International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

12:17 [Pub][ePrint] Explicit Non-Malleable Codes Resistant to Permutations, by Shashank Agrawal and Divya Gupta and Hemanta K. Maji and Omkant Pandey and Manoj Prabhakaran

  The notion of non-malleable codes was introduced as a relaxation of standard error-correction and error-detection. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value.

In the information theoretic setting, although existence of such codes for various rich classes of tampering functions is known, explicit constructions exist only for highly structured family of tampering functions. Prior explicit constructions of non-malleable codes rely on the ``compartmentalized\'\' structure of the tampering function, i.e. the codeword is partitioned into {\\em a priori fixed} blocks and each block can {\\em only} be tampered independently. The prominent examples of this model are the family of bit-wise independent tampering functions and the split-state


We consider an infinitely large natural class of non-compartmentalized tampering functions. In our model, the tampering function can permute the bits of the encoding and (optionally) perturb them. In the information theoretic setting, we provide an {\\em explicit} and {\\em efficient}, {\\em rate-1} non-malleable code for {\\em multi-bit messages}.

Lack of explicit constructions of non-malleable codes for non-compartmentalized tampering functions severely inhibits their utility in cryptographic protocols. As a motivation for our construction, we show an application of non-malleable codes to cryptographic protocols. In an idealized setting, we show how string commitments can be based on one-bit commitments, if non-malleable codes exist. Further, as an example of a non-trivial use of non-malleable codes in standard cryptographic protocols (not in an idealized model), we show that if explicit non-malleable codes are obtained for a slightly larger class of tampering functions than we currently handle, one can obtain a very simple non-malleable commitment scheme, under somewhat strong assumptions.

12:17 [Pub][ePrint] Analysis of NORX, by Philipp Jovanovic and Samuel Neves and Jean-Philippe Aumasson

  This paper presents a thorough security analysis of the AEAD scheme NORX,

focussing on differential and rotational properties of the core permutation.

To examine its differential properties, we first introduce mathematical models

that describe differential propagation with respect to the non-linear operation

of NORX. Then we adapt the framework previously proposed for ARX designs,

which allows us to automatise the search for differentials and differential

characteristics. We give upper bounds on the differential probability of a

small number of steps of the NORX core permutation, and show how we found the

best characteristics for four rounds, which have probabilities of $2^{-584}$

($32$-bit) and $2^{-836}$ ($64$-bit), respectively. Finally, we discuss some

rotational properties of the core permutation which can be used as a basis for

future studies.

12:17 [Pub][ePrint] Index calculus in the trace zero variety, by Elisa Gorla and Maike Massierer

  We discuss how to apply Gaudry\'s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation.

12:17 [Pub][ePrint] Preimage attacks on Reduced-round Stribog, by Riham AlTawy and Amr M. Youssef

  In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. Specifically, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of $2^{448}$ and memory complexity of $2^{64}$. Additionally, we adopt a guess and determine approach to obtain a 6-round chunk separation that balances the available degrees of freedom and the guess size. The proposed chunk separation allows us to attack 6 out of 12 rounds with time and memory complexities of $2^{496}$ and $2^{112}$, respectively. Finally, employing $2^t$ multicollision, we show that preimages of the 5 and 6-round reduced hash function can be generated with time complexity of $2^{481}$ and $2^{505}$, respectively. The two preimage attacks have equal memory complexity of $2^{256}$.

12:17 [Pub][ePrint] Improved Differential Cryptanalysis of Round-Reduced Speck, by Itai Dinur

  Simon and Speck are families of lightweight block ciphers designed by the U.S. National Security Agency and published in 2013. Each of the families contains 10 variants, supporting a wide range of block and key sizes. Since the publication of Simon and Speck, several research papers analyzed their security using various cryptanalytic techniques. The best previously published attacks on all the 20 round-reduced ciphers are differential attacks, and are described in two papers (presented at FSE 2014) by Abed et al. and Biryukov et al.

