International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

19:17 [Pub][ePrint] A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems, by Alain Couvreur and Irene Márquez-Corbella and Ruud Pellikaan

  We give a polynomial time attack on the McEliece public key cryptosystem based on algebraic geometry codes. Roughly speaking, this attacks runs in $O(n^4)$ operations in $\\mathbb F_q$, where $n$ denotes the code length. Compared to previous attacks, allows to recover a decoding algorithm for the public key even for codes from high genus curves.

13:17 [Pub][ePrint] Cuckoo Cycle; a memory-hard proof-of-work system, by John Tromp

  we propose an elegant memory-hard proof-of-work system based on cuckoo hashing

04:48 [PhD][New] Claude Carlet

  Name: Claude Carlet

04:47 [PhD][New] Abdelaziz Elaabid: Side channel attacks: advanced experimentations on template attacks

  Name: Abdelaziz Elaabid
Topic: Side channel attacks: advanced experimentations on template attacks
Category: secret-key cryptography

Description: In the 90\'s, the emergence of new cryptanalysis methods revolutionized the security of cryptographic devices. These attacks are based on power consumption analysis, when the microprocessor is running the cryptographic algorithm. Especially, we analyse in this thesis some properties of the template attack, with examples from attacks against an unprotected ASIC implementation. We point out that the efficiency of template attacks can be unleashed by using a relevent power model, and we provide some practical improvements by the use of different signal processing techniques. Furthermore, we investigate the relevance of the theoretical framework on profiled SCAs presented by F.-X. Standaert et al. at Eurocrypt 2009. The analyse consists in a case-study based on side-channel measurements acquired experimentally from a hardwired cryptographic accelerator. Therefore, with respect to previous formal analyses carried out on software measurements or on simulated data, the investigations we describe are more complex, due to the underlying chip\'s architecture and to the large amount of algorithmic noise.In this context, we explore the appropriateness of different choices for the sensitive variables, and we show that a skilled attacker aware of the register transfers occurring during the cryptographic operations can select the most adequate distinguisher, thus increasing its success rate. The principal component analysis (PCA) is used to represent the templates in some dimensions, and we give a physical interpretation of the templates eigenvalues and eigenvectors. We introduce a method based on the thresholding of leakage data to accelerate the profiling or the matching stages. This method empowers an attacker, in that it saves traces when converging towards correct values of the secret. Concretely, we demonstrate a 5 times speed-up in the on-line phase of the attack. Also, it has been underlined that the various samples garnered during the same acquisition can carry complement[...]

04:47 [PhD][Update]


14:48 [Job][New] Postdoc in Cryptology, Technical University of Denmark, DTU

  Department of Applied Mathematics and Computer Science, Technical University of Denmark, would like to invite applications for a Postdoc position of 18 months, starting 1 April 2014 or soon thereafter. The topic of the project is lightweight cryptology, which regards scenarios involving strongly resource-constrained devices.

Candidates for the position should have a solid background in hardware design and automation and be able to work on the physical constraints and optimization of the hardware implementations or, alternatively, we will consider candidates with a strong cryptanalytic and mathematical background who are able to analyse the security of ciphers to be designed.

14:44 [Job][New] Post-Doc in Applied Cryptography, University of Trier, Germany

  The Chair for Information Security and Cryptography at the University of Trier, Germany, offers

a full-time position for a postdoctoral researcher

in a project funded by the German Research Foundation (DFG). The goal of the project is to develop methods for the modular analysis of real-world cryptographic protocols, such as TLS, SSH, WPA2, etc., based on the approach of universal composability, and to apply the developed methods to such protocols.

The position is available immediately, with an internationally competitive salary. The starting date is negotiable. Contracts can initially be offered for up to three years, with the perspective of an extension.

There are no teaching obligations.

The successful candidate must have a Master`s degree (or an equivalent degree) in Computer Science, Mathematics, or a related discipline, and have completed, or be near completion of a PhD degree relevant to the research area of the project. You should have a proven high level of analytical capability and mathematical skills. Good English skills are expected; knowledge of German is not required.

Applications will be considered until the position is filled.

10:17 [Pub][ePrint] Cryptanalysis of FIDES, by Itai Dinur and Jérémy Jean

  FIDES is a lightweight authenticated cipher, presented at CHES 2013.

The cipher has two version, providing either 80-bit or 96-bit

security. In this paper, we describe internal state-recovery attacks

on both versions of FIDES, and show that once we recover the internal

state, we can use it to immediately forge any message. Our attacks are

based on a guess-and-determine algorithm, exploiting the slow

diffusion of the internal linear transformation of FIDES. Our most

basic attacks have time complexities of 2^{75} and 2^{90} for FIDES-80

and FIDES-96, respectively, use a very small amount of memory, and

their most distinctive feature is their very low data complexity: the

attacks require at most 24 bytes of an arbitrary plaintext and its

corresponding ciphertext, in order to break the cipher with

probability 1. In addition to the basic attacks, we describe optimized

attacks which exploit additional data in order to reduce the time

complexities to 2^{73} and 2^{88} for FIDES-80 and FIDES-96,


01:17 [Pub][ePrint] Computing Discrete Logarithms in F_{3^{6*137}} using Magma , by Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodríguez-Henríquez

  We show that a Magma implementation of Joux\'s new L[1/4] algorithm

can be used to compute discrete logarithms in the 1303-bit finite field

F_{3^{6*137}} with very modest computational resources.

Our implementation illustrates the effectiveness of Joux\'s algorithm

for computing discrete logarithms in small-characteristic finite

fields which are not Kummer or twisted-Kummer extensions.

22:17 [Pub][ePrint] Masking and Leakage-Resilient Primitives: One, the Other(s) or Both?, by Sonia Belaïd, and Vincent Grosso and François-Xavier Standaert

  Securing cryptographic implementations against side-channel attacks is one of the most important challenges in modern cryptography. Many countermeasures have been introduced for this purpose, and analyzed in specialized security models. Formal solutions have also been proposed to extend the guarantees of provable security to physically observable devices. Masking and leakage-resilient cryptography are probably the most investigated and best understood representatives of these two approaches. Unfortunately, claims whether one, the other or their combination provides better security at lower cost remained vague so far. In this paper, we provide the first comprehensive treatment of this important problem. For this purpose, we analyze whether cryptographic implementations can be security-bounded, in the sense that the time complexity of the best side-channel attack is lower-bounded, independent of the number of measurements performed. Doing so, we first put forward a significant difference between stateful primitives such as leakage-resilient PRGs (that easily ensure bounded security), and stateless ones such as leakage-resilient PRFs (that hardly do). We then show that in practice, leakage-resilience alone provides the best security vs. performance tradeoff when bounded security is achievable, while masking alone is the solution of choice otherwise. That is, we highlight that~one (x)or the other approach should be privileged, which contradicts the usual intuition that physical security is best obtained by combining countermeasures.

Besides, our experimental results underline that despite defined in exactly the same way, the bounded leakage requirement in leakage-resilient PRGs and PRFs imply significantly different challenges for hardware designers. Namely, such a bounded leakage is much harder to guarantee for stateless primitives (like PRFs) than for statefull ones (like PRGs). As a result, constructions of leakage-resilient PRGs and PRFs proven under the same bounded leakage assumption, and instantiated with the same AES implementation, may lead to different practical security levels.

22:17 [Pub][ePrint] The Fourier Entropy-Influence conjecture holds for a log-density 1 class of cryptographic Boolean functions, by Sugata Gangopadhyay and Pantelimon Stanica

  We consider the Fourier Entropy-Influence (FEI) conjecture in the context of cryptographic Boolean functions. We show that the FEI conjecture is true for the functions satisfying the strict avalanche criterion, which forms a subset of asymptotic log--density~$1$ in the set of all Boolean functions. Further, we prove that the FEI conjecture is satisfied for plateaued Boolean functions, monomial algebraic normal form (with the best involved constant), direct sums, as well as concatenations of Boolean functions. As a simple consequence of these general results we find that each affine equivalence class of quadratic Boolean functions contains at least one function satisfying the FEI conjecture. Further, we propose some ``leveled\'\' FEI conjectures.