International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo and Facebook.

22 September 2015

Kai Zhang, Jie Guan, Bin Hu, Dongdai Lin, Wentao Zhang
ePrint Report
SIMON and SPECK family ciphers have attracted the attention of cryptographers all over the world since they were proposed by the NSA in June 2013. At CHES 2015, Simeck, a new block cipher inspired by both SIMON and SPECK, was proposed, which is more compact and efficient. However, a security evaluation of Simeck against zero correlation linear cryptanalysis seems to be missing from the specification. The main focus of this paper is to fill this gap and evaluate the security level of Simeck against zero correlation linear cryptanalysis. According to our study, 11/13/15-round zero correlation linear distinguishers on Simeck32/48/64 are proposed respectively; then zero correlation linear cryptanalysis on 20/24/27 rounds of Simeck32/48/64 is proposed for the first time. As far as we know, for Simeck32, our result is the best result to date.

Maxime Lecomte, Jacques Fournier, Philippe Maurine
ePrint Report
In this paper we present a novel solution to address the problem of potential malicious circuitry on FPGAs. This method is based on a technique of structure extraction which considers the infection of a whole lot. This structure is related to the design (place and route, power grid, ...) of the integrated circuits which compose the lot. In case of additional circuitry this design will be modified and the extracted structure will be affected. After developing the extraction techniques we present a methodology to insert detection of hardware Trojans and counterfeits in different IC manufacturing steps. At last, an application example using 30 FPGA boards validates our extraction method. Finally, statistical tools are applied to the experimental results to distinguish a genuine lot from an infected one and confirm the detection potential of the extracted structure.

Pratish Datta, Ratna Dutta, Sourav Mukhopadhyay
ePrint Report
Functional encryption (FE) enables sophisticated control over decryption rights in a multi-user scenario, while functional signature (FS) allows enforcing complex constraints on signing capabilities. This paper introduces the concept of functional signcryption (FSC) that aims to provide the functionalities of both FE and FS in a unified cost-effective primitive. FSC provides a solution to the problem of achieving confidentiality and authenticity simultaneously in digital communication and storage systems involving multiple users with better efficiency compared to a sequential implementation of FE and FS. We begin by providing a formal definition of FSC and formulating its security requirements. Next, we present a generic construction of this challenging primitive that supports arbitrary polynomial-size signing and decryption functions from known cryptographic building blocks, namely, indistinguishability obfuscation (IO) and statistically simulation-sound non-interactive zero-knowledge proof of knowledge (SSS-NIZKPoK). Finally, we exhibit a number of representative applications of FSC: (I) We develop the first construction of attribute-based signcryption (ABSC) supporting signing and decryption policies representable by general polynomial-size circuits from FSC. (II) We show how FSC can serve as a tool for building an SSS-NIZKPoK system and IO, a result which in conjunction with our generic FSC construction can also be interpreted as establishing an equivalence between FSC and the other two fundamental cryptographic primitives.

Benjamin Dowling, Marc Fischlin, Felix Günther, Douglas Stebila
ePrint Report
The Internet Engineering Task Force (IETF) is currently developing the next version of the Transport Layer Security (TLS) protocol, version 1.3. The transparency of this standardization process allows comprehensive cryptographic analysis of the protocols prior to adoption, whereas previous TLS versions have been scrutinized in the cryptographic literature only after standardization. Here we look at two related, yet slightly different candidates which were in discussion for TLS 1.3 at the point of writing of the main part of the paper in May 2015, called draft-ietf-tls-tls13-05 and draft-ietf-tls-tls13-dh-based.

We give a cryptographic analysis of the primary ephemeral Diffie-Hellman-based handshake protocol, which authenticates parties and establishes encryption keys, of both TLS 1.3 candidates. We show that both candidate handshakes achieve the main goal of providing secure authenticated key exchange according to an augmented multi-stage version of the Bellare-Rogaway model. Such a multi-stage approach is convenient for analyzing the design of the candidates, as they establish multiple session keys during the exchange.

