All constructions of general purpose indistinguishability obfuscation (IO) rely on either meta-assumptions that encapsulate an exponential family of assumptions (e.g., Pass, Seth and Telang, CRYPTO 2014 and Lin, EUROCRYPT 2016), or polynomial families of assumptions on graded encoding schemes with a high polynomial degree/multilinearity (e.g., Gentry, Lewko, Sahai and Waters, FOCS 2014). We present a new construction of IO, with a security reduction based on two assumptions: (a) a DDH-like assumption — called the joint-SXDH assumption — on constant degree graded en- codings, and (b) the existence of polynomial-stretch pseudorandom generators (PRG) in NC0. Our assumption on graded encodings is simple, has constant size, and does not require handling composite-order rings. This narrows the gap between the mathematical objects that exist (bilinear maps, from elliptic curve groups) and ones that suffice to construct general purpose indistinguishability obfuscation.

We give attacks on Feistel-based format-preserving encryption (FPE) schemes that succeed in message recovery (not merely distinguishing scheme outputs from random) when the message space is small. For $4$-bit messages, the attacks fully recover the target message using $2^{21}$ examples for the FF3 NIST standard and $2^{25}$ examples for the FF1 NIST standard. The examples include only three messages per tweak, which is what makes the attacks non-trivial even though the total number of examples exceeds the size of the domain. The attacks are rigorously analyzed in a new definitional framework of message-recovery security. The attacks are easily put out of reach by increasing the number of Feistel rounds in the standards.

One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the used re-keying function has to withstand both simple power analysis (SPA) and differential power analysis (DPA). Recently, at SAC 2016, Keymill---a side-channel resilient key generator (or re-keying function)---has been proposed, which is claimed to be inherently secure against side-channel attacks. In this work, however, we present a DPA attack on Keymill, which is based on the dynamic power consumption of a digital circuit that is tied to the $0\rightarrow1$ and $1\rightarrow0$ switches of its logical gates. Hence, the power consumption of the shift-registers used in Keymill depends on the $0\rightarrow1$ and $1\rightarrow0$ switches of its internal state. This information is sufficient to obtain the internal differential pattern (up to a small number of bits, which have to be brute-forced) of the 4 shift-registers of Keymill after the nonce (or $IV$) has been absorbed. This leads to a practical key-recovery attack on Keymill.

Key-homomorphic properties of cryptographic objects, i.e., homomorphisms on their key space, have proven to be useful, both from a theoretical as well as a practical perspective. Important cryptographic objects such as pseudorandom functions or (public key) encryption have been studied previously with respect to key-homomorphisms. Interestingly, however, signature schemes have not been explicitly investigated in this context so far. We close this gap and initiate the study of key-homomorphic signatures, which turns out to be an interesting and versatile concept. In doing so, we firstly propose a definitional framework for key-homomorphic signatures distilling various natural flavours of key-homomorphic properties. Those properties aim to classify existing signature schemes and thus allow to infer general statements about signature schemes from those classes by simply making black-box use of the respective properties. We apply our definitional framework to show elegant and simple compilers from classes of signature schemes admitting different types of key-homomorphisms to a number of other interesting primitives such as ring signature schemes, (universal) designated verifier signature schemes, simulation-sound extractable non-interactive zero-knowledge (NIZK) arguments, and multisignature schemes. Additionally, using the formalisms provided by our framework, we can prove a tight implication from single-user security to key-prefixed multi-user security for a class of schemes admitting a certain key-homomorphism. Finally, we discuss schemes that provide homomorphic properties on the message space of signatures under different keys in context of key-homomorphisms and present some first constructive results from key-homomorphic schemes.

Most cryptographic schemes are designed in a model where perfect secrecy of the secret key is assumed. In most physical implementations, however, some form of information leakage is inherent and unavoidable. To deal with this, a flurry of works showed how to construct basic cryptographic primitives that are resilient to various forms of leakage. Dodis et al. (FOCS '10) formalized and constructed leakage resilient one-way functions. These are one-way functions $f$ such that given a random image $f(x)$ and leakage $g(x)$ it is still hard to invert $f(x)$. Based on any one-way function, Dodis et al. constructed such a one-way function that is leakage resilient assuming that an attacker can leak any lossy function g of the input. In this work we consider the problem of constructing leakage resilient one-way functions that are secure with respect to arbitrary computationally hiding leakage (a.k.a auxiliary-input). We consider both types of leakage --- selective and adaptive --- and prove various possibility and impossibility results. On the negative side, we show that if the leakage is an adaptively-chosen arbitrary one-way function, then it is impossible to construct leakage resilient one-way functions. The latter is proved both in the random oracle model (without any further assumptions) and in the standard model based on a strong vector-variant of DDH. On the positive side, we observe that when the leakage is chosen ahead of time, there are leakage resilient one-way functions based on a variety of assumption.

The security analysis of Keccak, the winner of SHA-3, has attracted considerable interest. Recently, some attention has been paid to the analysis of keyed modes of Keccak sponge function. As a notable example, the most efficient key recovery attacks on Keccak-MAC and Keyak were reported at EUROCRYPT'15 where cube attacks and cubeattack- like cryptanalysis have been applied. In this paper, we develop a new type of cube distinguisher, the conditional cube tester, for Keccak sponge function. By imposing some bit conditions for certain cube variables, we are able to construct cube testers with smaller dimensions. Our conditional cube testers are used to analyse Keccak in keyed modes. For reduced-round Keccak-MAC and Keyak, our attacks greatly improve the best known attacks in key recovery in terms of the number of rounds or the complexity. Moreover, our new model can also be applied to keyless setting to distinguish Keccak sponge function from random permutation.We provide a searching algorithm to produce the most efficient conditional cube tester by modeling it as an MILP (mixed integer linear programming) problem. As a result, we improve the previous distinguishing attacks on Keccak sponge function significantly. Most of our attacks have been implemented and verified by desktop computers. Finally we remark that our attacks on the the reduced-round Keccak will not threat the security margin of Keccak sponge function.

We propose an efficient hardware architecture design & implementation of Advanced Encryption Standard (AES). The AES algorithm defined by the National Institute of Standard and Technology (NIST) of United States has been widely accepted. The cryptographic algorithms can be implemented with software or built with pure hardware. However Field Programmable Gate Arrays (FPGA) implementation offers quicker solution and can be easily upgraded to incorporate any protocol changes. This contribution investigates the AES encryption cryptosystem with regard to FPGA and Very High Speed Integrated Circuit Hardware Description language (VHDL). Optimized and Synthesizable VHDL code is developed for the implementation of 128- bit data encryption process. AES encryption is designed and implemented in FPGA, which is shown to be more efficient than published approaches. Xilinx ISE 12.3i software is used for simulation. Each program is tested with some of the sample vectors provided by NIST and output results are perfect with minimal delay. The throughput reaches the value of 1609Mbit/sec for encryption process with Device XC6vlx240t of Xilinx Virtex Family.

The unbalanced oil and vinegar signature scheme (UOV) is one of signature schemes whose public key is a set of multivariate quadratic forms. Recently, a new variant of UOV called Cubic UOV was proposed at Inscrypt 2015. It was claimed that the cubic UOV was more efficient than the original UOV and its security was enough. However, an equivalent secret key of the cubic UOV can be recovered easily. In this note, we describe how to recover it. After we posted the first version of this note, Duong et al. proposed two variants of Cubic UOV at ICISC 2016. We also explain their weakness in the second version.

In IMACC 2015 and Inscrypt 2015, Zhang and Tan proposed new vinegar-like variants of multivariate signature schemes. While their aims were to enhance the security of broken schemes, the security is much less than expected. In this note, we describe how to recover a public key of the original scheme.

The security of order-revealing encryption (ORE) has been unclear since its invention. Dataset characteristics for which ORE is especially insecure have been identified, such as small message spaces and low-entropy distributions. On the other hand, properties like one-wayness on uniformly-distributed datasets have been proved for ORE constructions. This work shows that more plaintext information can be extracted from ORE ciphertexts than was previously thought. We identify two issues: First, we show that when multiple columns of correlated data are encrypted with ORE, attacks can use the encrypted columns together to reveal more information than prior attacks could extract from the columns individually. Second, we apply known attacks, and develop new attacks, to show that the \emph{leakage} of concrete ORE schemes on non-uniform data leads to more accurate plaintext recovery than is suggested by the security theorems which only dealt with uniform inputs.

In 2009, Gentry proposed the first Fully Homomorphic Encryption (FHE) scheme, an extremely powerful cryptographic primitive that enables to perform computations, i.e., to evaluate circuits, on encrypted data without decrypting them first. This has many applications, in particular in cloud computing. In all currently known FHE schemes, encryptions are associated to some (non-negative integer) noise level, and at each evaluation of an AND gate, the noise level increases. This is problematic because decryption can only work if the noise level stays below some maximum level $L$ at every gate of the circuit. To ensure that property, it is possible to perform an operation called _bootstrapping_ to reduce the noise level. However, bootstrapping is time-consuming and has been identified as a critical operation. This motivates a new problem in discrete optimization, that of choosing where in the circuit to perform bootstrapping operations so as to control the noise level; the goal is to minimize the number of bootstrappings in circuits. In this paper, we formally define the _bootstrap problem_, we design a polynomial-time $L$-approximation algorithm using a novel method of rounding of a linear program, and we show a matching hardness result: $(L-\epsilon)$-inapproximability for any $\epsilon>0$.

Constrained pseudorandom functions (CPRF) are a fundamental extension of the notion of traditional pseudorandom functions (PRF). A CPRF enables a master PRF key holder to issue constrained keys corresponding to specific constraint predicates over the input domain. A constrained key can be used to evaluate the PRF only on those inputs which are accepted by the associated constraint predicate. However, the PRF outputs on the rest of the inputs still remain computationally indistinguishable from uniformly random values. A constrained verifiable pseudorandom function (CVPRF) enhances a CPRF with a non-interactive public verification mechanism for checking the correctness of PRF evaluations. A delegatable constrained pseudorandom function (DCPRF) is another extension which augments a CPRF to empower constrained key holders to delegate further constrained keys that allow PRF evaluations on inputs accepted by more restricted constraint predicates compared to ones embedded in their own constrained keys. Until recently, all the proposed constructions of CPRF’s and their extensions(i) either could handle only bounded length inputs, (ii) or were based on risky knowledge-type assumptions. In EUROCRYPT 2016, Deshpande et al. have presented a CPRF construction supporting inputs of unconstrained polynomial length based on indistinguishability obfuscation and injective pseudorandom generators, which they have claimed to be selectively secure. In this paper, we first identify a flaw in their security argument and resolve this by carefully modifying their construction and suitably redesigning the security proof. Our alteration does not involve any additional heavy duty cryptographic tools. Next, employing only standard public key encryption (PKE), we extend our CPRF construction, presenting the first ever CVPRF and DCPRF constructions that can handle inputs of unbounded polynomial length. Finally, we apply our ideas to demonstrate the first known attribute-based signature (ABS) scheme for general signing policies supporting signing attributes of arbitrary polynomial length.

