International Association
for Cryptologic Research

An authenticated encryption scheme is deemed secure (AE) if ciphertexts both look like random bitstrings and are unforgeable. AE is a much stronger notion than the traditional IND--CCA. One shortcoming of AE as commonly understood is its idealized, all-or-nothing decryption: if decryption fails, it will always provide the \\emph{same single} error message \\emph{and nothing more}. Reality often turns out differently: encode-then-encipher schemes often output decrypted ciphertext before verification has taken place whereas pad-then-MAC-then-encrypt schemes are prone to distinguishable verification failures due to the subtle interaction between padding and the MAC-then-encrypt concept. Three recent papers provided what appeared independent and radically different definitions to model this type of decryption leakage.

We reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real world behaviour.

Camellia is a widely used block cipher, which has been selected as an international standard by ISO/IEC. In this paper, we consider a new family of dierentials of round-reduced Camellia-128 depending on dierent key subsets. There are totally 224 key subsets corresponding to 224 types of 8-round dierentials, which cover a fraction of 1- 1=2^{15} of the keyspace. And each type of 8-round dierential consists of 2^{43} dierentials. Combining with the multiple dierential attack techniques, we give the key-dependent multiple dierential attack on 10-round Camellia-128 with data complexity 2^{91} and time complexity 2^{113}. Furthermore, we propose a 7-round property for Camellia-192 and an 8-round property for Camellia-256, and then mount the meet-in-the-middle attacks on 12-round Camellia-192 and 13-round Camellia-256, with complexity of 2^{180} encryptions and 2^{232.7} encryptions, respectively. All these attacks start from the rst round in a single keysetting.

Conventional Cipher Feedback Mode (CFB) can allow the transmission unit to be shorter than the block-cipher length. Eventually, it causes no delay and even any message expansion unlike the ECB and CBC mode of operation where encryption cannot begin unless and until a complete block of full-length (say 64 bits) plain-text data is available. However, because of stalling during the block encryption, CFB cannot provide low latency, low jitter; these are two imperative properties in the sense of real-time cryptography. For that, it is important that the input stream should not wait for the key-stream to be generated; that means, key-streams are required to be arranged in advance, which cannot be expected in case of the conventional CFB mode. Besides, the conventional Cipher Feedback Mode is also incompetent for such real-time crypto systems, where the integrity of the message is also greatly desirable along with privacy. In this article, we propose a variant of Cipher Feedback Mode, called, Integrity-Aware, Parallelizable Cipher Feedback Mode (IAP-CFB), which can guarantee all the aforesaid requirements, such as, low latency, low jitter, privacy, and integrity assurance, etc.

Tweakable blockcipher (TBC) is an extension of standard blockcipher introduced by Liskov, Rivest and Wagner in 2002. TBC is a versatile building block for efficient symmetric-key cryptographic functions, such as authenticated encryption.

In this paper we study the problem of extending tweak of a given TBC of fixed-length tweak,

which is a variant of popular problem of converting a blockcipher into a TBC, i.e., blockcipher mode of operation.

The problem is particularly important for known dedicated TBCs since they have relatively short tweak.

We propose a simple and efficient solution, called XTX, for this problem.

XTX converts a TBC of fixed-length tweak into another TBC of arbitrarily long tweak, by extending the scheme of Liskov, Rivest and Wagner that converts a blockcipher into a TBC.

Given a TBC of $n$-bit block and $m$-bit tweak, XTX provides $(n+m)/2$-bit security while conventional methods provide $n/2$ or $m/2$-bit security.

We also show that XTX is even useful when combined with some blockcipher modes for building TBC having security beyond the birthday bound.

The purpose of this paper is to compare side-by-side the NTRU and BGV schemes in their non-scale invariant (messages in the lower bits), and their scale invariant (message in the upper bits) forms. The scale invariant versions are often called the FV and YASHE schemes. As an additional optimization, we also investigate the affect of modulus reduction on the scale-invariant schemes. We compare the schemes using the ``average case\'\' noise analysis presented by Gentry et al. In addition we unify notation and techniques so as to show commonalities between the schemes. We find that the BGV scheme appears to be more efficient for large plaintext moduli, whilst YASHE seems more efficient for small plaintext moduli (although the benefit is not as great as one would have expected).