An important step in our analysis is to consider compositional security guarantees. We show that, since our multi-stage key exchange security notion is composable with arbitrary symmetric-key protocols, the use of session keys in the record layer protocol is safe. Moreover, since we can view the abbreviated TLS resumption procedure also as a symmetric-key protocol, our compositional analysis allows us to directly conclude security of the combined handshake with session resumption.

We include a discussion on several design characteristics of the TLS 1.3 drafts based on the observations in our analysis.

Mohammad Hassan Ameri, Maryam Rajabzadeh Assar, Javad Mohajeri, Mahmoud Salmasizadeh
ePrint Report
Cloud data owners encrypt their documents before outsourcing to preserve their privacy. They can determine a search control policy and delegate the ability of search token generation to the users whose attributes satisfy the search control policy. Verifiable attribute-based keyword search (VABKS), where the users can also verify the accuracy of cloud functionality, is one such scheme. In this paper, the first generic construction for VABKS is proposed. To this end, the notion of hierarchical identity-based multi-designated verifier signature (HIB-MDVS) is introduced and existential forgery under chosen message attack (EF-CMA) is formally defined for its unforgeability. Furthermore, anonymity against chosen identity vector set and chosen plaintext attack (Anon-CIVS-CPA) is formally defined as the security definition of hierarchical identity-based broadcast encryption (HIBBE). The proposed construction is built in a modular structure using HIBBE, HIB-MDVS, and a Bloom filter as the building blocks. We prove that the security of the proposed construction is based on the unforgeability of HIB-MDVS and the anonymity of HIBBE. Finally, the concept of verifiable ranked keyword search is introduced and a construction of this primitive based on the proposed VABKS is presented.

Subhabrata Samajder, Palash Sarkar
ePrint Report
All statistical analyses of symmetric key attacks use the central limit theorem to approximate the distribution of a sum of random variables using the normal distribution. Expressions for data complexity using such an approach are inherently approximate. In contrast, this paper takes a rigorous approach to analysing attacks on block ciphers. In particular, no approximations are used. Expressions for upper bounds on the data complexities of several basic and advanced attacks are obtained. The analysis is based on the hypothesis testing framework. Probabilities of Type-I and Type-II errors are upper bounded using standard tail inequalities. In the cases of single linear and differential cryptanalysis, the Chernoff bound is used. For the cases of multiple linear and multiple differential cryptanalysis, the theory of martingales is required. A Doob martingale satisfying the Lipschitz condition is set up so that the Azuma-Hoeffding inequality can be applied. This allows bounding the error probabilities and obtaining expressions for data complexities. We believe that our method provides important results for the attacks considered here and, more generally, that the techniques we develop have much wider applicability.

Constantinos Patsakis, Panayiotis Kotzanikolaou, Mélanie Bouroche
ePrint Report
Nowadays, most smartphones come pre-equipped with location (GPS) sensing capabilities, allowing developers to create a wide variety of location-aware applications and services. While location awareness provides novel features and functionality, it opens the door to many privacy nightmares. On many occasions, however, users do not need to share their actual location, but only to determine whether they are in proximity to others, which is practically one bit of information. Private proximity protocols allow this functionality without any further information leakage. In this work we introduce a novel protocol which is far more efficient than the current state of the art and bases its security on lattice-based cryptography.

Md Iftekhar Salam, Kenneth Koon-Ho Wong, Harry Bartlett, Leonie Simpson, Ed Dawson, Josef Pieprzyk
ePrint Report
This paper analyzes the authenticated encryption algorithm ACORN, a candidate in the CAESAR cryptographic competition. We identify weaknesses in the state update function of ACORN which result in collisions in the internal state of ACORN. This paper shows that for a given set of key and initialization vector values we can construct two distinct input messages which result in a collision in the ACORN internal state. Using a standard PC the collision can be found almost instantly when the secret key is known.

Hung Dang, Anh Dinh, Ee-Chien Chang, Beng Chin Ooi, Shruti Tople, Prateek Saxena
ePrint Report
Cloud providers are realizing the outsourced database model in the form of database-as-a-service offerings. Security in terms of data privacy remains an obstacle because data storage and processing are done on an untrusted cloud. As such, providing a strong notion of security under additional constraints of functionality and performance is challenging, for which advanced encryption and recent trusted computing primitives alone prove insufficient.