We show attacks on five data-independent memory-hard functions (iMHF) that were submitted to the password hashing competition. Informally, an MHF is a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly lower energy and/or hardware cost than evaluating a single instance on a standard single-core architecture. Data-independent means the memory access pattern of the function is independent of the input; this makes iMHFs harder to construct than data-dependent ones, but the latter can be attacked by various side-channel attacks. Following [Alwen-Blocki'16], we capture the evaluation of an iMHF as a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of this DAG is a good measure for the cost of evaluating the iMHF on an ASIC. If n denotes the number of nodes of a DAG (or equivalently, the number of operations --- typically hash function calls --- of the underlying iMHF), its pebbling complexity must be close to n^2 for the iMHF to be memory-hard. We show that the following iMHFs are far from this bound: Rig.v2, TwoCats and Gambit can be attacked with complexity O(n^{1.75}); the data-independent phase of Pomelo (a finalist of the password hashing competition) and Lyra2 (also a finalist) can be attacked with complexity O(n^{1.83}) and O(n^{1.67}), respectively. For our attacks we use and extend the technique developed by [Alwen-Blocki'16], who show that the pebbling complexity of a DAG can be upper bounded in terms of its depth-robustness.

As lattice cryptography becomes more widely used in practice, there is an increasing need for further cryptanalytic effort and higher-confidence security estimates for its underlying computational problems. Of particular interest is a class of problems used in many recent implementations, namely, Learning With Errors (LWE), its more efficient ring-based variant Ring-LWE, and their ``deterministic error'' counterparts Learning With Rounding (LWR) and Ring-LWR. To facilitate such analysis, in this work we give a broad collection of challenges for concrete Ring-LWE and Ring-LWR instantiations over cyclotomics rings. The challenges cover a wide variety of instantiations, involving two-power and non-two-power cyclotomics; moduli of various sizes and arithmetic forms; small and large numbers of samples; and error distributions satisfying the bounds from worst-case hardness theorems related to ideal lattices, along with narrower errors that still appear to yield hard instantiations. We estimate the hardness of each challenge by giving the approximate Hermite factor and BKZ block size needed to solve it via lattice-reduction attacks. A central issue in the creation of challenges for LWE-like problems is that dishonestly generated instances can be much harder to solve than properly generated ones, or even impossible. To address this, we devise and implement a simple, non-interactive, publicly verifiable protocol which gives reasonably convincing evidence that the challenges are properly distributed, or at least not much harder than claimed.

We construct the first noninteractive protocols for several tasks related to private set intersection. We provide efficient protocols for three related problems, each motivated by a particular kind of genomic testing. Set intersection with labelling hides the intersecting set itself and returns only the labels of the common elements, thus allowing a genomics company to return diagnoses without exposing the IP of its database. Fuzzy matching with labelling extends this to allow matching at a particular Hamming distance, which solves the same problem but incorporates the possibility of genetic variation. Closest matching returns the item in the server's database closest to the client's query - this can be used for taxonomic classification. Our protocols are optimised for the matching of $k$-mers (sets of $k$-length strings) rather than individual nucleotides, which is particularly useful for representing the short reads produced by next generation sequencing technologies.

Hierarchical identity-based broadcast encryption (HIBBE) organizes the users in a tree-like structure in which they can delegate the decryption ability to their subordinates. In addition, the trusted third party (TTP) can reduce its burden because the users' secret keys can be generated in a distributed mechanism by users' supervisors. HIBBE enables encrypting a message for any arbitrary set of receivers, and only the chosen users and their supervisors are able to decrypt. To preserving the anonymity of the intended receivers, in this paper, for the first time, we propose an anonymous HIBBE scheme. The proposed scheme is constructed based on composite order bilinear maps. We formally define the anonymity against chosen identity vector set and chosen plaintext attack (Anon-CIVS-CPA), and prove that the proposed scheme provides this property. Performance evaluation shows the practical and deployable aspects of our proposed scheme. With the advantage of HIBBE, we enable hierarchical identity-based signature (HIBS) schemes to sign a message for a set of designated verifiers. This resulted in proposing a generic construction for the novel notion of hierarchical identity-based multi-designated verifiable signature (HIB-MDVS). We formally define HIB-MDVS's security against existential forgery under chosen message attack (EF-CMA), prove that the resulting HIB-MDVS is unforgeable, and finally show that it provides the anonymity of the intended verifiers.

Strong designated verifier signatures make the message authenticated only to a designated person called the designated verifier while privacy of the signer's identity is preserved. This primitive is useful in scenarios that authenticity, signer ambiguity and signer's privacy are required simultaneously such as electronic voting and tendering. To have quantum-attack-resistant strong designated verifier signatures as recommended in National Institute of Standards and Technology internal report (NISTIR 8105, dated April 2016), a provably secure code-based construction was proposed by Koochak Shooshtari et al. in 2016. In this paper, we show that this code-based candidate for strong designated verifier signa- tures does not have signer ambiguity or non-transferability, the main feature of strong designated verifier signatures. In addition, it is shown that it is not strongly unforgeable if a designated verifier transfers a signature to a third party. Then, a new proposal for strong designated verifier signatures based on coding theory is presented, and its security which includes strong unforgeability, signer ambiguity and privacy of the signer's identity properties is proved under Goppa Parameterized Bounded Decoding and the Goppa Code Distinguishing assumptions in the random oracle model.

This work presents the construction of intelligent algorithmic mechanism based on multidimensional view of intelligent reasoning, threat analytics, cryptographic solutions and secure multiparty computation. It is basically an attempt of the cross fertilization of distributed AI, algorithmic game theory and cryptography. The mechanism evaluates innate and adaptive system immunity in terms of collective, machine, collaborative, business and security intelligence. It also shows the complexity analysis of the mechanism and experimental results on three test cases: (a) intrusion detection, (b) adaptively secure broadcast and (c) health security.

We give one- and two-dimensional scalar multiplication algorithms for Jacobians of genus~2 curves that operate by projecting to Kummer surfaces, where we can exploit faster and more uniform pseudomultiplication, before recovering the proper "signed" output back on the Jacobian. This extends the work of Lopez and Dahab, Okeya and Sakurai, and Brier and Joye to genus 2, and also to two-dimensional scalar multiplication. The technique is especially interesting in genus 2, because Kummer surfaces can outperform comparable elliptic curve systems.

In this paper we study the feasibility of using homomorphic tallying in the Estonian Internet voting system. The paper analyzes the security benefits provided by homomorphic tallying, the costs introduced and the required changes to the voting system. We find that homomorphic tallying has several security benefits, such as improved ballot secrecy, public verifiability of the vote tallying server and the possibility for observers to recalculate the tally without compromising ballot secrecy. The use of modern elliptic curve cryptography allows homomorphic tallying to be implemented without a significant loss of performance.

Homomorphic encryption allows to make specific operations on private data which stays encrypted. While applications such as cloud computing require to have a practical solution, the encryption scheme must be secure. In this article, we detail and analyze in-depth the homomorphic encryption scheme proposed by Zhou and Wornell. From the analysis of the encryption scheme, we are able to mount three attacks. The first attack enables to recover a secret plaintext message broadcasted to multiple users. The second attack performs a chosen ciphertext key recovery attack and it was implemented and verified. The last attack is a related chosen plaintext decryption attack.

Physical Unclonable Function (PUF) is the hardware analog of a one-way function which can address hardware security issues such as device authentication, generating secret keys, producing seeds for Random Number Generators, etc. Traditional silicon PUFs are based on delay (Ring Oscillator PUFs and Arbiter PUFs) or memory structures (e.g, SRAM PUFs). In this paper, we propose the design of an aging resistant, lightweight and low-power analog PUF that exploits the susceptibility of Threshold Voltage (Vth) of MOSFETs to process variations. Analysis shows improvement in power consumption, reliability over device aging along with quality metrics like uniformity, reliability and uniqueness for a 64-bit key generation. For 1 GHz clock input, this design consumes 0.18W/bit power with 50 % uniqueness and 51% uniformity along with the independence of these metrics on technology nodes. Experimental results suggest 4% variation in reliability under temperature variation from -55C to 125C and 20% variation in supply voltage. Aging analysis further projects the independence of reliability over device aging.

This paper extends the choice available for secure real number implementations with two new contributions. We will consider the numbers represented in form $a-\varphi b$ where $\varphi$ is the golden ratio, and in form $(-1)^s\cdot2^e$ where $e$ is a fixed-point number. We develop basic arithmetic operations together with some frequently used elementary functions. All the operations are implemented and benchmarked on SHAREMIND secure multi-party computation framework. It turns out that the new proposals provide viable alternatives to standard floating- and fixed-point implementations from the performance/error viewpoint in various settings. However, the optimal choice still depends on the exact requirements of the numerical algorithm to be implemented.

Second-order side-channel attacks are used to break first-order masking protections. A practical reason which often limits the efficiency of second-order attacks is the temporal localisation of the leaking samples. Several leakage samples must be combined which means high computational power. For second-order attacks, the computational complexity is quadratic. At CHES '04, Waddle and Wagner introduced attacks with complexity $\mathcal{O}(n \log_2 n)$ on hardware traces, where $n$ is the window size, by working on traces auto-correlation. Nonetheless, the two samples must belong to the same window which is (normally) not the case for software implementations. In this article, we introduce preprocessing tools that improve the efficiency of bi-variate attacks (while keeping a complexity of $\mathcal{O}(n \log_2 n)$), even if the two samples that leak are far away one from the other (as in software). We put forward two main improvements. Firstly, we introduce a method to avoid loosing the phase information. Next, we empirically notice that keeping the analysis in the frequency domain can be beneficial for the attack. We apply these attacks in practice on real measurements, publicly available under the DPA Contest v4, to evaluate the proposed techniques. An attack using a window as large as 4000 points is able to reveal the key in only 3000 traces.

