International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Notes on Two Fully Homomorphic Encryption Schemes Without Bootstrapping, by Yongge Wang

  Last week, IACR ePrint archive posted two fully homomorphic encryption schemes

without bootstrapping. In this note, we show that these schemes are trivially insecure.

19:12 [Event][New] SBSeg 2015: XV Brazilian Symposium on Information and Computational Systems Security

  Submission: 30 June 2015
Notification: 31 August 2015
From November 9 to November 12
Location: Florianopolis - SC, Brazil
More Information:

09:17 [Pub][ePrint] Computing Individual Discrete Logarithms Faster in $GF(p^n)$, by Aurore Guillevic

  The Number Field Sieve (NFS) algorithm is the best known method to

compute discrete logarithms (DL) in large characteristic finite fields

$\\FF_{p^n}$, with $p$ large and $n \\geq 1$ small. This algorithm

comprises four steps: polynomial selection, relation collection,

linear algebra and finally, individual logarithm computation. The

first step outputs two numbers fields equipped with a map to

$\\FF_{p^n}$. After the relation collection and linear algebra

phases, the (virtual) logarithm of a subset of elements in each number

field is known. The fourth step computes a preimage in one number

field of the target element in $\\FF_{p^n}$. If one can write the

target preimage as a product of elements of known (virtual) logarithm,

then one can deduce the discrete logarithm of the target.

The traditional approach for the individual logarithm step can be

extremely slow, and it is too slow especially for

$n$ greater than 3. Its asymptotic complexity is $L_Q[1/3, c]$ with $c

\\geq 1.44$. We present a new preimage computation that provides a

dramatic improvement for individual logarithm computations for small

$n$, both in practice and in asymptotic running-time: we have

$L_Q[1/3, c]$ with $c = 1.14$ for $n=2,4$, $c = 1.26$ for $n=3,6$ and

$c = 1.34$ for $n=5$. Our method generalizes to any $n$; in particular

$c < 1.44$ for the two state-of-the-art variants of NFS for extension


09:17 [Pub][ePrint] Time-Lock Puzzles from Randomized Encodings, by Nir Bitansky and Shafi Goldwasser and Abhishek Jain and Omer Paneth and Vinod Vaikuntanathan and Brent Waters

  Time-lock puzzles, introduced by May, Rivest, Shamir and Wagner, is a mechanism for sending messages ``to the future\'\'. A sender

can quickly generate a puzzle with a solution $s$ that remains hidden until a moderately large amount of time $t$ has elapsed. The solution $s$ should be hidden from any adversary that runs in time significantly less than $t$, including resourceful parallel adversaries with polynomially many processors.

While the notion of time-lock puzzles has been around for 22 years, there has only been a *single* candidate proposed. Fifteen years ago, Rivest, Shamir and Wagner suggested a beautiful candidate time-lock puzzle based on the assumption that exponentiation modulo an RSA integer is an ``inherently sequential\'\' computation.

We show that various flavors of {\\em randomized encodings} give rise to time-lock puzzles of varying strengths, whose security can be shown assuming *the existence* of non-parallelizing languages, which are languages that require circuits of depth at least $t$ to decide, in the worst-case. The existence of such languages is necessary for the existence of time-lock puzzles.

We instantiate the construction with different randomized

encodings from the literature, where increasingly better efficiency is obtained based on increasingly stronger cryptographic assumptions, ranging from one-way functions to indistinguishability obfuscation. We also observe that time-lock puzzles imply one-way functions, and thus the reliance on some cryptographic assumption is necessary.

Finally, generalizing the above, we construct other types of puzzles such as *proofs of work* from randomized encodings and a

suitable worst-case hardness assumption (that is necessary for such puzzles to exist).

09:17 [Pub][ePrint] Higher-Order Differential Meet-in-The-Middle Preimage Attacks on SHA-1 and BLAKE, by Thomas Espitau and Pierre-Alain Fouque and Pierre Karpman

  At CRYPTO 2012, Knellwolf and Khovratovich presented a differential formulation of advanced meet-in-the-middle techniques for preimage attacks on hash functions. They demonstrated the usefulness of their approach by significantly improving the previously best known attacks on SHA-1 from CRYPTO~2009, increasing the number of attacked rounds from a 48-round one-block pseudo-preimage without padding and a 48-round two-block preimage without padding to a 57-round one-block preimage without padding and a 57-round two-block preimage with padding, out of 80 rounds for the full function.

