International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Algebraic Cryptanalysis of Wild McEliece Incognito, by Jean-Charles Faugère and Ayoub Otmani and Ludovic Perret and Frédéric de Portzamparc and Jean-Pierre Tillich

  A very popular trend in code-based cryptography is to decrease the

public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD),

or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact

public-key makes the key-recovery problem intrinsically much easier.

The gain on the public-key size induces an important security drop, which is as large as the compression factor $p$ on the public-key. The fundamental remark is that from the $k\\times n$ public generator matrix of a compact McEliece, one can construct a $k/p \\times n/p$ generator matrix which is -- from an attacker point of view -- as good as the initial public-key. We call this new smaller code the {\\it folded code}. Any key-recovery attack

can be deployed equivalently on this smaller generator matrix.

To mount the key-recovery in practice, we also improve the algebraic

technique of Faug\\`ere, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe

a so-called ``structural elimination\'\' which is a new algebraic manipulation which simplifies the key-recovery system.

As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature.

All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach.

In most cases, our attack takes few seconds (the harder case requires less than $2$ hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against r cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach

of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent

weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive

from the public key a much smaller public key corresponding to the folding of the original QM or QD code,

where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing

the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters.

21:17 [Pub][ePrint] Some Randomness Experiments on TRIVIUM, by Subhabrata Samajder and Palash Sarkar

  This paper develops two methods for exploring the structure of the stream cipher TRIVIUM.

We consider whether it is possible to compute the algebraic normal form (ANF) of such functions.

Since the key and the IV together make up 160 variables, doing this directly is not possible.

Instead, one can choose a subset of the key and IV variables of size $n$ and fix the other variables to constants.

As an application of this tool, we run some randomness experiments on the first output bit of TRIVIUM.

Three types of tests were conducted on full (and reduced) round TRIVIUM.

For the tests done, we fix a subset of $n$ key variables and vary the remaining $160 - n$ key and IV bit positions.

The first test tried to find polynomials which are non-random in some sense.

This is along the line of work done by Aumasson et. al. on their work on cube testers.

However, here we do not use any cube.

We try to find polynomials corresponding to the first output bit of TRIVIUM which are non-random.

Our experiments did reveal a number of polynomials which showed deviation from randomness.

The second test conducted checks the balancedness amongst the first $l$ output bits of TRIVIUM.

A proper statistical model for conducting such a test is proposed.

Tests results shows that the first $8$ output bits are unbalanced.

For the third test we consider $N$ random choices of the constant values keeping the $n$ key variables fixed.

A simple test of hypothesis is applied to detect possible non-randomness in the distributions.

Mostly, the results are negative.

In a few cases, the results seem to indicate the presence of possible non-randomness, though, nothing conclusive can be inferred from this test.

The symbolic computation tool developed here can conceivably be used for exploring other features of TRIVIUM.

Further, the idea behind the development of the tool can be used to build similar tools for other ciphers.

21:18 [Job][New] Professor in Cryptography (tenured) , Graz University of Technology, Austria, Europe


The Institute of Applied Information Processing, Faculty of Computer Science and Biomedical Engineering at Graz University of Technology is inviting applications for a tenured professor position in Cryptography.

We are looking for an excellent researcher and teacher who advances the design and analysis of modern cryptographic methods for security and privacy in relevant application areas. The applicant should reinforce or complement existing research strengths at Graz University of Technology.

The Institute for Applied Information Processing and Communications researches information security in a broad context. More than 50 researchers work in fields such as cryptography, e-identity, trusted computing, secure system architectures, RFID security, secure implementation of cryptographic algorithms, side-channel analysis, network security, privacy and formal methods for design and verification.

Graz University of Technology is committed to increasing the percentage of female scientists in teaching and research. Given applicants with equal qualifications, we give priority to women.

21:17 [Job][New] Tenure-Track Staff Member, CWI Amsterdam, NL, Europe

  CWI Amsterdam is looking for an excellent researcher in the area of cyber security, particularly the interface between mathematical cryptology and applied information security.

