International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] Provably Secure Concurrent Error Detection Against Differential Fault Analysis, by Xiaofei Guo, Debdeep Mukhopadhyay and Ramesh Karri

  Differential fault analysis (DFA) poses a significant threat to Advanced Encryption Standard (AES). It has been demonstrated that DFA can use only a single faulty ciphertext to reveal the secret key of AES in an average of 230 computation. Traditionally, concurrent error

detection (CED) is used to protect AES against DFA. However, we emphasize that conventional CED assumes a uniform distribution of faults, which is not a valid assumption in the context of DFA. In contrast, we show practical examples which highlight that an attacker

can inject specific and exploitable faults, thus threatening existing CED. This paper brings to the surface a new CED approach for cryptography, aimed at providing provable security by detecting all possible DFA-exploitable faults, which is a small subset of the entire fault space. We analyze the fault coverage of conventional CED against DFA-exploitable faults, and we find that the fault coverage of most of these techniques are significantly lower than

the one they claimed. We stress that for security, it is imperative that CED should provide 100% fault coverage for DFA-exploitable faults. We further propose an invariance-based CED which provides 100% provable security against all known DFA of AES.

15:17 [Pub][ePrint] Bellcore attack in practice, by Andrey Sidorenko and Joachim van den Berg and Remko Foekema and Michiel Grashuis and Jaap de Vos

  In this paper we analyze practical aspects of the differential fault attack on RSA published by Boneh, Demillo and Lipton from Bellcore. We focus on the CRT variant, which requires only one faulty signature to be entirely broken provided that no DFA countermeasures are in use. Usually the easiest approach for the attacker is to introduce a fault in one of the two RSA-CRT exponentiations. These are time-consuming and often clearly visible in the power profiles. However, protection of the exponentiations against faults does not always circumvent the Bellcore attack. Our goal is to investigate and classify other possible targets of the attack.

15:17 [Pub][ePrint] Security weakness in the Proof of Storage with Deduplication, by Youngjoo Shin, Junbeom Hur, Kwangjo Kim

  Achieving both security and efficiency is the challenging issue for a data outsourcing service in the cloud computing.

Proof of Storage with Deduplication (POSD) is the first solution that addresses the issue for the cloud storage. However, the validity of the POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of the scheme

under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improvement of the POSD scheme to mitigate our attack.

15:17 [Pub][ePrint] New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation, by Shweta Agrawal and Vipul Goyal and Abhishek Jain and Manoj Prabhakaran and Am

  We consider the client-server setting for the concurrent composition of secure protocols: in this setting, a single server interacts with multiple clients concurrently, executing with each client a specified protocol where only the client should receive any nontrivial output. Such a setting is easily motivated from an application standpoint. There are important special cases for which positive results are known - such as concurrent zero knowledge protocols - and it has been an open question explicitly asked, for instance, by Lindell [J. Cryptology\'08] - whether other natural functionalities such as Oblivious Transfer (OT) are possible in this setting.

In this work:

1. We resolve this open question by showing that unfortunately, even in this very limited concurrency setting, broad new impossibility results hold, ruling out not only OT, but in fact all nontrivial asymmetric functionalities. Our new negative results hold even if the inputs of all honest parties are fixed in advance, and the adversary receives no auxiliary information.

2. Along the way, we establish a new unconditional completeness result for asymmetric functionalities, where we characterize functionalities that are non-interactively complete secure against active adversaries. When we say that a functionality F is non-interactively complete, we mean that every other asymmetric functionality can be realized by parallel invocations of several copies of F, with no other communication in any direction. Our result subsumes a completeness result of Kilian [STOC\'00] that uses protocols which require additional interaction in both directions.

15:17 [Pub][ePrint] Resource-based Corruptions and the Combinatorics of Hidden Diversity, by Juan Garay and David Johnson and Aggelos Kiayias and Moti Yung

  In the setting of cryptographic protocols, the corruption of a party has traditionally been viewed as a simple, uniform and atomic operation, where the adversary decides to get control over a party and this party immediately gets corrupted. In this paper, motivated by the fact that different players may require different resources to get corrupted, we put forth the notion of {\\em resource-based corruptions}, where the adversary must invest some resources in order to do so.

If the adversary has full information about the system configuration then resource-based corruptions would provide no fundamental difference from the standard corruption model. However, in a resource ``anonymous\'\' setting, in the sense that such configuration is hidden from the adversary, much is to be gained in terms of efficiency and security.

We showcase the power of such {\\em hidden diversity} in the context of secure multiparty computation (MPC) with resource-based corruptions and prove that it can effectively be used to circumvent known impossibility results. Specifically, if $OPT$ is the corruption budget that violates the completeness of MPC (the case when half or more of the players are corrupted), we show that if hidden diversity is available, the completeness of MPC can be made to hold against an adversary with as much as a $B\\cdot OPT$ budget, for any constant $B>1$. This result requires a suitable choice of parameters (in terms of number of players and their hardness to corrupt), which we provide and further prove other tight variants of the result when the said choice is not available. Regarding efficiency gains, we show that hidden diversity can be used to force the corruption threshold to drop from 1/2 to 1/3, in turn allowing the use of much more efficient (information-theoretic) MPC protocols.

We achieve the above through a series of technical contributions:

o The modeling of the corruption process in the setting of cryptographic protocols through {\\em corruption oracles} as well as the introduction of a notion of reduction to relate such oracles;

o the abstraction of the corruption game as a combinatorial problem and its analysis; and, importantly,

o the formulation of the notion of {\\em inversion effort preserving} (IEP) functions which is a type of direct-sum property, and the property of {\\em hardness indistinguishability}. While hardness indistinguishability enables the dissociation of parties\' identities and the resources needed to corrupt them, IEP enables the discretization of adversarial work into corruption tokens,

all of which may be of independent interest.

05:31 [Event][New] CCH: 14th Cryptologic History Symposium

  Submission: 1 February 2013
Notification: 1 June 2013
From October 10 to October 11
Location: Laurel, Maryland, USA
More Information:

05:12 [Job][New] Senior Principal Engineer- Secure Hardware Design , Cryptography Research Inc. (CRI) San Francisco, California


• Serve as a highly visible industry expert on tamper-resistance and DPA countermeasures

• Design and implement DPA-resistant hardware blocks suitable for a variety of applications and device form factors

• Guide customers implementing DPA countermeasures and tamper resistance into their products and systems

• Consult with customers regarding their DPA-resistance certification needs

• Develop tools and training material around methodologies for DPA resistant hardware design

• Author whitepapers and technical papers related to tamper resistance, side-channel analysis and countermeasures

• Provide customer training on DPA


• 8+ years of experience in tamper resistant hardware design and at least 5 years of experience in developing DPA resistant hardware and products that use algorithms such as DES, 3DES, AES, RSA and ECC.

• Deep knowledge of the statistics of DPA, sources of information leakage in hardware and engineering tradeoffs between different countermeasure choices

• Experience with getting multiple products evaluated for DPA resistance at EAL 5+

• External recognition as an expert in the area of tamper resistance, side-channel analysis and countermeasures, via publications, industry panels, contributions to standards working groups, etc.

• Very high degree of skill with Verilog (or VHDL) and digital design

• In depth understanding of front-end ASIC design flows, including design, simulation, synthesis and timing analysis

• Hardware development experience in UNIX/Linux environments, and with shell/perl scripting

• Excellent interpersonal, presentation and documentation skills

• MS/Ph.D in Electrical Engineering

Pluses: Experience in the following areas

• Mixed mode and analog simulations for assessing DPA resistance at the design stage

• Develo

05:12 [Job][New] Senior Member Technical Staff II-Security Engineering, Cryptography Research Inc. (CRI) San Francisco,California

  Responsibilities for this position include:

• Using, enhancing and developing cutting edge analysis techniques to perform side-channel leakage assessments of customer products and prototypes across a wide range of form factors and algorithms

• Documenting and/or publishing innovations in side-channel analysis and staying current with analysis techniques developed by other researchers

• Incorporating new analysis techniques and tools into CRI’s DPA Workstation product

• DPA Training: Instruct existing and prospective DPA countermeasure licensees and DPA workstation customers on topics related to DPA

• Authoring whitepapers, training material and tutorials on side-channel analysis and countermeasures

Qualifications: Education, Experience, Skills, Etc.


• MS/Ph.D in Electrical Engineering or Computer Science

• 3+ years experience in performing DPA on a range of real-world systems, form factors and algorithms, including experience with developing DPA test fixtures for embedded devices, setting up scopes and measurement apparatus, and applying signal processing and DPA techniques on the collected traces

• Exceptional C/C++ skills, working knowledge of Matlab or other signal processing tools, knowledge of multiple scripting languages

• Good written, oral and presentation skills – this position will require technical interactions with customers


• A strong record of scientific publications in the area of side-channel analysis and countermeasures and tamper resistance

• Experience with DPA-resistance certification

• Background in cryptography, tamper resistance (including fault analysis), signal processing or statistics

• Experience with embedded systems

06:17 [Pub][ePrint] Faster Pairing Computation on Jacobi quartic Curves with High-Degree Twists, by Liangze Li and Hongfeng Wu and Fan Zhang

  In this paper, we propose an elaborate geometric approach to explain the group law on Jacobi quartic curves which are seen as the intersection of two quadratic surfaces in space. Using the geometry

interpretation we construct the Miller function. Then we present explicit formulae for the addition and doubling steps in Miller\'s algorithm to compute Tate pairing on Jacobi quartic curves. Both the addition step and doubling step of our formulae for Tate pairing computation on Jacobi curves are faster than previously proposed ones.

Finally, we present efficient formulas for Jacobi quartic curves with twists of degree 4 or 6. For twists of degree 4, both the addition steps and doubling steps in our formulas are faster than the fastest result on Weierstrass curves. For twists of degree 6, the addition steps of our formulae are faster than the fastest result on Weierstrass curves.

15:17 [Pub][ePrint] Rotational cryptanalysis of round-reduced Keccak, by Pawel Morawiecki and Josef Pieprzyk and Marian Srebrny

  In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST\'s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-f[1600] permutation --- the main building block of Keccak hash function.

15:17 [Pub][ePrint] Constrained Search for a Class of Good S-Boxes with Improved DPA Resistivity, by Bodhisatwa Mazumdar and Debdeep Mukhopadhyay and Indranil Sengupta

  In FSE 2005, \\emph{transparency order} was proposed as a parameter

for the robustness of S-boxes to \\emph{Differential Power Analysis} (DPA):lower \\emph{transparency order} implying more resistance. However most cryptographically strong Boolean functions have been found to have high \\emph{transparency order}. Also it is a difficult problem to search for Boolean functions which are strong cryptographically, and yet have low \\emph{transparency order}, the total search space for $(n,n)$-bit Boolean functions being as large as $n2^{2^n}$. In this paper we characterize \\emph{transparency order} for various classes of Boolean functions by computing the upper and lower bounds of \\emph{transparency order} for both

even and odd numbers of variables. The transparency order is defined in terms of \\emph{diffusion} properties of the structures of Boolean functions namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of S-box for which bias of probability of S-box output bit deviates from the value of 0.5. The \\emph{transparency order} is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of \\emph{propagation characteristics}, \\emph{autocorrelation

spectra} of the S-box function $F$ is a more qualifying candidate in deciding the characteristics of \\emph{transparency order}. The relations developed to characterize \\emph{transparency order} aid in our constrained random generation and search of a class of

balanced $8\\times8$ S-boxes with \\emph{transparency order} upper bounded by 7.8, \\emph{nonlinearity} in range $(104,110)$ and \\emph{absolute indicator values} of \\emph{GAC}

in range $(48,88)$.