International Association for Cryptologic Research

IACR News Central


21:17 [Pub][ePrint] Analysis and Improvement of the Generic Higher-Order Masking Scheme of FSE 2012, by Arnab Roy and Srinivas Vivek

Masking is a well-known technique used to protect block cipher implementations from side-channel attacks. Higher-order side-channel attacks (e.g. higher-order DPA attacks) on widely used block ciphers like AES have motivated the design of efficient higher-order masking schemes. Indeed, it is known that as the masking order increases, the difficulty of a side-channel attack increases exponentially. However, the main problem in higher-order masking is to design an efficient and secure technique for S-box computations in block cipher implementations. At FSE 2012, Carlet et al. proposed a generic masking scheme that can be applied to any S-box at any order. This is the first generic scheme for efficient software implementations. Analysis of the running time, or masking complexity, of this scheme is related to a variant of the well-known problem of efficient exponentiation (addition chains), and to the evaluation of polynomials.

In this paper we investigate optimal methods for exponentiation in $\mathbb{F}_{2^{n}}$ by studying a variant of addition chain, which we call cyclotomic-class addition chain, or CC-addition chain. Among several interesting properties, we prove lower bounds on min-length CC-addition chains. We define the notion of an $\mathbb{F}_{2^{n}}$-polynomial chain, and use it to count the number of non-linear multiplications required while evaluating polynomials over $\mathbb{F}_{2^{n}}$. We also give a lower bound on the length of such a chain for any polynomial. As a consequence, we show that a lower bound for the masking complexity of the DES S-boxes is three, and that of the PRESENT S-box is two. We disprove a claim previously made by Carlet et al. regarding min-length CC-addition chains. Finally, we give a polynomial evaluation method, which results in an improved masking scheme (compared to the technique of Carlet et al.) for the DES S-boxes. As an illustration we apply this method to several other S-boxes and show significant improvement for them.

21:17 [Pub][ePrint] Using Bleichenbacher's Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA, by Elke De Mulder and Michael Hutter and Mark E. Marson and Peter Pearson

In this paper we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. We confirmed our attack by extracting the entire signing key using a 5-bit nonce leak from 4000 signatures.

21:17 [Pub][ePrint] STES: A Stream Cipher Based Low Cost Scheme for Securing Stored Data, by Debrup Chakraborty and Cuauhtemoc Mancillas-Lopez and Palash Sarkar

The problem of securing data present on USB memories and SD cards has not been adequately addressed in the cryptography literature. While the formal notion of a tweakable enciphering scheme (TES) is well accepted as the proper primitive for secure data storage, the real challenge is to design a low cost TES which can perform at the data rates of the targeted memory devices. In this work, we provide the first answer to this problem. Our solution, called STES, combines a stream cipher with an XOR universal hash function. The security of STES is rigorously analyzed in the usual manner of the provable security approach. By carefully defining appropriate variants of the multi-linear hash function and the pseudo-dot product based hash function we obtain controllable trade-offs between area and throughput. We combine the hash function with the recent hardware oriented stream ciphers, namely Mickey, Grain and Trivium. Our implementations are targeted towards two low cost FPGAs, Xilinx Spartan 3 and Lattice ICE40. Simulation results demonstrate that the speed of encryption/decryption matches the data rates of different USB and SD memories. We believe that our work opens up the possibility of actually putting FPGAs within controllers of such memories to perform low-level in-place encryption.

03:17 [Pub][ePrint] Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based, by Craig Gentry and Amit Sahai and Brent Waters

We describe a comparatively simple fully homomorphic encryption (FHE) scheme based on the learning with errors (LWE) problem. In previous LWE-based FHE schemes, multiplication is a complicated and expensive step involving "relinearization". In this work, we propose a new technique for building FHE schemes that we call the "approximate eigenvector" method. In our scheme, for the most part, homomorphic addition and multiplication are just matrix addition and multiplication. This makes our scheme both asymptotically faster and (we believe) easier to understand.

In previous schemes, the homomorphic evaluator needs to obtain the user's "evaluation key", which consists of a chain of encrypted secret keys. Our scheme has no evaluation key. The evaluator can do homomorphic operations without knowing the user's public key at all, except for some basic parameters. This fact helps us construct the first identity-based FHE scheme. Using similar techniques, we show how to compile a recent attribute-based encryption scheme for circuits by Gorbunov et al. into an attribute-based FHE scheme that permits data encrypted under the same index to be processed homomorphically.

21:14 [Event][New] Analyzing Animal Vocal Communication Sequences

Submission: 24 June 2013
From October 21 to October 23
Location: Knoxville, USA
More Information:

18:17 [Pub][ePrint] On the Security of the TLS Protocol: A Systematic Analysis, by Hugo Krawczyk and Kenneth G. Paterson and Hoeteck Wee

TLS is the most widely-used cryptographic protocol on the Internet. It comprises the TLS Handshake Protocol, responsible for authentication and key establishment, and the TLS Record Protocol, which takes care of subsequent use of those keys to protect bulk data. TLS has proved remarkably stubborn to analysis using the tools of modern cryptography. This is due in part to its complexity and its flexibility. In this paper, we present the most complete analysis to date of the TLS Handshake protocol and its application to data encryption (in the Record Protocol). We show how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol. The security notion we achieve is a variant of the ACCE notion recently introduced by Jager et al. (Crypto '12). Our approach enables us to analyse multiple different key establishment methods in a modular fashion, including the first proof of the most common deployment mode that is based on RSA PKCS #1v1.5 encryption, as well as Diffie-Hellman modes. Our results can be applied to settings where mutual authentication is provided and to the more common situation where only server authentication is applied.

