International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

20:19 [Job][New] Visiting assistant professor, Department of Mathematical Sciences, University of Cincinnati

  The Department of Mathematical Sciences at the University of Cincinnati is seeking applicants for several Visiting Assistant Professorships in mathematics or statistics. Appointments will begin on August 15th, 2015 and will initially be for one year, with the possibility of renewal for a second year. Teaching load will nominally be two (3-4 credit) undergraduate courses per semester. Candidates must have a PhD in mathematics or statistics by the start date. The Department of Mathematical Sciences is dedicated to excellence in both research and teaching. The department has a graduate program offering MS and PhD degrees in mathematics and statistics. The department is looking for candidates with high-quality teaching and research and a strong potential for collaboration in areas of expertise of current faculty including cryptography, in particular, post-quantum cryptography. If you are interested, please apply immediately and contact: dingji (at)

20:18 [Job][New] Marie Sklodowska-Curie Research Fellows in Cryptography (Early Stage Researchers – 2 posts), University of Bristol

  ECRYPT-NET is a research network of 6 universities and 2 companies that intends to develop advanced cryptographic techniques for the Internet of Things and the Cloud and to create efficient and secure implementations of those techniques on a broad range of platforms. ECRYPT-NET is funded by a prestigious Marie Sk?odowska-Curie ITN (Integrated Training Network) grant. The network will educate a group of 15 PhD students with a set of interdisciplinary skills in the areas of mathematics, computer science and electrical engineering. The training will be provided in an international context,that includes Summer Schools, workshops, internships, and complementary skills. Participants are expected to spend at least 6 months abroad in a network partner or in one of the 7 associated companies. We are looking for highly motivated candidates with a strong academic track record, ideally with some background on cryptology and with proven research abilities.

We offer an exciting working environment in an international network with top scientists that is geared towards cutting-edge research. The financial conditions are very attractive. The project offers an opportunity to travel and interact with other PhD students and scientists all over Europe. Candidates may have resided in the host country for a most 1 year in the 3 years preceding the application. They can have at most 2 years of research experience at the doctoral level.

The Cryptography and Information Security Group at Bristol are offering two ESR positions:

1) Leakage Resilience From Lattices:

2) MPC using FHE and Oblivious Transfer:

Marie Curie ITN eligibility criteria apply to both of these positions.

09:17 [Pub][ePrint] Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices, by Vadim Lyubashevsky and Thomas Prest

  A procedure for sampling lattice vectors is at the heart of many lattice constructions, and the algorithm of Klein (SODA 2000) and Gentry, Peikert, Vaikuntanathan (STOC 2008) is currently the one that produces the shortest vectors. But due to the fact that its most time-efficient (quadratic-time) variant requires the storage of the Gram-Schmidt basis, the asymptotic space requirements of this algorithm are the same for general and ideal lattices. The main result of the current work is a series of algorithms that ultimately lead to a sampling procedure producing the same outputs as the Klein/GPV one, but requiring only linear-storage when working on lattices used in ideal-lattice cryptography. The reduced storage directly leads to a reduction in key-sizes by a factor of $\\Omega(d)$, and makes cryptographic constructions requiring lattice sampling much more suitable for practical applications.

At the core of our improvements is a new, faster algorithm for computing the Gram-Schmidt orthogonalization of a set of vectors that are related via a linear isometry. In particular, for a linear isometry r:R^d --> R^d which is computable in time $O(d)$ and a d-dimensional vector $b$, our algorithm for computing the orthogonalization of $(b,r(b),r^2(b),...,r^{d-1}(b))$ uses $O(d^2)$ floating point operations. This is in contrast to $O(d^3)$ such operations that are required by the standard Gram-Schmidt algorithm. This improvement is directly applicable to bases that appear in ideal-lattice cryptography because those bases exhibit such ``isometric structure\'\'. The above-mentioned algorithm improves on a previous one of Gama, Howgrave-Graham, Nguyen (EUROCRYPT 2006) which used different techniques to achieve only a constant-factor speed-up for similar lattice bases. Interestingly, our present ideas can be combined with those from Gama et al. to achieve an even an larger practical speed-up.

