Indocrypt 2011, 11–14 December 2011, Chennai


Schedule (including slides)

Indocrypt 2011 began on Sunday 11 December 2011 and concluded on Wednesday 14 December 2011. Tutorials took place Sunday morning, Sunday afternoon, and Wednesday afternoon. Invited and contributed talks took place Monday, Tuesday, and Wednesday.

Videos of some talks are available from

Detailed schedule

11 Dec
  09:00–09:30  Registration
  09:30–11:00  Tutorial: Dingledine: Tor and the Censorship Arms Race: Lessons Learned (part 1) (slides parts 1+2) (video part 1)
  11:30–13:00  Tutorial: Dingledine: Tor and the Censorship Arms Race: Lessons Learned (part 2) (slides parts 1+2) (video part 2)
  14:30–16:00  Tutorial: Lange: Elliptic curves for applications (part 1) (slides parts 1+2) (video part 1)
  16:30–18:00  Tutorial: Lange: Elliptic curves for applications (part 2) (slides parts 1+2) (video part 2)

12 Dec
  09:00–09:30  Registration
  10:00–11:00  Refereed papers: Side channels, part 1
               Saha, Mukhopadhyay, Chowdhury: PKDPA: an enhanced probabilistic differential power attack methodology
               Nassar, Guilley, Danger: Formal analysis of the entropy/security trade-off in first-order masking countermeasures against side-channel attacks (slides)
  11:30–13:00  Refereed papers: Side channels, part 2
               Clavier, Feix, Gagnerot, Rousselet, Verneuil: Square always exponentiation (slides)
               Rebeiro, Poddar, Datta, Mukhopadhyay: An enhanced differential cache attack on CLEFIA for large cache lines
               Sarkar: Partial key exposure: generalized framework to attack RSA (slides)
  14:30–15:30  Invited talk: Paar: The Yin and Yang Sides of Embedded Security (slides) (video)
  16:00–18:00  Refereed papers: Secret-key cryptography, part 1
               Gorski, Knapke, List, Lucks, Wenzel: Mars Attacks! Revisited (slides)
               Ågren, Johansson: Linear cryptanalysis of PRINTcipher—trails and samples everywhere (slides)
               Aumasson, Naya-Plasencia, Saarinen: Practical attack on 8 rounds of the lightweight block cipher KLEIN (slides)
               Nguyen, Robshaw, Wang: On related-key attacks and KASUMI: the case of A5/3 (slides)
  18:00–19:00  CRSI meeting

13 Dec
  09:30–10:30  Invited talk: Anderson: Cryptology: where is the new frontier? (slides) (video)
  11:00–13:00  Refereed papers: Secret-key cryptography, part 2
               Hong, Lee, Ma: Analysis of the parallel distinguished point tradeoff (slides)
               Banik, Maitra, Sarkar: On the evolution of GGHN cipher (slides)
               Sen Gupta, Chattopadhyay, Khalid: HiPAcc-LTE: an integrated high performance accelerator for 3GPP LTE stream ciphers (slides)
               Habibi, Aref, Ma: Addressing flaws in RFID authentication protocols
  14:30–16:00  Refereed papers: Hash functions
               Naya-Plasencia, Röck, Meier: Practical analysis of reduced-round Keccak (slides)
               Mendel, Nad: Boomerang distinguisher for the SIMD-512 compression function (slides)
               Kaps, Yalla, Surapathi, Habib, Vadlamudi, Gurung, Pham: Lightweight implementations of SHA-3 candidates on FPGAs (slides)
  16:30–18:00  Refereed papers: Pairings
               D'Souza, Jao, Mironov, Pandey: Publicly verifiable secret sharing for cloud-based key management (slides)
               Drylo: On constructing families of pairing-friendly elliptic curves with variable discriminant (slides)
               Costello, Lauter, Naehrig: Attractive subfamilies of BLS curves for implementing high-security pairings (slides)

14 Dec
  09:30–10:30  Invited talk: Rescorla: Stone Knives and Bear Skins: Why does the Internet run on pre-historic cryptography? (slides) (video)
  11:00–12:30  Refereed papers: Protocols
               Maji, Prabhakaran: The limits of common coins: further results
               Agrawal, Mehta, Srinathan: Secure message transmission in asynchronous directed graphs (slides)
               Kuppusamy, Rangasamy, Stebila, Boyd, Nieto: Towards provably secure DoS-resilient key exchange protocol with perfect forward secrecy (slides)
  14:00–15:30  Tutorial: Gueron: Software Optimizations for Cryptographic Primitives on General Purpose x86_64 platforms (part 1) (slides)
  16:00–17:30  Tutorial: Gueron: Software Optimizations for Cryptographic Primitives on General Purpose x86_64 platforms (part 2) (slides)

Abstracts of invited talks

Ross Anderson, University of Cambridge, UK:
Cryptology: where is the new frontier?

