International Association for Cryptologic Research

IACR News Central


2013-10-10
15:17 [Pub][ePrint] Elliptic and Hyperelliptic Curves: a Practical Security Analysis, by Joppe W. Bos and Craig Costello and Andrea Miele

  Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. For the first time, we perform a systematic security assessment of elliptic curves and hyperelliptic curves of genus 2, by incorporating all of the known optimizations. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.



15:17 [Pub][ePrint] FlexDPDP: FlexList-based Optimized Dynamic Provable Data Possession, by Ertem Esiner and Adilet Kachkeev and Samuel Braunfeld and Alptekin Küpçü and Öznur Özkasap

  With popularity of cloud storage, efficiently proving the integrity of data stored at an untrusted server has become significant. Authenticated Skip Lists and Rank-based Authenticated Skip Lists (RBASL) have been used in cloud storage to provide support for provable data update operations. In a dynamic file scenario, an RBASL falls short when updates are not proportional to a fixed block size; such an update to the file, however small, may translate to O(n) many block updates to the RBASL, for a file with n blocks.

To overcome this problem, we introduce FlexList: Flexible Length-Based Authenticated Skip List. FlexList translates even variable-size updates to O(u) insertions, removals, or modifications, where u is the size of the update divided by the block size. We present various optimizations on the four types of skip lists (regular, authenticated, rank-based authenticated, and FlexList). We compute one single proof to answer multiple (non-)membership queries and obtain efficiency gains of 35%, 35% and 40% in terms of proof time, energy, and size, respectively. We also deployed our implementation of FlexDPDP (DPDP with FlexList instead of RBASL) on PlanetLab, demonstrating that FlexDPDP performs comparably to the most efficient static storage scheme (PDP), while providing dynamic data support.





2013-10-08
22:35 [Job][New] PhD Scholarship, Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, UK

  The Government Communications Headquarters (GCHQ) in Cheltenham has agreed in principle to sponsor a PhD/Doctoral Studentship at CSIT, Queen's University Belfast in the area of Detection, Mitigation and Prevention of Emerging Application Layer DDoS Attacks.

This GCHQ-sponsored PhD studentship provides funding for 3.5 years and can commence as soon as possible. GCHQ will cover the costs of university fees and will provide an annual stipend to the student corresponding to the National Minimum Stipend (currently £13,590 per annum) plus an additional sum of £7,000 per annum (both tax free). For comparison, this is equivalent to approx. £26,555 annual salary. A further £5k of funding will also be available per annum for travel to conferences, collaborative partners, and GCHQ visits. The studentship is only open to UK nationals and the successful candidate will be required to spend in the region of 2 - 4 weeks per year at GCHQ headquarters in Cheltenham. To be considered for this studentship, candidates must therefore be prepared to undergo GCHQ's security clearance procedures.



2013-10-07
14:17 [Job][New] Tenured, Tenure-track Faculty positions, Sejong University, Seoul, Korea

  The Department of Computer and Information Security at Sejong University, Seoul, South Korea invites applications for a tenure-track faculty position at all levels (full professor, associate professor, assistant professor) in Computer and Information Security. Those who have an outstanding research record in the applicant's own research area are encouraged to apply.

Applicants must have a doctoral degree in computer science or in a related field and must provide 4 necessary documents (see the URL below). Applicants must also arrange for three recommendation letters and send them to isdpt (at) sejong.ac.kr

The application deadline is Oct. 18, 2013 5 p.m. KST (UTC+9). To ensure full consideration, application documents and recommendation letters should be received no later than this date.

The successful candidate is expected to establish an independent research program while contributing to the Department's teaching program at the undergraduate and graduate levels. The chosen candidate is expected to start his/her duties on Mar. 1, 2014.

Apply online at http://facultyjob.sejong.ac.kr/2013/index.html



14:16 [Job][New] Researcher (postdoc) in Cryptography (or Quantum Crypto), Institute of Computer Science, University of Tartu, Estonia, EU

  The Cryptography group at the University of Tartu, Estonia, is looking for a researcher (postdoc) in cryptography, preferably with strengths in one of the following topics:

  • Theory of cryptography
  • Quantum cryptography
  • Mathematics (applied to cryptography)
  • Verification
  • Any other area that complements the existing team

The Cryptography group in Tartu (senior members: Dominique Unruh, Helger Lipmaa, Sven Laur) does research on a variety of cryptography-related topics, such as quantum cryptography, verification, foundations of cryptography, cryptographic protocols, e-voting, etc. On the coding theory side, we also have Vitaly Skachek.

Researchers at U Tartu are full faculty members. Salary is 2000 euro (cost of living in Estonia is quite low, see e.g. http://www.expatistan.com/cost-of-living), with an employment contract for three years.

A successful candidate should:

  • Hold a PhD degree
  • Have a strong background in cryptography or a relevant related field
  • Have an international publication record at outstanding venues

To apply, please submit the following documents (by email):

  • Letter of motivation
  • Research plan
  • Two letters of reference (make sure they reach us by the application deadline)
  • Curriculum vitae
  • Publication list
  • PhD degree

Deadline for applications: 1 November 2013

Do not hesitate to contact us in case of questions.



