International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

18:17 [Pub][ePrint] Squaring Algorithms with Delayed Carry Method and Efficient Parallelization, by Vladislav Kovtun and Andrew Okhrimenko

  Increasing amounts of information that needs to be protecting put in claims specific requirements for information security systems. The main goal of this paper is to find ways to increase performance of cryptographic transformation with public key by increasing performance of integers squaring. Authors use delayed carry mechanism and approaches of effective parallelization for Comba multiplication algorithm, which was previously proposing by authors. They use the idea of carries accumulation by addition products of multiplying the relevant machine words in columns. As a result, it became possible to perform addition of such products in the column independently of each other. However, independent accumulation of products and carries require correction of the intermediate results to account for the accumulated carries. Due to the independence of accumulation in the columns, it became possible to parallelize the process of products accumulation that allowed formulating several approaches. In this paper received theoretical estimates of the computational complexity for proposed squaring algorithms. Software implementations of algorithms in C++ allowed receiving practical results of the performance, which are not contrary to theoretical estimates. The authors first proposed applying the method of delayed carry and parallelization techniques for squaring algorithms, which was previously proposing for integer multiplication.

18:17 [Pub][ePrint] Attack On the Markov Problem, by James L. Adams

  In 2000 Ko gave potential hard problem is proposed called the Markov

problem. We give an algorithm, for certain parameters, for solution of the Markov problem. The Markov problem is related to the knot recognition problem. Hence we also a new algorithm the knot recognition problem. This knot recognition algorithm may be used for previously proposed cryptosystem that uses knots.

18:17 [Pub][ePrint] Implementation and improvement of the Partial Sum Attack on 6-round AES, by Francesco Aldà and Riccardo Aragona and Lorenzo Nicolodi and Massimiliano Sala

  The Partial Sum Attack is one of the most powerful attacks developed in the last 15

years against reduced-round versions of AES. We introduce a slight improvement to

the basic attack which lowers the number of chosen plaintexts needed to successfully

mount it. Our version of the attack on 6-round AES can be carried out completely

in practice, as we demonstrate providing a full implementation. We also detail the

structure of our implementation, showing the performances we achieve.

18:17 [Pub][ePrint] A Forgery Attack against PANDA-s, by Yu Sasaki and Lei Wang

  \\panda~is an authenticated encryption scheme designed by Ye {\\it et al.}, and submitted to the CAESAR competition.

The designers claim that \\pandas, which is one of the designs of the \\panda-family, provides 128-bit security in the nonce misuse model.

In this note, we describe our forgery attack against \\pandas.

Our attack works in the nonce misuse model.

It exploits the fact that the message processing function and the finalization function are identical,

and thus a variant of the length-extension attack can be applied.

We can find a tag for a pre-specified formatted message with 2 encryption oracle calls, $2^{64}$ computational cost, and negligible memory.

18:17 [Pub][ePrint] A Practical Universal Forgery Attack against PAES-8, by Yu Sasaki and Lei Wang

  \\paes~is an authenticated encryption scheme designed by Ye {\\it et al.},

and submitted to the CAESAR competition.

The designers claim that \\paese, which is one of the designs of the \\paes-family,

provides 128-bit security in the nonce misuse model.

In this note, we show our forgery attack against \\paese.

Our attack works in the nonce misuse model.

The attack exploits the slow propagation of message differences.

The attack is very close to the universal forgery attack.

As long as the target message is not too short, {\\it e.g.} more than 10 blocks (160 bytes),

a tag is forged only with $2^{11}$ encryption oracle calls, $2^{11}$ computational cost, and negligible memory.

18:13 [Job][New] Doctoral Students (and Post-Doc), Technische Universität Darmstadt, Germany

  The research group Computer Algebra and Cryptography at TU Darmstadt headed by Prof. Buchmann is looking for doctoral students. TU Darmstadt is a partner in the Center for Advanced Security Research Darmstadt CASED, one of the internationally leading research institutions in cyber security. The successful candidate will greatly benefit from the excellent CASED research environment.

The applicants are expected to hold a master degree in computer science, mathematics, or a related area and to have a background in cryptography.

(1) We look for a doctoral student in the area of lattice-based cryptography at the earliest possible date. Lattice-based cryptography is a very promising direction in cryptography offering both (presumably) quantum immunity and additional features, e.g., fully homomorphic encryption. We are interested in both cryptanalysis (the concrete hardness of lattice problems) and the construction of provably secure and practical lattice-based schemes.

Previous experience in algebra, number theory, the geometry of numbers, and/or lattice-based cryptography is advantageous. The successful candidate will work in a research team of several doctoral students led by Dr. Özgür Dagdelen.

Please send your application to lattice-position (at)

(2) We offer a three-year position (doctoral student or postdoc) in a research project funded by the German Science Foundation DFG. The goal of this project is to integrate the hash-based signature scheme XMSS, invented in Darmstadt, into crypto-based security solutions such as SSL/TLS, HTTPS, S/MIME in collaboration with the company Genua mbH in Kirchheim.

Postdocs are also encouraged to apply here. Previous experience in the area of the project is advantageous. The successful candidate will work in a research team dealing with cryptography and crypto-based security solutions.

Please send your application to ha

17:17 [Event][New] RFIDsec'14 Asia: 2014 Workshop on RFID Security

  Submission: 6 July 2014
Notification: 6 August 2014
From November 27 to November 28
Location: Hualien, Taiwan
More Information:

17:15 [Job][New] Post-Doc, University of Versailles-St-Quentin-en-Yvelines, France

  The UVSQ-Continental \\\"High Tech Low Cost\\\" Industrial Chair ( offers a full-time position for a postdoctoral researcher in Applied Cryptography

The project is related to automotive cyber security threats, vulnerabilities, and risk mitigation/countermeasures. More specifically, the overall goal will be to analyze, develop and improve cryptographic algorithms and protocols for in-vehicle embedded device.

The position is available immediately, with an internationally competitive salary. The starting date is negotiable. The initial contract can be offered until December 31st, 2014, with the perspective of an extension.

There are no teaching obligations.

The successful candidate must have a Master\\\'s degree (or an equivalent degree) in Computer Science, Mathematics, or a related discipline, and have completed, or be near completion of a PhD degree in cryptography. Good English skills are expected; knowledge of French is not required.

Applications will be considered until the position is filled.

21:17 [Pub][ePrint] Offline Dictionary Attack on Password Authentication Schemes using Smart Cards, by Ding Wang and Ping Wang

  The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals in this area, namely, Hsieh-Leu\'s scheme and Wang\'s PSCAV scheme. We demonstrate that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim\'s password when getting temporary access to the victim\'s smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang\'s original protocol security model, reveals a new and realistic attacking scenario and gives rise to the strongest adversary model so far (Note that Wang\'s PSCAV scheme is secure within its own but weak security model). In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

21:17 [Pub][ePrint] A Little Honesty Goes a Long Way: The Two-Tier Model for Secure Multiparty Computation, by Juan A. Garay and Ran Gelles and David S. Johnson and Aggelos Kiayias and Moti Yung

  Secure multiparty computation (MPC) as a service is becoming a tangible reality. In such a service, a population of clients wish to utilize a set of servers to delegate privately and reliably a given computation on their inputs. MPC protocols have a number of desired properties including tolerating active misbehavior by some of the servers and guaranteed output delivery. A fundamental result is that in order to achieve the above, an honest majority among servers is necessary. There are settings, however, where this condition might be

overly restrictive, making it important to investigate models where this impossibility result can be circumvented, allowing secure computation to be performed even when the number of malicious participants outweighs the number of honest participants.

To this end, we introduce the two-tier model for MPC, where a set of $m$ parties that are guaranteed to be honest (the first tier) remains \"hidden\" within a set of $n-m$ servers which are of dubious trustworthiness (the second tier), and where the objective is to perform MPC withstanding a number of active misbehaviors that is larger than $m/2$. Indeed, assuming $\\alpha n$ of the second-tier servers are dishonest (where $\\alpha\\in (0,1)$), we present an MPC protocol that can withstand up to $(1-\\epsilon)(1-\\alpha)n/2$ additional faults, for any $\\epsilon>0$ and $m = \\omega(\\log n)$. Somewhat surprisingly, this allows the total number of faulty parties to exceed $n/2$ across both tiers.

We demonstrate that the two-tier model naturally arises in various settings, as in the case, for example, of a resource-constrained service provider wishing to utilize a pre-existing set of servers.

21:17 [Pub][ePrint] Algebraic Cryptanalysis of Wild McEliece Incognito, by Jean-Charles Faugère and Ayoub Otmani and Ludovic Perret and Frédéric de Portzamparc and Jean-Pierre Tillich

  A very popular trend in code-based cryptography is to decrease the

public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic (QC), quasi-dyadic (QD),

or quasi-monoidic (QM) matrices. We show that the very same reason which allows to construct a compact

public-key makes the key-recovery problem intrinsically much easier.

The gain on the public-key size induces an important security drop, which is as large as the compression factor $p$ on the public-key. The fundamental remark is that from the $k\\times n$ public generator matrix of a compact McEliece, one can construct a $k/p \\times n/p$ generator matrix which is -- from an attacker point of view -- as good as the initial public-key. We call this new smaller code the {\\it folded code}. Any key-recovery attack

can be deployed equivalently on this smaller generator matrix.

To mount the key-recovery in practice, we also improve the algebraic

technique of Faug\\`ere, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing to include codes defined over any prime field in the scope of our attack. We describe

a so-called ``structural elimination\'\' which is a new algebraic manipulation which simplifies the key-recovery system.

As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature.

All the parameters of CFS-signatures based on QD/QM codes that have been proposed can be broken by this approach.

In most cases, our attack takes few seconds (the harder case requires less than $2$ hours). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against r cryptographic challenges proposed for QD and QM encryption schemes, but there are still some parameters that have been proposed which are out of reach

of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent

weakness arising from Goppa codes with QM or QD symmetries. It is possible to derive

from the public key a much smaller public key corresponding to the folding of the original QM or QD code,

where the reduction factor of the code length is precisely the order of the QM or QD group used for reducing

the key size. To summarize, the security of such schemes are not relying on the bigger compact public matrix but on the small folded code which can be efficiently broken in practice with an algebraic attack for a large set of parameters.