In this paper, we focus on the software-optimized block cipher family Speck, and describe significantly improved attacks on all of its 10 variants. In particular, we increase the number of rounds which can be attacked by 1, 2, or 3, for 9 out of 10 round-reduced members of the family, while significantly improving the complexity of the previous best attack on the remaining round-reduced member. Our attacks use an untraditional key recovery technique for differential attacks, which resembles techniques typically used in attacks based on self-similarity.

Despite our significantly improved attacks, they do not seem to threaten the security of any member of Speck.

12:17 [Pub][ePrint] Efficient Quantum-Immune Keyless Signatures with Identity, by Ahto Buldas and Risto Laanoja and Ahto Truu

  We show how to extend hash-tree based data signatures to server-assisted personal digital signature schemes. The new signature scheme does not use trapdoor functions and is based solely on cryptographic hash functions and is thereby, considering the current state of knowledge, resistant to quantum computational attacks. In the new scheme, we combine hash-tree data signature (time- stamping) solutions with hash sequence authentication mechanisms. We show how to implement such a scheme in practice.

06:40 [Event][New] EC'15: Eurocrypt 2015

  From March 26 to April 30
Location: Sofia, Bulgaria
More Information:

05:00 [Job][New] Ph. D student, CEA SAS (Secure Architectures & Systems) Lab, France

  Pairing Based Cryptography (PBC) has recently been studied and developed to satisfy emerging industrial and societal needs such as user privacy, identity based encryption or efficient key establishment protocols. Research on PBC has mainly been focusing on the mathematical robustness of the proposed algorithms or on the latter\\\'s calculation times. Latest published results have shown that PBC is also vulnerable to physical attacks: research work carried by the Secure Architectures & Systems (SAS) lab of the CEA has shown that all the parts of a Pairing algorithm can be attacked using fault injections. The first objective of this thesis is to study, in the same way as the work done using fault attacks, the vulnerability of PBC to side channel analysis. Then efficient countermeasures shall be studied and tested in order to make PBC implementations immune against physical attacks (fault injections and side channel analysis).

12:17 [Pub][ePrint] Statistical weaknesses in 20 RC4-like algorithms and (probably) the simplest algorithm free from these weaknesses - VMPC-R, by Bartosz Zoltak

  We find statistical weaknesses in 20 RC4-like algorithms including the original RC4, RC4A, PC-RC4 and others.

This is achieved using a simple statistical test.

We found only one algorithm which was able to pass the test - VMPC-R.

This algorithm, being approximately three times more complex then RC4,

is probably the simplest RC4-like cipher capable of producing pseudo-random output.

18:17 [Pub][ePrint] Improved Leakage Model Based on Genetic Algorithm, by Zhenbin Zhang and Liji Wu

  The classical leakage model usually exploits the power of one single S-box, which is called divide and conquer. Taking DES algorithm for example, the attack on each S-box needs to search the key space of 2^6 in a brute force way. Besides, 48-bit round key is limited to the result correctness of each single S-box. In this paper, we put forward a new leakage model based on the power consumption of multi S-box. The implementation of this method is combined with genetic algorithm. In DES algorithm, we can establish leakage model based on the Hamming distance of summing up 8 S-boxes. The genetic algorithm can search the key space of 2^48 to complete the attack of 8 S-boxes at the same time intelligently. And we also experimentally validate the fact that the leakage model of 8 S-boxes can decrease about 60% number of traces which is needed in the classical based on one single S-box in time domain and it also decreases about 33% number of traces in frequency domain. The IC card which is used in experiment is the training card 8 provided by Riscure Company.

18:17 [Pub][ePrint] Statistical weaknesses in 20 RC-4 like algorithms and (probably) the simplest algorithm free from these weaknesses - VMPC-R, by Bartosz Zoltak

  We find statistical weaknesses in 20 RC-4 like algorithms including the original RC4, RC4A, PC-RC4 and others.

This is achieved using a simple statistical test.

We found only one algorithm which was able to pass the test - VMPC-R.

This algorithm, being approximately three times more complex then RC4,

is probably the simplest RC4-like cipher capable of producing pseudo-random output.