International Association
for Cryptologic Research

An off-line electronic cash scheme is proposed that is suitable for

small payments. The approach is innovative, in that each coin may be

efficiently verified by the same or different merchants during payment. The scheme relies on a batch signature technique to efficiently sign and verify individually spent coins; coins may also be deposited in batch manner. The scheme outlined differs considerably from conventional micropayments schemes by servicing a number of cash-like properties, such as off-line processing, detection of double spent coins, and ability to spend at different merchants. Additionally, the scheme eliminates a number of processing overheads that are apparent to some existing micropayment schemes.

In the last years, much research work has been invested into the security analysis of key alternating ciphers in the random oracle model. These are pseudorandom permutations (PRPs), sometimes also called iterated Even-Mansour ciphers, which are defined by alternatingly adding $n$-bit sub-keys $k_i$ and calling public $n$-bit permutations $P_i$. Besides the fact, that results of this kind concern the fundamental questions of understanding the nature of pseudorandomness, a practical motivation for this study is that many modern block cipher designs correspond exactly to variants of iterated Even-Mansour ciphers.

In this paper, we study similar construction for pseudorandom functions (PRFs), where additionally the access to a public $n$-bit (one-way) function $F$ is allowed. In particular, we show a sharp $n/2$-security bound for the simplest possible construction $F(x\\oplus k)$ and a sharp $2/3\\cdot n$-bound for the $FP(1)$-construction $F(P(x\\oplus k)\\oplus k)$, both in the random oracle model. The latter result contrasts with a sharp bound of the same order for $P(P(x\\oplus k)\\oplus \\pi(k))\\oplus k$, recently proved by Chen et. al.

One practical motivation for our research is due to the fact that operation modes of key stream generator based (KSG-based) stream ciphers can be modeled in a very straightforward way by FP-constructions. Our research shows a way to save KSG inner state length by using operation modes, which yield provable security beyond the birthday bound against time-space-data tradeoff attacks. For instance, we demonstrate that a slight change in the operation mode of the Bluetooth cipher (adding the session key twice in the initialization phase) raises the security w.r.t. to generic time-space-data tradeoff attacks from $n/2$ to $2/3\\cdot n$, where $n$ denotes the KSG inner state length.

With the developments of mobile communication, networks and information technology, many new information service patterns and dissemination modes emerge with some security and privacy threats in access control, i.e., the ownership of data is separated from the administration of them, secondary/mutiple information distribution etc. Existing access control models, which are always proposed for some specific scenarios, are hardly to achieve fine-grained and adaptive access control. In this paper, we propose a novel Cyberspace-oriented Access Control model, termed as CoAC, which avoids the aforementioned threats by comprehensively considering some vital factors, such as the access requesting entity, general tense, access point, resource, device, networks, internet-based interactive graph and chain of resource transmission. By appropriately adjusting these factors, CoAC covers most of typical access control models and fulfills the requirements of new information service patterns and dissemination modes. We also present the administrative model of our proposed CoAC model and formally describe the administrative functions and methods used in the administrative model by utilizing Z-notation. Our CoAC is flexible and scalable, it can be further refined and expanded to figure out new opportunities and challenges in the upcoming access control techniques.

Elliptic Curve Cryptography (ECC) is a popular tool to construct public-key crypto-systems.

The security of ECC is based on the hardness of the elliptic curve discrete logarithm problem (ECDLP).

Implementing and analyzing the performance of the best known methods to solve the ECDLP is useful to assess the security of ECC and choose security parameters in practice.

We present a novel many-core hardware architecture implementing the parallel version of Pollard\'s rho algorithm

to solve the ECDLP. This architecture results in a speed-up of almost 300% compared to the state of the art and we use it to estimate the monetary cost of solving the Certicom ECCp-131 challenge using FPGAs.