This paper proposes a practical system for privacy-preserving data management, called PRAMOD, in which data is stored in encrypted form and data-dependent computations are carried out inside a trusted environment. The system supports popular algorithms underlying many data management applications, including sort, compaction, join and group aggregation. Data privacy is ensured even when data movement between different components (caused by limited private memory) is observed by the adversary. For many algorithms, this is achieved by appending a component called scrambler which breaks the linkage between the input and output. Our experimental study indicates reasonable overheads over a baseline system with a weaker level of security. In addition, PRAMOD shows better performance than state-of-the-art solutions with similar levels of security. For example, PRAMOD achieves 4.4× speedup over the alternative data-oblivious sorting algorithm.

Giuseppe Ateniese, Antonio Faonio, Seny Kamara
ePrint Report
We provide a framework for constructing leakage-resilient identification (ID) protocols in the bounded retrieval model (BRM) from proofs of storage (PoS) that hide partial information about the file. More precisely, we describe a generic transformation from any zero-knowledge PoS to a leakage-resilient ID protocol in the BRM. We then describe a ZK-PoS based on RSA which, under our transformation, yields the first ID protocol in the BRM based on RSA (in the ROM). The resulting protocol relies on a different computational assumption and is more efficient than previously-known constructions.

Kwangsu Lee, Jong Hwan Park
ePrint Report
Identity-based revocation (IBR) is a specific kind of broadcast encryption that can effectively send a ciphertext to a set of receivers. In IBR, a ciphertext is associated with a set of revoked users instead of a set of receivers and the maximum number of users in the system can be an exponential value in the security parameter. In this paper, we reconsider the general method of Lee, Koo, Lee, and Park (ESORICS 2014) that constructs a public-key revocation (PKR) scheme by combining the subset difference (SD) method of Naor, Naor, and Lotspiech (CRYPTO 2001) and a single revocation encryption (SRE) scheme. Lee et al. left it as an open problem to construct an SRE scheme under the standard assumption without random oracles. In this work, we first propose a selectively secure SRE scheme under the standard assumption without random oracles. Next, we propose a fully secure SRE scheme under simple static assumptions without random oracles. Finally, we present an efficient IBR scheme derived from the SD method and our SRE scheme. The security of our IBR scheme depends on that of the underlying SRE scheme.

Thalia M. Laing, Keith M. Martin, Maura B. Paterson, Douglas R. Stinson
ePrint Report
A localised multisecret sharing scheme is a multisecret sharing scheme for an ordered set of players in which players in the smallest sets who are authorised to access secrets are close together in the underlying ordering. We define threshold versions of localised multisecret sharing schemes, we provide lower bounds on the share size of perfect localised multisecret sharing schemes in an information theoretic setting, and we give explicit constructions of schemes to show that these bounds are tight. We then analyse a range of approaches to relaxing the model that provide trade-offs between the share size and the level of security guarantees provided by the scheme, in order to permit the construction of schemes with smaller shares. We show how these techniques can be used in the context of an application to key distribution for RFID-based supply-chain management motivated by the proposal of Juels, Pappu and Parno from USENIX 2008.

Sikhar Patranabis, Yash Shrivastava, Debdeep Mukhopadhyay
ePrint Report
The recent advent of cloud computing and the IoT has made it imperative to have efficient and secure cryptographic schemes for online data sharing. Data owners would ideally want to store their data/files online in an encrypted manner, and delegate decryption rights for some of these to users with appropriate credentials. An efficient and recently proposed solution in this regard is to use the concept of aggregation that allows users to decrypt multiple classes of data using a single key of constant size. In this paper, we propose a secure and dynamic key aggregate encryption scheme for online data sharing that operates on elliptic curve subgroups while allowing dynamic revocation of user access rights. We augment this basic construction to a generalized two-level hierarchical structure that achieves optimal space and time complexities, and also efficiently accommodates extension of data classes. Finally, we propose an extension to the generalized scheme that allows use of efficiently computable bilinear pairings for encryption and decryption operations. Each scheme is formally proven to be semantically secure. Practical experiments have been conducted to validate all claims made in the paper.