09:30 [Conf][Crypto] Report on SAC 2012

The Conference on Selected Areas in Cryptography in 2012 (SAC 2012) was held at the University of Windsor, Windsor, Canada on August 15-16, 2012.

SAC 2012 received 87 submissions. Each submission was reviewed by at least three reviewers. 24 papers were selected for publication in the proceedings and the acceptance rate was 24/87 = 27.6%. Two invited talks were given by Vincent Rijmen (KU Leuven) and Ian Goldberg (University of Waterloo) on the topics "Extracts from the SHA-3 competition" and "Privacy Enhancing Technologies for the Internet", respectively.

A digital version of the pre-proceedings was provided to the 55 attendees. Revised versions of the accepted papers were published as LNCS 7707 by Springer. Most presentation slides for the technical sessions, including the invited talks, can be found on the conference website at

The program co-chairs were Lars R. Knudsen and Huapeng Wu, who wish to thank the sponsors of SAC 2012, including the Vice President (Research) Office, Faculty of Engineering, and the Department of Electrical and Computer Engineering, University of Windsor for their enthusiastic and generous support.

03:47 [Event][New] PQCrypto 2014: 6th International Conference on Post-Quantum Cryptography

From October 1 to October 3
Location: Waterloo, Canada
More Information:

16:48 [Conf][Crypto] Report on Crypto 2012

Crypto 2012 was held August 19-23 on the beautiful campus of the University of California, Santa Barbara. The Program Co-chairs were Rei Safavi-Naini and Ran Canetti, and the General Chair was Yiqun Lisa Yin.

A total of 225 papers were submitted, and 48 were accepted for publication, a record number for IACR flagship conferences. For the Best Paper Award, the PC overwhelmingly selected "Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks and Combinatorial Search Problems" by Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir.

There were two invited talks and one tutorial session at the conference. Professor Jonathan Zittrain from Harvard gave a talk entitled "The End of Crypto". Dr. Ernie Brickell from Intel spoke about "Recent Advances and Existing Research Questions in Platform Security". Professor Adam Smith from Penn State delivered a tutorial on "Pinning Down 'Privacy' in Statistical Databases". Dan Bernstein and Tanja Lange co-chaired yet another entertaining Rump Session. Almost all of the talks were video recorded. These videos, along with the authors' slides and full versions of the papers, are available on the conference program webpage.

Generous donations were given by five industry sponsors, Google, Microsoft Research, Qualcomm, RIM, and Voltage Security, as well as the Marconi Fund. In addition, the conference applied for and received special funding of $10,000 from the National Science Foundation (NSF). With all the financial support, stipends were offered to over 40 students, both domestic and international.

The Chairs of Crypto 2012 were very grateful for the wonderful work of Sally Vito and the UCSB conference services staff.

12:36 [Pub] IACR Publication Reform - Open Discussion

At the ePrint forum, there is currently a discussion going on about possible changes to the IACR publication system.
Some of the latest postings:
  • Assigning Papers to Talks (cbw)
  • Some issues + Counter proposal (Orr)
  • Change is needed, but slow change is important (lindell)
  • How to handle resubmissions? (ivandamgard)
  • Questions (nigel)
You can access the full text at the link given above.
In case you want to contribute, you need to request a login/password via the same link.

08:53 [Conf] Report on Inscrypt 2012

Inscrypt 2012, Nov. 28-30, 2012 in Beijing, China

The 8th China International Conference on Information Security and Cryptology was held at the Beijing International Convention Center, Nov. 28 - Nov. 30, 2012, Beijing, China. See for the web-site.

The program co-chairs were Miroslaw Kutylowski and Moti Yung, and the general chair was Dongdai Lin. Inscrypt 2012 received 73 submissions from 24 countries, and 23 were selected for presentation at the conference. These accepted papers, after revision, appeared in the conference post-proceedings, which were published as Lecture Notes in Computer Science vol. 7763.

Two invited talks were given by Jung Hee Cheon (Seoul National University) and Goichiro Hanaoka (AIST) on the topics "Open Questions for the Discrete Logarithm" and "Toward Shorter Ciphertext in ElGamal-type CCA-secure Public Key Encryption", respectively. Additionally, the conference featured two tutorials given by Junfeng Fan (KU Leuven) and Miroslaw Kutylowski (Wroclaw University of Technology) on the topics "Cryptographic hardware: design for low power, low area and security against physical attacks" and "Electronic Personal Identity Documents", respectively.

The conference banquet was a traditional Chinese one, with Chinese rice wine (Baijiu) served. The registration fee was 450 USD for regular attendees and 350 USD for full-time students. About 90 attendees enjoyed the 3-day conference sessions and Beijing in winter.