International Association
for Cryptologic Research

We give a new black-box transformation from any semantically secure encryption scheme into a non-malleable one which has a better rate than the best previous work of Coretti et al. (TCC 2016-A). We achieve a better rate by departing from the “matrix encoding” methodology used by previous constructions, and working directly with a single codeword. We also use a Shamir secret-share packing technique to improve the rate of the underlying error-correcting code.

Glitches represent a great danger for hardware implementations of cryptographic schemes. Their intrinsic random nature makes them difficult to tackle and their occurrence threatens side-channel protections. Although countermeasures aiming at structurally solving the problem already exist, they usually require some effort to be applied or introduce non-negligible overhead in the design. Our work addresses the gap between such countermeasures and the na{\"i}ve implementation of schemes being vulnerable in the presence of glitches. Our contribution is twofold: (1) we expand the mathematical framework proposed by Brzozowski and {\'E}sik \cite{FMSD:BrzEsi03} by meaningfully adding the notion of information leakage, (2) thanks to which we define a formal methodology for the analysis of vulnerabilities in combinatorial circuits when glitches are taken into account.

In this paper, we demonstrate that various cryptographic constructions--including ones for broadcast, attribute-based, and hierarchical identity-based encryption--can rely for security on only the static subgroup hiding assumption when instantiated in composite-order bilinear groups, as opposed to the dynamic q-type assumptions on which their security previously was based. This specific goal is accomplished by more generally extending the recent Deja Q framework (Chase and Meiklejohn, Eurocrypt 2014) in two main directions. First, by teasing out common properties of existing reductions, we expand the q-type assumptions that can be covered by the framework; i.e., we demonstrate broader classes of assumptions that can be reduced to subgroup hiding. Second, while the original framework applied only to asymmetric composite-order bilinear groups, we provide a reduction to subgroup hiding that works in symmetric (as well as asymmetric) composite-order groups. As a bonus, our new reduction achieves a tightness of log(q) rather than q.

{\sc Simon} is a family of lightweight block ciphers published by the U.S. National Security Agency (NSA) in 2013. Due to its novel and bit-based design, integral cryptanalysis on {\sc Simon} seems a tough job. At EUROCRYPT 2015 Todo proposed division property which is a generalized integral property, and he applied this technique to searching integral distinguishers of {\sc Simon} block ciphers by considering the left and right halves of {\sc Simon} independently. As a result, he found 11-round integral distinguishers for both {\sc Simon}48 and {\sc Simon}64. Recently, at FSE 2016 Todo \emph{et al.} proposed bit-based division property that considered each bit independently. This technique can find more accurate distinguishers, however, as pointed out by Todo \emph{et al.} the time and memory complexity is bounded by $ 2^n $ for an $ n$-bit block cipher. Thus, bit-based division property is only applicable to {\sc Simon}32.

In this paper we propose a new technique that achieves a trade-off between considering each bit independently and considering left and right halves as a whole, which is actually a trade-off between time-memory and the accuracy of the distinguishers. We proceed by splitting the state of {\sc Simon} into small pieces and study the division property propagations of circular shift and bitwise AND operations under the state partition. Moreover, we propose two different state partitions and study the influences of different partitions on the propagation of division property. We find that different partitions greatly impact the division property propagation of circular shift which will finally result in a big difference on the length of integral distinguishers. By using a tailored search algorithm for {\sc Simon}, we find 12-round integral distinguishers for {\sc Simon}48 and {\sc Simon}64 respectively, which improve Todo's results by one round for both variants.

Event date: 4 December to 7 December 2016
Submission deadline: 5 August 2016
Notification: 25 September 2016

Recently, Tewari and Gupta have proposed an ultralightweight RFID authentication protocol. In this paper, we consider the security of the proposed protocol and present a passive secret disclosure attack against it. The success probability of the attack is `1' while the complexity of the attack is only eavesdropping one session of the protocol. The presented attack has negligible complexity. We simulated our attack and verified its correctness.

Two main computational problems serve as security foundations of current fully homomorphic encryption schemes: Regev's Learning With Errors problem (LWE) and Howgrave-Graham's Approximate Greatest Common Divisor problem (AGCD). Our first contribution is a reduction from LWE to AGCD. As a second contribution, we describe a new AGCD-based fully homomorphic encryption scheme, which outperforms all prior AGCD-based proposals: its security does not rely on the presumed hardness of the so-called Sparse Subset Sum problem, and the bit-length of a ciphertext is only softO(lambda), where lambda refers to the security parameter.