In this work, we exploit further the differential view of meet-in-the-middle techniques and generalize it to higher-order differentials. Despite being an important technique dating from the mid-90\'s, this is the first time higher-order differentials have been applied to meet-in-the-middle preimages. We show that doing so may lead to significant improvements to preimage attacks on hash functions with a simple linear message expansion. We extend the number of attacked rounds on SHA-1 to give a 62-round one-block preimage without padding, a 56-round one-block preimage with padding, and a

62-round two-block preimage with padding. We also apply our framework to the more recent SHA-3 finalist BLAKE and its newer variant BLAKE2, and give an attack for a 2.75-round preimage with padding, and a 7.5-round pseudo-preimage on the compression function.

09:17 [Pub][ePrint] Key-Recovery Attacks on ASASA, by Brice Minaud and Patrick Derbez and Pierre-Alain Fouque and Pierre Karpman

  The ASASA construction is a new design scheme introduced at ASIACRYPT 2014 by Biruykov, Bouillaguet and Khovratovich. Its versatility was illustrated by building two public-key encryption schemes, a secret-key scheme, as well as super S-box subcomponents of a white-box scheme. However one of the two public-key cryptosystems was recently broken at CRYPTO 2015 by Gilbert, Plût and Treger.

As our main contribution, we propose a new algebraic key-recovery attack able to break at once the secret-key scheme as well as the remaining public-key scheme, in time complexity 2^63 and 2^39 respectively (the security parameter is 128 bits in both cases).

Furthermore, we present a second attack of independent interest on the same public-key scheme, which heuristically reduces the problem of breaking the scheme to an LPN instance with tractable parameters. This allows key recovery in time complexity 2^56.

Finally, as a side result, we outline a very efficient heuristic attack on the white-box scheme, which breaks instances claiming 64 bits of security under one minute on a desktop computer.

06:10 [Event][New] Mycrypt 2016: Int'l Conference on Cryptology & Malicious Security hosted in Malaysia

  Submission: 15 April 2016
Notification: 1 August 2016
From December 1 to December 2
Location: Kuala Lumpur, Malaysia
More Information:

21:17 [Pub][ePrint] Efficient Key Extraction from the Primary Side of a Switched-Mode Power Supply, by Sami Saab, Andrew Leiserson, and Michael Tunstall

  In this paper we detail techniques that can be used to analyze and attack an AES implementation on an FPGA from the primary (i.e., external) side of a switched-mode power supply. Our attack only requires measurements of the duty cycle of the power supply, and then increases the signal-to-noise ratio (SNR) though averaging, deconvolution and wavelet based detrending. The result is an exploitable source of leakage that allows a secret key to be determined from low-frequency power measurements. The techniques and procedures provide a general approach to performing differential power analysis (DPA) from a single point of information for any single hypothesized intermediate value, suggesting their potential for improving other types of side-channel analysis as well.

15:20 [Job][New] Three Post-Doc positions, SICS Swedish ICT

  The Security Lab at Swedish Institute of Computer Science (SICS) in Lund and Stockholm is looking for talent post doc researchers in computer and network security. The positions are for 18 months with a monthly salary of 35.000 SEK and the positions can be filled in either Lund or Stockholm. Starting dates are flexible but not later than October 1, 2015. The suitable candidates will work in our EU H2020 financed research projects devoted to 5G security with focus on identity and key management, SDN security as well as in security for Platform as a Service (PaaS) systems (See also the following project page:

The security Lab at SICS was established in 2009. Since then it has grown from 1 to 12 people. The research is directed toward secure systems design in close co-operation with above leading Swedish companies in the IT and telecommunications businesses as well as Swedish universities such as Royal Institute of Technology in Stockholm and Lund University. The group is active in the areas of embedded systems security, cloud security, access control and communications security. The security lab at SICS consists for the moment of 6 senior researchers (PhD), 3 PhD students and 3 junior researchers with MSc degrees in computer science.

Applicants interested in the positions should provide the following information in pdf format with the application:

- Application letter

- CV

- Transcript of grades

- Publications list

- 3-5 selected full text publications

15:19 [Event][New] MyCRYPT2016: Int'l Conference on Cryptology & Malicious Security hosted in Malaysia

  Submission: 15 April 2016
Notification: 1 August 2016
From December 1 to December 2
Location: Kuala Lumpur, Malaysia
More Information:

03:03 [Event][New] MyCRYPT2016: International Conference on Cryptology & Malicious Security

  Submission: 15 April 2016
Notification: 1 August 2016
From December 1 to December 2
Location: Kuala Lumpur, Malaysia
More Information: