International Association
for Cryptologic Research

Direct Anonymous Attestation (DAA) is a cryptographic protocol for privacy-protecting authentication. It is standardized in the TPM standard and implemented in millions of chips. A variant of DAA is also used in Intel's SGX. Recently, Camenisch et al. (PKC 2016) demonstrated that existing security models for DAA do not correctly capture all security requirements, and showed a number of flaws in existing schemes based on the LRSW assumption.

In this work, we identify flaws in security proofs of a number of qSDH-based DAA schemes and point out that none of the proposed schemes can be proven secure in the recent model by Camenisch et al. (PKC 2016). We therefore present a new, provably secure DAA scheme that is based on the qSDH assumption. The new scheme is as efficient as the most efficient existing DAA scheme, with support for DAA extensions to signature-based revocation and attributes. We rigorously prove the scheme secure in the model of Camenisch et al., which we modify to support the extensions.

As a side-result of independent interest, we prove that the BBS+ signature scheme is secure in the type-3 pairing setting, allowing for our scheme to be used with the most efficient pairing-friendly curves.

At Crypto'15 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model construction of efficient round-optimal blind signatures that does not require complexity leveraging. It is conceptually simple and builds on the primitive of structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme and hardness of a version of the DH inversion problem. Blindness under adversarially chosen keys is proven under an interactive variant of the DDH assumption.

We propose a variant of their scheme whose blindness can be proven under a non-interactive assumption, namely a variant of the bilinear DDH assumption. We moreover prove its unforgeability assuming only unforgeability of the underlying SPS-EQ but no additional assumptions as needed for the FHS scheme.

We study practical order-revealing encryption (ORE) with a well-defined leakage profile (the information revealed about the plaintexts from their ciphertexts), a direction recently initiated by Chenette, Lewi, Weis, and Wu (CLWW). ORE, which allows public comparison of plaintext order via their ciphertexts, is a useful tool in the design of secure outsourced database systems. We first show a general construction of ORE with reduced leakage as compared to CLWW, by combining ideas from their scheme with a new type of ''property-preserving'' hash function. We then show how to construct such a hash function efficiently based on bilinear maps. Our resulting ORE scheme is fairly practical: for n-bit plaintexts, ciphertexts consists of about 4n group elements, and order comparison requires about n^2 pairings. The leakage is, roughly speaking, the ''equality pattern'' of the most-significant differing bits, whereas CLWW's is the location and values of the most-significant differing bits. We also provide a generalization of our scheme that improves the leakage and/or efficiency.

To analyze the quality of our leakage profile, we show several additional results. In particular, we show that order-\emph{preserving} (OPE) encryption, an important special case of ORE scheme in which ciphertexts are ordered, cannot be secure wrt.our leakage profile. This implies that our ORE scheme is the first one without multilinear maps that is proven secure wrt.a leakage profile unachievable by OPE. We also also show that our generalized scheme meets a ''semantically meaningful'' one-wayness notion that schemes with the leakage of CLWW do not.

We present a new tweakable block cipher family SKINNY , whose goal is to compete with NSA recent design SIMON in terms of hardware/software performances, while proving in addition much stronger security guarantees with regards to differential/linear attacks. In particular, unlike SIMON, we are able to provide strong bounds for all versions, and not only in the single-key model, but also in the related-key or related-tweak model. SKINNY has flexible block/key/tweak sizes and can also benefit from very efficient threshold implementations for side-channel protection. Regarding performances, it outperforms all known ciphers for ASIC round-based implementations, while still reaching an extremely small area for serial implementations and a very good efficiency for software and micro-controllers implementations (SKINNY has the smallest total number of AND/OR/XOR gates used for encryption process).

Secondly, we present MANTIS, a dedicated variant of SKINNY for low-latency implementations, that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption. MANTIS basically reuses well understood, previously studied, known components. Yet, by putting those components together in a new fashion, we obtain a competitive cipher to PRINCE in latency and area, while being enhanced with a tweak input.