As intended by its name, Physically Unclonable Functions (PUFs) are considered as an ultimate solution to deal with insecure storage, hardware counterfeiting, and many other security problems. However, many different successful attacks have already revealed vulnerabilities of certain digital intrinsic PUFs. This paper demonstrates that legacy arbiter PUF and its popular extended versions (i.e., Feed-forward and XOR-enhanced) can be completely and linearly characterized by means of photonic emission analysis. Our experimental setup is capable of measuring every PUF-internal delay with a resolution of 6 picoseconds. Due to this resolution we indeed require only the theoretical minimum number of linear independent equations (i.e. physical measurements) to directly solve the underlying inhomogeneous linear system. Moreover, it is not required to know the actual PUF responses for our physical delay extraction. We present our practical results for an arbiter PUF implementation on a Complex Programmable Logic Device (CPLD) manufactured with a 180 nanometer process. Finally, we give an insight into photonic emission analysis of arbiter PUF on smaller chip architectures by performing experiments on a Field Programmable Gate Array (FPGA) manufactured with a 60 nanometer process.

Radio Frequency Identification (RFID) applications have spread all over the world and, in order to provide their security and privacy, researchers proposed different kind of protocols. In this paper, we analyzes the privacy of a new protocol, proposed by Yu-Jehn in 2015 which is based on Electronic Product Code Class1 Gener-ation 2 (EPC C1 G2) standard. By applying the OuafiPhan privacy model, we show that the Yu-Jehn protocol is vulnerable against traceability attack and forward traceability attack and it does not provide the privacy of RFID users. Then, to enhance the privacy of the analyzed protocol, an improved version of the protocol is proposed which eliminates the existing weaknesses of Yu-Jehn protocol.

For vectorial Boolean functions, the behavior of iteration has consequence in the diffusion property of the system.

We present a study on the diffusion property of iterated vectorial Boolean functions. The measure that will be of main interest here is the notion of the degree of completeness, which has been suggested by the NESSIE project.

We provide the first (to the best

of our knowledge) two constructions of $(n,n)$-functions having perfect diffusion property and optimal algebraic degree.

We also obtain the complete enumeration results for the constructed functions.

We prove that a (balanced) 10-round Feistel

network is indifferentiable from a random

permutation. In a previous seminal result,

Holenstein et al. had established

indifferentiability of Feistel at 14 rounds.

Our simulator achieves security $O(q^8/2^n)$

and query complexity $O(q^4)$, where $n$ is

half the block length, similarly to

the 14-round simulator of Holenstein et al.,

so that our result is a strict (and also the first)

improvement of that work.

Our simulator is very similar to a 10-round

simulator of Seurin that was subsequently

found to be flawed. Indeed, the main change

of our simulator is to switch to \"FIFO\" path

completion from \"LIFO\" path completion.

This relatively minor change results in an

overall significant paradigm shift, including a

conceptually simpler proof.

The paper is dealing with two important subclasses of plateaued functions: bent and semi-bent functions.

In the first part of the paper, we construct mainly bent and semi-bent functions in the Maiorana-McFarland class using Boolean functions having linear structures (linear translators) systematically. Although most of these results are rather direct applications of some recent results, using linear structures (linear translators) allows us to have certain flexibilities to control extra properties of these plateaued functions. In the second part of the paper, using the results of the first part and exploiting these flexibilities, we modify many secondary constructions. Therefore, we obtain new secondary constructions of bent and semi-bent functions not belonging to the Maiorana-McFarland class. Instead of using bent (semi-bent) functions as ingredients, our secondary constructions use only Boolean (vectorial Boolean) functions with linear structures (linear translators) which are very easy to choose. Moreover, all of them are very explicit and we also determine the duals of the bent functions in our constructions. We show how these linear structures should be chosen in order to satisfy the corresponding conditions coming from using derivatives and quadratic/cubic functions in our secondary constructions.

We revisit the question of constructing an ideal cipher

from a random oracle.

Coron et al.~(Journal of Cryptology, 2014) proved that a 14-round Feistel network using random,

independent,

keyed round functions

is indifferentiable from an ideal cipher, thus demonstrating the feasibility

of such a construction.

