International Association for Cryptologic Research

IACR News

05 July 2015

Huaifeng Chen, Xiaoyun Wang
ePrint Report
Simon is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts' attention, and a variety of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis and so on.

In this paper, we give an improved linear attack on all versions of Simon with dynamic key-guessing techniques, which were recently proposed to improve the differential attack on Simon.

By establishing the boolean function of the parity bit in the linear hull distinguisher and reducing the function according to the property of the AND operation, we can guess different subkeys (or equivalent subkeys) for different situations, which decreases the number of key bits involved in the attack and further decreases the time complexity.

As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked.

The linear attacks on most versions of Simon are the best attacks among all cryptanalysis results on these variants known up to now. However, this does not shake the security of the full-round Simon family.

Ming Li, Dongdai Lin
ePrint Report
We continue the research in \cite{jans1991} to construct de Bruijn sequences from feedback shift registers (FSRs) that contain only very short cycles. Firstly, we suggest another way to define the representative of a cycle. Compared with the definition in \cite{jans1991}, this definition can greatly improve the performance of the cycle joining algorithm. Then we construct a large class of nonlinear FSRs that contain only very short cycles. The length of the cycles in these $n$-stage FSRs is less than $2n$. Based on these FSRs, $O(2^{\frac{n}{2}-\log n})$ de Bruijn sequences of order $n$ are constructed. To generate the next bit in the de Bruijn sequence from the current state, it requires only $2n$ bits of storage and less than $2n$ FSR shifts.

Muhammad Naveed
ePrint Report
Oblivious RAM (ORAM) is a tool proposed to hide access pattern leakage, and there has been a lot of progress in the efficiency of ORAM schemes; however, less attention has been paid to studying the applicability of ORAM for cloud applications such as symmetric searchable encryption (SSE). Although searchable encryption is one of the motivations for ORAM research, no in-depth study of the applicability of ORAM to searchable encryption exists as of June 2015. In this work, we initiate the formal study of using ORAM to reduce the access pattern leakage in searchable encryption.

We propose four new leakage classes and develop a systematic methodology to study the applicability of ORAM to SSE. We develop a worst-case communication baseline for SSE. We show that completely eliminating leakage in SSE is impossible. We propose single keyword schemes for our leakage classes and show that either they perform worse than streaming the entire outsourced data (for a large fraction of queries) or they do not provide meaningful reduction in leakage. We present detailed evaluation using the Enron email corpus and the complete English Wikipedia corpus.

Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Malik Umar Sharif, Kris Gaj
ePrint Report
In this paper, we propose a universal hardware API for authenticated ciphers, which can be used in any future implementations of authenticated ciphers submitted to the CAESAR competition. A common interface and communication protocol would help in reducing any potential biases, and would make the comparison in hardware more reliable and fair. By design, our proposed API is equally suitable for hardware implementations of authenticated ciphers developed manually (at the register-transfer level), and those obtained using high-level synthesis tools. Our implementation of the proposed interface and communication protocol includes universal, open-source pre-processing and post-processing units, common for all CAESAR candidates. Apart from the full documentation, examples, and the source code of the pre-processing and post-processing units, we are making available in the public domain a) a universal testbench to verify the functionality of any CAESAR candidate implemented using the GMU hardware API, b) a Python script used to automatically generate test vectors for this testbench, c) VHDL wrappers used to determine the maximum clock frequency and the resource utilization of all implementations, and d) RTL VHDL source codes of high-speed implementations of AES and the Keccak Permutation F. We hope that the existence of these resources will substantially reduce the time necessary to develop hardware implementations of all CAESAR candidates for the purpose of evaluation, comparison, and future deployment in real products.