Cong Chen, Thomas Eisenbarth, Ingo von Maurich, Rainer Steinwandt
ePrint Report
Instantiations of the McEliece cryptosystem which are considered computationally secure even in a post-quantum era still require hardening against side channel attacks for practical applications. Recently, the first differential power analysis attack on a McEliece cryptosystem successfully recovered the full secret key of a state-of-the-art FPGA implementation of QC-MDPC McEliece. In this work we show how to apply masking countermeasures to the scheme and present the first masked FPGA implementation that includes these countermeasures. We validate the side channel resistance of our design by practical DPA attacks and statistical tests for leakage detection.

Poulami Das, Debapriya Basu Roy, Debdeep Mukhopadhyay
ePrint Report
Horizontal collision correlation analysis (HCCA) poses a serious threat to simple power analysis resistant elliptic curve cryptosystems involving unified algorithms, e.g. the Edwards curve unified formula. This attack can be mounted even in the presence of differential power analysis resistant randomization schemes. In this paper we have designed an effective countermeasure for HCCA protection, where the dependency of the side-channel leakage of a schoolbook multiplication on the underlying multiplier operands is investigated. We have shown how changing the sequence in which the operands are passed to the multiplication algorithm introduces dissimilarity in the information leakage. This disparity has been utilized in constructing a zero-cost countermeasure against HCCA. This countermeasure, integrated with an effective randomization method, has been shown to successfully thwart HCCA. Additionally, we provide experimental validation of our proposed countermeasure technique on a SASEBO platform. To the best of our knowledge, this is the first time that asymmetry in information leakage has been utilized in designing a side channel countermeasure.


21 September 2015

Announcement

Hello IACR members,

We hope this news update finds you well. There are several items of news to report from the world of IACR:

  1. IACR Museum of Historic Papers in Cryptology
  2. Nominations for 2015 Election
  3. Streamlined Access to IACR Publications
  4. ia.cr URL Shortener
  5. Membership Meetings & Upcoming Events

IACR Museum of Historic Papers in Cryptology

We are pleased to announce a new Museum of Historic Papers in Cryptology. In the past century, the intertwining of cryptology with national security has made it difficult to get access to some original source material from the beginnings of modern cryptology. Beyond that, the fragility of paper and human memory have further obscured the picture. The IACR's Museum of Cryptology will try to fill in some of the gaps by being a repository for older research papers that have not been otherwise published for the public.

The first paper in the museum is Claude Shannon's 1945 report, A Mathematical Theory of Cryptography. It has been re-typeset in LaTeX by IACR fellow Whitfield Diffie, and is available in the museum with permission from Alcatel. We are in the process of adding several more papers in the following months, and welcome further suggestions.

The museum is available at iacr.org/museum/.

Nominations for 2015 Election

The 2015 IACR election is being held to fill 3 of 9 elected IACR Director positions. Nominations for the election are due very soon, September 24! Information about the open positions and the nomination process is available at iacr.org/elections/2015/.

Streamlined Access to IACR Publications

We remind all IACR members that they can access Journal of Cryptology and conference/workshop proceedings volumes for free, as part of the IACR agreement with Springer. In addition, the "IACR version" of many proceedings volumes older than two years are available for free to the general public.

We have created a new centralized portal to access all of these IACR publications. Check it out at iacr.org/publications/access.php. If you use old bookmarks to access the IACR publications, they should automatically redirect to this new portal.

ia.cr URL Shortener

We have recently acquired the ia.cr domain name and are now using it to offer short URLs for all ePrint reports. You will now see a "Short URL" listed among the information for each ePrint report, for example: ia.cr/2005/187. We expect that the time saved from this 41% decrease in characters will significantly advance the state of the art of cryptology in the upcoming years.

