International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:08 [Job][New] Post-Doc, EPFL, Switzerland

  The Laboratory for Security and Cryptography (LASEC) at EPFL is hiring a post doctoral researcher. Applicants are encouraged to apply to job_lasec (at) by sending a detailed CV and a research plan.

LASEC is active in research on cryptography and security. More specifically, our main interests currently span (but are not limited to) the following:

  • hardware implementation and embedded systems,

  • homomorphic and functional encryption,

  • provable security.

We strongly encourage the application by researchers who have proved

excellence in one of these domains.

The selection of applicants will be made on a competitive basis.

Besides conducting top-quality research, postdocs are required to

participate the the lab activities such as training students at all levels,

running projects, fund raising, etc.

EPFL is a top-ranked research and teaching institution that attracts

some of the best intellects in the world. EPFL offers excellent

facilities, environment, and salaries. EPFL\\\'s campus is a multi

cultural, idyllic spot overlooking Lake Geneva and facing the Alps.

Information about EPFL:

08:54 [Job][New] 3 Phd Students in Trustworthy Hardware/Hardware Security, New York University Polytechnic School of Engineering, USA, North America

  3 PhD Fellowships in the area of hardware Security. A strong background in VLSI Design, Nano-electronics. VLSI Testing, Reliability, Security. Highly competitive, 4-year guaranteed fellowships are available.

19:17 [Pub][ePrint] Automatic Search for Differential Trails in ARX Ciphers (Extended Version), by Alex Biryukov and Vesselin Velichkov

  We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui\'s algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui\'s algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13 round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations. The source code of the tool is publicly available as part of a larger toolkit for the analysis of ARX at the following address: .

16:17 [Pub][ePrint] Detecting Hidden Leakages, by Amir Moradi and Sylvain Guilley and Annelie Heuser

  Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).

16:17 [Pub][ePrint] A Study of Goldbach\'s conjecture and Polignac\'s conjecture equivalence issues, by Jian Ye and Chenglian Liu

  The famous Goldbach\'s conjecture and Polignac\'s conjecture are two of all unsolved problems in the field of number theory today. As well known, the Goldbach\'s conjecture and the Polignac\'s conjecture are equivalent. Most of the literatures does not introduce about internal equivalence in Polignac\'s conjecture. In this paper, we would like to discuss the internal equivalence to the Polignac\'s conjecture, say $T_{2k}(x)$ and $T(x)$ are equivalent. Since $T_{2k}\\sim T(x)\\sim 2c\\cdot \\frac{x}{(\\ln x)^{2}}$, we rewrite and re-express to $T(x)\\sim T_{4}(x)\\sim T_{8}(x)\\sim T_{16}(x)\\sim T_{32}(x)\\sim T_{2^{n}}(x)\\sim 2c\\cdot \\frac{x}{(\\ln x)^{2}}$. And then connected with the Goldbach\'s conjecture. Finally, we will point out the important prime number symmetry role of play in these two conjectures.

16:17 [Pub][ePrint] A generic view on trace-and-revoke broadcast encryption schemes, by Dennis Hofheinz and Christoph Striecks

  At Eurocrypt 2011, Wee presented a generalization of threshold public key encryption, threshold signatures, and revocation schemes arising from threshold extractable hash proof systems. In particular, he gave instances of his generic revocation scheme from the DDH assumption (which led to the Naor-Pinkas revocation scheme), and from the factoring assumption (which led to a new revocation scheme). We expand on Wee\'s work in two directions:

(a) We propose threshold extractable hash proof instantiations from the \"Extended Decisional Diffie-Hellman\" (EDDH) assumption due to Hemenway and Ostrovsky (PKC 2012). This in particular yields EDDH-based variants of threshold public key encryption, threshold signatures, and revocation schemes. In detail, this yields a DCR-based revocation scheme.

(b) We show that our EDDH-based revocation scheme allows for a mild form of traitor tracing (and, thus, yields a new trace-and-revoke scheme). In particular, compared to Wee\'s factoring-based scheme, our DCR-based scheme has the advantage that it allows to trace traitors.

16:17 [Pub][ePrint] How to Keep a Secret: Leakage Deterring Public-key Cryptography, by Aggelos Kiayias and Qiang Tang

  How is it possible to prevent the sharing of cryptographic

functions? This question appears to be fundamentally hard to address

since in this setting the owner of the key {\\em is} the adversary:

she wishes to share a program or device that (potentially only

partly) implements her main cryptographic functionality. Given that

she possesses the cryptographic key, it is impossible for her to be

{\\em prevented} from writing code or building a device that uses

that key. She may though be {\\em deterred} from doing so.

We introduce {\\em leakage-deterring} public-key cryptographic

primitives to address this problem. Such primitives have the feature

of enabling the embedding of owner-specific private data into the

owner\'s public-key so that given access to {\\em any} (even

partially functional) implementation of the primitive, the recovery

of the data can be facilitated. We formalize the notion of

leakage-deterring in the context of encryption, signature, and

identification and we provide efficient generic constructions that

facilitate the recoverability of the hidden data while retaining

privacy as long as no sharing takes place.

16:17 [Pub][ePrint] A new attack on RSA with a composed decryption exponent, by Abderrahmane Nitaj and Mohamed Ould Douh

  In this paper, we consider an RSA modulus $N=pq$, where the prime factors $p$, $q$ are of the same size. We present an attack on RSA when the decryption exponent $d$ is in the form $d=Md_1+d_0$ where $M$ is a given positive integer and $d_1$ and $d_0$ are two suitably small unknown integers. In 1999, Boneh and Durfee~\\cite{BODU} presented an attack on RSA when $d

16:17 [Pub][ePrint] Ultralightweight cryptography for passive RFID system, by Umar Mujahid, M.Najam-ul-islam, Jameel Ahmed

  RFID (Radio Frequency Identification) is one of the most growing technologies among the pervasive systems. Non line of sight capability makes RFID systems much faster than its other contending systems such as barcodes and magnetic taps etc. But there are some allied security apprehensions with RFID systems. RFID security has been acquired a lot of attention in last few years as evinced by the large number of publications (over 2000).

In this paper, a brief survey of eminent ultralightweight authentication protocols has been presented & then a four-layer security model, which comprises of various passive and active attacks, has been proposed. Cryptanalysis of these protocols has also been performed under the implications of the proposed security model

16:17 [Pub][ePrint] Weakness of Several Identity-based Tripartite Authenticated Key Agreement Protocols, by Xi-Jun Lin and Lin Sun

  Key agreement allows multi-parties exchanging public information to create a common secret key that is known only to those entities over an insecure network. In recent years, several identity-based authenticated key agreement protocols have been proposed. In this study, we analyze three identity-based tripartite authenticated key agreement protocols.

After the analysis, we found that these protocols do not possess the desirable security attributes.

16:17 [Pub][ePrint] Pushing the Limit of Non-Profiling DPA using Multivariate Leakage Model, by Suvadeep Hajra and Debdeep Mukhopadhyay

  Profiling power attacks like Template attack and Stochastic attack optimize their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling Differential Power Analysis (DPA) attacks, since integration of the leakage of a higher SNR sample point with the leakage of lower SNR sample point might result in a decrease in the overall performance. One of the few successful multivariate approaches is the application of Principal Component Analysis (PCA) for non-profiling DPA. However, PCA also performs sub-optimally in the presence of high noise. In this paper, a multivariate model for an FPGA platform is introduced for improving the performances of non-profiling DPA attacks. The introduction of the proposed model

greatly increases the success rate of DPA attacks in the presence of high noise. The experimental results on both simulated power traces and real power traces are also provided as an evidence.