Bruno Robisson, Michel Agoyan, Patrick Soquet, Sébastien Le Henaff, Franck Wajsbürt, Pirouz Bazargan-Sabet, Guillaume Phan
ePrint Report
Among other threats, secure components are subjected to physical attacks whose aim is to recover the secret information they store. Most of the work carried out to protect these components generally consists in developing protections (or countermeasures) taken one by one. But this "countermeasure-centered" approach drastically decreases the performance of the chip in terms of power, speed and availability. In order to overcome this limitation, we propose a complementary approach: smart dynamic management of the whole set of countermeasures embedded in the component. Two main specifications for such management are required in a real world application (for example, a conditional access system for Pay-TV): it has to provide capabilities for the chip to distinguish between attacks and normal use cases (without the help of a human being and in a robust but versatile way); it also has to be based on mechanisms which dynamically find a trade-off between security and performance.

In this article, a prototype which enables such security management is described. The solution is based on a double-processor architecture: one processor embeds a representative set of countermeasures (and mechanisms to define their parameters) and executes the application code. The second processor, on the same chip, applies a given security strategy, but without requesting sensitive data from the first processor. The chosen strategy is based on fuzzy logic reasoning to enable the designer to describe, using a fairly simple formalism, both the attack paths and the normal use cases. A proof of concept has been proposed for the smart card part of a conditional access for Pay-TV, but it could easily be fine-tuned for other applications.

Peeter Laud, Alisa Pankova
ePrint Report
Frequent itemset mining is a task that can in turn be used for other purposes such as associative rule mining. One problem is that the data may be sensitive, and its owner may refuse to give it for analysis in plaintext. There exist many privacy-preserving solutions for frequent itemset mining, but in any case enhancing the privacy inevitably spoils the efficiency. Leaking some less sensitive information such as data density might improve the efficiency. In this paper, we devise an approach that works better for sparse matrices and compare it to the related work that uses similar security requirements on a similar secure multiparty computation platform.

Allison Bishop, Abhishek Jain, Lucas Kowalczyk
ePrint Report
We extend the reach of functional encryption schemes that are provably secure under simple assumptions against unbounded collusion to include function-hiding inner product schemes. Our scheme is a private key functional encryption scheme, where ciphertexts correspond to vectors $\vec{x}$, secret keys correspond to vectors $\vec{y}$, and a decryptor learns $\langle \vec{x}, \vec{y} \rangle$. Our scheme employs asymmetric bilinear maps and relies only on the SXDH assumption to satisfy a natural indistinguishability-based security notion where arbitrarily many key and ciphertext vectors can be simultaneously changed as long as the key-ciphertext dot product relationships are all preserved.

Mike Hamburg
ePrint Report
We propose a new unified point compression format for Edwards, Twisted Edwards and Montgomery curves over large-characteristic fields, which effectively divides the curve's cofactor by 4 at very little cost to performance. This allows cofactor-4 curves to efficiently implement prime-order groups.

Peeter Laud, Alisa Pankova
ePrint Report
This paper presents a generic method for turning passively secure protocols into protocols secure against covert attacks, adding an offline preprocessing and a cheap post-execution verification phase. The execution phase, after which the computed result is already available to the parties, has only negligible overhead.

Our method uses shared verification based on precomputed multiplication triples. Such triples are often used to make the protocol execution itself faster, but in this work we make use of these triples especially for verification. The verification preserves the privacy guarantees of the original protocol, and it can be straightforwardly applied to protocols over finite rings, even if the same protocol performs its computation over several distinct rings at once.

Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, Charalampos Papamanthou
ePrint Report
Emerging smart contract systems over decentralized cryptocurrencies allow mutually distrustful parties to transact safely with each other without trusting a third-party intermediary. In the event of contractual breaches or aborts, the decentralized blockchain ensures that other honest parties obtain commensurate remuneration. Existing systems, however, lack transactional privacy. All transactions, including flow of money between pseudonyms and amount transacted, are exposed in the clear on the blockchain.

We present Hawk, a decentralized smart contract system that does not store financial transactions in the clear on the blockchain, thus retaining transactional privacy from the public's view. A Hawk programmer can write a private smart contract in an intuitive manner without having to implement cryptography, and our compiler automatically generates an efficient cryptographic protocol where contractual parties interact with the blockchain, using cryptographic primitives such as succinct zero-knowledge proofs.