The Fiat-Shamir transformation is the most efficient construction of non-interactive zero-knowledge proofs. This paper is concerned with two variants of the transformation that appear but have not been clearly delineated in existing literature. Both variants start with the prover making a commitment. The strong variant then hashes both the commitment and the statement to be proved, whereas the weak variant hashes only the commitment. This minor change yields dramatically different security guarantees: in situations where malicious provers can select their statements adaptively, the weak Fiat-Shamir transformation yields unsound/unextractable proofs. Yet such settings naturally occur in systems when zero-knowledge proofs are used to enforce honest behavior. We illustrate this point by showing that the use of the weak Fiat-Shamir transformation in the Helios cryptographic voting system leads to several possible security breaches: for some standard types of elections, under plausible circumstances, malicious parties can cause the tallying procedure to run indefinitely and even tamper with the result of the election. On the positive side, we define a form of adaptive security for zero-knowledge proofs in the random oracle model (essentially simulation-sound extractability), and show that a variant which we call strong Fiat-Shamir yields secure non-interactive proofs. This level of security was assumed in previous works on Helios and our results are then necessary for these analyses to be valid. Additionally, we show that strong proofs in Helios achieve non-malleable encryption and satisfy ballot privacy, improving on previous results that required CCA security.

We present KangarooTwelve, a fast and secure arbitrary output-length hash function aiming at a higher speed than the FIPS 202's SHA-3 and SHAKE functions. While sharing many features with SHAKE128, like the cryptographic primitive, the sponge construction, the eXtendable Output Function (XOF) and the 128-bit security strength, KangarooTwelve offers two major improvements over its standard counterpart. First it has a built-in parallel mode that efficiently exploits multi-core or SIMD instruction parallelism for long messages, without impacting the performance for short messages. Second, relying on the cryptanalysis results on Keccak over the past ten years, we tuned its permutation to require twice less computation effort while still offering a comfortable safety margin. By combining these two changes KangarooTwelve consumes less than 0.55 cycles/byte for long messages on the latest Intel's SkylakeX architectures. The generic security of KangarooTwelve is guaranteed by the use of Sakura encoding for the tree hashing and of the sponge construction for the compression function.

In this paper, we present the first systematic investigation of data remanence effects on an intrinsic Static Random Access Memory Physical Unclonable Function (SRAM PUF) implemented on a commercial off-the-shelf (COTS) device in a temperature range between -110° C and -40° C. Although previous studies investigated data remanence in SRAMs only at temperatures above -50° C, our experimental results clearly indicate that the extended temperature region we examine has dramatic effects on the security of intrinsic SRAM PUFs. We propose a number of different attacks and experimentally verify that data remanence effects can be exploited successfully to attack intrinsic SRAM PUFs on a COTS device, where the (micro)processor and the SRAM reside on the same die. Our experimental attack writes a bit-string to memory and freezes the device. Due to data remanence effects the attacker-known bit-string remains in memory and is subsequently read out by the bootloader to generate the PUF response. In this way, the attacker is able to construct a forged secret key by manipulating the PUF response. Finally, we also discuss and assess potential countermeasures against the attacks we examine.

In this paper, we describe a new information-theoretic protocol (and a computationally-secure variant) for secure {\em three}-party computation with an honest majority. The protocol has very minimal computation and communication; for Boolean circuits, each party sends only a single bit for every AND gate (and nothing is sent for XOR gates). Our protocol is (simulation-based) secure in the presence of semi-honest adversaries, and achieves privacy in the client/server model in the presence of malicious adversaries. On a cluster of three 20-core servers with a 10Gbps connection, the implementation of our protocol carries out over \textit{1.3 million} AES computations per second, which involves processing over \textit{7 billion gates per second}. In addition, we developed a Kerberos extension that replaces the ticket-granting-ticket encryption on the Key Distribution Center (KDC) in MIT-Kerberos with our protocol, using keys/ passwords that are shared between the servers. This enables the use of Kerberos while protecting passwords. Our implementation is able to support a login storm of over 35,000 logins per second, which suffices even for very large organizations. Our work demonstrates that high-throughput secure computation is possible on standard hardware.

In this note, the polar decomposition of binary fields of even extension degree is used to reduce the evaluation of the Walsh transform of binomial Boolean functions to that of Gauss sums. In the case of extensions of degree four times an odd number, an explicit formula involving a Kloosterman sum is conjectured, proved with further restrictions, and supported by extensive experimental data in the general case. In particular, the validity of this formula is shown to be equivalent to a simple and efficient characterization for bentness previously conjectured by Mesnager.

We formalize a cryptographic primitive called functional commitment (FC) which can be viewed as a generalization of vector commitments (VCs), polynomial commitments and many other special kinds of commitment schemes. A non-interactive functional commitment allows committing to a message in such a way that the committer has the flexibility of only revealing a function $F(M)$ of the committed message during the opening phase. We provide constructions for the functionality of linear functions, where messages consist of vectors of $n$ elements over some domain $\mathcal{D}$ (e.g., $\vec{m} = (m_1,\ldots,m_n) \in \mathcal{D}^n$) and commitments can later be opened to a specific linear function $\sum_{i=1}^n m_i x_i = y \in \mathcal{R}$ of the vector coordinates. An opening for a function $F: \mathcal{D}^n \rightarrow \mathcal{R}$ thus generates a witness for the fact that $F(\vec{m})$ indeed evaluates to $y$. One security requirement is called \emph{function binding} and requires that it be infeasible open a commitment to two different evaluations $y,y'$ for the same function $F$. We propose a construction of functional commitment (FC) for linear functions based on constant-size assumptions in composite order groups endowed with a bilinear map. The construction has commitments and openings of constant size (i.e., independent of $n$ or function description) and is \emph{perfectly hiding} -- the underlying message is information theoretically hidden. Our security proofs build on the Déjà Q framework of Chase and Meiklejohn (Eurocrypt 2014) and its extension by Wee (TCC 2016) to encryption primitives, thus relying on constant-size subgroup decisional assumptions. We show that FCs for linear functions are sufficiently powerful to solve four open problems. They, first, imply polynomial commitments,and, then, give cryptographic accumulators (i.e., an algebraic hash function which makes it possible to efficiently prove that some input belongs to a hashed set). In particular, specializing our FC construction leads to the first pairing-based polynomial commitments and accumulators for large universes, known to achieve security under simple assumptions. We also substantially extend our pairing-based accumulator to handle subset queries which requires a non-trivial extension of the Déjà Q framework.

These lecture notes survey some of the main ideas and tech- niques used in cryptographic voting systems. The write-up is geared to- wards readers with little knowledge of cryptography and it focuses on the broad principles that guide the design and analysis of cryptographic systems, especially the need for properly designed security models. We use a system proposed by Fujioka, Okamoto and Ohta as starting example to introduce some basic building blocks and desirable security properties. We then slowly build towards a comprehensive description of the Helios voting system, one of the few systems deployed in practice and briefly discuss a few of its security properties.

Location management is a key component of cellular networks. From a privacy perspective, however, it is also a major weakness: location management empowers the network operator to track users. In today's public and scientific discussion, the centralized storage of location data is mostly taken as a fact, and users are expected to trust the network operator. ANOTEL presents a novel, clean-slate approach of location management in cellular networks that challenges this assumption. We developed a design that is able to route calls to users who move through cellular networks, without violating their location privacy. We evaluate our approach using simulations and a practical user tracking algorithm.

This paper proposes a public-key cryptosystem and a short password encryption mode, where traditional hardness assumptions are replaced by specific refinements of the CAPTCHA concept called Decisional and Existential CAPTCHAs. The public-key encryption method, achieving 128-bit security, typically requires from the sender to solve one CAPTCHA. The receiver does not need to resort to any human aid. A second symmetric encryption method allows to encrypt messages using very short passwords shared between the sender and the receiver. Here, a simple 5-character alphanumeric password provides sufficient security for all practical purposes. We conjecture that the automatic construction of Decisional and Existential CAPTCHAs is possible and provide candidate ideas for their implementation.

We propose a new protocol for two-party computation, secure against malicious adversaries, that is significantly faster than prior work in the single-execution setting (i.e., non-amortized and with no pre-processing). In particular, for computational security parameter $\kappa$ and statistical security parameter $\rho$, our protocol uses only $\rho$ garbled circuits and $O(\kappa)$ public-key operations, whereas previous work with the same number of garbled circuits required either $O(\rho n + \kappa)$ public-key operations (where n is the input/output length) or a second execution of a secure-computation sub-protocol. Our protocol can be based on the decisional Diffie-Hellman assumption in the standard model. We implement our protocol to evaluate its performance. With $\rho = 40$, our implementation securely computes an AES evaluation in 65 ms over a local-area network using a single thread without any pre-computation, 22x faster than the best prior work in the non-amortized setting. The relative performance of our protocol is even better for functions with larger input/output lengths.

Authenticated key exchange (AKE) protocol is an important cryptographic primitive that assists communicating entities, who are communicating over an insecure network, to establish a shared session key to be used for protecting their subsequent communication. Lattice-based cryptographic primitives are believed to provide resilience against attacks from quantum computers. An efficient AKE protocol with smaller module over ideal lattices is constructed in this paper, which nicely inherits the design idea of the excellent high performance secure Diffie-Hellman protocol. Under the hard assumption of ring learning with errors (RLWE) hard assumption, the security of the proposed protocol is proved in the Bellare-Rogaway model.

We present a general notion of channel for cryptographic purposes, which can model either a (classical) physical channel or the consequences of a cryptographic protocol, or any hybrid. We consider {\em simultaneous secrecy and reliability amplification} for such channels. We show that simultaneous secrecy and reliability amplification is not possible for the most general model of channel, but, at least for some values of the parameters, it is possible for a restricted class of channels that still includes both standard information-theoretic channels and keyless cryptographic protocols. Even in the restricted model, we require that for the original channel, the failure chance for the attacker must be a factor $c$ more than that for the intended receiver. We show that for any $c > 4 $, there is a one-way protocol (where the sender sends information to the receiver only) which achieves simultaneous secrecy and reliability. From results of Holenstein and Renner (\emph{CRYPTO'05}), there are no such one-way protocols for $c < 2$. On the other hand, we also show that for $c > 1.5$, there are two-way protocols that achieve simultaneous secrecy and reliability. We propose using similar models to address other questions in the theory of cryptography, such as using noisy channels for secret agreement, trade-offs between reliability and secrecy, and the equivalence of various notions of oblivious channels and secure computation.