Many cryptographic schemes have been established based on the hardness of lattice problems. For the asymptotic efficiency, ideal lattices

in the ring of cyclotomic integers are suggested to be used in most such schemes. On the other hand in computational algebraic number theory one of the main problem

is called principle ideal problem (PIP). Its goal is to find a generators of any principle ideal in the ring of algebraic integers in any number field. In this paper we establish a polynomial time reduction from approximate shortest lattice vector problem for principle ideal lattices to their PIP\'s in many cyclotomic integer rings. Combining with the polynomial time quantum algorithm for PIP of arbitrary number fields, this implies that some approximate SVP problem for principle ideal lattices within a polynomial factor in some cyclotomic integer rings can be solved by polynomial time quantum algorithm.

Secure two-party parallel coin-flipping is a cryptographic functionality that allows two mutually distrustful parties to agree on a common random bit-string of a certain target length. In coin-flipping into-a-well, one party learns the bit-string and then decides whether to abort or to allow the other party to learn it. It is well known that this functionality can be securely achieved in the ideal/real simulation paradigm, using commitment schemes that are simultaneously extractable (X) and equivocable (Q).

This paper presents two new constant-round simulatable coin-flipping protocols, based explicitly on one or a few X-commitments of short seeds and a Q-commitment of a short hash, independently of the large target length. A pseudo-random generator and a collision-resistant hash function are used to combine the separate X and Q properties (associated with short bit-strings) into a unified X&Q property amplified to the target length, thus amortizing the cost of the base commitments. In this way, the new protocols are significantly more efficient than an obvious batching or extension of coin-flippings designed (in the same security setting) for short bit-strings and based on inefficient X&Q commitments.

The first protocol, simulatable with rewinding, deviates from the traditional coin-flipping template in order to improve simulatability in case of unknown adversarial probabilities of abort, without having to use a X&Q commitment scheme. The second protocol, one-pass simulatable, derives from a new construction of a universally composable X&Q commitment scheme for large bit-strings, achieving communication-rate asymptotically close to 1. Besides the base X and Q commitments, the new commitment scheme only requires corresponding collision-resistant hashing, pseudo-random generation and application of a threshold erasure code. Alternative constructions found in recent work with comparable communication complexity require explicit use of oblivious transfer and use different encodings of the committed value.

In this paper, we propose a noise-free symmetric fully homomorphic encryption (FHE) based on matrices over noncommutative rings. The scheme is secure against chosen plaintext attacks based on the factorization problem of matrices over noncommutative rings as well as the hardness of an overdefined system of multivariate polynomial equations over the given non-commutative algebraic structure. Meanwhile, the new proposal is efficient in terms of computational cost and the sizes of plaintext/ciphertext. On the basis of this framework, a verifiable FHE is proposed, where the receiver can check the validity of ciphertexts. Furthermore, any attacker fails to construct a valid ciphertext without making query of encryption oracle, then the verifiable FHE scheme maybe secure against non-adaptively chosen ciphertext attacks (IND-CCA1).

An important attack on multi-power RSA ($N=p^rq$) was introduced by Sarkar in 2014, by extending the small private exponent attack of Boneh and Durfee on classical RSA. In particular, he showed that $N$ can be factored efficiently for $r=2$ with private exponent $d$ satisfying $d

Ring signatures and group signatures are prominent cryptographic primitives offering a combination of privacy and authentication. They enable individual users to anonymously sign messages on behalf of a group of users. In ring signatures, the group, i.e.\\ the ring, is chosen in an ad hoc manner by the signer. In group signatures, group membership is controlled by a group manager.

Group signatures additionally enforce accountability by providing the group manager with a secret tracing key that can be used to identify the otherwise anonymous signer when needed.

Accountable ring signatures, introduced by Xu and Yung (CARDIS 2004), bridge the gap between the two notions. They provide maximal flexibility in choosing the ring, and at the same time maintain accountability by supporting a designated opener that can identify signers when needed.

We revisit accountable ring signatures and offer a formal security model for the primitive. Our model offers strong security definitions incorporating protection against maliciously chosen keys and at the same time flexibility both in the choice of the ring and the opener.