To formally define and reason about the security of our protocols, we are the first to formalize the blockchain model of secure computation. The formal modeling is of independent interest. We advocate the community to adopt such a formal model when designing interesting applications atop decentralized blockchains.

Scott Fluhrer
ePrint Report
This paper explores some attacks that someone with a Quantum Computer may be able to perform against NTRUEncrypt, and in particular NTRUEncrypt as implemented by the publicly available library from Security Innovation. We show four attacks that an attacker with a Quantum Computer might be able to perform against encryption performed by this library. Two of these attacks recover the private key from the public key with less effort than expected; one takes advantage of how the published library is implemented, and the other is an academic attack that works against four of the parameter sets defined for NTRUEncrypt. In addition, we also show two attacks that are able to recover plaintext from the ciphertext and public key with less than expected effort. This has potential implications on the use of NTRU within TOR, as suggested by Whyte and Schanck.

Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter Schwabe, Bo-Yin Yang
ePrint Report
The original specification of EdDSA was suitable only for finite fields Fq with q mod 4 = 1. The main purpose of this document is to extend EdDSA to allow finite fields Fq with any odd q. This document also extends EdDSA to support prehashing, i.e., signing the hash of a message.

Forum Post
It seems like guessing. Do you have a formal proof of "... for each 8-bit word x of the state/input plaintext there is a mapping (although secret) to another word y of the ciphertext, independently from the adjacent words."? From: 2015-05-07 09:03:21 (UTC)

04 July 2015

Forum Post
I have had a brief look into that "new cipher", and it seems to me that it is weak. The reason is that for each 8-bit word x of the state/input plaintext there is a mapping (although secret) to another word y of the ciphertext, independently from the adjacent words. This is true if we remove the very first and the very last arithmetic addition modulo 2^64, and it is true for the full version with a very high probability (probability of the carry bit). The mapping x->y of each word can be seen as an S-box for that individual mapping, and it is constant for the same key/iv setup. After roughly 256+ known pairs plaintext-ciphertext the mapping is then revealed (even without having to derive the secret key, although this might also be possible with a little more thinking). From: 2015-05-07 00:27:07 (UTC)

03 July 2015

University of Luxembourg
Job Posting
The University of Luxembourg is offering a Ph.D. student position in one of the following topics:

  • cryptofinance, cryptocurrencies
  • anonymity and privacy
  • cybersecurity

Applicants interested in symmetric cryptography, authenticated encryption will be also considered.

Profile:

  • An M.Sc. in Computer Science or Applied Mathematics (some background in Economics/Finance is a plus)
  • GPA > 85%
  • Fluent written and verbal communication skills in English are mandatory.

We offer an international research environment and a competitive salary. The position is available from 1 October 2015. Applications will be considered upon receipt, therefore applying before the deadline is encouraged.

Hochschule Offenburg (University of Applied Sciences)
Job Posting
* The Chair for Security in Distributed Systems, Computer Science, Hochschule Offenburg, Germany, offers a full-time PhD position:

* The position involves research in the area of IT security within the project PAL SAaaS 'Building Triangular Trust for Secure Cloud Auditing' in cooperation with the University of Mannheim (Prof. Dr. Frederik Armknecht).

The successful candidate is expected to contribute to research in IT-Security and applied cryptography for Cloud Security.

Besides other cloud-security-related aspects, topics of interest for the open position are

- application of homomorphic cryptographic primitives for secure cloud storage,

- applying the above schemes to the auditing process for cloud services.

* The position is available from August on and is fully funded. The salary scale is TV-L E13.

The gross income depends on the candidate's experience level. At the lowest level it corresponds to approx. 40,000 EUR per year.

* Contracts are offered for three years.

* She or he is given the possibility to carry out a Ph.D.