We next show how this new Gram-Schmidt algorithm can be applied towards lattice sampling in quadratic time using only linear space. The main idea is that rather than pre-computing and storing the Gram-Schmidt vectors, one can compute them ``on-the-fly\'\' while running the sampling algorithm. We also rigorously analyze the required arithmetic precision necessary for achieving negligible statistical distance between the outputs of our sampling algorithm and the desired Gaussian distribution. The results of our experiments involving NTRU lattices show that the practical performance improvements of our algorithms are as predicted in theory.

05:36 [Job][New] Ph.D. student, Rochester Institute of Technology

  We are looking for outstanding candidates for a Ph.D. position at Rochester Institute of Technology. The potential candidates need to have strong interest in cryptographic engineering, and one or more of the following sub-areas: ECC software/hardware implementations, side-channel attacks, and post-quantum cryptography.

Please send your application to Mehran Mozaffari Kermani (mmkeme (-at-) and Reza Azarderakhsh (rxaeec (-at-) via e-mail. Applications should contain a CV, a short letter of motivation, copies of transcripts and certificates, and (if possible) names of references.

09:17 [Pub][ePrint] Meet-in-the-Middle Attacks and Structural Analysis of Round-Reduced PRINCE, by Patrick Derbez and Léo Perrin

  NXP Semiconductors and its academic partners challenged the

cryptographic community with finding practical attacks on the block

cipher they designed, PRINCE. Instead of trying to attack as many

rounds as possible using attacks which are usually impractical

despite being faster than brute-force, the challenge invites

cryptographers to find practical attacks and encourages them to

actually implement them.

In this paper, we present new attacks on round-reduced PRINCE including the ones which won the challenge in the

6 and 8-round categories --- the highest for which winners were

identified. Our first attacks rely on a meet-in-the-middle approach and break up to 10 rounds of the cipher.

We also describe heuristic methods we used to find practical SAT-based and differential attacks.

Finally, we also present an analysis of the cycle structure of the

internal rounds of PRINCE leading both to a low complexity

distinguisher for 4-round PRINCE-core and an alternative

representation of the cipher valid in particular contexts and which

highlights, in this cases, a poor diffusion.

09:17 [Pub][ePrint] Differential Analysis and Meet-in-the-Middle Attack against Round-Reduced TWINE, by Alex Biryukov, Patrick Derbez and Léo Perrin

  TWINE is a recent lightweight block cipher based on a Feistel

structure. We first present two new attacks on TWINE-128

reduced to 25 rounds that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity.

Then, we introduce alternative representations of both the round

function of this block cipher and of a sequence of 4 rounds. LBlock,

another lightweight block cipher, turns out to exhibit the same

behaviour. Then, we illustrate how this alternative representation

can shed new light on the security of TWINE by deriving high

probability iterated truncated differential trails covering 4 rounds

with probability $2^{-16}$.

The importance of these is shown by combining different

truncated differential trails to attack 23-rounds TWINE-128 and by

giving a tighter lower bound on the high probability of some

differentials by clustering differential characteristics following

one of these truncated trails. A comparison between these high

probability differentials and those recently found in a variant of

LBlock by Leurent highlights the importance of considering the whole

distribution of the coefficients in the difference distribution

table of a S-Box and not only their maximum value.

09:17 [Pub][ePrint] Espresso: A Stream Cipher for 5G Wireless Communication Systems, by Elena Dubrova and Martin Hell

  The demand for more efficient ciphers is a likely to sharpen with new generation of products and applications. Previous cipher designs typically focused on optimizing only one of the two parameters - hardware size or speed, for a given security level. In this paper, we present a methodology for designing a class of stream ciphers which takes into account both parameters simultaneously. We combine the advantage of the Galois configuration of NLFSRs, short propagation delay, with the advantage of the Fibonacci configuration of NLFSRs, which can be analyzed formally. According to our analysis, the presented stream cipher Espresso is the fastest among the ciphers below 1500 GE, including Grain-128 and Trivium.