We give a generic construction using standard tools.

We give a highly efficient instantiation of our generic construction in the random oracle model by meticulously combining Camenisch\'s group signature scheme (CRYPTO 1997) with a generalization of the one-out-of-many proofs of knowledge by Groth and Kohlweiss (EUROCRYPT 2015). Our instantiation yields signatures of logarithmic size (in the size of the ring) while relying solely on the well-studied decisional Diffie-Hellman assumption.

In the process, we offer a number of optimizations for the recent Groth and Kohlweiss one-out-of-many proofs, which may be useful for other applications.

Accountable ring signatures imply traditional ring and group signatures. We therefore also obtain highly efficient instantiations of those primitives with signatures shorter than all existing ring signatures as well as existing group signatures relying on standard assumptions.

Malicious cryptography is about using cryptography for cyber attacks. We have already seen applications of malicious cryptography in so-called ransomware. Sophisticated attackers may want to use cryptography to hide an attack, the target of the attack, the source of the attack or to protect attack infrastructure (botnets).

The project goal is not to design sophisticated malware, but to understand the possible threats that we need to defend against.

Two lightweight block cipher families, SIMON and SPECK, have been proposed by researchers from the NSA recently. In this paper, we introduce Simeck, a new family of lightweight block ciphers that combines the good design components from both SIMON and SPECK, in order to devise even more compact and efficient block ciphers. For Simeck32/64, we can achieve 505 GEs (before the Place and Route phase) and 549 GEs (after the Place and Route phase), with the power consumption of 0.417 $\\mu W$ in CMOS 130nm ASIC, and 454 GEs (before the Place and Route phase) and 488 GEs (after the Place and Route phase), with the power consumption of 1.292 $\\mu W$ in CMOS 65nm ASIC. Furthermore, all of the instances of Simeck are smaller than the ones of hardware-optimized cipher SIMON in terms of area and power consumption in both CMOS 130nm and CMOS 65nm techniques. In addition, we also give the security evaluation of Simeck with respect to many traditional cryptanalysis methods, including differential attacks, linear attacks, impossible differential attacks, meet-in-the-middle attacks, and slide attacks. Overall, all of the instances of Simeck can satisfy the area, power, and throughput requirements in passive RFID tags.

As a sophisticated mechanism for secure fine-grained access control, ciphertext-policy attribute-based encryption (CP-ABE) is a highly promising solution for commercial applications such as cloud computing. However, there still exists one major issue awaiting to be solved, that is, the prevention of key abuse. Most of the existing CP-ABE systems missed this critical functionality, hindering the wide utilization and commercial application of CP-ABE systems to date. In this paper, we address two practical problems about the key abuse of CP-ABE: (1) The key escrow problem of the semi-trusted authority; and, (2) The malicious key delegation problem of the users. For the semi-trusted authority, its misbehavior (i.e., illegal key (re-)distribution) should be caught and prosecuted. And a user, his/her malicious behavior (i.e., illegal key sharing) need be traced. We affirmatively solve these two key abuse problems by proposing the first accountable authority CP-ABE with white-box traceability that supports policies expressed in any monotone access structures. Moreover, we provide an auditor to judge publicly whether a suspected user is guilty or is framed by the authority.

The Diffie-Hellman problem as a cryptographic primitive plays an important role in modern cryptology. The Bit Security or Hard-Core Bits of Diffie-Hellman problem in arbitrary finite cyclic group is a long-standing open problem in cryptography. Until now, only few groups have been studied. Hyperelliptic curve cryptography is an alternative to elliptic curve cryptography. Due to the recent cryptanalytic results that the best known algorithms to attack hyperelliptic curve cryptosystems of genus $g

We offer two, 3-year Ph.D. scholarships in area of design and cryptanalysis of authenticated encryption schemes.