2013-10-06
21:24 [Event][New] CECC14: Central European Conference on Cryptology

  Submission: 15 March 2014
From May 21 to May 23
Location: Budapest, Hungary
More Information: http://www.renyi.hu/conferences/cecc14




2013-10-05
15:17 [Pub][ePrint] Four Measures of Nonlinearity, by Joan Boyar and Magnus Find and Rene Peralta

  Cryptographic applications, such as hashing, block ciphers and stream ciphers, make use of functions which are simple by some criteria (such as circuit implementations), yet hard to invert almost everywhere. A necessary condition for the latter property is to be "sufficiently distant" from linear, and cryptographers have proposed several measures for this distance. In this paper, we show that four common measures, nonlinearity, algebraic degree, annihilator immunity, and multiplicative complexity, are incomparable in the sense that for each pair of measures, $\mu_1,\mu_2$, there exist functions $f_1,f_2$ with $\mu_1(f_1)> \mu_1(f_2)$ but $\mu_2(f_1)< \mu_2(f_2)$. We also present new connections between two of these measures. Additionally, we give a lower bound on the multiplicative complexity of collision-free functions.



15:17 [Pub][ePrint] Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64, by Itai Dinur and Orr Dunkelman and Nathan Keller and Adi Shamir

  In this paper, we describe new techniques in meet-in-the-middle attacks. Our basic technique is called a linear key sieve since it exploits as filtering conditions linear dependencies between key bits that are guessed from both sides of the attack. This should be contrasted with related previous attacks, which only exploited a linear state sieve (i.e., linear dependencies between state bits that are computed from both sides of the attack). We apply these techniques to the lightweight block cipher LED-64, and improve some of the best known attacks on step-reduced variants of this cipher in all attack models. As a first application of the linear key sieve, we describe a chosen plaintext attack on 2-step LED-64, which reduces the time complexity of the best previously published attack on this variant from $2^{56}$ to $2^{48}$. Then, we present the first attack on 2-step LED-64 in the known plaintext model. In this attack, we show for the first time that the splice-and-cut technique (which inherently requires chosen messages) can also be applied in the known plaintext model, and we use the linear key sieve in order to obtain an attack with the same time complexity as our chosen plaintext attack. Finally, we describe a related-key attack on 3-step LED-64 which improves the best previously published attack (presented at Asiacrypt 2012) in all the complexity parameters of time/data/memory from $2^{60}$ to $2^{49}$. Like our first two single-key attacks, the related-key attack is also based on the linear key sieve, but it uses additional techniques in differential meet-in-the-middle which are interesting in their own right.



15:17 [Pub][ePrint] Universal security; from bits and mips to pools, lakes -- and beyond, by Arjen K. Lenstra, Thorsten Kleinjung, Emmanuel Thomé

  The relation between cryptographic key lengths and security depends on the cryptosystem used. This leads to confusion and to insecure parameter choices. In this note a universal security measure is proposed that puts all cryptographic primitives on the same footing, thereby making it easier to get comparable security across the board.



15:17 [Pub][ePrint] SCARE of Secret Ciphers with SPN Structures, by Matthieu Rivain and Thomas Roche

  Side-Channel Analysis (SCA) is commonly used to recover secret keys involved in the implementation of publicly known cryptographic algorithms. On the other hand, Side-Channel Analysis for Reverse Engineering (SCARE) considers an adversary who aims at recovering the secret design of some cryptographic algorithm from its implementation. Most previously published SCARE attacks enable the recovery of some secret parts of a cipher design (e.g. the substitution box(es)) assuming that the rest of the cipher is known. Moreover, these attacks are often based on an idealized leakage assumption where the adversary recovers noise-free side-channel information. In this paper, we address these limitations and describe a generic SCARE attack that can recover the full secret design of any iterated block cipher with common structure. Specifically, we consider the family of Substitution-Permutation Networks with either a classical structure (as the AES) or with a Feistel structure. Based on a simple and usual assumption on the side-channel leakage we show how to recover all parts of the design of such ciphers. We then relax our assumption and describe a practical SCARE attack that deals with noisy side-channel leakages.



15:17 [Pub][ePrint] Detection of Algebraic Manipulation in the Presence of Leakage, by Hadi Ahmadi and Reihaneh Safavi-Naini

  We investigate the problem of algebraic manipulation detection (AMD) over a communication channel that partially leaks information to an adversary. We assume the adversary is computationally unbounded and there is no shared key or correlated randomness between the sender and the receiver. We introduce leakage-resilient (LR)-AMD codes to detect algebraic manipulation in this model.

We consider two leakage models. The first model, called linear leakage, requires the adversary's uncertainty (entropy) about the message (or encoding randomness) to be a constant fraction of its length. This model can be seen as an extension of the original AMD study by Cramer et al. [CDFPW08] to the setting where some leakage to the adversary is allowed. We study randomized strong and deterministic weak constructions of linear (L)LR-AMD codes. We derive lower and upper bounds on the redundancy of these codes and show that known optimal (in rate) AMD code constructions can serve as optimal LLR-AMD codes. In the second model, called block leakage, the message consists of a sequence of blocks and at least one block remains with uncertainty that is a constant fraction of the block length. We focus on deterministic block (B)LR-AMD codes. We observe that designing optimal such codes is more challenging: LLR-AMD constructions cannot function optimally under block leakage. We thus introduce a new optimal BLR-AMD code construction and prove its security in the model.

We show an application of LR-AMD codes to tampering detection over wiretap channels. We next show how to compose our BLR-AMD construction, with a few other keyless primitives, to provide both integrity and confidentiality in transmission of messages/keys over such channels. This is the best known solution in terms of randomness and code redundancy. We discuss our results and suggest directions for future research.