International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

10:17 [Pub][ePrint] Automated Dynamic Cube Attack on Block Ciphers: Cryptanalysis of SIMON and KATAN, by Zahra Ahmadian and Sahram Rasoolzadeh and Mahmoud Salmasizadeh and Mohammad Reza Aref

  A few work has ever been performed in cryptanalysis of block ciphers using cube attacks. This paper presents a new framework for an efficient key recovery attack on block ciphers based on cube technique. In this method, a cube tester is positioned at the middle of the cipher which is extended in two directions over the maximum possible upper and lower rounds, given that some subkey bits are guessed. It is shown that an automated algorithm for this dynamic cube attack on block ciphers can be realized. Furthermore, we show its effectiveness on two lightweight block ciphers KATAN and SIMON. Our results shows that this method can break 117 and 152 out of 254 rounds of KATAN-32 in non-full-codebook and full-codebook attack scenarios, respectively. In the case of SIMON32/64, we succeed to cryptanalyse 16 and 18 out of 32 rounds, by the same scenarios. Both results show that although this method does not outperform all the existing attacks on these two ciphers, it can absolutely compete with the well-established and mature methods of cryptanalysis of block ciphers, such as linear, differential and meet in

the middle attack families.

10:17 [Pub][ePrint] Parallel (probable) lock-free HashSieve: a practical sieving algorithm for the SVP, by Artur Mariano and Thijs Laarhoven and Christian Bischof

  In this paper, we assess the practicability of HashSieve, a recently proposed sieving algorithm for the Shortest Vector Problem (SVP) on lattices, on multi-core shared memory systems. To this end, we devised a parallel implementation that scales well, and is based on a probable lock-free system to handle concurrency. The probable lock-free system, implemented with spin-locks and compare-and-swap operations, acts, likely, as a lock-free mechanism, since threads block only when strictly required and chances are that they are not required to block, because resource contention is very low. With our implementation, we were able to solve the SVP on an arbitrary lattice in dimension 96, in less than 17.5 hours, using 16 physical cores. The least squares fit of the execution times of our implementation, in seconds, lies between $2^{(0.32n-15)}$ or $2^{(0.33n-16)}$, which indicates that sieving algorithms are indeed way more practical than believed.

10:17 [Pub][ePrint] High Performance Lattice-based CCA-secure Encryption, by Rachid El~Bansarkhani and Johannes Buchmann

  Lattice-based encryption schemes still suffer from a low message throughput per ciphertext. This is mainly due to the fact that the underlying schemes do not tap the full potentials of LWE. Many constructions still follow the one-time-pad approach considering LWE instances as random vectors added to a message, most often encoded bit vectors. Recently, at Financial Crypto 2015 El Bansarkhani et al. proposed a novel encryption scheme based on the A-LWE assumption (Augmented LWE), where data is embedded into the error term without changing its target distributions. By this novelty it is possible to encrypt much more data as compared to the traditional one-time-pad approach and it is even possible to combine both concepts. In this paper we revisit this approach and propose amongst others several algebraic techniques in order to significantly improve the message throughput per ciphertext. Furthermore, we give a thorough security analysis as well as an efficient implementation of the CCA1-secure encryption scheme instantiated with the most efficient trapdoor construction. In particular, we attest that it even outperforms the CPA-secure encryption scheme from Lindner and Peikert presented at CT-RSA 2011.

15:33 [Event][New] IEEE CNS 2015: 3rd IEEE Conference on Communications and Network Security

  Submission: 24 April 2015
Notification: 29 June 2015
From September 28 to September 30
Location: Florence, Italy
More Information:

15:32 [Event][New] ARES: 10th International Conference on Availability, Reliability and Security

  Submission: 2 March 2015
Notification: 11 May 2015
From August 24 to August 28
Location: Toulouse, France
More Information:

15:31 [Event][New] ECC: Workshop on Elliptic Curve Cryptography Standards

  Submission: 15 March 2015
Notification: 10 April 2015
From June 11 to June 12
Location: Gaithersburg, USA
More Information:

10:17 [Pub][ePrint] Aggregate Pseudorandom Functions and Connections to Learning, by Aloni Cohen and Shafi Goldwasser and Vinod Vaikuntanathan

  In the first part of this work, we introduce a new type of pseudo-random function for which ``aggregate queries\'\' over exponential-sized sets can be efficiently answered. An example of an aggregate query may be the product of all function values

belonging to an exponential-sized interval, or the sum of all function values on points for which a polynomial time predicate holds. We show how to use algebraic properties of underlying

classical pseudo random functions, to construct aggregatable pseudo random functions for a number of classes of aggregation queries under cryptographic hardness assumptions. On the flip side, we show that certain aggregate queries are impossible to support.

In the second part of this work, we show how various extensions of pseudo-random functions considered recently in the cryptographic literature, yield impossibility results for various extensions of machine learning models, continuing a line of investigation originated by Valiant and Kearns in the 1980s and 1990s. The extended pseudo-random functions we address include constrained pseudo random functions, aggregatable pseudo random functions, and pseudo random functions secure under related-key attacks.

19:17 [Pub][ePrint] On the Security of Fresh Re-keying to Counteract Side-Channel and Fault Attacks, by Christoph Dobraunig and Maria Eichlseder and Stefan Mangard and Florian Mendel

  At AFRICACRYPT 2010 and CARDIS 2011, fresh re-keying schemes to counter side-channel and fault attacks were introduced. The idea behind those schemes is to shift the main burden of side-channel protection to a re-keying function $g$ that is easier to protect than the main block cipher. This function produces new session keys based on the secret master key and random nonces for every block of message that is encrypted. In this paper, we present a generic chosen-plaintext key-recovery attack on both fresh re-keying schemes. The attack is based on two observations: Since session key collisions for the same message are easy to detect, it is possible to recover one session key with a simple time-memory trade-off strategy; and if the re-keying function is easy to invert (such as the suggested multiplication constructions), the attacker can use the session key to recover the master key. The attack has a complexity of about $2 \\cdot 2^{n/2}$ (instead of the expected $2^n$) for an $n$-bit key. For the typically employed block cipher AES-128, this would result in a key-recovery attack complexity of only $2^{65}$. If weaker primitives like 80-bit PRESENT are used, even lower attack complexities are possible.

19:17 [Pub][ePrint] Suit up! Made-to-Measure Hardware Implementations of Ascon, by Hannes Gro{\\ss} and Erich Wenger and Christoph Dobraunig and Christoph Ehrenh{\\\"o}fer

  Having ciphers that provide confidentiality and authenticity, that are fast in software and efficient in hardware, these are the goals of the CAESAR authenticated encryption competition. In this paper, the promising CAESAR candidate Ascon is implemented in hardware and optimized for different typical applications to fully explore Ascon\'s design space. Thus, we are able to present hardware implementations of Ascon suitable for RFID tags, Wireless Sensor Nodes, Embedded Systems, and applications that need maximum performance. For instance, we show that an Ascon implementation with a single unrolled round transformation is only 7 kGE large, but can process up to 5.5 Gbit/sec of data (0.75 cycles/byte), which is already enough to encrypt a Gigabit Ethernet connection. Besides, Ascon is not only fast and small, it can also be easily protected against DPA attacks. A threshold implementation of Ascon just requires about 8 kGE of chip area, which is only 3.1 times larger than the unprotected low-area optimized implementation.

19:17 [Pub][ePrint] Cryptographically Secure CRC for Lightweight Message Authentication, by Elena Dubrova and Mats Näslund and Göran Selander and Fredrik Lindqvist

  A simple and practical hashing scheme based on Cyclic Redundancy Check (CRC) is presented. Similarly to previously proposed cryptographically secure CRCs, the presented one detects both, random and malicious, errors without increasing bandwidth. However, we use a product of irreducible polynomials instead of a single irreducible polynomial for generating the CRC. This is an advantage since smaller irreducible polynomials are easier to compute. The price we pay is that the probability that two different messages map into the same CRC increases. We provide a detailed quantitative analysis of the achieved security as a function of message and CRC sizes. The presented method seems to be particularly attractive for the authentication of short messages.

19:17 [Pub][ePrint] Faster software for fast endomorphisms, by Billy Bob Brumley

  GLV curves (Gallant et al.) have performance advantages over standard elliptic curves, using half the number of point doublings for scalar multiplication. Despite their introduction in 2001, implementations of the GLV method have yet to permeate widespread software libraries. Furthermore, side-channel vulnerabilities, specifically cache-timing attacks, remain unpatched in the OpenSSL code base since the first attack in 2009 (Brumley and Hakala) even still after the most recent attack in 2014 (Benger et al.). This work reports on the integration of the GLV method in OpenSSL for curves from 160 to 256 bits, as well as deploying and evaluating two side-channel defenses. Performance gains are up to 51%, and with these improvements GLV curves are now the fastest elliptic curves in OpenSSL for these bit sizes.