You have an excellent international research track record in cryptanalysis, with expertise in areas such as cryptographic hash functions, symmetric-key cryptography and side-channel attacks. Besides, you have broad scientific knowledge in cryptology, both in its theoretical, mathematical foundations as well as in its practical aspects, including design of algorithms, development of software, high-performance computing, industry standards and/or commercial products. You have a proven interest in applications of cryptology to practical information security (such as internet security) and you are willing to initiate or participate in research projects that relate to the Dutch cyber security policy.

As a researcher at CWI Amsterdam you are expected to perform fundamental and application-oriented research, to supervise Ph.D. students, to participate in or lead research projects together with other academic institutes or industry, and to acquire external funding. You are able to work as an independent researcher who can set his/her own research agenda, as demonstrated by previous post-doctoral work experience. You can connect to current research at CWI while at the same time bringing in substantial new expertise.

The Cryptology group operates on the interface between mathematics and computer science and

is currently focused on public-key cryptology, secure multi-party computation, quantum information theory and -cryptography, cryptanalysis and mathematical cryptology at large.

The group is affiliated with the Dutch mathematics research cluster “Discrete, Interactive and Algorithmic Mathematics, Algebra and Number Theory” (DIAMANT).

For more information about CWI, requirements, terms and conditions and how to apply, please vi

09:17 [Pub][ePrint] Expressive Attribute-Based Encryption with Constant-Size Ciphertexts from the Decisional Linear Assumption, by Katsuyuki Takashima

  We propose a key-policy attribute-based encryption (KP-ABE) scheme with constant-size ciphertexts, whose (selective) security is proven under the decisional linear (DLIN) assumption in the standard model. The access structure is expressive, that is given by non-monotone span programs. It also has fast decryption, i.e., a decryption includes only a constant number of pairing operations. As an application of our KP-ABE construction, we also propose a fully secure attribute-based signatures with constant-size secret (signing) key from the DLIN assumption. For achieving the above results, we employ a hierarchical reduction technique on dual pairing vector spaces (DPVS), where a high-level problem given on DPVS is used for proving the scheme security and then the security of the problem is reduced to that of the DLIN problem.

21:37 [Event][New] FDTC'14: Workshop on Fault Diagnosis and Tolerance in Cryptography 2014

  Submission: 23 May 2014
Notification: 27 June 2014
From September 23 to September 23
Location: Busan, Korea
More Information:

15:17 [Pub][ePrint] ChipWhisperer: An Open-Source Platform for Hardware Embedded Security Research, by Colin O\'Flynn and Zhizhang (David) Chen

  This paper introduces a complete side channel analysis toolbox, inclusive of the analog capture hardware, target device, capture software, and analysis software. The highly modular design allows use of the hardware and software with a variety of existing systems. The hardware uses a synchronous capture method which greatly reduces the required sample rate, while also reducing the data storage requirement, and improving synchronization of traces. The synchronous nature of the hardware lends itself to fault injection, and a module to generate glitches of programmable width is also provided. The entire design (hardware and software) is open-source, and maintained in a publicly available repository. Several long example capture traces are provided for researchers looking to evaluate standard cryptographic implementations.

15:17 [Pub][ePrint] Unified Oblivious-RAM: Improving Recursive ORAM with Locality and Pseudorandomness, by Ling Ren, Christopher Fletcher, Xiangyao Yu, Albert Kwon, Marten van Dijk, Srinivas Devadas

  Oblivious RAM (ORAM) is a cryptographic primitive that hides memory access patterns to untrusted storage. ORAM may be used in secure processors for encrypted computation and/or software protection. While recursive Path ORAM is currently the most practical ORAM for secure processors, it still incurs large performance and energy overhead and is the performance bottleneck of recently proposed secure processors.

In this paper, we propose two optimizations to recursive Path ORAM.

First, we identify a type of program locality in its operations to improve performance. Second, we use pseudorandom function to compress the position map. But applying these two techniques in recursive Path ORAM breaks ORAM security. To securely take advantage of the two ideas, we propose unified ORAM. Unified ORAM improves performance both asymptotically and empirically. Empirically, our experiments show that unified ORAM reduces data movement from ORAM by half and improves benchmark performance by 61% as compared to recursive Path ORAM.

15:17 [Pub][ePrint]


22:31 [Event][New]


22:30 [Event][New] Crypto: Crypto 2016 (tentative)

  From August 14 to August 18
Location: Santa Barbara, USA
More Information: