International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-12-05
05:53 [Event][New]

Submission: 15 February 2013
Notification: 12 April 2013
From July 1 to July 3
Location: Brisbane, Australia

05:52 [Job][Update]

The Department of Computer and Information Security at Sejong University is looking for an Assistant Professor, starting in March 2013. Applicants must have a Ph.D. in computer science, computer engineering, or applied mathematics and must have research experiences in one of the followings: computer network and system security, software security, information security or cryptography.

The successful candidate will be responsible for the followings: teaching at least 5 courses a year at both the undergraduate and graduate level, student consulting, research, and other professional services.

Candidates with strong research background in the area of security andcryptography are encouraged to apply.

05:50 [Job][New]

The Department of Computer and Information Security at Sejong

University is looking for an Assistant Professor, starting in March

2013. Applicants must have a Ph.D. in computer science, computer

engineering, or applied mathematics and must have research experiences

in one of the followings: computer network and system security,

software security, information security or cryptography.

The successful candidate will be responsible for the followings:

teaching at least 5 courses a year at both the undergraduate and

graduate level, student consulting, research, and other professional

services.

Candidates with strong research background in the area of security and

cryptography are encouraged to apply.

2012-12-04
09:14 [Job][New]

The Department of Mathematical Sciences at Florida Atlantic University is seeking an Assistant Professor, starting in August 2013 to extend FAU\'s program in cryptology and information security. Florida Atlantic University has been designated a National Center of Academic Excellence in Information Assurance Research by NSA and the Department of Homeland Security. Applicants must possess a Ph.D. in mathematics or in a closely related area and an established research record in cryptology or information security. Responsibilities for this position include teaching at both the undergraduate and graduate level, research, and professional service. A successful candidate is expected to direct research at the graduate level.

The salary range is $60K -$70K. For additional information about the position, please contact us by email at search (at) math.fau.edu. Reviewing of applications will begin on January 15, 2013. The position will remain open until filled.

All applicants must complete the Faculty, Administrative, Managerial & Professional Position Application form available online through the Office of Human Resources at https://jobs.fau.edu. Please upload a letter of application, curriculum vitae, list of publications, and separate teaching and research statements in which you discuss your teaching philosophy and research aspirations.

Have three reference letters sent by email to spyros (at) fau.edu, Prof. Spyros S. Magliveras, Hiring Committee Chair, Mathematical Sciences Dept., Florida Atlantic University.

A background check will be required for the candidate selected for this position.

Florida Atlantic University is an Equal Opportunity/Equal Access Institution.

2012-12-01
01:17 [Pub][ePrint]

Implementation attacks pose a serious threat for the security of cryptographic devices and there are a multitude of countermeasures that are used to prevent them. Two countermeasures used in implementations of block ciphers to increase the complexity of such attacks are the use of dummy rounds and redundant computation with consistency checks to prevent fault attacks. In this paper we present several countermeasures based on the idea of infective computation. Our countermeasures ensure that a fault injected into a cipher, dummy, or redundant round will infect the ciphertext such that an attacker cannot derive any information on the secret key being used. This has one clear advantage: the propagation of faults prevents an attacker from being able to conduct any fault analysis on any corrupted ciphertexts. As a consequence, there is no need for any test at the end of an implementation to determine if a fault has been injected and a ciphertext can always be returned.

2012-11-30
16:17 [Pub][ePrint]

These are basically the lecture notes for the short course \"Applications of Combinatorics to Information-Theoretic Cryptography\", Central European University, Budapest, May-June 2012. With the objective of covering a full course on secret sharing, additional content will be added in subsequent versions of these lecture notes.

16:17 [Pub][ePrint]

We investigate a lattice construction method for the Coppersmith technique

for finding small solutions of a modular equation.

We consider its variant for simultaneous equations

and propose a method to construct a lattice

by combining lattices for solving single equations.

As applications,

we consider

(i) a new RSA cryptanalysis for multiple short secret exponents,

(ii) its partial key exposure situation,

and (iii) investigating the hardness of finding a certain amount of LSBs of the RSA secret exponent.

More precisely,

our algorithm can factor an RSA modulus from $\\ell \\ge 2$ pairs of RSA public exponents with the common modulus

corresponding to secret exponents smaller than $N^{(9\\ell -5)/(12\\ell + 4)}$,

which improves on the previously best known result $N^{(3\\ell-1)/(4\\ell+4)}$ by Sarkar and Maitra \\cite{SM10a,SM10b}.