The Discrete Logarithm Problem over Prime Fields can be transformed to a Linear Multivariable Chinese Remainder Theorem.

We define a new mode of operation for block encryption which in addition to assuring confidentiality also assures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware CBC (IACBC), requires a total of m + log m block encryptions on a plaintext of length m blocks. The well known CBC (cipher block chaining) mode requires m block encryptions. The second pass of computing the MAC essentially requires additional m block encryptions. We also show a lower bound of \Omega(log m) additional block encryptions for any reasonably modeled (linear) scheme which assures message integrity along with confidentiality.

MDS matrices are used as building blocks of diffusion layers in block ciphers, and XOR count is a metric that estimates the hardware implementation cost. In this paper we report the minimum value of XOR counts of $4 \times 4$ MDS matrices over $\mathbb{F}_{2^4}$ and $\mathbb{F}_{2^8}$, respectively. We give theoretical constructions of Toeplitz MDS matrices and show that they achieve the minimum XOR count. We also prove that Toeplitz matrices cannot be both MDS and involutory. Further we give theoretical constructions of $4 \times 4$ involutory MDS matrices over $\mathbb{F}_{2^4}$ and $\mathbb{F}_{2^8}$ that have the best known XOR counts so far: for $\mathbb{F}_{2^4}$ our construction gives an involutory MDS matrix that actually improves the existing lower bound of XOR count, whereas for $\mathbb{F}_{2^8}$, it meets the known lower bound.

Homomorphic signatures (HS) allow evaluation of signed messages by producing a signature on a function of messages signed by the same key. Motivated by the vast potential of applications, we initiate the study of multi-key HS (M-HS) which allows evaluation of signatures under different keys. We also study other multi-key extensions, namely, hierarchical HS (M-HiHS) for delegation of signing power over message sub-spaces, and key-message-HS (M-KMHS) for evaluation of signatures under different keys with respect to both keys and messages. We thus also introduce the concept of key-homomorphism in signatures, which leads to the notion of multi-key key-HS (M-KHS) for evaluation of signatures with respect to keys only.

Notion-wise, our result shows that M-HS can act as a central notion since all its seemingly different extensions are all equivalent. In particular, this suggests that key-homomorphism and message-homomorphism in signatures are identical in nature. As a sample application, we show that M-KHS implies decentralized attribute-based signatures (D-ABS). Our work also provides the first (leveled) fully KHS and the first (D-)ABS for circuits from standard assumptions.

Surprisingly, there is a huge gap between homomorphism in a single space and in two spaces. Indeed all existing (leveled) fully homomorphic signature schemes support only a single signer. In the multi-space setting, we construct M-HS from any adaptive zero-knowledge succinct non-interactive argument of knowledge (ZK-SNARK) (and other standard assumptions). We also show that two-key HS implies functional signatures. Our study equips the literature with a suite of signature schemes allowing different kinds of flexible evaluations.

In this paper, we propose a two-round dynamic multi-cast key distribution (DMKD) protocol under the star topology with a central authentication server. Users can share a common session key without revealing any information of the session key to the server, and can join/leave to/from the group at any time even after establishing the session key. Our protocol is scalable because communication and computation costs of each user are independent from the number of users. Also, our protocol is still secure if either private key or session-specific randomness of a user is exposed. Furthermore, time-based backward secrecy is guaranteed by renewing the session key for every time period even if the session key is exposed. We introduce the first formal security definition for DMKD under the star topology in order to capture such strong exposure resilience and time-based backward secrecy. We prove that our protocol is secure in our security model in the standard model.

Temasek Laboratories at National University of Singapore, Singapore is seeking highly motivated professionals interested in conducting research in the area of post-quantum cryptography.

Applicants are expected to have a PhD degree in Mathematics/Computer Science/Engineering and a strong background in algebra or number theory.

Preferred candidates are expected to be proficient in C/C++ language, a team worker and able to conduct independent research.

Interested candidates will kindly email their CV to Dr Chik How Tan tsltch (at) nus.edu.sg.

Review of applications will start immediately until position is filled.

Closing date for applications: 15 October 2016

The security research team at Visa research has openings for research scientists at all levels with expertise in areas such as, cryptography and cryptanalysis, user and data privacy, payments and cryptocurrencies, and distributed systems/cloud computing security. For more information visit our website: http://research.visa.com/

Interested candidates should kindly email their CV to research (at) visa (dot) com with the subject line Security Research Position.

Closing date for applications: 30 November 2016