Left unresolved is the best possible efficiency of the transformation.

We improve upon the result of Coron et al.\\ and show that

10 rounds suffice.

In this paper we study a parity check based countermeasure proposed by Chen et al. that thwarts their attack by detecting byte fault injection during the AES key schedule process.

We provide a generalization of their approach that allows to derive parity equations for every AES sizes not given by the authors. We analyze why Chen et al. countermeasure does not properly works. Doing so we are able to extend the coverage of the fault detection to the full expanded key. Finally we suggest optimizations that reduce memory and computation costs, and propose an adaptation to a more general fault model.

Strongly unforgeable signature schemes provide a more stringent security guarantee than the standard existential unforgeability. It requires that not only forging a signature on a new message is hard, it is infeasible as well to produce a new signature on a message for which the adversary has seen valid signatures before. Strongly unforgeable signatures are useful both in practice and as a building block in many cryptographic constructions.

This work investigates a generic transformation that compiles any existential-unforgeable scheme into a strongly unforgeable one, which was proposed by Teranishi et al. and was proven in the classical random-oracle model. Our main contribution is showing that the transformation also works against quantum adversaries in the quantum random-oracle model. We develop proof techniques such as adaptively programming a quantum random-oracle in a new setting, which could be of independent interest. Applying the transformation to an existential-unforgeable signature scheme due to Cash et al., which can be shown to be quantum-secure assuming certain lattice problems are hard for quantum computers, we get an efficient quantum-secure strongly unforgeable signature scheme in the quantum random-oracle model.

The security of many cryptographic schemes and protocols rests on the conjectured computational intractability of the discrete logarithm problem in some group of prime order. Such schemes and protocols require domain parameters that specify and a specific generator g. In this paper we consider the problem of computing information on the domain parameters from public keys selected uniformly at random from .

We show that it is not possible to compute any information on the generator g regardless of the number of public keys observed.

In the case of elliptic curves E(GF(p)) or E(GF(2^n)) on short Weierstrass form, or E(K) on Edwards form, twisted Edwards form or Montgomery form, where K is a non-binary field, we show how to compute the domain parameters excluding the generator from four keys on affine form.

Hence, if the domain parameters excluding the generator are to be kept private, points may not be transmitted on affine form. It is an open question whether point compression is a sufficient requirement.

Regardless of whether points are transmitted on affine or compressed form, it is in general possible to create a distinguisher for the domain parameters, excluding the generator, both in the case of the elliptic curve groups previously mentioned, and in the case of multiplicative subgroups of GF(p).

We propose that a good method for preventing all of the above attacks may be to use blinding schemes, and suggest new applications for existing blinding schemes originally designed for steganographic applications.

Together with its great advantages, cloud storage brought many interesting security issues to our attention. Since 2007, with the first efficient storage integrity protocols Proofs of Retrievability (PoR) of Juels and Kaliski, and Provable Data Possession (PDP) of Ateniese et al., many researchers worked on such protocols. The first proposals worked for static or limited dynamic data, whereas later proposals enabled fully dynamic data integrity and retrievability.

Since the beginning, the difference between PDP and PoR models were greatly debated. Most notably, it was thought that dynamic PoR (DPoR) is harder than dynamic PDP (DPDP). Historically this was true: The first DPDP scheme was shown by Erway et al. in 2009, whereas the first DPoR scheme was created by Cash et al. in 2013. We show how to obtain DPoR from DPDP and PDP, together with erasure codes, making us realize that even though we did not know it, in 2009 we already could have had a DPoR solution.

We propose a general framework for constructing DPoR schemes. Our framework encapsulates all known DPoR schemes as its special cases. We further show practical and interesting optimizations that enable even better performance than Chandran et al. and Shi et al. constructions. For the first time, we show how to obtain audit bandwidth for DPoR that is independent of the data size, and how the client can greatly speed up updates with O(λ√n) local storage (where n is the number of blocks, and λ is the security parameter), which corresponds to less than 3 MB for 10 GB outsourced data, and can easily be obtained in today\'s smart phones, let alone computers.