Working place: Kielce, POLAND

In the second part of the scholarship timeline, it may be possible to continue research in Australia, under supervision of Josef Pieprzyk, QUT, Brisbane.

Submission: 2 October 2015
Notification: 22 November 2015
From February 22 to February 26
Location: Rockley, Christ Church, Barbados
More Information: http://fc16.ifca.ai/

We proposed a new secure oblivious transfer protocol from indistinguishability obfuscation in this paper. Our main technical tool

is the candidate indistinguishability obfuscation introduced in [1] and

a dual-mode cryptosystem proposed in [2]. Following their steps, we

presents a new k-out-of-l oblivious transfer protocol, its realization from

DDH is described in this paper, in which we combined indistinguishability obfuscation with the dual-mode cryptosystem. The security of our

scheme mainly relies on the indistinguishability of the obf-branches ( corresponding to the two modes in dual-mode model). Our paper explores

a new way for the application of indistinguishability obfuscation.

In this paper, we first demonstrate a new Differential Power Analysis (DPA) attack technique against the Grain family of stream ciphers (Grain v1 and Grain-128) by resynchronizing the cipher multiple times with the same value of the secret \\emph{key} and randomly generated different initialization vectors (IVs). Subsequently, we develop a combined side channel and fault analysis attack strategy targeting various fault attack countermeasures for the Grain cipher family.

We considered clock glitch induced faults occurring in practice for a hardware implementation of the cipher to devise our novel attack technique. Our proposed combined attack strategy works well even if the \\emph{useful} ciphertexts are not available to the adversary.

Further, the power trace classifications of a Grain cipher implementation on SASEBO G-II standard side channel evaluation board is shown in order to validate our proposed attack against the cipher.

The captured power traces were analyzed using Least Squares Support Vector Machine (LS-SVM) learning algorithm based multiclass classifiers to classify the power traces into the respective

Hamming distance (HD) classes. To extract power samples with high information about HD classes, Signal-to-noise ratio (SNR) metric

was chosen for feature selection. The experimental results of power trace classifications of test set showed a high success rate of $98\\%$ when the five largest SNR sample instants over a clock cycle were chosen as features. Our proposed attack strategy can also be extended to other stream cipher designs based on Fibonacci

configured shift registers.

We recall why linear codes with complementary duals (LCD codes) play a role in counter-measures to passive and active side-channel analyses on embedded cryptosystems. The rate and the minimum distance of such LCD codes must be as large as possible. We investigate primary constructions of such codes, in particular with cyclic codes, specifically with generalized residue codes, and we study their idempotents. We study those secondary constructions which preserve the LCD property, and we characterize conditions under which codes obtained by puncturing, shortening or extending codes, or obtained by the Plotkin sum, can be LCD.

Structure-preserving signatures (SPS) are pairing-based signatures

where all the messages, signatures and public keys are group elements, with

numerous applications in public-key cryptography. We present new,

simple and improved SPS constructions under standard assumptions via a

conceptually different approach. Our constructions significantly

narrow the gap between existing constructions from standard assumptions

and optimal schemes in the generic group model.

The negation map can be used to speed up the computation of elliptic curve discrete logarithms using either the baby-step-giant-step algorithm (BSGS) or Pollard rho. Montgomery\'s simultaneous modular inversion can also be used to speed up Pollard rho when running many walks in parallel. We generalize these ideas and exploit the fact that for any two elliptic curve points $X$ and $Y$, we can efficiently get $X-Y$ when we compute $X+Y$. We apply these ideas to speed up the baby-step-giant-step algorithm. Compared to the previous methods, the new methods can achieve a significant speedup for computing elliptic curve discrete logarithms.

Another contribution of our paper is to give an analysis of the average-case running time of Bernstein and Lange\'s ``grumpy giants and a baby\'\' algorithm, and also to consider this algorithm in the case of groups with efficient inversion.

Our conclusion is that, in the fully-optimised context, both the interleaved BSGS and grumpy-giants algorithms have superior average-case running time compared with Pollard rho.