International Association
for Cryptologic Research

RFID technology is a system which uses radio frequency to transmit data. Data transmission between Tags and Readers is wireless which can be easily eavesdropped by adversary. Due to security and privacy reasons, various authentication protocols proposed. In this paper, we cryptanalyze two different RFID authentication protocols and it is shown that either of them have some weaknesses. In 2014, Chang et al. proposed a mutual authentication protocol for RFID technology based on EPC Class 1 Generation 2 standard. We show that their protocol is not safe regard to privacy and cannot repulse neither Traceability attack nor Forward Traceability attack. Also, in 2015, Pourpouneh et al. proposed a server-less authentication protocol. We discover that their protocol is not able to thwart security and privacy attacks such as Secret Parameter Reveal, Traceability and Forward Traceability. In addition, we robust the two schemes to defend those attacks which can protect RFID users against different threats. Then, analyzing of the protocols are compared with some state-of-art ones.

The literature on leakage-resilient cryptography contains various leakage models that provide different levels of security. In this work, we consider the \emph{bounded leakage} and the \emph{continual leakage} models. In the bounded leakage model (Akavia et al. -- TCC 2009), it is assumed that there is a fixed upper bound $L$ on the number of bits the attacker may leak on the secret key in the entire lifetime of the scheme. Alternatively, in the continual leakage model (Brakerski et al. -- FOCS 2010, Dodis et al. -- FOCS 2010), the lifetime of a cryptographic scheme is divided into ``time periods'' between which the scheme's secret key is updated. Furthermore, in its attack the adversary is allowed to obtain some bounded amount of leakage on the current secret key during each time period.

In the continual leakage model, a challenging problem has been to provide security against \emph{leakage on key updates}, that is, leakage that is a function not only of the current secret key but also the \emph{randomness used to update it}. We propose a new, modular approach to overcome this problem. Namely, we present a compiler that transforms any public-key encryption or signature scheme that achieves a slight strengthening of continual leakage resilience, which we call \emph{consecutive} continual leakage resilience, to one that is continual leakage resilient with leakage on key updates, assuming \emph{indistinguishability obfuscation} (Barak et al. --- CRYPTO 2001, Garg et al. -- FOCS 2013). Under the stronger assumption of \emph{public-coin differing-inputs obfuscation} (Ishai et al. -- TCC 2015) the leakage rate tolerated by our compiled scheme is essentially as good as that of the starting scheme. Our compiler is obtained by making a new connection between the problems of leakage on key updates and so-called ``sender-deniable'' encryption (Canetti et al. -- CRYPTO 1997), which was recently realized for the first time by Sahai and Waters (STOC 2014).

In the bounded leakage model, we develop a new approach to constructing leakage-resilient encryption from obfuscation, based upon the public-key encryption scheme from $\iO$ and punctured pseudorandom functions due to Sahai and Waters (STOC 2014). In particular, we achieve leakage-resilient public key encryption tolerating $L$ bits of leakage for any $L$ from $\iO$ and one-way functions. We build on this to achieve leakage-resilient public key encryption with optimal leakage rate of $1-o(1)$ based on public-coin differing-inputs obfuscation and collision-resistant hash functions. Such a leakage rate is not known to be achievable in a generic way based on public-key encryption alone. We then develop entirely new techniques to construct a new public key encryption scheme that is secure under (consecutive) continual leakage resilience (under appropriate assumptions), which we believe is of independent interest.

Chaum et al. have very recently introduced cMix as the first practical system that offers senders-receivers unlinkability at scale. cMix is claimed by its authors to be secure unless all nodes collude (or less than two senders are honest). We argue their assertion does not hold and sustain our statement by three different types of attacks: tagging attack, insider attack and passive attack. For each one, we discuss the settings that make it feasible and possible countermeasures.

Searchable Symmetric Encryption aims at making possible searching over an encrypted database stored on an untrusted server while keeping privacy of both the queries and the data, by allowing some small controlled leakage to the server. Recent works showed that dynamic schemes – in which the data is efficiently updatable – leaking some informations on updated keywords are subjects to devastating adaptative attacks breaking the queries’ privacy. The only way to thwart this attack is to design forward-private schemes whose update procedure does not leak if a newly inserted element matches previous search queries. This work proposes \Sigma o\phi o\varsigma as a forward-private SSE scheme with performance similar to existing less secure schemes, and that is conceptually simpler (and also more efficient) than previous forward-private constructions. In particular, it only relies on trapdoor permutations and does not use an ORAM-like construction. We also explain why \Sigma o\phi o\varsigma is an optimal point of the security/performance tradeoff for SSE. Finally, an implementation and evaluation results demonstrate its practical efficiency.