For partial key exposure situation,

we also can factor the modulus if

$\\beta - \\delta/2 + 1/4 < (3\\ell-1)(3\\ell + 1)$,

where $\\beta$ and $\\delta$ are bit-lengths $/n$ of the secret exponent and its exposed LSBs,

respectively.

Particularly, letting $\\beta=1$, which means that the secret exponent is full-sized,

the necessary amount of exposed bits is $[5/2 - 2(3\\ell -1)/(3\\ell +1)]n$, which is less than $n$ for $\\ell \\ge 3$.

Suppose we have an algorithm that recovers the above amount of $d$ from $e$ and $N$ satisfying $e\\approx N$.

We showed that $N$ can be factored

in polynomial time in $\\log N$ under a heuristic assumption that the Coppersmith technique works.

When $\\ell$ becomes large, the necessary amount becomes $0.5 n$ bits.

Hence, we conclude that recovering the lower half of LSBs of $d$ is polynomial time equivalent to the factoring

under the heuristic assumption.

From the last result,

we propose {\\it a half-amount conjecture}

that roughly, factoring RSA modulus is polynomial-time equivalent to

any continued bits of secret information such as $p,q,d,p+q$ and $p-q$

(or $d_p$ and $d_q$ for RSA-CRT).

It is supported from several results, e.g.,

Coppersmith \\cite{Co96b} shows that recovering the upper half of $p$ is equivalent to factoring.

16:17 [Pub][ePrint]

In this paper we present a rather new approach to apply mixed-integer optimization to the cryptanalysis of cryptographic primitives. We focus on the stream cipher Trivium, that has been recommended by the eSTREAM stream cipher project, and the lightweight block cipher Ktantan. Using these examples we explain how the problem of solving a non-linear multivariate Boolean equation system can be formulated as a mixed-integer linear programming problem. Our main focus is the formulation of the mixed-integer programming model (MIP model), which includes amongst others the choice of a conversion method to convert the Boolean equations into equations over the reals, different guessing strategies and the selection of binary variables. We apply the commercial solver Cplex to our problems. The results and further possible features of the approach are discussed.

16:17 [Pub][ePrint]

Recently, several important block ciphers are considered to

be broken by the bruteforce-like cryptanalysis, with a time complexity

faster than exhaustive key search by going over the entire key space but performing less than a full encryption for each possible key. Motivated by this observation, we describe a meet-in-the-middle attack that can always be successfully mounted against any practical block ciphers with success probability one. The data complexity of this attack is the smallest according to the unicity distance. The time complexity can be written as $2^k(1-\\epsilon)$ where $\\epsilon > 0$ for all block ciphers. Previously, the security bound that is commonly accepted is the length k of the given master key. From our result we point out that actually this k-bit security is always overestimated and can never be reached due to the inevitable key bits loss. No amount of clever design can prevent it, but increments of the number of rounds can reduce this key loss as much as possible. We give more insight in the problem of the upper bound of eective key bits in block ciphers, and show a more accurate bound. A suggestion about the relation between the key size and block size is given. That is, when the number of rounds is xed, it is better to take a key size equal to the block size. Moreover, eective key bits of many well-known block ciphers are calculated and analyzed, which also conrm their lower security margin than thought before.

2012-11-29
10:17 [Pub][ePrint]

We revisit the notions of robustness introduced by Abdalla, Bellare, and Neven (TCC 2010). One of the main motivations for the introduction of strong robustness for public-key encryption (PKE) by Abdalla et al. to prevent certain types of attack on Sako\'s auction protocol. We show, perhaps surprisingly, that Sako\'s protocol is still vulnerable to attacks exploiting robustness problems in the underlying PKE scheme, even when it is instantiated with a \\emph{strongly} robust scheme. This demonstrates that current notions of robustness are insufficient even for one of its most natural applications. To address this and other limitations in existing notions, we introduce a series of new robustness notions for PKE and explore their relationships. In particular, we introduce \\emph{complete} robustness, our strongest new notion of robustness, and give a number of constructions for completely robust PKE schemes.

08:12 [Event][New]

Submission: 20 March 2013
Notification: 20 April 2013
From May 9 to May 10
Location: Konya, Turkey