International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Probabilistic Signature Based Framework for Differential Fault Analysis of Stream Ciphers, by Santanu Sarkar and Prakash Dey and Avishek Adhikari and Subhamoy Maitra

  Differential Fault Attack (DFA) has received serious attention in cryptographic literature and very recently

such attacks have been mounted against several popular stream ciphers for example Grain v1, MICKEY 2.0

and Trivium, that are parts of the eStream hardware profile. The basic idea of the fault attacks consider

injection of faults and the most general set-up should consider faults at random location and random time.

Then one should identify the exact location and the exact timing of the fault (as well as multi bit faults) with the help of fault signatures.

In this paper we consider this most general set-up and solve the problem of fault attack under a general framework,

where probabilistic signatures are exploited. Our ideas subsume all the existing DFAs against the Grain family,

MICKEY 2.0 and Trivium. In the process we provide improved fault attacks for all the versions of Grain family and also

for MICKEY 2.0 (the attacks against Trivium are already quite optimal and thus there is not much scope to improve).

Our generalized method can also take care of the cases where certain parts of the keystream bits are missing

for authentication purpose. In particular, we show that the unsolved problem of identifying the faults

in random time for Grain 128a can be solved in this manner. Our techniques can easily be applied to mount fault

attack on any stream cipher of similar kind.

21:17 [Pub][ePrint] A flaw in a theorem about Schnorr signatures, by Daniel R. L. Brown

  An alleged theorem of Neven, Smart and Warinschi (NSW) about the

security of Schnorr signatures seems to have a flaw described in

this report.

Schnorr signatures require representation of an element in a

discrete logarithm group as a hashable bit string. This report

describes a defective bit string representation of elliptic curve

points. Schnorr signatures are insecure when used with this

defective representation. Nevertheless, the defective

representation meets all the conditions of the NSW theorem.

Of course, a natural representation of an elliptic curve group

element would not suffer from this major defect. So, the NSW

theorem can probably be fixed.

21:17 [Pub][ePrint] Equivoe-T: Transposition Equivocation Cryptography, by Gideon Samid

  Plaintext is mixed with AI-generated dis-information which binds the cryptanalyst to an irreducible set of mutually exclusive plausible plaintext candidates.

As impractical as Vernam \"One Time Pad\" cipher has been, it\'s security strategy: equivocation is fundamentally superior to the prevailing strategy: intractability. Intractability erodes, equivocation endures. Alas, Vernam was an overkill. Equivocation works even if only a few plaintext candidates are left as an irreducible set, which is what Equivoe-T offers.

The AI engine builds decoys off the plaintext such that each decoy has a counter-meaning, or at least an off-meaning per the guarded plaintext, while claiming at least threshold plausibility to \"pump\" entropy into the irreducible field of plaintext candidates.

Equivoe-T uses a complete transposition algorithm that guarantees the existence of a key that matches any two arbitrarily selected permutations of the n transposed elements. Therefore every decoy qualifies as a plaintext. The transposed elements may be words, letters, a mix, or otherwise. n can be selected to add intractability to the built-in equivocation since the key space grows fast (|Ktransposition| = n!).

21:17 [Pub][ePrint] Near Collision Side Channel Attacks, by Baris Ege and Thomas Eisenbarth and Lejla Batina

  Side channel collision attacks are a powerful method to exploit side channel leakage. Otherwise than a few exceptions, collision attacks usually combine leakage from distinct points in time, making them inherently bivariate. This work introduces the notion of near collisions to exploit the fact that values depending on the same sub-key can have similar while not identical leakage. We show how such knowledge can be exploited to mount a key recovery attack. The presented approach has several desirable features when compared to other state-of-the-art collision attacks:

Near collision attacks are truly univariate. They have low requirements on the leakage functions, since they work well for leakages that are linear in the bits of the targeted intermediate state. They are applicable in the presence of masking countermeasures if there exist distinguishable leakages, as in the case of leakage squeezing.

Results are backed up by a broad range of simulations for unprotected and masked implementations, as well as an analysis of the measurement set provided by DPA Contest v4.

12:17 [Pub][ePrint] The Norwegian Internet Voting Protocol: A new Instantiation, by Kristian Gjøsteen and Anders Smedstuen Lund

  The Norwegian government ran trials of internet remote voting during the 2011 municipal elections and the 2013 parliamentary elections. From a simplified version of the voting protocol used there, the essential cryptographic operations of the voting protocol has been put together into a cryptosystem in which one can build the voting protocol on top of.

This paper proposes a new instantiation of the underlying cryp- tosystem, improving our confidence in the security of the cryptosys- tem. The new instantiation is mostly similar to a previously defined instantiation, but allows parts of the security proof to be significantly improved.

12:17 [Pub][ePrint] The Iterated Random Permutation Problem with Applications to Cascade Encryption, by Brice Minaud and Yannick Seurin

  We introduce and study the iterated random permutation problem, which asks how hard it is to distinguish, in a black-box way, the r-th power of a random permutation from a uniformly random permutation of a set of size N. We show that this requires Omega(N) queries (even for a two-sided, adaptive adversary). As a direct application of this result, we show that cascading a block cipher with the same key cannot degrade its security (as a pseudorandom permutation) more than negligibly.

21:56 [Job][New] Intern Software Developer (Cryptography), CloudFlare Inc.


CloudFlare is looking for a cryptography intern!

CloudFlare is expanding its global footprint. In order to keep our network secure we are investing in technologies to improve the security of our key management infrastructure. We are looking for an ambitious intern to help kickstart one of our cryptographic projects.


  • Experience in the theory and implementation of standard cryptographic primitives (AES, RSA, ECC)

  • Extensive development experience in C and/or Go

  • A deep understanding of reverse engineering techniques

  • An unquenchable thirst for understanding and mitigating cryptographic attack vectors

  • Outside-the-box thinking and self-starter attitude

    Bonus requirements:

  • Experience with the cryptol programming language

  • Experience with LLVM or other compiler technology

  • Knowledge of the theory and implementation of white-box cryptography

    Internship length: 4-6 months.

    Sound like somewhere you’d thrive? If so, then we’d love to hear from you. Send us your resume and a short paragraph introducing yourself. Please include a brief description of how you solved a customer problem or enhanced a customer\'s understanding of a technical service.

    CloudFlare is a security company. All prospective employees will be subject to an extensive background check.

    CloudFlare is an equal opportunity employer and does not discriminate against any employee or applicant on the basis of age, color, disability, gender, national origin, race, religion, sexual orientation, veteran status, or any classification protected by federal, state, or local law.

  • 21:56 [Event][New] Conference on Mathematics of Cryptography

      From August 31 to September 3
    Location: Irvine, CA, USA
    More Information:

    15:17 [Pub][ePrint] Low Space Complexity CRT-based Bit-Parallel GF(2^n) Polynomial Basis Multipliers for Irreducible Trinomials, by Jiajun Zhang and Haining Fan

      By selecting the largest possible value of k ∈ (n/2,2n/3], we further reduce the AND and XOR gate complexities of the CRT-based hybrid parallel GF(2^n) polynomial pasis multipliers for the irreducible trinomial f = u^n + u^k + 1 over GF(2): they are always less than those of the current fastest parallel multipliers - quadratic multipliers, i.e., n^2 AND gates and n^2−1 XOR gates. Our experimental results show that among the 539 values of n ∈ [5,999] such that f is irreducible for some k ∈ [2,n−2], there are 317 values of n such that k ∈ (n/2,2n/3]. For these irreducible trinomials, the AND and XOR gate complexities of the CRT-based hybrid multipliers are reduced by 15.3% on average. Especially, for the 124 values of such n, the two kinds of multipliers have the same time complexity, but the space complexities are reduced by 15.5% on average. As a comparison, the previous CRT-based multipliers consider the case k ∈ [2,n/2], and the improvement rate is only 8.4% on average.

    15:17 [Pub][ePrint] Algebraic partitioning: Fully compact and (almost) tightly secure cryptography, by Dennis Hofheinz

      We describe a new technique for conducting ``partitioning arguments\'\'. Partitioning arguments are a popular way to prove the security of a cryptographic scheme. For instance, to prove the security of a signature scheme, a partitioning argument could divide the set of messages into ``signable\'\' messages for which a signature can be simulated during the proof, and ``unsignable\'\' ones for which any signature would allow to solve a computational problem. During the security proof, we would then hope that an adversary only requests signatures for signable messages, and later forges a signature for an unsignable one.

    In this work, we develop a new class of partitioning arguments from simple assumptions. Unlike previous partitioning strategies, ours is based upon an algebraic property of the partitioned elements (e.g., the signed messages), and not on their bit structure. This allows to perform the partitioning efficiently in a ``hidden\'\' way, such that already a single ``slot\'\' for a partitioning operation in the scheme can be used to implement many different partitionings sequentially, one after the other. As a consequence, we can construct complex partitionings out of simple basic (but algebraic) partitionings in a very space-efficient way.

    As a demonstration of our technique, we provide the first signature and public-key encryption schemes that achieve the following properties simultaneously: they are (almost) tightly secure under a simple assumption, and they are fully compact (in the sense that parameters, keys, and signatures, resp.~ciphertexts only comprise a constant number of group elements).

    15:17 [Pub][ePrint] Fault Cryptanalysis of CHES 2014 Symmetric Infective Countermeasure, by Alberto Battistello and Christophe Giraud

      Fault injection has become over the years one of the most dangerous threats for embedded devices such as smartcards. It is thus mandatory for any embedded system to implement efficient protections against this hazard. Among the various countermeasures suggested so far, the idea of infective computation seems fascinating, probably due to its aggressive strategy. Originally conceived to protect asymmetric cryptosystems, infective computation has been recently adapted to symmetric systems. This paper investigates the security of a new symmetric infective countermeasure suggested at CHES 2014. By noticing that the number of executed rounds is not protected, we develop four different attacks allowing one to efficiently recover the secret key of the underlying cryptosystem by using any of the three most popular fault models used in literature.