HMAC and its variant NMAC are the most popular approaches to

deriving a MAC (and more generally, a PRF) from a cryptographic hash

function. Despite nearly two decades of research, their exact

security still remains far from understood in many different

contexts. Indeed, recent works have re-surfaced interest for {\\em

generic} attacks, i.e., attacks that treat the compression

function of the underlying hash function as a black box.

Generic security can be proved in a model where the underlying

compression function is modeled as a random function -- yet, to

date, the question of proving tight, non-trivial bounds on the

generic security of HMAC/NMAC even as a PRF remains a challenging

open question.

In this paper, we ask the question of whether a small modification

to HMAC and NMAC can allow us to exactly characterize

the security of the resulting constructions, while only

incurring little penalty with respect to efficiency. To this end,

we present simple variants of NMAC and HMAC, for which we prove

tight bounds on the generic PRF security, expressed in terms of

numbers of construction and compression function queries necessary

to break the construction. All of our constructions are obtained via

a (near) {\\em black-box} modification of NMAC and HMAC, which can be

interpreted as an initial step of key-dependent message

pre-processing.

While our focus is on PRF security, a further attractive feature of

our new constructions is that they clearly defeat all recent generic

attacks against properties such as state recovery and universal

forgery. These exploit properties of the so-called ``functional

graph\'\' which are not directly accessible in our new constructions.

Fault injection attacks are a real-world threat to cryptosystems, in particular asymmetric cryptography.

In this paper, we focus on countermeasures which guarantee the integrity of the computation result, hence covering most existing and future faults attacks.

Namely, we study the modular extension protection scheme in previously existing and newly contributed countermeasures on elliptic curve scalar multiplication (ECSM) algorithms.

We find that problems undermine existing countermeasures but we are able to solve some of them.

We show the genericity of our contributed variant of modular extension countermeasure and formally prove its correctness and security:

the fault non-detection probability is inversely proportional to the security parameter.

Finally, we implement an ECSM protected with our countermeasure on an ARM Cortex-M4 microcontroller.

A systematic fault injection campaign for several values of the security parameter confirms our theoretical prediction and the security of the obtained implementation and provides figures for practical performance.

In CT-RSA 2010, Kan Yasuda has shown that the sum of two independent Encrypted CBC (ECBC) MACs is a secure PRF with security beyond birthday bound. It was mentioned in the abstract of the paper that ``no proof of security above the birthday bound $(2^{n/2})$ has been known for the sum of CBC MACs\" (where $n$ is the tag size in bits). Kan Yasuda\'s paper did not consider the sum of actual CBC outputs and hence the PRF-security of the same has been left open. In this paper, we solve this problem by proving the beyond birthday security of sum of two CBC MACs. As a tool to prove this result, we develope a generalization of the result of S. Lucks from EUROCRYPT 2000 that the sum of two secure PRPs is a secure PRF. We extend this to the case when the domain and the range of the permutations may have some restrictions. Finally, we also lift the birthday bound of NI2 MAC construction (the bound was proven in CRYPTO 2014 by Gazi et al.) to beyond birthday by a small change in the existing construction.

This paper demonstrates new technique for managing revocation in the context of

attribute-based encryption (ABE) and presents two selectively secure directly revocable ABE (RABE)

constructions

- supporting decryption policies realizable by polynomial size Boolean circuits of arbitrary fan-out

and

- featuring compactness in the sense that the number of revocation controlling components in

ciphertexts and decryption keys are constant.

In fact, our RABE schemes are the first to achieve these parameters. Both our constructions utilize

multilinear maps. The size of public parameter in our first construction is linear to the maximum

number of users supported by the system while in the second construction we reduce it to logarithmic.

The Kupyna hash function was approved as the new Ukrainian standard DSTU 7564:2014 in 2015. Main requirements for it were both high security level and good performance of software implementation on general-purpose 64-bit CPUs. The new hash function uses Davies-Meyer compression function based on Even-Mansour cipher construction. Kupyna is built on the transformations of the Kalyna block cipher (Ukrainian standard DSTU 7624:2014). In this paper we present the adapted English translated specification of the Kupyna hash function as it is described in the national standard of Ukraine.