The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being considered by the IRTF (Internet Research Task Force) as a new de-facto standard for password hashing. An older version (Argon2i-A) of the same algorithm was chosen as the winner of the recent Password Hashing Competition. An important competitor to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs, Boneh and Schechter. A key security desiderata for any such algorithm is that evaluating it (even using a custom device) requires a large amount of memory amortized across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of theoretical attacks against Argon2i-A and BH. While these attacks yield large asymptotic reductions in the amount of memory, it was not, a priori, clear if (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3) if they can be effectively instantiated against any algorithm under realistic hardware constrains. In this work we answer all three of these questions to the affirmative for all three algorithms. It is also the first work to analyze the security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe asymptotic deficiencies in its security. Next we introduce several novel heuristics for improving the attack's concrete memory efficiency even when on-chip memory bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A, Argon2i-B and BH instances and measure the resulting memory consumption for various practical parameter ranges and for a variety of upperbounds on the amount of parallelism available to the attacker. Finally we describe, implement and test a new heuristic for applying the Alwen-Blocki attack to functions employing a technique developed by Corrigan-Gibs et al. for improving concrete security of memory-hard functions. We analyze the collected data and show the effects various parameters have on the memory consumption of the attack. In particular, we can draw several interesting conclusions about the level of security provided by these functions. \begin{itemize} \item For the Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must be instantiated with more than 10 passes on memory. The current IRTF proposal calls even just 6 passes as the recommended ``paranoid'' setting. \item More generally, the parameter selection process in the proposal is flawed in that it tends towards producing parameters for which the attack is successful (even under realistic constraints on parallelism). \item The technique of Corrigan-Gibs for improving security can also be overcome by the Alwen-Blocki attack under realistic hardware constraints. \item On a positive note, both the asymptotic and concrete security of Argon2i-B seem to improve on that of Argon2i-A. \end{itemize}

Recently, Alkim, Ducas, Pöppelmann, and Schwabe proposed a Ring-LWE-based key exchange protocol called NewHope (Usenix Securitz 2016) and illustrated that this protocol is very efficient on large Intel processors. Their paper also claims that the parameter choice enables efficient implementation on small embedded processors. In this paper we show that these claims are actually correct and present NewHope software for the ARM Cortex-M family of 32-bit microcontrollers. More specifically, our software targets the low-end Cortex-M0 and the high-end Cortex-M4 processor from this family. Our software starts from the C reference implementation by the designers of NewHope and then carefully optimizes subroutines in assembly. In particular, compared to best results known so far, our NTT implementation achieves a speedup of almost a factor of 2 on the Cortex-M4. Our Cortex-M0 NTT software slightly outperforms previously best results on the Cortex-M4, a much more powerful processor. In total, the server side of the key exchange executes in only 1,476,101 cycles on the M0 and only 834,524 cycles on the M4; the client side executes in 1,760,837 cycles on the M0 and 982,384 cycles on the M4.

We put forward a new framework that makes it possible to re-write and/or compress the content of any number of blocks in decentralized services exploiting the blockchain technology. As we argue, there are several reasons to prefer an editable blockchain, spanning from the necessity to remove improper content and the possibility to support applications requiring re-writable storage, to "the right to be forgotten". Our approach generically leverages so-called chameleon hash functions (Krawczyk and Rabin, NDSS '00), which allow to efficiently determine hash collisions given a secret trapdoor information. We detail how to integrate a chameleon hash function in virtually any blockchain-based technology, for both cases where the power of redacting the blockchain content is in the hands of a single trusted entity and where such a capability is distributed among several distrustful parties (as is the case in Bitcoin). We also report on a proof-of-concept implementation of a redactable blockchain, building on top of Nakamoto's Bitcoin core. The implementation only requires minimal changes to the way current client software interprets information stored in the blockchain and to the current blockchain, block, or transaction structures. Moreover, our experiments show that the overhead imposed by a redactable blockchain is small compared to the case of an immutable one.

Recent results show that the current implementation of Helios, a practical e-voting protocol, does not ensure independence of the cast votes, and demonstrate the impact of this lack of independence on vote privacy. Some simple fixes seem to be available and security of the revised scheme has been studied with respect to symbolic models. In this paper we study the security of Helios using computational models. Our first contribution is a model for the property known as ballot privacy that generalizes and extends several existing ones. Using this model, we investigate an abstract voting scheme (of which the revised Helios is an instantiation) built from an arbitrary encryption scheme with certain functional properties. We prove, generically, that whenever this encryption scheme falls in the class of voting-friendly schemes that we define, the resulting voting scheme provably satisfies ballot privacy. We explain how our general result yields cryptographic security guarantees for the revised version of Helios (albeit from non-standard assumptions). Furthermore, we show (by giving two distinct constructions) that it is possible to construct voting-friendly encryption, and therefore voting schemes, using only standard cryptographic tools. We detail an instantiation based on ElGamal encryption and Fiat-Shamir non-interactive zero-knowledge proofs that closely resembles Helios and which provably satisfies ballot privacy.

The classic notion of history-independence guarantees that if a data structure is ever observed, only its current contents are revealed, not the history of operations that built it. This powerful concept has applications, for example, to e-voting and data retention compliance, where data structure histories should be private. The concept of weak history-independence (WHI) assumes only a single observation will ever occur, while strong history-independence (SHI) allows for multiple observations at arbitrary times. WHI constructions tend to be fast, but provide no repeatability, while SHI constructions provide unlimited repeatability, but tend to be slow. We introduce auditable data structures, where an auditor can observe data structures at arbitrary times (as in SHI), but we relax the unrealistic restriction that data structures cannot react to observations, since in most applications of history-independence, data owners know when observations have occurred. We consider two audit scenarios—secure topology, where an auditor can observe the contents and pointers of a data structure, and secure implementation, where an auditor can observe the memory layout of a data structure. We present a generic template for auditable data structures and, as a foundation for any auditable data structure, an Auditable Memory Manager (AMM), which is an efficient memory manager that translates any auditable data structure with a secure topology into one with a secure implementation. We give a prototype implementation that provides empirical evidence that the worst-case time running times of our AMM are 45× to 8,300× faster than those of a well-known SHI memory manager. Thus, auditable data structures provide a practical way of achieving time efficiency, as in WHI, while allowing for multiple audits, as in SHI.

MANTIS is a lightweight tweakable block cipher recently published at CRYPTO 2016. In addition to the full 14-round version, MANTIS-7, the designers also propose an aggressive 10-round version, MANTIS-5. The security claim for MANTIS-5 is resistance against "practical attacks", defined as related-tweak attacks with data complexity $2^d$ less than $2^{30}$ chosen plaintexts (or $2^{40}$ known plaintexts), and computational complexity at most $2^{126-d}$. We present a key-recovery attack against MANTIS-5 with $2^{28}$ chosen plaintexts and a computational complexity of about $2^{38}$ block cipher calls, which violates this claim. Our attack is based on a family of differential characteristics and exploits several properties of the lightweight round function and tweakey schedule. To verify the validity of the attack, we also provide a practical implementation which recovers the full key in about 1 core hour using $2^{30}$ chosen plaintexts.

We present a probabilistic polynomial-time reduction from the lattice Bounded Distance Decoding (BDD) problem with parameter 1/($\sqrt{2}\cdot\gamma$) to the unique Shortest Vector Problem (uSVP) with parameter $\gamma$ for any $\gamma>1$ that is polynomial in the lattice dimension $n$. It improves the BDD to uSVP reductions of [Lyubashevsky and Micciancio, CRYPTO, 2009] and [Liu, Wang, Xu and Zheng, Inf. Process. Lett., 2014], which rely on Kannan's embedding technique. The main ingredient to the improvement is the use of Khot's lattice sparsification [Khot, FOCS, 2003] before resorting to Kannan's embedding, in order to boost the uSVP parameter.

In this paper, we analyzed an extreme case of lightweight block cipher design in terms of security and efficiency. To do this, we proposed ELiF block cipher family which has one of the smallest hardware area in a fully serial design. We also defined ELiF to be flexible and scalable so that it can be implemented for real life applications with different scenarios such as fixed key implementations. We also gave hardware implementation results for different implementation settings to show its efficiency and flexibility. Because of its flexible implementation properties, ELiF family of ciphers are suitable for systems with asymmetric computation powers such as RFID reader and tags. We made theoretical and experimental analysis for various block sizes. Using the results for small block lengths, we estimated minimum number of rounds that the cipher becomes secure depending on the block size.

In this paper, we propose a generic method to construct involutory binary matrices from a three round Feistel scheme with a linear round function. We prove bounds on the maximum achievable branch number (BN) and the number of fixed points of our construction. We also define two families of efficiently implementable round functions to be used in our method. The usage of these families in the proposed method produces matrices achieving the proven bounds on branch numbers and fixed points. Moreover, we show that BN of the transpose matrix is the same with the original matrix for the function families we defined. Some of the generated matrices are \emph{Maximum Distance Binary Linear} (MDBL), i.e. matrices with the highest achievable BN. The number of fixed points of the generated matrices are close to the expected value for a random involution. Generated matrices are especially suitable for utilising in bitslice block ciphers and hash functions. They can be implemented efficiently in many platforms, from low cost CPUs to dedicated hardware.

We describe a lightweight algorithm performing whole-network authentication in a distributed way. This protocol is more efficient than one-to-one node authentication: it results in less communication, less computation, and overall lower energy consumption. The proposed algorithm is provably secure, and achieves zero-knowledge authentication of a network in a time logarithmic in the number of nodes.

Hierarchical identity-based encryption (HIBE) can be extended to revocable HIBE (RHIBE) if a private key of a user can be revoked when the private key is revealed or expired. Previously, many selectively secure RHIBE schemes were proposed, but it is still unsolved problem to construct an adaptively secure RHIBE scheme. In this work, we propose two RHIBE schemes in composite-order bilinear groups and prove their adaptive security under simple static assumptions. To prove the adaptive security, we use the dual system encryption framework, but it is not simple to use the dual system encryption framework in RHIBE since the security model of RHIBE is quite different with that of HIBE. We show that it is possible to solve the problem of the RHIBE security proof by carefully designing hybrid games.

Ateniese et al. introduced the Provable Data Possession (PDP) model in 2007. Following that, Erway et al. adapted the model for dynamically updatable data, and called it the Dynamic Provable Data Possession (DPDP) model. The idea is that a client outsources her files to a server, and later on challenges the server to obtain a proof that her data is kept intact. During recent years, many schemes have been proposed for this purpose, all following a similar framework. We analyze in detail the exact requirements of dynamic data outsourcing schemes regarding security and efficiency, and propose a general framework for constructing such schemes that encompasses existing DPDP-like schemes as different instantiations. We show that a dynamic data outsourcing scheme can be constructed given black-box access to an implicitly-ordered authenticated data structure (that we define). Moreover, for blockless verification efficiency, a homomorphic verifiable tag scheme is also needed. We investigate the requirements and conditions these building blocks should satisfy, using which one can easily check applicability of a given building block for dynamic data outsourcing. Finally, we provide a comparison among different building blocks.