09:17 [Pub][ePrint] Compactly Hiding Linear Spans: Tightly Secure Constant-Size Simulation-Sound QA-NIZK Proofs and Applications, by Benoit Libert and Thomas Peters and Marc Joye and Moti Yung

  Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs is a powerful paradigm, suggested recently by Jutla and Roy (Asiacrypt\'13), which is motivated by the Groth-Sahai seminal techniques for efficient non-interactive zero-knowledge (NIZK) proofs. In this paradigm, the common reference string may depend on specific language parameters, a fact that allows much shorter proofs in important cases. It even makes certain standard model applications competitive with the Fiat-Shamir heuristic in the Random Oracle idealization (such QA-NIZK proofs were recently optimized to constant size by Jutla and Roy (Crypto\'14) and Libert et al. (Eurocrypt\'14) for the important case of proving that a vector of group elements belongs to a linear subspace). While, e.g., the QA-NIZK arguments of Libert et al. provide unbounded simulation-soundness and constant proof length, their simulation-soundness is only loosely related to the underlying assumption (with a gap proportional to the number of adversarial queries) and it is unknown how to alleviate this limitation without sacrificing efficiency. Here, we deal with the basic question of whether and to what extent we can simultaneously optimize the proof size and the tightness of security reductions, allowing for important applications with tight security (which are typically to date quite lengthy) to be of shorter size. In this paper, we resolve this question by describing a novel simulation-sound QA-NIZK argument showing that a vector $\\vec{v} \\in \\G^n$ belongs to a subspace of rank $t

09:17 [Pub][ePrint] Reliable Message Transmission under Partial Knowledge, by Aris Pagourtzis and Giorgos Panagiotakos and Dimitris Sakavalas

  A fundamental primitive in distributed computing is Reliable Message Transmission (RMT), which refers to the task of correctly sending a message from a party to another, despite the presence of byzantine corruptions. In this work we address the problem in the general adversary model of Hirt and Maurer, which subsumes earlier models such as the global or local threshold adversaries. Regarding the topology knowledge, we employ the recently introduced Partial Knowledge Model [13], which encompasses both the full knowledge and the ad hoc model; the latter assumes knowledge of the local neighborhood only.

Our main contributions are: (a) a necessary and sufficient condition for achieving RMT in the partial knowledge model with a general adversary; in order to show sufficiency, we propose a protocol that solves RMT whenever this is possible, therefore the protocol is unique (cf.[14]), and (b) a study of efficiency in the special case of the ad hoc network model; we present a

unique protocol scheme that is fully polynomial for a class of instances, if there exists any fully polynomial protocol for RMT on the decomposition of this class to instances of a certain basic topology.

To obtain our results we employ, among others, an operation on adversary structures, an appropriate notion of separator in unreliable networks, and a self-reducibility property of the RMT problem.

09:17 [Pub][ePrint] Internal Differential Boomerangs: Practical Analysis of the Round-Reduced Keccak-f Permutation, by Jeremy Jean and Ivica Nikolic

  We introduce internal differential boomerang distinguisher as a combination of internal differentials and classical boomerang distinguishers. The new boomerangs can be successful against cryptographic primitives having high-probability round-reduced internal differential characteristics. The internal differential technique, which follow the evolution of differences between parts of the state, is particularly meaningful for highly symmetric functions like the inner permutation Keccak-f of the hash functions defined in the future SHA-3 standard.

We find internal differential and standard characteristics for three to four rounds of Keccak-f, and with the use of the new technique, enhanced with a strong message modification, show practical distinguishers for this permutation.

Namely, we need $2^{12}$ queries to distinguish 7 rounds of the permutation starting from the first round, and approximately $2^{18}$ queries to distinguish 8 rounds starting from the fourth round.

Due to the exceptionally low complexities, all of our results have been completely verified with a computer implementation of the analysis.

09:17 [Pub][ePrint] Practical Attacks on the Round-reduced PRINCE, by Pawel Morawiecki

  The PRINCE cipher is the result of a cooperation between the Technical University of Denmark (DTU), NXP Semiconductors and the Ruhr University Bochum. The cipher was designed to reach an extremely low-latency encryption and instant response time. PRINCE has already gained a lot of attention from the academic community, however, most of the attacks are theoretical, usually with very high time or data complexity. Our work helps to fill the gap in more practically oriented attacks, with more realistic scenarios and complexities. We present new attacks, up to 7 rounds, relying on integral and higher-order differential cryptanalysis.