Twenty years ago, the crypto community was relatively homogeneous, with the people who went to Crypto and Eurocrypt spanning everything from theory to applications. Now it's much more diverse, with several underlying bodies of theory (from complexity to protocol analysis) and a great variety of applications. Where should a young researcher focus?

Doing good cryptographic engineering to support complex socio-technical systems is hard, and I will discuss three examples. First, payment protocols such as EMV (which is just being adopted in India) and the more recent work in mobile wallets, have a major problem in managing complexity. Second, infrastructure protection such as DNSSEC and BGPSEC is a good thing but often runs up against a lack of deployment incentives. Finally, the UEFI proposal for authenticated boot revives many of the questions of trust that were previously discussed during the crypto wars, during the debate over "Trusted Computing", and in the context of SSL CAs. The lesson is that the security and cryptology research communities in India should engage with the policy and economic implications of our field. Although India's situation may be different from America's or Europe's, many of the same issues of trust, control, innovation and privacy will surely come round again and again. What's more, good research tends to come from real problems; researchers who engage with the real world can spot these more quickly.

Christof Paar, Ruhr Universität Bochum, Germany:
The Yin and Yang Sides of Embedded Security

Through the prevalence of interconnected embedded systems, the vision of pervasive computing has become reality over the last few years. As part of this development, embedded security has become an increasingly important issue in a multitude of applications. Examples include the Stuxnet virus, which has allegedly delayed the Iranian nuclear program, killer applications in the consumer area like iTunes or Amazon's Kindle, the business models of which rely heavily on IP protection, and even medical implants like pacemakers and insulin pumps that allow remote configuration. These examples show the destructive and constructive aspects of modern embedded security. For us embedded security researchers, the following definition of yin and yang can be useful for resolving this seeming conflict: "The concept of yin yang is used to describe how polar opposites or seemingly contrary forces are interconnected and interdependent in the natural world, and how they give rise to each other in turn." (OK, the "natural world" part is not a 100% fit here.) In this presentation I will talk about some of our research projects over the last few years which dealt with both the yin and yang aspects of embedded security.

In 1-2 generations of automobiles, car2car and car2infrastructure communication will be available for driver-assistance and comfort applications. The emerging car2x standards call for strong security features. The large volume of data of up to several 1000 incoming messages per second, the strict cost constraints, and the embedded environment make this a challenging task. We show how an extremely high-performance digital signature engine was realized using low-cost FPGAs. Our signature engine is currently widely used in field trials in the USA. The next case study addresses the other end of the performance spectrum, namely lightweight cryptography. PRESENT is one of the smallest known ciphers and can be realized with as few as 1000 gates. The cipher was designed for extremely cost and power constrained applications such as RFID tags, which can be used, e.g., as a tool for anti-counterfeiting of spare parts, or for other low-power applications. PRESENT is currently being standardized by ISO.

As "yang examples" of our research we will show how two devices with very large deployment in the real world can be broken using physical attacks. First, we show a recent attack against a modern contactless smart card equipped with 3DES. The card is widely used in authentication and payment systems. The second attack breaks the bit stream encryption of current FPGAs. These are reconfigurable hardware devices which are popular in many digital systems. We were able to extract AES and 3DES keys from a single power-up of the reconfiguration process. Once the key has been recovered, an attacker can clone, reverse engineer and alter a presumably secure hardware design.

Eric Rescorla, RTFM, Inc., USA:
Stone Knives and Bear Skins: Why does the Internet run on pre-historic cryptography?

While cryptography has advanced greatly since 2001, Internet security protocols have not. Here is a list of the algorithms that are used in common SSL/TLS stacks:

  • RSA in PKCS#1 1.5 mode (1993)
  • MD5 (1982)
  • SHA-1 (1993)
  • DES (1976) and AES (2001) in CBC mode (with chained IVs)
  • RC4 (1987, leaked 1994)

The situation is similar for other protocols such as IPsec and S/MIME. Without exception, all of these algorithms have known deficiencies, and in many cases these deficiencies have led to practical or semi-practical attacks. Despite this, implementors and users have responded either by ignoring these issues or by adding layers of countermeasures to the attacks which are presently known. Even when new protocols are designed—for instance the IETF's new JSON secure message format—designers often select older algorithms over newer, more secure ones. In this talk, we explore how we got into this situation, how to get out, and if we even want to.
This is version 2013.10.01 of the schedule.html web page.