Nowadays the decentralized transaction ledger functionality implemented through the blockchain technology is at the highest international interest because of the prospects both on opportunities and risks. There are a number of advantages inherently embedded in blockchain-based systems, and a pletora of new applications and services relying on concepts and technologies inspired by those of Bitcoin are emerging. But at the same time some weaknesses and limitations are evident, and we argue that they stem mainly from the fact that the blockchain is managed through mining. In this work we pointed out the unsustainability of mining in case of massive large-scale blockchain-based system. Moreover, after isolating the basic concepts behind mining, we sketched possible alternatives for the maintenance of blockchain-based systems. We considered security issues, incentives, as well as competitive and collaborative opportunities, and we proposed a framework of concepts and algorithms to implement blockchain-based systems for different contexts.

Private set intersection (PSI) refers to a special case of secure two-party computation in which the parties each have a set of items and compute the intersection of these sets without revealing any additional information. In this paper we present improvements to practical PSI providing security in the presence of {\em malicious} adversaries. Our starting point is the protocol of Dong, Chen \& Wen (CCS 2013) that is based on Bloom filters. We identify a bug in their malicious-secure variant and show how to fix it using a cut-and-choose approach that has low overhead while simultaneously avoiding one the main computational bottleneck in their original protocol. We also point out some subtleties that arise when using Bloom filters in malicious-secure cryptographic protocols. We have implemented our PSI protocols and report on its performance. Our improvements reduce the cost of Dong et al.'s protocol by a factor of $14-110\times$ on a single thread. When compared to the previous fastest protocol of De Cristofaro et al., we improve the running time by $8-24\times$. For instance, our protocol has an online time of 14 seconds and an overall time of 2.1 minutes to securely compute the intersection of two sets of 1 million items each.

In this paper, we introduce new methods for releasing differentially private graphs. Our techniques are based on a new way to distribute noise among edges weights. More precisely, we rely on the addition of noise whose amplitude is edge-calibrated and optimize the distribution of the privacy budget among subsets of edges. The generic privacy framework that we propose can capture all privacy notions introduced so far in the literature to release graphs in a differentially private manner. Furthermore, experimental results on real datasets show that our methods outperform the standard existing techniques, in particular in terms of the preservation of utility. In addition, these experiments show that our mechanisms guarantee epsilon-differential privacy for a reasonable level of privacy epsilon, while preserving the spectral information of the input graph.

Recently, many new classes of differentially $4$-uniform permutations have been constructed. However, it is difficult to decide whether they are CCZ-inequivalent or not. In this paper, we propose a new notion called "Projected Differential Spectrum". By considering the properties of the projected differential spectrum, we find several relations that should be satisfied by CCZ-equivalent functions. Based on these results, we mathematically prove that any differentially $4$-uniform permutation constructed in \cite{CTTL} by {C.Carlet, D.Tang, X.Tang, et al.,} is CCZ-inequivalent to the inverse function. We also get two interesting results with the help of computer experiments. The first one is a proof that any permutation constructed in \cite{CTTL} is CCZ-inequivalent to a function which is the summation of the inverse function and any Boolean function on $\gf_{2^{2k}}$ when $4\le k\le 7$. The second one is a differentially $4$-uniform permutation on $\gf_{2^6}$ which is CCZ-inequivalent to any function in the aforementioned two classes.

The cube attack is an algebraic attack that allows an adversary to extract low degree polynomial equations from the targeted cryptographic primitive. This work applies the cube attack to a reduced round version of ACORN, a candidate cipher design in the CAESAR cryptographic competition. The cube attack on 477 initialization rounds of ACORN can recover the 128 bit key with a total attack complexity of about $2^{35}$. We have also shown that linear equations relating the initial state of the full version of ACORN can be be easily generated which can lead to state recovery attack with an attack complexity of about $2^{72.8}$.

The amount of digital data that requires long-term protection of integrity, authenticity, and confidentiality grows rapidly. Examples include electronic health records, genome data, and tax data. In this paper we present the secure storage system LINCOS, whichprovides protection of integrity, authenticity, and confidentiality in the long-term, i.e., for an indefinite time period. It is the first such system. It uses the long-term integrity scheme COPRIS, which is also presented here and is the first such scheme that does not leak any information about the protected data. COPRIS uses information-theoretic hiding commitments for confidentiality-preserving integrity and authenticity protection. LINCOS uses proactive secret sharing for confidential storage of secret data. We also present implementations of COPRIS and LINCOS. A special feature of our LINCOS implementation is the use of quantum key distribution and one-time pad encryption for information-theoretic private channels within the proactive secret sharing protocol. The technological platform for this is the Tokyo QKD Network, which is one of worlds most advanced networks of its kind. Our experimental evaluation establishes the feasibility of LINCOS and shows that in view of the expected progress in quantum communication technology, LINCOS is a promising solution for protecting very sensitive data in the cloud.

We introduce a Markov-model-based framework for Moving Target Defense (MTD) analysis. The framework allows modeling of a broad range of MTD strategies, provides general theorems about how the probability of a successful adversary defeating an MTD strategy is related to the amount of time/cost spent by the adversary, and shows how a multi-level composition of MTD strategies can be analyzed by a straightforward combination of the analysis for each one of these strategies. Within the proposed framework we define the concept of security capacity which measures the strength or effectiveness of an MTD strategy: the security capacity depends on MTD specific parameters and more general system parameters. We apply our framework to two concrete MTD strategies.

The software performance of cryptographic schemes is an important factor in the decision to include such a scheme in real-world protocols like TLS, SSH or IPsec. In this paper, we develop a benchmarking framework to perform software performance measurements on authenticated encryption schemes. In particular, we apply our framework to independently benchmark the 29 remaining 2$^\text{nd}$ round candidates of the CAESAR competition. Many of these candidates have multiple parameter choices, or deploy software optimised versions raising our total number of benchmarked implementations to 232. We illustrate our results in various diagrams and hope that our contribution helps developers to find an appropriate cipher in their selection choice.

Digital signatures are one of the most important cryptographic primitives. In this work we construct an information-theoretically secure signature scheme which, unlike prior schemes, enjoys a number of advantageous properties such as short signature length and high generation efficiency, to name two. In particular, we extend symmetric-key message authentication codes (MACs) based on universal hashing to make them transferable, a property absent from traditional MAC schemes. Our main results are summarised as follows. - We construct an unconditionally secure signature scheme which, unlike prior schemes, does not rely on a trusted third party or anonymous channels. In our scheme, a sender shares with each of the remaining protocol participants (or recipients) a set of keys (or hash functions) from a family of universal hash functions. Also, the recipients share with each other a random portion of the keys that they share with the sender. A signature for a message is a vector of tags generated by applying the hash functions to the message. As such, our scheme can be viewed as an extension of MAC schemes, and therefore, the practical implementation of our scheme is straightforward. - We prove information-theoretic security of our scheme against forging, repudiation, and non-transferability. - We compare our schemes with existing both "classical" (not employing quantum mechanics) and quantum unconditionally secure signature schemes. The comparison shows that our new scheme has a number of unparalleled advantages over the previous schemes. - Finally, although our scheme does not rely on trusted third parties, we discuss this, showing that having a trusted third party makes our scheme even more attractive.

In this paper I propose the fully homomorphic public-key encryption(FHPKE) scheme with zero norm noises that is based on the discrete logarithm assumption(DLA) and computational Diffie-Hellman assumption(CDH) of multivariate polynomials on octonion ring. Since the complexity for enciphering and deciphering become to be small enough to handle, the cryptosystem runs fast.

Several cryptographic methods have been developed based on the difficulty to determine the set of solutions of a polynomial system over a given field. We build a polynomial ideal whose algebraic set is related to the set of isomorphisms between two graphs. The problem {\sc isomorphism}, posed in the context of Graph Theory, has been extensively used in zero knowledge authentication protocols. Thus, any cryptographic method based on {\sc isomorphism} can be translated into an equivalent method based on the problem of finding rational points in algebraic sets associated to polynomial ideals.

Many data-driven personalized services require that private data of users is scored against a trained machine learning model. In this paper we propose a novel protocol for privacy-preserving classification of decision trees, a popular machine learning model in these scenarios. Our solutions are composed out of building blocks, namely a secure comparison protocol, a protocol for obliviously selecting inputs, and a protocol for evaluating polynomials. By combining some of the building blocks for our decision tree classification protocol, we also improve previously proposed solutions for classification of support vector machines and logistic regression models. Our protocols are information theoretically secure and, unlike previously proposed solutions, do not require modular exponentiations. We show that our protocols for privacy-preserving classification lead to more efficient results from the point of view of computational and communication complexities. We present accuracy and runtime results for 7 classification benchmark datasets from the UCI repository.

Threshold secret sharing is a protocol that allows a dealer to share a secret among $n$ players so that any coalition of $t$ players learns nothing about the secret, but any $t+1$ players can reconstruct the secret in its entirety. Robust secret sharing (RSS) provides the additional guarantee that even if $t$ malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret. When $t < \frac{n}{3}$, Shamir sharing is known to be robust, and when $t > \frac{n}{2}$, RSS is known to be impossible, but for $\frac{n}{3} < t < \frac{n}{2}$ much less is known. When $\frac{n}{3} < t < \frac{n}{2}$ previous RSS protocols could either achieve optimal share size with inefficient (exponential time) reconstruction procedures, or sub-optimal share size with polynomial time reconstruction. In this work, we construct a simple RSS protocol for $t = \left( \frac{1}{2} - \epsilon\right)n$ that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our shares size increases by an additive term of $O(\kappa + \log n)$, and reconstruction succeeds except with probability at most $2^{-\kappa}$. This provides a partial solution to a problem posed by Cevallos et al. in Eurocrypt 2012. Namely, when $t = \left( \frac{1}{2} - O(1) \right)n$ we show that the share size in RSS schemes do not require an overhead that is linear in $n$. Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC '89) and Cevallos et al. (Eurocrypt '12) use MACs to allow each player to check the shares of each other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the $n$ players as nodes in an expander graph, each player only checks its neighbors in the expander graph. When $t = \left\{ \frac{1}{2} - O(1) \right\}n$, the concurrent, independent work of Cramer et al. (Eurocrypt '15) shows how to achieve shares that \emph{decrease} with the number of players using completely different techniques.

