International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Cryptanalysis of Feistel Networks with Secret Round Functions, by Alex Biryukov and Gaëtan Leurent and Léo Perrin

  Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions.

When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called \\textit{yoyo game} which we improved using a heuristic based on particular cycle structures. The complexity of a complete recovery is equivalent to $O(2^{2n})$ encryptions where $n$ is the branch size. This attack can be used against 6- and 7-round Feistel Networks in time respectively $O(2^{n2^{n-1}+2n})$ and $O(2^{n2^{n}+2n})$. However when modular addition is used, this attack does not work. In this case, we use an optimized guess-and-determine strategy to attack 5 rounds with complexity $O(2^{n2^{3n/4}})$.

Our results are, to the best of our knowledge, the first recovery attacks against generic 5-, 6- and 7-round Feistel Networks.

09:17 [Pub][ePrint] A masked ring-LWE implementation, by Oscar Reparaz and Sujoy Sinha Roy and Frederik Vercauteren and Ingrid Verbauwhede

  Lattice-based cryptography has been proposed as a postquantum public-key cryptosystem. In this paper, we present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks. Our solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The output of the ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. We have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side channel analysis to confirm the soundness of our approach. The area of the protected architecture is around $2000$ LUTs, a $20\\%$ increase with respect to the unprotected architecture. The protected implementation takes $7478$ cycles to compute, which is only a factor $\\times2.6$ larger than the unprotected implementation.

09:17 [Pub][ePrint] The self-blindable U-Prove scheme by Hanzlik and Kluczniak is forgeable, by Eric Verheul and Sietse Ringers and Jaap-Henk Hoepman

  In \"A Short Paper on How to Improve U-Prove Using Self-Blindable Certificates\" by L. Hanzlik and K. Kluczniak (FC\'2014), an unlinkable version of the U-Prove attribute-based credential scheme is proposed. Unfortunately, the new scheme is forgeable: if sufficiently many users work together then they can construct new credentials, containing any set of attributes of their choice, without any involvement of the issuer. In this short paper we show how they can achieve this and we point out the error in the unforgeability proof.

09:17 [Pub][ePrint] Compositions of linear functions and applications to hashing, by Vladimir Shpilrain and Bianca Sosnovski

  Cayley hash functions are based on a simple idea of using a pair of

(semi)group elements, A and B, to hash the 0 and 1 bit, respectively, and then to hash an arbitrary bit string in the natural way, by using multiplication of elements in the (semi)group. In this paper, we focus on hashing with linear functions of one variable over F_p. The corresponding hash functions are very efficient, in particular, due to the fact that a linear function is determined by its values at two points. Thus, we show that hashing a bit string of length $n$ with our method requires just 2n multiplications in F_p, but with particular pairs of linear functions that we suggest, one does not need to perform any multiplications at all. We also give explicit lower bounds on the

length of collisions for hash functions corresponding to these particular pairs of linear functions over F_p.

09:17 [Pub][ePrint] DPA, Bitslicing and Masking at 1 GHz, by Josep Balasch and Benedikt Gierlichs and Oscar Reparaz and Ingrid Verbauwhede

  We present DPA attacks on an ARM Cortex-A8 processor running at 1 GHz. This high-end processor is typically found in portable devices such as phones and tablets. In our case, the processor sits in a single board computer and runs a full-fledged Linux operating system. The targeted AES implementation is bitsliced and runs in constant time and constant flow. We show that, despite the complex hardware and software, high clock frequencies and practical measurement issues, the implementation can be broken with DPA starting from a few thousand measurements of the electromagnetic emanation of a decoupling capacitor near the processor. To harden the bitsliced implementation against DPA attacks, we mask it using principles of hardware gate-level masking. We evaluate the security of our masked implementation against first-order and second-order attacks. Our experiments show that successful attacks require roughly two orders of magnitude more measurements.

09:17 [Pub][ePrint] Provable Virus Detection: Using the Uncertainty Principle to Protect Against Malware, by Richard J. Lipton and Rafail Ostrovsky and Vassilis Zikas

  Protecting software from malware injection is the holy grail of modern computer security. Despite intensive efforts by the scientific and engineering community, the number of successful attacks continues to increase.