The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-art algorithms for solving the corresponding problem are the number field sieve and its variants. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital.

In this paper, we devise a method to improve the individual logarithm step by exploring certain subfield structure. Our technique is based on the extended tower number field sieve method and generalizes the idea used by Guillevic. The method achieves more significant improvement when the extension degree has a large proper factor. We also perform some experiments to illustrate our algorithm and confirm the result.

The information ratio of a secret sharing scheme $\Sigma$ measures the size of the largest share of the scheme, and is denoted by $\sigma(\Sigma)$. The optimal information ratio of an access structure $\Gamma$ is the infimum of $\sigma(\Sigma)$ among all schemes $\Sigma$ for $\Gamma$, and is denoted by $\sigma(\Gamma)$. The main result of this work is that for every two access structures $\Gamma$ and $\Gamma'$, $|\sigma(\Gamma)- \sigma(\Gamma')|\leq|\Gamma\cup\Gamma'|-|\Gamma\cap\Gamma'|$. As a consequence of this result, we see that close access structures admit secret sharing schemes with similar information ratio. We show that this property is also true for particular families of secret sharing schemes and models of computation, like the family of linear secret sharing schemes, span programs, Boolean formulas and circuits. In order to understand this property, we also study the limitations of the techniques for finding lower bounds on the information ratio and other complexity measures. We analyze the behavior of these bounds when we add or delete subsets from an access structure

Fully Homomorphic Encryption is a powerful cryptographic tool that enables performing arbitrary meaningful computations over encrypted data. Despite its evolution over the past 7 years, FHE schemes are still not suitable for practical use due to performance inefficiencies, where a simple operation can be performed in several seconds. In this paper, a new architecture for accelerating homomorphic function evaluation on FPGA is proposed. While ideas such as the small/large-CRT representation are reused from previous architectures, a modified version of the cached NTT algorithm is presented in this paper, allowing it to be efficiently computed in a multi-core environment. In order to compute an N-point NTT, the architecture consists of sqrt(N) cores, each capable of computing a sqrt(N)-point NTT, with a special purpose Network-on-Chip (NoC) for coefficient reordering. The proposed NoC enables reordering coefficients in time O(sqrt(N)), leading to an overall parallel NTT algorithm of time complexity O(sqrt(N)log(sqrt(N))). The architecture has been implemented on Xilinx Virtex 7 XC7V1140T FPGA. The design consumes 22% of the registers, 95% of the LUTs, 91% of the DSPs and 85% of the Block RAMs. The implementation performs 32-bit 2^(16)-point NTT algorithm in 23.8 us, achieving speed-up of 14x over the state of the art architecture in this crucial operation. The architecture has been evaluated by computing a block of each of the AES and SIMON-64/128 on the LTV and YASHE schemes. The proposed architecture can evaluate the AES circuit using the LTV scheme in 4 minutes, processing 2048 blocks in parallel, which leads to an amortized performance of 117 ms/block, which is the fastest performance reported to the best of our knowledge.

Proofs of Retrievability (POR) are cryptographic proofs which provide assurance to a single tenant (who creates tags using his secret material) that his files can be retrieved in their entirety. However, POR schemes completely ignore storage-efficiency concepts, such as multi-tenancy and data deduplication, which are being widely utilized by existing cloud storage providers. Namely, in deduplicated storage systems, existing POR schemes would incur an additional overhead for storing tenants’ tags which grows linearly with the number of users deduplicating the same file. This overhead clearly reduces the (economic) incentives of cloud providers to integrate existing POR/PDP solutions in their offerings. In this paper, we propose a novel storage-efficient POR, dubbed SPORT, which transparently supports multi-tenancy and data deduplication. More specifically, SPORT enables tenants to securely share the same POR tags in order to verify the integrity of their deduplicated files. By doing so, SPORT considerably reduces the storage overhead borne by cloud providers when storing the tags of different tenants deduplicating the same content.We show that SPORT resists against malicious tenants/cloud providers (and against collusion among a subset of the tenants and the cloud). Finally, we implement a prototype based on SPORT, and evaluate its performance in a realistic cloud setting. Our evaluation results show that our proposal incurs tolerable computational overhead on the tenants and the cloud provider.