Oblivious transfer protocol is an important cryptographic primitive having numerous applications and particularly playing an essential role in secure multiparty computation protocols. On the other hand existing oblivious transfer protocols are based on computationally expensive public-key operations which remains the main obstacle for employing such protocols in practical applications. In this paper a novel approach for designing oblivious transfer protocols is introduced based on the idea of replacing public-key operations by white-box cryptography techniques. As a result oblivious transfer protocols based on white-box cryptography run several times faster and require less communication bandwidth compared with the existing protocols.

Over the past decade, the hybrid lattice reduction and meet-in-the middle attack (called the Hybrid Attack) has been used to evaluate the security of many lattice-based cryprocraphic schemes such as NTRU, NTRU prime, BLISS, and more. However, unfortunately none of the previous analyses of the Hybrid Attack is entirely satisfactory: they are based on simplifying assumptions that may distort the security estimates. Such simplifying assumptions include setting probabilities equal to $1$, which, for the parameter sets we analyze in this work, are in fact as small as $2^{-80}$. Many of these assumptions lead to underestimating the scheme's security. However, some lead to security overestimates, and without further analysis, it is not clear which is the case. Therefore, the current security estimates against the Hybrid Attack are not reliable and the actual security levels of many lattice-based schemes are unclear. In this work we present an improved runtime analysis of the Hybrid Attack that gets rid of incorrect simplifying assumptions. Our improved analysis can be used to derive reliable and accurate security estimates for many lattice-based schemes. In addition, we reevaluate the security against the Hybrid Attack for the NTRU, NTRU prime, and R-BinLWEEnc encryption schemes as well as for the BLISS and GLP signature schemes. Our results show that there exist both security over- and underestimates in the literature. Our results further show that the common claim that the Hybrid Attack is the best attack on all NTRU parameter sets is in fact a misconception based on incorrect analyses of the attack.

In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.

RFID technology is a system which uses radio frequency to transmit data. Data transmission between Tags and Readers is wireless which can be easily eavesdropped by adversary. Due to security and privacy reasons, various authentication protocols proposed. In this paper, we cryptanalyze two different RFID authentication protocols and it is shown that either of them have some weaknesses. In 2014, Chang et al. proposed a mutual authentication protocol for RFID technology based on EPC Class 1 Generation 2 standard. We show that their protocol is not safe regard to privacy and cannot repulse neither Traceability attack nor Forward Traceability attack. Also, in 2015, Pourpouneh et al. proposed a server-less authentication protocol. We discover that their protocol is not able to thwart security and privacy attacks such as Secret Parameter Reveal, Traceability and Forward Traceability. In addition, we robust the two schemes to defend those attacks which can protect RFID users against different threats. Then, analyzing of the protocols are compared with some state-of-art ones.

The literature on leakage-resilient cryptography contains various leakage models that provide different levels of security. In this work, we consider the \emph{bounded leakage} and the \emph{continual leakage} models. In the bounded leakage model (Akavia et al. -- TCC 2009), it is assumed that there is a fixed upper bound $L$ on the number of bits the attacker may leak on the secret key in the entire lifetime of the scheme. Alternatively, in the continual leakage model (Brakerski et al. -- FOCS 2010, Dodis et al. -- FOCS 2010), the lifetime of a cryptographic scheme is divided into ``time periods'' between which the scheme's secret key is updated. Furthermore, in its attack the adversary is allowed to obtain some bounded amount of leakage on the current secret key during each time period. In the continual leakage model, a challenging problem has been to provide security against \emph{leakage on key updates}, that is, leakage that is a function not only of the current secret key but also the \emph{randomness used to update it}. We propose a new, modular approach to overcome this problem. Namely, we present a compiler that transforms any public-key encryption or signature scheme that achieves a slight strengthening of continual leakage resilience, which we call \emph{consecutive} continual leakage resilience, to one that is continual leakage resilient with leakage on key updates, assuming \emph{indistinguishability obfuscation} (Barak et al. --- CRYPTO 2001, Garg et al. -- FOCS 2013). Under the stronger assumption of \emph{public-coin differing-inputs obfuscation} (Ishai et al. -- TCC 2015) the leakage rate tolerated by our compiled scheme is essentially as good as that of the starting scheme. Our compiler is obtained by making a new connection between the problems of leakage on key updates and so-called ``sender-deniable'' encryption (Canetti et al. -- CRYPTO 1997), which was recently realized for the first time by Sahai and Waters (STOC 2014). In the bounded leakage model, we develop a new approach to constructing leakage-resilient encryption from obfuscation, based upon the public-key encryption scheme from $\iO$ and punctured pseudorandom functions due to Sahai and Waters (STOC 2014). In particular, we achieve leakage-resilient public key encryption tolerating $L$ bits of leakage for any $L$ from $\iO$ and one-way functions. We build on this to achieve leakage-resilient public key encryption with optimal leakage rate of $1-o(1)$ based on public-coin differing-inputs obfuscation and collision-resistant hash functions. Such a leakage rate is not known to be achievable in a generic way based on public-key encryption alone. We then develop entirely new techniques to construct a new public key encryption scheme that is secure under (consecutive) continual leakage resilience (under appropriate assumptions), which we believe is of independent interest.

Chaum et al. have very recently introduced cMix as the first practical system that offers senders-recipients unlinkability at scale. cMix is claimed by its authors to be secure unless all nodes collude. We argue their assertion does not hold for the basic description of the protocol and sustain our statement by two different types of attacks: tagging attack and insider attack. For each one, we discuss the settings that make it feasible and possible countermeasures. By this, we highlight the necessity of implementing additional mechanisms that at first have been overlooked or have only been mentioned as additional features.

Searchable Symmetric Encryption aims at making possible searching over an encrypted database stored on an untrusted server while keeping privacy of both the queries and the data, by allowing some small controlled leakage to the server. Recent work shows that dynamic schemes -- in which the data is efficiently updatable -- leaking some information on updated keywords are subject to devastating adaptative attacks breaking the privacy of the queries. The only way to thwart this attack is to design \emph{forward private} schemes whose update procedure does not leak if a newly inserted element matches previous search queries. This work proposes ${\Sigma o\phi o\varsigma}$ as a forward private SSE scheme with performance similar to existing less secure schemes, and that is conceptually simpler (and also more efficient) than previous forward private constructions. In particular, it only relies on trapdoor permutations and does not use an ORAM-like construction. We also explain why ${\Sigma o\phi o\varsigma}$ is an optimal point of the security/performance tradeoff for SSE. Finally, an implementation and evaluation results demonstrate its practical efficiency.

The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-art algorithms for solving the corresponding problem are the number field sieve and its variants. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital. In this paper, we devise a method to improve the individual logarithm step by exploring subfield structures. Our method is based on the extended tower number field sieve algorithm, and achieves more significant improvement when the extension degree has a large proper factor. We also perform some experiments to illustrate our algorithm and confirm the result.

The information ratio of a secret sharing scheme $\Sigma$ is the ratio between the length of the largest share and the length of the secret, and it is denoted by $\sigma(\Sigma)$. The optimal information ratio of an access structure $\Gamma$ is the infimum of $\sigma(\Sigma)$ among all schemes $\Sigma$ with access structure $\Gamma$, and it is denoted by $\sigma(\Gamma)$. The main result of this work is that for every two access structures $\Gamma$ and $\Gamma'$, $|\sigma(\Gamma)-\sigma(\Gamma')|\leq |\Gamma\cup\Gamma'|-|\Gamma\cap\Gamma'|$. We prove it constructively. Given any secret sharing scheme $\Sigma$ for $\Gamma$, we present a method to construct a secret sharing scheme $\Sigma'$ for $\Gamma'$ that satisfies that $\sigma(\Sigma')\leq \sigma(\Sigma)+|\Gamma\cup\Gamma'|-|\Gamma\cap\Gamma'|$. As a consequence of this result, we see that \emph{close} access structures admit secret sharing schemes with similar information ratio. We show that this property is also true for particular classes of secret sharing schemes and models of computation, like the family of linear secret sharing schemes, span programs, Boolean formulas and circuits. In order to understand this property, we also study the limitations of the techniques for finding lower bounds on the information ratio and other complexity measures. We analyze the behavior of these bounds when we add or delete subsets from an access structure.

In this paper, a new architecture for accelerating homomorphic function evaluation on FPGA is proposed. A parallel cached NTT algorithm with an overall time complexity O(sqrt(N)log(sqrt(N)) is presented. The architecture has been implemented on Xilinx Virtex 7 XC7V1140T FPGA. achieving a 60% utilization ratio. The implementation performs 32-bit 2^(16)-point NTT algorithm in 23.8 us, achieving speed-up of 2x over the state of the art architectures. The architecture has been evaluated by computing a block of each of the AES and SIMON-64/128 on the LTV and YASHE schemes. The proposed architecture can evaluate the AES circuit using the LTV scheme in 4 minutes, processing 2048 blocks in parallel, which leads to an amortized performance of 117 ms/block, which is the fastest performance reported to the best of our knowledge.

Proofs of Retrievability (POR) are cryptographic proofs which provide assurance to a single tenant (who creates tags using his secret material) that his files can be retrieved in their entirety. However, POR schemes completely ignore storage-efficiency concepts, such as multi-tenancy and data deduplication, which are being widely utilized by existing cloud storage providers. Namely, in deduplicated storage systems, existing POR schemes would incur an additional overhead for storing tenants’ tags which grows linearly with the number of users deduplicating the same file. This overhead clearly reduces the (economic) incentives of cloud providers to integrate existing POR/PDP solutions in their offerings. In this paper, we propose a novel storage-efficient POR, dubbed SPORT, which transparently supports multi-tenancy and data deduplication. More specifically, SPORT enables tenants to securely share the same POR tags in order to verify the integrity of their deduplicated files. By doing so, SPORT considerably reduces the storage overhead borne by cloud providers when storing the tags of different tenants deduplicating the same content.We show that SPORT resists against malicious tenants/cloud providers (and against collusion among a subset of the tenants and the cloud). Finally, we implement a prototype based on SPORT, and evaluate its performance in a realistic cloud setting. Our evaluation results show that our proposal incurs tolerable computational overhead on the tenants and the cloud provider.

A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2n + \omega(log n). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length.