Lattice-based cryptography offers some of the most attractive primitives believed to be resistant to quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key exchange protocols based on hard problems in ideal lattices, mainly based on the Ring Learning With Errors (R-LWE) problem. While ideal lattices facilitate major efficiency and storage benefits over their non-ideal counterparts, the additional ring structure that enables these advantages also raises concerns about the assumed difficulty of the underlying problems. Thus, a question of significant interest to cryptographers, and especially to those currently placing bets on primitives that will withstand quantum adversaries, is how much of an advantage the additional ring structure actually gives in practice.

Despite conventional wisdom that generic lattices might be too slow and unwieldy, we demonstrate that LWE-based key exchange is quite practical: our constant time implementation requires around 1.3ms computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7$\times$, but remain under 12 KiB in each direction. Our protocol is competitive when used for serving web pages over TLS; when partnered with ECDSA signatures, latencies increase by less than a factor of 1.6$\times$, and (even under heavy load) server throughput only decreases by factors of 1.5$\times$ and 1.2$\times$ when serving typical 1 KiB and 100 KiB pages, respectively. To achieve these practical results, our protocol takes advantage of several innovations. These include techniques to optimize communication bandwidth, dynamic generation of public parameters (which also offers additional security against backdoors), carefully chosen error distributions, and tight security parameters.

Discussions are currently underway about the choice of a tree hash mode of operation for a standardization. It appears that a single tree mode cannot address the specificities of all possible uses and specifications of a system. In this paper, we review the tree modes which have been proposed, we discuss their problems and propose remedies. We make the reasonnable assumption that communicating systems have different specifications and that software applications are of different types (securing stored content or streamed live content). More particularly, we propose modes of operation that address the memory usage problem. When designing a parallel algorithm, one major question is how to improve the running time (using as many processors as we want) while minimizing the required memory of an implementation using a small number of (maybe only one) processors. Conversely, an interesting question is how to obtain a near-optimal running time while containing the memory consumption.

Private Set Intersection (PSI) and other private set operations have many current and emerging applications. Numerous PSI techniques have been proposed that vary widely in terms of underlying cryptographic primitives, security assumptions as well as complexity. One recent strand of PSI-related research focused on an additional privacy property of hiding participants’ input sizes. Despite some interesting results, only one (comparatively) practical size-hiding PSI (SH-PSI) has been demonstrated thus far [1]. One legitimate general criticism of size-hiding private set intersection is that the party that hides its input size can attempt to enumerate the entire (and possibly limited) domain of set elements, thus learning the other party’s entire input set. Although this “attack” goes beyond the honest-but-curious model, it motivates investigation of techniques that simultaneously hide and limit a participant’s input size. To this end, this paper explores the design of bounded size-hiding PSI techniques that allow one party to hide the size of its input while allowing the other party to limit that size. Its main contribution is a reasonably efficient (quasi-quadratic in input size) bSH-PSI protocol based on bounded keyed accumulators. This paper also studies the relationships between several flavors of the “Strong Diffie-Hellman” (SDH) problem.

At Eurocrypt 2011, Lindell presented practical static and adaptively UC-secure commitment schemes based on the DDH assumption. Later, Blazy {\etal} (at ACNS 2013) improved the efficiency of the Lindell's commitment schemes. In this paper, we present static and adaptively UC-secure commitment schemes based on the same assumption and further improve the communication and computational complexity, as well as the size of the common reference string.

We introduce a {\em tag based encoding}, a new generic framework for modular design of Predicate Encryption (PE) schemes in prime order groups. Our framework is equipped with a compiler which is adaptively secure in prime order groups under the standard Decisional Linear Assumption (DLIN). Compared with prior encoding frameworks in prime order groups which require multiple group elements to interpret a tuple of an encoding in a real scheme, our framework has a distinctive feature which is that each element of an encoding can be represented with only a group element and an integer. This difference allows us to construct a more efficient encryption scheme. In the current literature, the most efficient compiler was proposed by Chen, Gay and Wee (CGW) in Eurocrypt'15. It features one tuple of an encoding into two group elements under the Symmetric External Diffie-Hellman assumption (SXDH). Compared with their compiler, our encoding construction saves the size of either private keys or ciphertexts up-to 25 percent and reduces decryption time and the size of public key up-to 50 percent in 128 security level. Several new schemes such as inner product encryption with short keys, dual spatial encryption with short keys and hierarchical identity based encryption with short ciphertexts are also introduced as instances of our encoding.