A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously.

We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2n + \omega(log n). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length.

The proceedings for FSE 2016 are now available via SpringerLink. Through our agreement with Springer, IACR members can access these proceedings for free by logging into this access page. FSE 2016 is the last proceedings of FSE to be published through Springer, as FSE is transitioning to a conference-journal hybrid whose papers will be published in the new Transactions on Symmetric Cryptology.

Faculty position (Full Professor, W3) for Computer Science, with a focus on "IT Security, Privacy, and Cryptography"

CISPA, the Center for IT-Security, Privacy, and Accountability at Saarland University in Germany is searching for excellent applicants with a strong international standing from all areas of IT Security, Privacy, and Cryptography.

Applicants are expected to display outstanding scientific research abilities, management skills, as well as excellent teaching skills and a strong dedication towards teaching. The scientific qualification should be especially proven by publications at the leading international IT-Security Conferences. University courses for Master’s studies and at the Graduate School are taught in English. The chosen applicant is expected to participate actively in the development of CISPA.

Closing date for applications: 12 August 2016

Contact: Prof. Dr. Michael Backes

Full Professor at Saarland University

Director of the Center for IT-Security, Privacy, and Accountability

Campus E 9 1, 66123 Saarbrücken, Germany

Email: backes (at) cispa.saarland

Phone: +49 681 302-3249

More information: https://www.cispa.saarland/education/careers/faculty-W1107/

The chair for cryptography at the Friedrich-Alexander-University in Nuremberg has an opening for an excellent and highly motivated Postdocs. Possible research interests of our group include (but are not limited to) Cryptographic protocols, secure two/multi-party computation, verifiable computation, functional signatures, cryptography based on hardware assumptions, cryptocurrencies, and foundations. We investigate these topics both from a theoretical and applied perspective.

Postdocs applicants are expected to have a PhD in cryptography or related areas, excellence in research proven for example by publications in IACR conferences and workshops CRYPTO, EUROCRYPT, ASIACRYPT, TCC, PKC,... or IT security venues like IEEE S&P, ACM CCS, NDSS, USENIX Security,….

Postdoc applicants should contact Dominique Schröder at bewerbungen-inf13 (at) lists.cs.fau.de and send the common application material in a single PDF file (i.e., CV, names of three references, a brief statement of research interests and experience.)

Starting date is negotiable. We are offering an internationally competitive salary. Review of applications starts immediately until the position is filled.

Closing date for applications: 31 August 2016

Contact: Dominique Schröder

Old website: www.ca.cs.uni-saarland.de

The Computer Architecture and Security Laboratory in the Electrical Engineering department at Yale University has an opening for a researcher to be involved with exciting work on computer architecture and hardware security, focusing on FPGA prototyping. We are looking for motivated candidates with experience in:

* FPGAs and Verilog or VHDL programming

* Altera hardware and IP cores knowledge is desired, but not required

* Cryptography

Closing date for applications: 31 December 2016

Contact: Jakub Szefer

More information: http://caslab.eng.yale.edu/joinourteam

Post-doctoral fellow position in Department of Computer and Information Communications Engineering at Hongik University in the field of information security including cryptography for at least two year appointment. Applicants should have their Ph.D degrees within five years as of June 30, 2016.

Please email with subject ‘Postdoc position’ statement of research, CV, recommendation letters or referees, and copies of 3 most significant publications to sohwang (at) hongik.ac.kr

Closing date for applications: 12 August 2016

Contact: Professor Seong Oun Hwang at sohwang (at) hongik.ac.kr

More information: http://shinan.hongik.ac.kr/~sohwang/index_e.htm

The Department of Computing and Software at McMaster University in Hamilton, Ontario, Canada, invites applications for a 27-month postdoctoral researcher position in the area of post-quantum cryptography under the supervision of Dr. Douglas Stebila, to begin October 2016.

The successful applicant will have strong experience in one or more forms of post-quantum cryptography (lattice-based, code-based, isogenies, multivariate quadratic, or hash-based signatures). Applicants with either theoretical skills or practical implementation skills are welcome. Applicants must be cleared to graduate from their PhD program by the commencement of the position.

