International Association for Cryptologic Research

IACR News Central


15:17 [Pub][ePrint] Faster ECC over F_{2^571} (feat. PMULL), by Hwajeong Seo and Zhe Liu and Yasuyuki Nogami and Jongseok Choi and Howon Kim

  In this paper, we show efficient implementations of K-571 over ARMv8. We exploit the advanced 64-bit polynomial multiplication instruction (PMULL) supported by ARMv8 for high-speed multiplication and squaring operations. In particular, multiplication is conducted with three-term, asymptotically faster Karatsuba multiplication. Inversion is constructed using a constant-time Fermat-based inversion method. For high-speed scalar multiplication, the 4TNAF method is exploited, which takes advantage of the simple doubling method. Finally, our method conducts ECDH over K-571 within 783,705 clock cycles. Our proposed method on ARMv8 improves performance by a factor of 4.6 over previous techniques on ARMv7.

15:03 [Job][New] Marie Sklodowska-Curie Research Fellows in Cryptography (Early Stage Researchers - 1 post), Ruhr-University Bochum

  The Cryptology Group at Ruhr-University Bochum (Horst-Goertz Institute) is seeking to recruit one Marie Sklodowska-Curie Research Fellow in Cryptography to start in October 2015, as part of the ECRYPT-NET project.

ECRYPT-NET is a research network of six universities and two companies that intends to develop advanced cryptographic techniques for the Internet of Things and the Cloud, and to create efficient and secure implementations of those techniques on a broad range of platforms. ECRYPT-NET is funded by a prestigious Marie Sklodowska-Curie ITN (Integrated Training Network) grant. The network will educate a group of 15 PhD students with a set of interdisciplinary skills in the areas of mathematics, computer science and electrical engineering. The training will be provided in an international context that includes Summer Schools, workshops and internships. Participants are expected to spend at least six months abroad with a network partner, or in one of the seven associated companies. We are looking for highly motivated candidates, ideally with a background in cryptology and with proven research abilities.

One of the ECRYPT-NET ESR (Early Stage Researcher) positions will be based at Ruhr-University Bochum, to work on the project Fully Homomorphic Encryption - Design and Analysis.

We are looking for a candidate with a strong background in algorithmics and with a passion for cryptanalysis.

Marie Curie ITN eligibility criteria apply to this position.

Founded in 2001, the Horst-Görtz Institute at Ruhr-University Bochum is a world-leading interdisciplinary research center dedicated to research and education covering all aspects of IT security, with an excellent record of research in cryptography. The Horst-Görtz Institute has 15 professors and over 80 PhD students. It hosts the only German Research Training Group for Doctoral students in Cryptology.

16:49 [Job][New] Assistant/Associate Professor, Hangzhou Normal University, China

  The group for Cryptography and Network Security at Hangzhou Normal University, China, chaired by Prof. Dr. Qi Xie, is looking for two faculty members with a strong crypto/security background. Candidates should have a PhD degree in mathematics, computer science, or related disciplines; be highly motivated, with strong R&D capability, and a good team player; have good presentation and communication skills; and be able to perform deep system-level investigations of security mechanisms. The candidates are expected to publish high-quality papers OR develop security-related projects. Any prior experience in cloud computing, e-health or WSN/VANETs security is certainly an asset.

Interested candidates please send a CV to Qi Xie {qixie68 (at)}. The positions offer a competitive salary. All candidates will be contacted for further information.

09:17 [Pub][ePrint] KDM-Security via Homomorphic Smooth Projective Hashing, by Hoeteck Wee

  We present new frameworks for constructing public-key encryption schemes satisfying key-dependent message (KDM) security and that yield efficient, universally composable oblivious transfer (OT) protocols via the dual-mode cryptosystem framework of Peikert, Waters and Vaikuntanathan (Crypto 2008).

- Our first framework yields a conceptually simple and unified treatment of the KDM-secure schemes of Boneh et al. (Crypto 2008), Brakerski and Goldwasser (Crypto 2010) and Brakerski, Goldwasser and Kalai (TCC 2011) in the single-key setting.

- Using our second framework, we obtain new dual-mode cryptosystems based on the d-linear, quadratic residuosity and decisional composite residuosity assumptions.

Both of these frameworks build on the notion of smooth projective hashing introduced by Cramer and Shoup (Eurocrypt 2002), with the additional requirement that the hash function is homomorphic, as is the case for all known instantiations.

09:17 [Pub][ePrint] Oblivious Substring Search with Updates, by Tarik Moataz and Erik-Oliver Blass

  We are the first to address the problem of efficient oblivious substring search over encrypted data supporting updates. Our two new protocols, SA-ORAM and ST-ORAM, obliviously search for substrings in an outsourced set of n encrypted strings. Both protocols are efficient, requiring communication complexity that is only poly-logarithmic in n. Compared to a straightforward solution for substring search using recent "oblivious data structures" [30], we demonstrate that our tailored solutions improve communication complexity by a factor of log n. The idea behind SA-ORAM and ST-ORAM is to employ a new, hierarchical ORAM tree structure that takes advantage of data dependency and optimizes the size of ORAM blocks and tree height. Based on oblivious suffix arrays, SA-ORAM targets efficiency, yet does not allow updates to the outsourced set of strings. ST-ORAM, based on oblivious suffix trees, allows updates at an additional communication cost of a factor of log log n. We implement and benchmark SA-ORAM to show its feasibility for practical deployments: even for huge datasets of 2^40 strings, an oblivious substring search can be performed with only hundreds of KBytes of communication.

09:17 [Pub][ePrint] Cryptanalysis of Feistel Networks with Secret Round Functions, by Alex Biryukov and Gaëtan Leurent and Léo Perrin

  Generic distinguishers against Feistel Networks with up to 5 rounds exist in the regular setting, and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually completely recover the unknown Feistel functions.

When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called "yoyo game", which we improved using a heuristic based on particular cycle structures. The complexity of a complete recovery is equivalent to $O(2^{2n})$ encryptions, where $n$ is the branch size. This attack can be used against 6- and 7-round Feistel Networks in time $O(2^{n2^{n-1}+2n})$ and $O(2^{n2^{n}+2n})$ respectively. However, when modular addition is used, this attack does not work. In this case, we use an optimized guess-and-determine strategy to attack 5 rounds with complexity $O(2^{n2^{3n/4}})$.

Our results are, to the best of our knowledge, the first recovery attacks against generic 5-, 6- and 7-round Feistel Networks.

09:17 [Pub][ePrint] A masked ring-LWE implementation, by Oscar Reparaz and Sujoy Sinha Roy and Frederik Vercauteren and Ingrid Verbauwhede

  Lattice-based cryptography has been proposed as a post-quantum public-key cryptosystem. In this paper, we present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks. Our solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The output of the ring-LWE decryption is a set of Boolean shares suitable for the derivation of a symmetric key. We have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side-channel analysis to confirm the soundness of our approach. The area of the protected architecture is around $2000$ LUTs, a $20\%$ increase with respect to the unprotected architecture. The protected implementation takes $7478$ cycles to compute, which is only a factor $\times 2.6$ larger than the unprotected implementation.

09:17 [Pub][ePrint] The self-blindable U-Prove scheme by Hanzlik and Kluczniak is forgeable, by Eric Verheul and Sietse Ringers and Jaap-Henk Hoepman

  In "A Short Paper on How to Improve U-Prove Using Self-Blindable Certificates" by L. Hanzlik and K. Kluczniak (FC 2014), an unlinkable version of the U-Prove attribute-based credential scheme is proposed. Unfortunately, the new scheme is forgeable: if sufficiently many users work together, they can construct new credentials, containing any set of attributes of their choice, without any involvement of the issuer. In this short paper we show how they can achieve this and point out the error in the unforgeability proof.

09:17 [Pub][ePrint] Compositions of linear functions and applications to hashing, by Vladimir Shpilrain and Bianca Sosnovski

  Cayley hash functions are based on a simple idea: use a pair of (semi)group elements, A and B, to hash the 0 and 1 bit, respectively, and then hash an arbitrary bit string in the natural way, by using multiplication of elements in the (semi)group. In this paper, we focus on hashing with linear functions of one variable over F_p. The corresponding hash functions are very efficient, in particular due to the fact that a linear function is determined by its values at two points. Thus, we show that hashing a bit string of length $n$ with our method requires just 2n multiplications in F_p, but with particular pairs of linear functions that we suggest, one does not need to perform any multiplications at all. We also give explicit lower bounds on the length of collisions for hash functions corresponding to these particular pairs of linear functions over F_p.
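To make the construction in this abstract concrete, here is an added example (not code from the paper) of a Cayley hash whose generators are two linear functions over F_p: composing two functions of the form ax + b costs two multiplications mod p, and the result is fully described by its values at two points. The prime p and the generator pairs A and B below are constructed for illustration; the paper's own multiplication-free pairs are not reproduced here.

```python
# Added example (not from the paper): a Cayley hash built from two linear
# functions over F_p. Bit 0 is hashed with A(x) = a0*x + b0 and bit 1 with
# B(x) = a1*x + b1; a bit string is hashed by composing these functions in
# message order, so the hash of b_1...b_n is M(b_1) o M(b_2) o ... o M(b_n).

P = 2**31 - 1  # a Mersenne prime, chosen here for illustration only


def compose(f, g, p=P):
    """Return f o g, i.e. x -> f(g(x)), as a coefficient pair (a, b).

    Two multiplications mod p per composition, hence 2n for an n-bit input.
    """
    a1, b1 = f
    a2, b2 = g
    return (a1 * a2 % p, (a1 * b2 + b1) % p)


def evaluate(f, x, p=P):
    """Evaluate the linear function f = (a, b) at the point x."""
    a, b = f
    return (a * x + b) % p


def from_two_points(y0, y1, p=P):
    """Recover (a, b) from the values f(0) = y0 and f(1) = y1.

    A linear function is fixed by its values at two points, so a hash value
    can equally be stored or transmitted as the pair (f(0), f(1)).
    """
    return ((y1 - y0) % p, y0 % p)


def cayley_hash(bits, A, B, p=P):
    """Hash a string of '0'/'1' characters with the generators A and B."""
    h = (1, 0)  # the identity function x -> x (empty message)
    for bit in bits:
        if bit not in "01":
            raise ValueError("input must be a string of '0' and '1'")
        h = compose(h, A if bit == "0" else B, p)
    return h


if __name__ == "__main__":
    # Constructed sample generators and a small prime, for illustration only.
    A, B = (2, 3), (5, 7)
    h = cayley_hash("0110", A, B, 101)
    # Concatenation is the semigroup product: hash(u + v) == hash(u) o hash(v).
    assert h == compose(cayley_hash("01", A, B, 101), cayley_hash("10", A, B, 101), 101)
    print("0110 ->", h, "values at 0 and 1:", evaluate(h, 0, 101), evaluate(h, 1, 101))
```

The concatenation property checked in the usage block is exactly what makes collision-finding a question about relations among words in A and B, which is why the paper bounds the length of the shortest collision.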

09:17 [Pub][ePrint] DPA, Bitslicing and Masking at 1 GHz, by Josep Balasch and Benedikt Gierlichs and Oscar Reparaz and Ingrid Verbauwhede

  We present DPA attacks on an ARM Cortex-A8 processor running at 1 GHz. This high-end processor is typically found in portable devices such as phones and tablets. In our case, the processor sits in a single-board computer and runs a full-fledged Linux operating system. The targeted AES implementation is bitsliced and runs in constant time and with constant control flow. We show that, despite the complex hardware and software, high clock frequencies and practical measurement issues, the implementation can be broken with DPA starting from a few thousand measurements of the electromagnetic emanation of a decoupling capacitor near the processor. To harden the bitsliced implementation against DPA attacks, we mask it using principles of hardware gate-level masking. We evaluate the security of our masked implementation against first-order and second-order attacks. Our experiments show that successful attacks require roughly two orders of magnitude more measurements.

09:17 [Pub][ePrint] Provable Virus Detection: Using the Uncertainty Principle to Protect Against Malware, by Richard J. Lipton and Rafail Ostrovsky and Vassilis Zikas

  Protecting software from malware injection is the holy grail of modern computer security. Despite intensive efforts by the scientific and engineering community, the number of successful attacks continues to increase.

We have a breakthrough novel approach to provably detect malware injection. The key idea is to use the very insertion of the malware itself to allow for the systems to detect it. This is, in our opinion, close in spirit to the famous Heisenberg Uncertainty Principle. The attackers, no matter how clever, no matter when or how they insert their malware, change the state of the system they are attacking. This fundamental idea is a game changer. And our system does not rely on heuristics; instead, our scheme enjoys the unique property that it is proved secure in a formal and precise mathematical sense and with minimal and realistic CPU modification achieves strong provable security guarantees. Thus, we anticipate our system and formal mathematical security treatment to open new directions in software protection.