We construct a functional encryption scheme for circuits which achieves a notion of security that interpolates predicate and functional encryption. Our scheme is secure based on the subexponential learning with errors (LWE) assumption. Our construction simultaneously achieves and improves upon the security of the current best known, and incomparable, constructions from standard assumptions, namely the predicate encryption scheme of Gorbunov, Vaikuntanathan and Wee (CRYPTO 2015) and the reusable garbled circuits scheme of Goldwasser, Kalai, Popa, Vaikuntanathan and Zeldovich (STOC 2013). Our contributions may be summarized as follows:

1. We show that existing LWE based predicate encryption schemes [AFV11, GVW15] are completely insecure against a general functional encryption adversary (i.e. in the “strong attribute hiding” game). We demonstrate three different attacks, the strongest of which is applicable even to the inner product predicate encryption scheme [AFV11]. Our attacks are practical and allow the attacker to completely recover a from its encryption Enc(a) within a polynomial number of queries. This illustrates that the barrier between predicate and functional encryption is not just a limitation of proof techniques.

2. We provide a new construction that unifies and extends the constructions of Gorbunov et al. [GVW15] and Goldwasser et al. [GTKP+13]. Our construction supports a single “decryption query” as in [GTKP+13] in addition to an unbounded number of “non-decryption queries” as in [GVW15]. In particular, our construction yields an alternate candidate for reusable garbled circuits.

3. We upgrade the security of our construction, as well as [AFV11, GVW15], from selective to semi-adaptive, where the adversary may output the challenge after seeing the public parameters in the security game. Our transformation is generic, and applies to several LWE based selectively secure FE schemes.

4. We generalise the above scheme to support q decryption queries, for any polynomial q which is a-priori fixed. The ciphertext size grows as O(q^2), improving upon the q-query version of [GTKP+13, GVW12] in which the ciphertext size grows as O(q^4). Our ciphertext is succinct in that its size does not depend on the size of the circuit.

Gentry’s bootstrapping technique is the most famous method of obtaining fully homomorphic encryption. In previous work I proposed a fully homomorphic encryption without bootstrapping which has the weak point in the plaintext. I also proposed fully homomorphic encryptions with composite number modulus which avoid the weak point by adopting the plaintext including the random numbers in it. In this paper I propose another fully homomorphic encryption with zero norm cipher text where zero norm medium text is generated and enciphered by using composite number modulus. In the proposed scheme it is proved that if there exists the PPT algorithm that generates the cipher text of the plaintext -p from the cipher text of any plaintext p, there exists the PPT algorithm that factors the given composite number modulus. That is, we include the random parameter in the plaintext so that if the random parameter and the plaintext are separated, then the composite number to be the modulus is factored. Since the scheme is based on computational difficulty to solve the multivariate algebraic equations of high degree while the almost all multivariate cryptosystems proposed until now are based on the quadratic equations avoiding the explosion of the coefficients. Because proposed fully homomorphic encryption scheme is based on multivariate algebraic equations with high degree or too many variables, it is against the Gröbner basis attack, the differential attack, rank attack and so on.

The Cybersecurity Research Center at the New Jersey Institute of Technology (NJIT) invites applications for a Postdoctoral Research Associate position and a Research Professor position in the areas of Lattice Encryption Implementation, Encrypted Program Obfuscation and Application.