This research is part of a project whose overall goal is to develop practical post-quantum cryptography for the Internet and other applications, and is funded by an NSERC Discovery Accelerator Supplement award.

The researcher will be expected to teach one undergraduate course in each of the two years of the contract, and will have the opportunity to participate in the co-supervision of Masters or PhD students. There is also the potential to participate in industry collaborations.

McMaster University is one of Canada\'s top universities, ranked 4th in Canada and 96th in the world in the 2015 Academic Ranking of World Universities. Hamilton is Canada\'s 9th largest city and is located in the Greater Toronto Area, less than an hour to downtown Toronto by public transit. Hamilton is located along the Niagara escarpment, with more than 100 waterfalls in the city limits, and lots of outdoor activities in the many nearby parks and conservation areas.

Applications should include a CV, names of three references, and a brief statement of research interests and experience, and must be submitted online (http://www.workingatmcmaster.ca/careers/: Job ID # 9483).

Closing date for applications: 25 August 2016

Contact: Dr. Douglas Stebila (stebilad (at) mcmaster.ca)

More information: http://www.workingatmcmaster.ca/careers/

Eurocrypt 2017 is the 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology. Eurocrypt 2017 is one of the three flagship conferences of the International Association for Cryptologic Research (IACR), and is organized by the Crypto Group at ENS Paris.

Eurocrypt 2017 will be held on April 30-May 4, 2017 in Paris at Maison de la Mutualité, which is located right in the center of Paris, within walking distance of Notre Dame. EuroS&P 2017 will also take place in Paris at the UPMC Jussieu Campus (about 10 minutes walk away) during April 26-28, which is right before EUROCRYPT 2017. The affiliated events will be organized jointly with EuroS&P on April 29-30, 2017, at the UPMC Jussieu Campus.

Proposals are solicited for affiliated events to be held in conjunction with EuroS&P and EUROCRYPT 2017. Each affiliated event provides a forum to address a specific topic at the forefront of security or cryptography research. This includes workshops, tutorials, etc. that can be annual events, one time events, or aperiodic.

Important Dates for Affiliated Events

Event proposal deadline: August 12, 2016
Acceptance notification: August 26, 2016
Affiliated event dates: April 29-30, 2017

Provided Services

The EuroS&P and EUROCRYPT organizers provide only the following services to associated events:

• Conference room with projector
• Coffee during 3 coffee breaks (8-9am, 10:30-11am, and 3:30-4:00pm)
• Registration (small, fixed fee, covering the rooms and coffee)

The EuroS&P and EUROCRYPT organizers do not provide lunch, dinner, proceedings, website, etc, but affiliated event organizers can arrange such things directly, if needed. Please use the last page of the submission form to mention any special requests your event might have.

Required Information for Proposing Event

Filling in the form below requires the following information:

• Name and acronym of the event
• Main affiliation (EuroS&P or EUROCRYPT)
• Type of event (Workshop, Tutorial, etc.)
• Abstract and Target audience
• Expected number of participants (e.g. a range)
• Will the event have a public call for contributions
• Will the event have proceedings
• List of event organizers and Contact email
• Expected event duration (up to 2 days) and the preferred date
• Information about past event instances
• Any special requests or additional information

Submission Form

Please submit event proposals using the following web form: http://goo.gl/forms/6JUV5DsV4DGKGzLy1. Please direct any questions to eurocrypt2017@iacr.org

Kalyna is an SPN-based block cipher that was selected during Ukrainian National Public Cryptographic Competition (2007-2010) and its slight modification was approved as the new encryption standard of Ukraine. In this paper, we focus on the key-recovery attacks on reduced-round Kalyna-128/256 and Kalyna-256/512 with meet-in-the-middle method. The differential enumeration technique and key-dependent sieve technique which are popular to analyze AES are used to attack them. Using the key-dependent sieve technique to improve the complexity is not an easy task, we should build some tables to achieve this. Since the encryption procedure of Kalyna employs a pre- and post-whitening operations using addition modulo $2^{64}$ applied on the state columns independently, we carefully study the propagation of this operation and propose an addition plaintext structure to solve this. For Kalyna-128/256, we propose a 6-round distinguisher, and achieve a 9-round (out of total 14-round) attack. For Kalyna-256/512, we propose a 7-round distinguisher, then achieve an 11-round (out of total 18-round) attack. As far as we know, these are currently the best results on Kalyna-128/256 and Kalyna-256/512.

Despite much study, the computational complexity of differential privacy remains poorly understood. In this paper we consider the computational complexity of accurately answering a family $Q$ of statistical queries over a data universe $X$ under differential privacy. A statistical query on a dataset $D \in X^n$ asks "what fraction of the elements of $D$ satisfy a given predicate $p$ on $X$?'' Dwork et al. (STOC'09) and Boneh and Zhandry (CRYPTO'14) showed that if both $Q$ and $X$ are of polynomial size, then there is an efficient differentially private algorithm that accurately answers all the queries, and if both $Q$ and $X$ are exponential size, then under a plausible assumption, no efficient algorithm exists.

We show that, under the same assumption, if either the number of queries or the data universe is of exponential size, then there is no differentially private algorithm that answers all the queries. Specifically, we prove that if one-way functions and indistinguishability obfuscation exist, then:

1) For every $n$, there is a family $Q$ of $\tilde{O}(n^7)$ queries on a data universe $X$ of size $2^d$ such that no $\poly(n,d)$ time differentially private algorithm takes a dataset $D \in X^n$ and outputs accurate answers to every query in $Q$.

2) For every $n$, there is a family $Q$ of $2^d$ queries on a data universe $X$ of size $\tilde{O}(n^7)$ such that no $\poly(n,d)$ time differentially private algorithm takes a dataset $D \in X^n$ and outputs accurate answers to every query in $Q$.

In both cases, the result is nearly quantitatively tight, since there is an efficient differentially private algorithm that answers $\tilde{\Omega}(n^2)$ queries on an exponential size data universe, and one that answers exponentially many queries on a data universe of size $\tilde{\Omega}(n^2)$.

Our proofs build on the connection between hardness results in differential privacy and traitor-tracing schemes (Dwork et al., STOC'09; Ullman, STOC'13). We prove our hardness result for a polynomial size query set (resp., data universe) by showing that they follow from the existence of a special type of traitor-tracing scheme with very short ciphertexts (resp., secret keys), but very weak security guarantees, and then constructing such a scheme.

We show how to transform any semantically secure encryption scheme into a non-malleable one, with a black-box construction that achieves a quasi-linear blow-up in the size of the ciphertext. This improves upon the previous non-black-box construction of Pass, Shelat and Vaikuntanathan (Crypto '06). Our construction also extends readily to guarantee non-malleability under a bounded-CCA2 attack, thereby simultaneously improving on both results in the work of Cramer et al. (Asiacrypt '07).

Our construction departs from the oft-used paradigm of re-encrypting the same message with different keys and then proving consistency of encryption. Instead, we encrypt an encoding of the message; the encoding is based on an error-correcting code with certain properties of reconstruction and secrecy from partial views, satisfied, e.g., by a Reed-Solomon code.

The accuracy and the fast convergence of a leakage model are both essential components for the efficiency of side-channel analysis. Thus for efficient leakage estimation an evaluator is requested to pick a Probability Density Function (PDF) that constitutes the optimal trade-off between both aspects. In the case of parametric estimation, Gaussian templates are a common choice due to their fast convergence, given that the actual leakages follow a Gaussian distribution (as in the case of an unprotected device). In contrast, histograms and kernel-based estimations are examples for non-parametric estimation that are capable to capture any distribution (even that of a protected device) at a slower convergence rate. With this work we aim to enlarge the statistical toolbox of a side-channel evaluator by introducing new PDF estimation tools that fill the gap between both extremes. Our tools are designed for parametric estimation and can efficiently characterize leakages up to the fourth statistical moment. We show that such an approach is superior to non-parametric estimators in contexts where key-dependent information in located in one of those moments of the leakage distribution. Furthermore, we successfully demonstrate how to apply our tools for the (worst-case) information-theoretic evaluation on masked implementations with up to four shares, both in a profiled and non-profiled attack scenario. We like to remark that this flexibility capturing information from different moments of the leakage PDF can provide very valuable feedback for hardware designers to their task to evaluate the individual and combined criticality of leakages in their (protected) implementations.