* The successful candidate should have a Master's degree in Computer Science, Mathematics, Information Security, or a related field.

Deep knowledge in cryptography is not a must but an asset.

* The deadline for applications is July 20, 2015. However, late applications will be considered until the position is filled.

Please send your application with reference number to Prof. Dr. Dirk Westhoff (dirk DOT westhoff AT hs-offenburg DOT de).

Nahid Farhady Ghalaty, Bilgiday Yuce, Patrick Schaumont
ePrint Report
The traditional fault analysis techniques developed over the past decade rely on a fault model, a rigid assumption about the nature of the fault. A practical challenge for all fault attacks is to identify a fault injection method that achieves the presumed fault model.

In this paper, we analyze a class of more recently proposed fault analysis techniques, which adopt a biased fault model. Biased fault attacks enable a more flexible fault model, and are therefore easier to adapt to practice.

The purpose of our analysis is to evaluate the relative efficiency of several recently proposed biased-fault attacks, including Fault Sensitivity Analysis (FSA), Non-Uniform Error Value Analysis (NUEVA), Non-Uniform Faulty Value Analysis (NUFVA), and Differential Fault Intensity Analysis (DFIA).

We compare the relative performance of each technique in a common framework, using a common circuit and using a common fault injection method. We show that, for an identical circuit and an identical fault injection method, the number of faults per attack varies greatly according to the analysis technique.

In particular, DFIA is more efficient than FSA, and FSA is more efficient than both NUEVA and NUFVA. In terms of the number of fault injections until full key disclosure, for a typical case, FSA uses 8x more faults than DFIA, and NUEVA uses 33x more faults than DFIA. Hence, the post-processing technique selected in a biased-fault attack has a significant impact on the probability of a successful attack.


02 July 2015

Announcement

Registration for CRYPTO 2015 is now open (https://www.iacr.org/conferences/crypto2015/registration.html), which makes it a good time to let you know about a few important updates.

Paper delivery of the Journal of Cryptology is now *opt-in*. If you would like to receive hard-copy JoC editions, you must update your membership info. You can update proactively via the membership info form (https://secure.iacr.org/membership/members/update.html) or when paying your membership dues for 2016 during conference registration. If you have already paid your membership dues for 2016 you can still opt in and pay at a later time.

We have made some changes in how IACR membership records are stored internally. As a result, there is a small chance you will be asked to reset your password when authenticating. You will need access to the email address of record associated with your membership. If you experience problems, please contact the membership secretary at database@iacr.org.

Ryutaroh Matsumoto
ePrint Report
We introduce a coding theoretic criterion for Yamamoto's strong security of the ramp secret sharing scheme. After that, by using it, we show the strong security of the strongly multiplicative ramp secret sharing proposed by Chen et al. in 2008.

Bo Yang, Kang Yang, Yu Qin, Zhenfeng Zhang, Dengguo Feng
ePrint Report
Direct Anonymous Attestation (DAA) has been studied for application to mobile devices based on ARM TrustZone. However, current solutions bring in extra performance overheads and security risks when adapting existing DAA schemes originally designed for the PC platform. In this paper, we propose a complete and efficient DAA scheme (DAA-TZ) specifically designed for mobile devices using TrustZone. By considering the application scenarios, DAA-TZ extends the interactive model of the original DAA and provides anonymity for a device and its user against remote service providers. The proposed scheme requires only a one-time switch of TrustZone for the signing phase and elaborately takes pre-computation into account. Consequently, the frequent on-line signing needs at most three exponentiations on an elliptic curve. Moreover, we present the architecture for trusted mobile devices. The issues of key derivation and sensitive data management relying on a root of trust from an SRAM Physical Unclonable Function (PUF) are discussed. We implement a prototype system and execute DAA-TZ using MNT and BN curves with different security levels. The comparison result and performance evaluation indicate that our scheme meets the demanding requirements of mobile users in respect of both security and efficiency.