Kalyna is an SPN-based block cipher that was selected during Ukrainian National Public Cryptographic Competition (2007-2010) and its slight modification was approved as the new encryption standard of Ukraine. In this paper, we focus on the key-recovery attacks on reduced-round Kalyna-128/256 and Kalyna-256/512 with meet-in-the-middle method. The differential enumeration technique and key-dependent sieve technique which are popular to analyze AES are used to attack them. Using the key-dependent sieve technique to improve the complexity is not an easy task, we should build some tables to achieve this. Since the encryption procedure of Kalyna employs a pre- and post-whitening operations using addition modulo $2^{64}$ applied on the state columns independently, we carefully study the propagation of this operation and propose an addition plaintext structure to solve this. For Kalyna-128/256, we propose a 6-round distinguisher, and achieve a 9-round (out of total 14-round) attack. For Kalyna-256/512, we propose a 7-round distinguisher, then achieve an 11-round (out of total 18-round) attack. As far as we know, these are currently the best results on Kalyna-128/256 and Kalyna-256/512.

A central problem in differential privacy is to accurately answer a large family $Q$ of statistical queries over a data universe $X$. A statistical query on a dataset $D \in X^n$ asks ``what fraction of the elements of $D$ satisfy a given predicate $p$ on $X$?'' Ignoring computational constraints, it is possible to accurately answer exponentially many queries on an exponential size universe while satisfying differential privacy (Blum et al., STOC'08). Dwork et al. (STOC'09) and Boneh and Zhandry (CRYPTO'14) showed that if both $Q$ and $X$ are of polynomial size, then there is an efficient differentially private algorithm that accurately answers all the queries. They also proved that if $Q$ and $X$ are both exponentially large, then under a plausible assumption, no efficient algorithm exists. We show that, under the same assumption, if either the number of queries or the data universe is of exponential size, then there is no differentially private algorithm that answers all the queries. Specifically, we prove that if one-way functions and indistinguishability obfuscation exist, then: 1) For every $n$, there is a family $Q$ of $\tilde{O}(n^7)$ queries on a data universe $X$ of size $2^d$ such that no $poly(n,d)$ time differentially private algorithm takes a dataset $D \in X^n$ and outputs accurate answers to every query in $Q$. 2) For every $n$, there is a family $Q$ of $2^d$ queries on a data universe $X$ of size $\tilde{O}(n^7)$ such that no $poly(n,d)$ time differentially private algorithm takes a dataset $D \in X^n$ and outputs accurate answers to every query in $Q$. In both cases, the result is nearly quantitatively tight, since there is an efficient differentially private algorithm that answers $\tilde{\Omega}(n^2)$ queries on an exponential size data universe, and one that answers exponentially many queries on a data universe of size $\tilde{\Omega}(n^2)$. Our proofs build on the connection between hardness results in differential privacy and traitor-tracing schemes (Dwork et al., STOC'09; Ullman, STOC'13). We prove our hardness result for a polynomial size query set (resp., data universe) by showing that they follow from the existence of a special type of traitor-tracing scheme with very short ciphertexts (resp., secret keys), but very weak security guarantees, and then constructing such a scheme.

We show how to transform any semantically secure encryption scheme into a non-malleable one, with a black-box construction that achieves a quasi-linear blow-up in the size of the ciphertext. This improves upon the previous non-black-box construction of Pass, Shelat and Vaikuntanathan (Crypto '06). Our construction also extends readily to guarantee non-malleability under a bounded-CCA2 attack, thereby simultaneously improving on both results in the work of Cramer et al. (Asiacrypt '07). Our construction departs from the oft-used paradigm of re-encrypting the same message with different keys and then proving consistency of encryption. Instead, we encrypt an encoding of the message; the encoding is based on an error-correcting code with certain properties of reconstruction and secrecy from partial views, satisfied, e.g., by a Reed-Solomon code.

The accuracy and the fast convergence of a leakage model are both essential components for the efficiency of side-channel analysis. Thus for efficient leakage estimation an evaluator is requested to pick a Probability Density Function (PDF) that constitutes the optimal trade-off between both aspects. In the case of parametric estimation, Gaussian templates are a common choice due to their fast convergence, given that the actual leakages follow a Gaussian distribution (as in the case of an unprotected device). In contrast, histograms and kernel-based estimations are examples for non-parametric estimation that are capable to capture any distribution (even that of a protected device) at a slower convergence rate. With this work we aim to enlarge the statistical toolbox of a side-channel evaluator by introducing new PDF estimation tools that fill the gap between both extremes. Our tools are designed for parametric estimation and can efficiently characterize leakages up to the fourth statistical moment. We show that such an approach is superior to non-parametric estimators in contexts where key-dependent information in located in one of those moments of the leakage distribution. Furthermore, we successfully demonstrate how to apply our tools for the (worst-case) information-theoretic evaluation on masked implementations with up to four shares, both in a profiled and non-profiled attack scenario. We like to remark that this flexibility capturing information from different moments of the leakage PDF can provide very valuable feedback for hardware designers to their task to evaluate the individual and combined criticality of leakages in their (protected) implementations.

Schemes for secure outsourcing of client data with search capability are being increasingly marketed and deployed. In the literature, schemes for accomplishing this efficiently are called Searchable Encryption (SE). They achieve high efficiency with provable security by means of a quantifiable leakage profile. However, the degree to which SE leakage can be exploited by an adversary is not well understood. To address this, we present a characterization of the leakage profiles of in-the-wild searchable encryption products and SE schemes in the literature, and present attack models based on an adversarial server’s prior knowledge. Then we empirically investigate the security of searchable encryption by providing query recovery and plaintext recovery attacks that exploit these leakage profiles. We term these 'leakage-abuse attacks' and demonstrate their effectiveness for varying leakage profiles and levels of server knowledge, for realistic scenarios. Amongst our contributions are realistic active attacks which have not been previously explored.

Recently in two independent papers, Albrecht, Bai and Ducas and Cheon, Jeong and Lee presented two very similar attacks, that allow to break NTRU with larger parameters and GGH Multinear Map without zero encodings. They proposed an algorithm for recovering the NTRU secret key given the public key which apply for large NTRU modulus, in particular to Fully Homomorphic Encryption schemes based on NTRU. Hopefully, these attacks do not endanger the security of the NTRUE NCRYPT scheme, but shed new light on the hardness of this problem. The basic idea of both attacks relies on decreasing the dimension of the NTRU lattice using the multiplication matrix by the norm (resp. trace) of the public key in some subfield instead of the public key itself. Since the dimension of the subfield is smaller, the dimension of the lattice decreases, and lattice reduction algorithm will perform better. Here, we revisit the attacks on NTRU and propose another variant that is simpler and outperforms both of these attacks in practice. It allows to break several concrete instances of YASHE, a NTRU-based FHE scheme, but it is not as efficient as the hybrid method of Howgrave-Graham on concrete parameters of NTRU. Instead of using the norm and trace, we propose to use the multiplication by the public key in some subring and show that this choice leads to better attacks. We &#8730; can then show that for power of two cyclotomic fields, the time complexity is polynomialFinally, we show that, under heuristics, straightforward lattice reduction is even more efficient, allowing to extend this result to fields without non-trivial subfields, such as NTRU Prime. We insist that the improvement on the analysis applies even for relatively small modulus ; though if the secret is sparse, it may not be the fastest attack. We also derive a tight estimation of security for (Ring-)LWE and NTRU assumptions. when $q=2^{\Omega(\sqrt{n \log \log n})}$.

Cryptocurrencies like Bitcoin have proven to be a phenomenal success. Bitcoin-like systems use proof-of-work mechanism which is therefore considered as 1-hop blockchain, and their security holds if the majority of the computing power is under the control of honest players. However, this assumption has been seriously challenged recently and Bitcoin-like systems will fail when this assumption is broken. We propose the first provably secure 2-hop blockchain by combining proof-of-work (first hop) and proof-of-stake (second hop) mechanisms. On top of Bitcoin's brilliant ideas of utilizing the power of the honest miners, via their computing resources, to secure the blockchain, we further leverage the power of the honest users/stakeholders, via their coins/stake, to achieve this goal. The security of our blockchain holds if the honest players control majority of the {\em collective} resources (which consists of both computing power and stake). That said, even if the adversary controls more than 50\% computing power, the honest players still have the chance to defend the blockchain via honest stake.

Most masking schemes used as a countermeasure against side-channel analysis attacks require an extensive amount of fresh random bits on the fly. This is burdensome especially for lightweight cryptosystems. Threshold implementations (TIs) that are secure against firstorder attacks have the advantage that fresh randomness is not required if the sharing of the underlying function is uniform. However, finding uniform realizations of nonlinear functions that also satisfy other TI properties can be a challenging task. In this paper, we discuss several methods that advance the search for uniformly shared functions for TIs. We focus especially on three-share implementations of quadratic functions due to their low area footprint. Our methods have low computational complexity even for 8-bit Boolean functions.

This paper describes highly-optimized AES-{128, 192, 256}-CTR assembly implementations for the popular ARM Cortex-M3 and M4 embedded microprocessors. These implementations are about twice as fast as existing implementations. Additionally, we provide the fastest bitsliced constant-time and masked implementations of AES-128-CTR to protect against timing attacks, power analysis and other (first-order) side-channel attacks. All implementations, including an architecture-specific instruction scheduler and register allocator, which we use to minimize expensive loads, are released into the public domain.

Lattice sieving is asymptotically the fastest approach for solving the shortest vector problem (SVP) on Euclidean lattices. All known sieving algorithms for solving SVP require space which (heuristically) grows as $2^{0.2075 n + o(n)}$, where $n$ is the lattice dimension. In high dimensions, the memory requirement becomes a limiting factor for running these algorithms, making them uncompetitive with enumeration algorithms, despite their superior asymptotic time complexity. We generalize sieving algorithms to solve SVP with less memory. We consider reductions of tuples of vectors rather than pairs of vectors as existing sieve algorithms do. For triples, we estimate that the space requirement scales as $2^{0.1887 n + o(n)}$. The naive algorithm for this triple sieve runs in time $2^{0.5661 n + o(n)}$. With appropriate filtering of pairs, we reduce the time complexity to $2^{0.4812 n + o(n)}$ while keeping the same space complexity. We further analyze the effects of using larger tuples for reduction, and conjecture how this provides a continuous tradeoff between the memory-intensive sieving and the asymptotically slower enumeration.

Elliptic Curve Cryptography (ECC) has gained much recognition over the last decades and has established itself among the well known public-key cryptography schemes, not least due its smaller key size and relatively lower computational effort compared to RSA. The wide employment of Elliptic Curve Cryptography in many different application areas has been leading to a variety of implementation types and domains ranging from pure software approaches over hardware implementations to hardware/software co-designs. The following review provides an overview of state of the art hardware implementations of ECC, specifically in regard to their targeted design goals. In this context the suitability of the hardware/software approach in regard to the security challenges opposed by the low-end embedded devices of the Internet of Things is briefly examined. The paper also outlines ECC’s vulnerability against quantum attacks and references one possible solution to that problem.