Successful applicants are expected to pursue research towards developing open-source implementations of lattice encryption. Strong software engineering skills and C++11 expertise are required. Demonstrated success writing high quality software is essential. Experience with lattice encryption is required. Experience with industry-standard software engineering methods, including unit testing is very helpful. Experience with hardware design, noise sampling, secure communication systems and related technologies are helpful but not required. The candidates are expected to have excellent verbal and written skills in English

We expect the position to be available immediately for one year and to be renewable, based on mutual interest and availability of funding. Interested applicants should submit their CV and the names of at least three references by applying as soon as possible at:

njit.jobs/applicants/Central?quickFind=54616

njit.jobs/applicants/Central?quickFind=55268

Applications will be reviewed on a rolling basis until the positions are filled.

The Department of Computer Science at NJIT includes 27 tenured/tenure track professors and is rapidly expanding, supported by the university`s `2020 Vision` strategic plan. Sources of research funding include DARPA, IARPA, NSA, NSF, NIH, DHS, DOE, ARL, and ONR to name a few. Located in Northern New Jersey, within the greater New York Metropolitan area, NJIT is part of a vibrant ecosystem of research universities and corporate research centers.

Closing date for applications: 1 September 2016

Contact: Kurt Rohloff

Director, Cybersecurity Research Center

rohloff (at) njit.edu

More information: http://centers.njit.edu/cybersecurity/

The deadline for proposing an IACR Cryptology School is June 30. There are two deadlines annually, and this is the last chance to apply for IACR Schools taking place on or before April 2017. Information about proposing an IACR School can be found at http://iacr.org/schools/propose.php

The IACR sponsors a small number of Cryptology Schools providing intensive training on clearly identified topics in cryptology. The aim is to develop awareness and increased capacity for research in cryptology. A list of past and upcoming schools can be found at http://iacr.org/schools

The algorithm presented in this paper computes a maximum probability differential characteristic in a Substitution-Permutation Network (or SPN). Such characteristics can be used to prove that a cipher is practically secure against differential cryptanalysis or on the contrary to build the most effective possible attack. Running in just a few second on 64 or 128-bit SPN, our algorithm is an important tool for both cryptanalists and designers of SPN.

In this work, we analyze the resistance of \textsc{Simon}-like ciphers against differential attacks without using computer-aided methods. In this context, we first define the notion of a \textsc{Simon}-like cipher as a generalization of the \textsc{Simon} design. For certain instances, we present a method for proving the resistance against differential attacks by upper bounding the probability of a differential characteristic by $2^{-2T+2}$ where $T$ denotes the number of rounds. Interestingly, if $2n$ denotes the block length, our result is sufficient in order to bound the probability by $2^{-2n}$ for all full-round variants of \textsc{Simon} and \textsc{Simeck}. Thus, it guarantees security in a sense that, even having encryptions of the full codebook, one cannot expect a differential characteristic to hold. The important difference between previous works is that our proof can be verified by hand and thus contributes towards a better understanding of the design. However, it is to mention that we do not analyze the probability of multi-round differentials.

Although there are much better bounds known, especially for a high number of rounds, they are based on experimental search like using SAT/SMT solvers. While those results have already shown that \textsc{Simon} can be considered resistant against differential cryptanalysis, our argument gives more insights into the design itself. As far as we know, this work presents the first non-experimental security argument for full-round versions of several \textsc{Simon}-like instances.

We consider a new adversarial goal in multiparty protocols, where the adversary may corrupt some parties. The goal is to manipulate the view of some honest party in a way, that this honest party learns the private data of some other honest party. The adversary itself might not learn this data at all. This goal, and such attacks are significant because they create a liability to the first honest party to clean its systems from second honest party's data; a task that may be highly non-trivial.

Protecting against this goal essentially means achieving security against several non-cooperating adversaries, where all but one adversary are passive and corrupt only a single party. We formalize the adversarial goal by proposing an alternative notion of universal composability. We show how existing, conventionally secure multiparty protocols can be transformed to make them secure against the novel adversarial goal.

Recently, Radio Frequency Identification (RFID) and Near Field Communication (NFC) systems are found in various user-friendly services that all of us deal with in our daily lives. As these systems are ubiquitously deployed in different authenti-cation and identification applications, inferring information about our behavior will be possible by monitoring our use of them. In order to provide privacy and security requirements of RFID users in novel authentication applications, lots of security schemes have been proposed which have tried to provide secure and untraceable communication for end-users. In this paper, we investi-gate the privacy of three RFID security schemes which have been proposed recently. For privacy analysis, we use the well-known RFID formal privacy model proposed by Ouafi and Phan. We show that all the studied protocols have some privacy drawbacks, making them vulnerable to various traceability attacks. Moreover, in order to overcome all the reported weaknesses and prevent the presented attacks, we apply some modifications in the structures of the studied protocols and propose an improved version of each one. Our analyses show that the modified protocols are more efficient than their previous versions and new modifications can omit all the existing weaknesses on the analyzed protocols. Finally, we compare the modified protocols with some new-found RFID authentication protocols in the terms of security and privacy.

Side-channel analysis and fault-injection attacks are known as major threats to any cryptographic implementation. Hardening cryptographic implementations with appropriate countermeasures is thus essential before they are deployed in the wild. However, countermeasures for both threats are of completely different nature: Side-channel analysis is mitigated by techniques that hide or mask key-dependent information while resistance against fault-injection attacks can be achieved by redundancy in the computation for immediate error detection. Since already the integration of any single countermeasure in cryptographic hardware comes with significant costs in terms of performance and area, a combination of multiple countermeasures is expensive and often associated with undesired side effects.

In this work, we introduce a countermeasure for cryptographic hardware implementations that combines the concept of a provably-secure masking scheme (i.e., threshold implementation) with an error detecting approach against fault injection. As a case study, we apply our generic construction to the lightweight LED cipher. Our LED instance achieves first-order resistance against side-channel attacks combined with a fault detection capability that is superior to that of simple duplication for most error distributions at an increased area demand of 12%.

Block ciphers are arguably the most important cryptographic primitive in practice. While their security against mathematical attacks is rather well understood, physical threats such as side-channel analysis (SCA) still pose a major challenge for their security. An effective countermeasure to thwart SCA is using a cipher representation that applies the threshold implementation (TI) concept. However, there are hardly any results available on how this concept can be adopted for block ciphers with large (i.e., 8-bit) Sboxes. In this work we provide a systematic analysis on and search for 8-bit Sbox constructions that can intrinsically feature the TI concept, while still providing high resistance against cryptanalysis. Our study includes investigations on Sboxes constructed from smaller ones using Feistel, SPN, or MISTY network structures. As a result, we present a set of new Sboxes that not only provide strong cryptographic criteria, but are also optimized for TI. We believe that our results will found an inspiring basis for further research on high-security block ciphers that intrinsically feature protection against physical attacks.

A party running a computation remotely may benefit from misreporting its output, say, to lower its tax. Cryptographic protocols that detect and prevent such falsities hold the promise to enhance the security of decentralized systems with stringent computational integrity requirements, like Bitcoin [Nak09]. To gain public trust it is imperative to use publicly verifiable protocols that have no “backdoors” and which can be set up using only a short public random string. Probabilistically Checkable Proof (PCP) systems [BFL90, BFLS91, AS98, ALM + 98] can be used to construct astonishingly efficient protocols [Kil92, Mic00] of this nature but some of the main components of such systems — proof composition [AS98] and low-degree testing via PCPs of Proximity (PCPPs) [BGH + 05, DR06] — have been considered efficient only asymptotically, for unrealistically large computations; recent cryptographic alternatives [PGHR13, BCG + 13a] suffer from a non-public setup phase.

This work introduces SCI, the first implementation of a scalable PCP system (that uses both PCPPs and proof composition). We used SCI to prove correctness of executions of up to $2^{20}$ cycles of a simple processor (Figure 1) and calculated (Figure 2) its break-even point [SVP + 12, SMBW12]. The significance of our findings is two-fold: (i) it marks the transition of core PCP techniques (like proof composition and PCPs of Proximity) from mathematical theory to practical system engineering, and (ii) the thresholds obtained are nearly achievable and hence show that PCP-supported computational integrity is closer to reality than previously assumed.