Membership Meetings & Upcoming Events

The President's slides from the CRYPTO 2015 membership meeting and the minutes from the Eurocrypt 2015 membership meeting are available at www.iacr.org/docs/minutes/. Highlights from the CRYPTO membership meeting include the announcement of several new events:

  • CHES 2016 will take place 16-19 Aug in UCSB.
  • Eurocrypt 2017 will take place 15-18 May in Paris.
The following IACR workshop has also very recently been approved by the IACR board:
  • TCC 2016-B will take place 1-3 Nov in Beijing.
Because TCC is moving in the calendar, there will be two TCC events in 2016. TCC 2016-A will take place in Tel Aviv in January. For a list of all IACR events, see www.iacr.org/events/.

Thanks for reading! We hope to see you at an IACR event soon,
Mike Rosulek (IACR communications secretary)


20 September 2015

Chalmers University of Technology, Sweden
Job Posting
We are looking for an excellent, motivated, self-driven doctoral student to work in the area of information security and cryptography. The position is for five years at the Department of Computer Science and Engineering. The PhD student will join Katerina Mitrokotsa’s group and will be funded by a project funded by the Swedish research council focusing on security and privacy issues in resource constrained devices.

The PhD student is expected to have a MSc degree or equivalent, and strong background in mathematics and/or theoretical computer science, with some background in cryptography. Successful candidates will help to design and evaluate cryptographically reliable and privacy-preserving authentication protocols.

The position is fully funded for five years. The call for expressions of interest will remain open until a suitable candidate is appointed. To Apply and for more information: http://www.chalmers.se/en/about-chalmers/vacancies/?rmpage=job&rmjob=3333

Crypto.Sec Group - National and Kapodistrian University of Athens, Greece
Job Posting
The crypto.sec group at the National and Kapodistrian U. of Athens seeks a postdoctoral researcher in computer science. The position will be supporting a EU H2020 project on mix-nets (PANORAMIX) for applications like electronic voting, secure messaging, and statistics gathering. The postdoctoral researcher should have a strong track record in cryptography.

Successful candidates will help to design and evaluate cryptographically secure mix-nets and perform other research duties to help with the project, coordinate and advise partners on implementing research prototypes (the candidate may or may not participate in implementing), and ensure the smooth administration of the project including the timely delivery of research output.

The EU H2020 project PANORAMIX supports travel to and collaboration with colleagues throughout the European Union. Full travel and equipment budget is available to support the activities of the project.

For any inquiries or to apply for the position, submit a full research curriculum-vitae (cv), names of two references, and a research statement to Prof Aggelos Kiayias (firstname (at) di.uoa.gr).

The call for expressions of interest will remain open until a suitable candidate is appointed. The position is available immediately.

University College London
Job Posting
We have an opening at University College London for a postdoctoral researcher in the area of efficient zero-knowledge proofs. The post is under the supervision of Prof. Jens Groth with a flexible starting date and an initial duration until September 2017. Candidates must have or be about to complete a PhD with a strong publication record in cryptography.

University College London is one of Europe's highest ranked universities and the Department of Computer Science is ranked as the best in the UK and recognized by the EPSRC and GCHQ as an Academic Centre of Excellence in Cyber Security Research. We are located at UCL's main campus in the centre of London.


17 September 2015

Kexin Qiao, Lei Hu, Siwei Sun
ePrint Report
The Simeck family of lightweight block ciphers was proposed at CHES 2015 and combines the good design components from the NSA-designed ciphers SIMON and SPECK. Dynamic key-guessing techniques were proposed by Wang et al. to greatly reduce the key space guessed in differential cryptanalysis and work well on SIMON. In this paper, we implement the dynamic key-guessing techniques in a program to automatically give out the data in the dynamic key-guessing procedure and thus simplify the security evaluation of SIMON- and Simeck-like block ciphers regarding differential attacks. We use the differentials from Kölbl et al.'s work and also a differential with lower Hamming weight that we find using the Mixed Integer Linear Programming method to attack Simeck and improve the previously best results on all versions of Simeck by 2 rounds.