We study the question of how to build "compilers" that transform a unilaterally authenticated (UA) key-exchange protocol into a mutually-authenticated (MA) one. We present a simple and efficient compiler and characterize the UA protocols that the compiler upgrades to the MA model, showing this to include a large and important class of UA protocols. The question, while natural, has not been studied widely. Our work is motivated in part by the ongoing work on the design of TLS 1.3, specifically the design of the client authentication mechanisms including the challenging case of post-handshake authentication. Our approach supports the analysis of these mechanisms in a general and modular way, in particular aided by the notion of "functional security" that we introduce as a generalization of key exchange models and which may be of independent interest.

In the crypto community, it is widely acknowledged that any cryptographic scheme that is built with no countermeasure against side-channel analysis (SCA) can be easily broken. In this paper, we challenge this intuition. We investigate a novel approach in the design of cryptographic primitives that promotes inherent security against side-channel analysis without using redundant circuits. We propose Keymill, a new keystream generator that is immune against SCA attacks. Security of the proposed scheme depends on mixing key bits in a special way that expands the size of any useful key hypothesis to the full entropy, which enables SCA-security that is equivalent to the brute force. Doing so, we do not propose a better SCA countermeasure, but rather a new one. The current solution focuses exclusively on side-channel analysis and works on top of any unprotected block cipher for mathematical security. The proposed primitive is generic and can turn any block cipher into a protected mode using only 775 equivalent NAND gates, which is almost half the area of the best countermeasure available in the literature.

The security of SHA-3 against different kinds of attacks are of vital importance for crypto systems with SHA-3 as the security engine. In this paper, we look into the differential fault analysis of SHA-3, and this is the first work to conquer SHA3-224 and SHA3-256 using differential fault analysis. Comparing with one existing related work, we relax the fault models and make them realistic for different implementation architectures. We analyze fault propagation in SHA-3 under such single-byte fault models, and propose to use fault signatures at the observed output for analysis and secret retrieval. Results show that the proposed method can effectively identify the injected single-byte faults, and then recover the whole internal state of the input of last round $\chi$ operation ($\chi^{22}_i$) for both SHA3-224 and SHA3-256.

This paper presents MQDSS, the first signature scheme with a security reduction based on the problem of solving a multivariate system of quadratic equations (MQ problem). In order to construct this scheme we give a new security reduction for the Fiat-Shamir transform from a large class of $5$-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation MQDSS-31-64 achieves $128$ bits of post-quantum security. Finally, we describe an optimized implementation of MQDSS-31-64 for recent Intel processors with full protection against timing attacks and report benchmarks of this implementation.

We prove the related-key security of the Iterated Even-Mansour cipher under broad classes of related key derivation (RKD) functions. Our result extends the classes of RKD functions considered by Farshim and Procter (FSE, 15). Moreover, we present a far simpler proof which uses techniques similar to those used by Cogliati and Seurin (EUROCRYPT, 15) in their proof that the four-round Even-Mansour cipher is secure against XOR related-key attacks---a special case of our result and the result of Farshim and Proctor. Finally, we give a concrete example of a class of RKD functions covered by our result which does not satisfy the requirements given by Farshim and Procter and prove that the three-round Even-Mansour cipher is secure against this class of RKD functions.

Erasable memory is an important resource for designing practical cryptographic protocols that are secure against adaptive attacks. Many practical memory devices such as solid state drives, hard disks, or file systems are not perfectly erasable because a deletion operation leaves traces of the deleted data in the system. A number of methods for constructing a large erasable memory from a small one, e.g., using encryption, have been proposed. Despite the importance of erasable memory in cryptography, no formal model has been proposed that allows one to formally analyse such memory constructions or cryptographic protocols relying on erasable memory. The contribution of this paper is three-fold. First, we provide a formal model of erasable memory. A memory device allows a user to store, retrieve, and delete data, and it is characterised by a leakage function defining the extent to which erased data is still accessible to an adversary. Second, we investigate how the erasability of such memories can be amplified. We provide a number of constructions of memories with strong erasability guarantees from memories with weaker guarantees. One of these constructions of perfectly erasable memories from imperfectly erasable ones can be considered as the prototypical application of Canetti et al.'s All-or-Nothing Transform (AoNT). Motivated by this construction, we propose some new and better AoNTs that are either perfectly or computationally secure. These AoNTs are of possible independent interest. Third, we show (in the constructive cryptography framework) how the construction of erasable memory and its use in cryptographic protocols (for example to achieve adaptive security) can naturally be composed to obtain provable security of the overall protocol.

The single cycle T-function is a particular permutation function with complex algebraic structures, maximum period and efficient implementation in software and hardware. In this paper, on the basis of existing methods, we present a new construction using a class of single cycle T-functions meeting certain conditions to construct a family of new single cycle T-functions, and we also give the numeration lower bound for the newly constructed single cycle T-functions.

One of the key questions in contemporary applied cryptography is whether there exist an efficient algorithm for solving the discrete logarithm problem in elliptic curves. The primary approach for this problem is to try to solve a certain system of polynomial equations. Current attempts try to solve them directly with existing software tools which does not work well due to their very loosely connected topology and illusory reliance on degree falls. A deeper reflection on what makes systems of algebraic equations efficiently solvable is missing. In this paper we propose a new approach for solving this type of polynomial systems which is radically different than current approaches. We carefully engineer systems of equations with excessively dense topology obtained from a complete clique/biclique graphs and hypergraphs and unique special characteristics. We construct a sequence of systems of equations with a parameter K and argue that asymptotically when K grows the system of equations achieves a high level of saturation with lim_{K\to\infty} F/T = 1 which allows to reduce the "regularity degree" and makes that polynomial equations over finite fields may become efficiently solvable.

Silent Text, the instant messaging application by the company Silent Circle, provides its users with end-to-end encrypted communication on the Blackphone and other smartphones. The underlying protocol, SCimp, has received many extensions during the update to version 2, but has not been subjected to critical review from the cryptographic community. In this paper, we analyze both the design and implementation of SCimp by inspection of the documentation (to the extent it exists) and code. Many of the security properties of SCimp version 1 are found to be secure, however many of the extensions contain vulnerabilities and the implementation contains bugs that affect the overall security. These problems were fed back to the SCimp maintainers and some bugs were fixed in the code base. In September 2015, Silent Circle replaced SCimp with a new protocol based on the Signal Protocol.

``Mirror Theory'' is the theory that evaluates the number of solutions of affine systems of equalities (=) and non equalities ($\neq$) in finite groups. It is deeply related to the security and attacks of many generic cryptographic secret key schemes, for example random Feistel schemes (balanced or unbalanced), Misty schemes, Xor of two pseudo-random bijections to generate a pseudo-random function etc. In this paper we will assume that the groups are abelian. Most of time in cryptography the group is $((\mathbb{Z}/2\mathbb{Z})^n, \oplus)$ and we will concentrate this paper on these cases. We will present here general definitions, some theorems, and many examples and computer simulations.

Bitcoin owes it success to the fact that transactions are transparently recorded in the blockchain, a global public ledger that removes the need for trusted parties. While Bitcoin has achieved remarkable success, recording every transaction in the blockchain causes privacy, latency, and scalability issues. Building on recent proposals for "micropayment channels" --- two party associations that use the ledger only for dispute resolution --- we introduce techniques for constructing anonymous payment channels. Our proposals allow for secure, instantaneous and private payments that substantially reduce the storage burden on the payment network. Specifically, we introduce three channel proposals, including a technique that allows payments via an untrusted intermediary. Most importantly, each of our proposals can be instantiated efficiently using well-studied techniques.

Over the past few years, the microprocessor industry has introduced accelerated cryptographic capabilities through instruction set extensions. Although powerful and resistant to side-channel analysis such as cache and timing attacks, these instructions do not implicitly protect against power-based side-channel attacks, such as DPA. This paper provides a specific example with Intel's AES-NI cryptographic instruction set extensions, detailing a DPA, along with results, showing two ways to extract AES keys by simply placing a magnetic field probe beside two capacitors on a motherboard hosting an Intel Core i7 Ivy Bridge microprocessor. Based on the insights of the DPA, methods are then presented on how to mitigate the leaks, in software, providing a dial for diverting the optimal amount of resources required for a prescribed security requirement.

We show that the scheme [IEEE TPDS, 25(1), 2014, 222-233] fails, because the introduced similarity scores do not represent the true similarities between the indexing vectors and the querying vector. The returned documents by the cloud server are not indeed related to the queried keywords.

We remark that the scheme [IEEE TPDS, 27(1), 2016, 40-50] is flawed because the group manager cannot complete his computational task in the registration phase. Actually, they have misunderstood the concept of public key which is usually associated with an asymmetric encryption algorithm. Besides, the mechanism that the group manager has to re-encrypt all data stored in the cloud after a member is revoked, is somewhat infeasible because of its inefficiency.

HANUMAN is a mode of operation of a keyless cryptographic permutation for nonce-based authenticated encryption with associated data, included among the modes bundled in the PRIMATEs candidate in the currently ongoing CAESAR competition. HANUMAN is a sponge-like mode whose design and security argument are inspired by the SpongeWrap construction. We identify a flaw in the domain separation of HANUMAN, and show how to exploit it to efficiently produce ciphertext forgeries.

Existing cloud storage systems obtain the data in its plaintext form and perform conventional (server-side) deduplication mechanisms. However, disclosing the data to the cloud can potentially threaten the security and privacy of users, which is of utmost importance for a real-world cloud storage. This can be solved by secure deduplication mechanisms which enables the user to encrypt the data on the client-side (or via an encryption-as-a-service module) before uploading it to the cloud storage. Conventional client-side encryption solutions unfortunately make the deduplication more challenging. Privacy-preserving public auditing schemes, on the other hand, is also crucial because the clients outsource their data to the cloud providers and then permanently deletes the data from their local storages. In this paper, we consider the problem of secure deduplication over encrypted data stored in the cloud while supporting a privacy-preserving public auditing mechanism.We show that existing solutions cannot support both goals simultaneously due to the conflict of their security and efficiency requirements. In this respect, we present an efficient and secure deduplication scheme that supports client-side encryption and privacy-preserving public auditing. We finally show that our scheme provides better security and efficiency with respect to the very recently proposed existing schemes.