We have a breakthrough novel approach to provably detect malware injection. The key idea is to use the very insertion of the malware itself to allow for the systems to detect it. This is, in our opinion, close in spirit to the famous Heisenberg Uncertainty Principle. The attackers, no matter how clever, no matter when or how they insert their malware, change the state of the system they are attacking. This fundamental idea is a game changer. And our system does not rely on heuristics; instead, our scheme enjoys the unique property that it is proved secure in a formal and precise mathematical sense and with minimal and realistic CPU modification achieves strong provable security guarantees. Thus, we anticipate our system and formal mathematical security treatment to open new directions in software protection.

09:17 [Pub][ePrint] Towards Provably-Secure Remote Memory Attestation, by Alexandra Boldyreva and Taesoo Kim and Richard Lipton and Bogdan Warinschi

  We initiate the study of provably secure remote memory attestation. We present two protocols offering various efficiency and security trade-offs that detect the presence of injected malicious code in remotely- stored heap memory. While our solutions offer protection only against a specific class of attacks, our novel formal security definitions are general enough to cover a wide range of attacks and settings, and should be useful for further research on the subject.

19:30 [Job][New] PhD student, Université Paris 7, France

  Industry-funded PhD student at the crossroads of security and cryptography with an emphasis on efficient implementations and protocol design, notably for payment applications. Ideally, the successful applicant will have solid programming and maths skills and a creative mindset.

09:17 [Pub][ePrint] Linear Cryptanalysis of Reduced-Round SIMECK Variants, by Nasour Bagheri

  SIMECK is a family of 3 lightweight block ciphers designed by Yang et al. They

follow the framework used by Beaulieu et al. from the United States National Security Agency

(NSA) to design SIMON and SPECK. A cipher in this family with K-bit key and N-bit block is

called SIMECKN=K.We show that the security of this block cipher against linear cryptanalysis

is not as good as its predecessors SIMON. More precisely, while the best known linear attack

for SIMON32/64, using algorithm 1 of Matsui, covers 13 rounds we present a linear attack in

this senario which covers 14 rounds of SIMECK32/64. Similarly, using algorithm 1 of Matsui,

we present attacks on 19 and 22 rounds of SIMECK48/96 and SIMECK64/128 respectively,

compare them with known attacks on 16 and 19 rounds SIMON48/96 and SIMON64/128

respectively. In addition, we use algorithm 2 of Matsui to attack 18, 23 and 27 rounds of

SIMECK32/64, SIMECK48/96 and SIMECK64/128 respectively, compare them with known

attacks on 18, 19 and 21 rounds SIMON32/64, SIMON48/96 and SIMON64/128 respectively.

09:17 [Pub][ePrint] Towards Secure Cryptographic Software Implementation Against Side-Channel Power Analysis Attacks, by Pei Luo and Liwei Zhang and Yunsi Fei and A. Adam Ding

  Side-channel attacks have been a real threat against many critical embedded systems that rely on cryptographic algorithms as their security engine. A commonly used algorithmic countermeasure, random masking, incurs large execution delay and resource overhead. The other countermeasure, operation shuffling or permutation, can mitigate side-channel leakage effectively with minimal overhead. In this paper, we target utilizing the independence among operations in cryptographic algorithms and randomizing their execution order. We design a tool to automatically detect such independence between statements at the source code level and devise an algorithm for automatic operation shuffling. We test our algorithm on the new SHA3 standard, Keccak. Results show that the tool has effectively implemented operation-shuffling to reduce the side-channel leakage significantly, and therefore can guide automatic secure cryptographic software implementations against differential power analysis attacks.

09:17 [Pub][ePrint] Efficient Asynchronous Accumulators for Distributed PKI, by Leonid Reyzin and Sophia Yakoubov

  Cryptographic accumulators are a tool for compact set representation and secure set membership proofs. When an element is added to a set by means of an accumulator, a membership witness is generated. This witness can later be used to prove the membership of the element. Typically, the membership witness has to be synchronized with the accumulator value, and to be updated every time another element is added to the accumulator. In this work we propose an accumulator that, unlike any prior scheme, does not require strict synchronization.

In our construction a membership witness needs to be updated only a logarithmic number times in the number of subsequent element additions. Thus, an out-of-date witness can be easily made current. Vice versa, a verifier with an out-of-date accumulator value can still verify a current membership witness. These properties make our accumulator construction uniquely suited for use in distributed applications, such as blockchain-based public key infrastructures.