard to find collisions, i.e., two different messages that map to the same hash value. In this thesis we provide an analysis of the security of the cryptographic hash function standards MD5 and SHA-1 that have been broken since 2004 due to so called identical-prefix collision attacks. In particular, we present more efficient identical-prefix collision attacks on both MD5 and SHA-1 that improve upon the literature. Furthermore, we introduce a new more flexible attack on MD5 and SHA-1 called the chosen-prefix collision attack that allows significantly more control over the two colliding messages. Moreover, we have proven that our new attack on MD5 poses a realistic threat to the security of everyday applications with our construction of a rogue Certification Authority (CA). Our rogue CA could have enabled the total subversion of secure communications with any website -- if we had not purposely crippled it. Finally, we have introduced an efficient algorithm to detect whether a given message was generated using an identical-prefix or chosen-prefix collision attack on MD5 or SHA-1.[...]

11:59 [PhD][New] Benne de Weger

  Name: Benne de Weger

11:57 [PhD][New] Ronald Cramer

  Name: Ronald Cramer

11:56 [PhD][New] Eike Kiltz: Complexity Theoretic Lower Bounds on Cryptographic Functions

  Name: Eike Kiltz
Topic: Complexity Theoretic Lower Bounds on Cryptographic Functions
Category: foundations