There are two known algorithms recovering original secret keys from noisy
At Crypto 2009, Heninger and Shacham proposed a method for the case
where an erroneous version of secret keys contains only erasures.
Subsequently, Henecka et al. proposed a method
for an erroneous version containing only errors at Crypto 2010.
For physical attacks such as side-channel and cold boot attacks,
we need to study key recovery from a noisy secret key containing both erasures
In this paper, we propose a method to recover a secret key from such an
and analyze the condition for error and erasure rates so that
our algorithm succeeds in finding the correct secret key in polynomial time.
We also evaluate a theoretical bound to recover the secret key
and discuss to what extent our algorithm achieves this bound.
RFID mutual authentication protocol  that has recently
been analyzed in , , . In this letter, we first propose
a desynchronization attack that succeeds with probability
almost 1, which improves upon the 0.25 given by the attack
in . We also show that the bad properties of the proposed
permutation function can be exploited to disclose several
bits of the tag's secret (rather than just one bit as in ),
which increases the power of a traceability attack. Finally,
we show how to extend the above attack to run a full
disclosure attack, which requires to eavesdrop less protocol
runs than the attack described in  (i.e., 192
This forces smart-card manufacturers to carefully consider development of security mechanisms.
To accelerate this procedure, the use of a power and electromagnetic simulator can be relevant and saves non-negligible time.
Based on a high-level simulator, we propose to use profiled abstract models to gain accuracy on the simulated traces.
These abstract models are obtained by profiling some parts of the target device that are physically available to the evaluator.
A consequence of our result is that, in the ROM, we obtain truly efficient non-malleable NIZK proof systems essentially for free. Our definitions are sufficient for instantiating the Naor-Yung paradigm for CCA2-secure encryption, as well as a generic construction for signature schemes from hard relations and simulation-extractable NIZK proof systems. These two constructions are interesting as the former preserves both the leakage resilience and key-dependent message security of the underlying CPA-secure encryption scheme, while the latter lifts the leakage resilience of the hard relation to the leakage resilience of the resulting signature scheme.
This leaves us with the following interesting possibility: perhaps there exists a hash function that securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if it can fail for some computationally sound arguments. Indeed, the existence of such hash functions has been conjectured by Barak, Lindell and Vadhan (FOCS '03), who also gave a seemingly reasonable and sufficient condition under which such hash functions exist. However, we do not have any provably secure construction of such hash functions, under any standard assumption such as the hardness of DDH, RSA, QR, LWE, etc.
In this work we give a broad black-box separation result, showing that the security of such hash functions cannot be proved under virtually any standard cryptographic assumption via a black-box reduction.
In this work, we continue this study. As our main result, we show that for many well studied interactive *proofs* (and arguments) the soundness of the Fiat-Shamir heuristic cannot be proven via a black-box reduction to any falsifiable assumption. Previously, the insecurity of this paradigm was exemplified only when applied to interactive arguments (as opposed to proofs).
Using similar techniques, we also show a black-box impossibility result for Micali's CS-proofs [FOCS '94]. Namely, we prove that there exist PCPs such that for "sufficiently hard" NP languages, Micali's CS-proof cannot be proven sound via black-box reduction to any falsifiable assumption.
These results are obtained by extending the impossibility of two-message zero knowledge protocols due to Goldreich and Oren [J. Cryptology '94].
2009 as an extension of IDEA to larger block sizes (256 and 512 bits for
the main instances WIDEA-4 and WIDEA-8) and key sizes (512 and 1024
bits), with a focus on using them to design a hash function. WIDEA is
based on the trusted IDEA design, and was expected to inherit its good
security properties. WIDEA-w is composed of w parallel copies of the
IDEA block cipher, with an MDS matrix to provide diffusion between them.
In this paper we present low complexity attacks on WIDEA based on
truncated differentials. We show a distinguisher for the full WIDEA
with complexity only 2^65, and we use the distinguisher in a
key-recovery attack with complexity w·2^68. We also show a collision
attack on WIDEA-8 if it is used to build a hash function using the
Merkle-Damgård mode of operation.
The attacks exploit the parallel structure of WIDEA and the limited
diffusion between the IDEA instances, using differential trails where
the MDS diffusion layer is never active. In addition, we use structures
of plaintext to reduce the data complexity.
We propose (and formally define) an extension of the model where, when an honest party detects cheating, it also receives a certificate that can be published and used to persuade other parties, without revealing any information about the honest party's input. In addition, malicious parties cannot create fake certificates in an attempt to frame innocent parties.
Finally, we construct a secure two-party computation protocol for any functionality $f$ that satisfies our definition, and our protocol is almost as efficient as that of Aumann and Lindell. We believe that the fear of a public humiliation or even legal consequences vastly exceeds the deterrent given by standard covert security. Therefore, even a small value of the deterrent factor $\epsilon$ will suffice in discouraging any cheating attempt.
As the overall complexity of covert security and the parameter $\epsilon$ are inversely proportional to each other, we believe that the small price to pay to get the public verifiability property on top of covert security will be dominated by the efficiency gain obtained by using a smaller value of $\epsilon$.
LACS at the University of Luxembourg is looking for a post-doctoral researcher in the area of lightweight cryptography. The successful candidate will contribute to a research project entitled Applied Cryptography for the Internet of Things (ACRYPT), which is funded by the Fonds National de la Recherche (FNR). Besides conducting high-quality research, the tasks associated with this position include the co-supervision of a Ph.D. student and the dissemination of research results. The ACRYPT project is led by Prof. Alex Biryukov and expected to start in summer 2013.
Candidates must hold a Ph.D. degree (or be in the final stages of a Ph.D. program) in cryptography or a closely related discipline. Applications from researchers with experience in embedded systems security, network security, privacy/anonymity, or mobile/wireless security will also be considered. Preference will be given to candidates with a strong publication record including papers in top-tier crypto/security conference proceedings or journals. Candidates with an interest in conducting leading-edge research in one of the following areas are particularly encouraged to apply:
The position is offered on the basis of a fixed-term contract for a duration of three years, which includes a probation period of six months. The monthly salary is roughly 3,600 € net (i.e. after deduction of taxes and social security contributions). Interested candidates are invited to submit their application by email to lacs.acrypt(at)gmail.com. The application material should contain a cover letter explaining the candidate's motivation and research interests, a detailed CV (including photo), a list of publications, copies of diploma certificates, and names and contact detai