International Association
for Cryptologic Research

OCB3 is the current version of the OCB authenticated encryption mode which is selected for the third round in CAESAR. So far the integrity analysis has limited to an adversary making a single forging attempt. A simple extension for the best known bound establishes integrity security as long as the total number of query blocks (including encryptions and forging attempts) does not exceed the birthday-bound.

In this paper we show an improved bound for integrity of OCB3 in terms of the number of blocks in the forging attempt. In particular we show that when the number of encryption query blocks is not more than birthdaybound (an assumption without which the privacy guarantee of OCB3 disappears), even an adversary making forging attempts with the number of blocks in the order of 2n=L_MAX (n being the block-size and L_MAX being the length of the longest block) may fail to break the integrity of OCB3.

We address the practicality challenges of secure program obfuscation by developing, implementing and experimentally assessing an approach to securely obfuscate conjunction programs in software. Conjunction programs evaluate functions $f\left(x_1,\ldots,x_L\right) = \bigwedge_{i \in I} y_i$, where $y_i$ is either $x_i$ or $\lnot x_i$ and $I \subseteq \left[L\right]$, and can be used as classifiers. Our obfuscation approach satisfies distributional Virtual Black Box (VBB) security based on reasonable hardness assumptions, namely an entropic variant of the Ring Learning with Errors (Ring-LWE) assumption. Prior implementations of secure program obfuscation techniques support either trivial programs like point functions, or support the obfuscation of more general but less efficient branching programs to satisfy Indistinguishability Obfuscation (IO), a weaker security model. Further, the more general implemented techniques, rather than relying on standard assumptions, base their security on conjectures that have been shown to be theoretically vulnerable.

Our work is the first implementation of non-trivial program obfuscation based on polynomial rings. Our contributions include multiple design and implementation advances resulting in reduced program size, obfuscation runtime, and evaluation runtime by many orders of magnitude. We implement our design in software and experimentally assess performance in a commercially available multi-core computing environment. Our implementation achieves runtimes of 6.7 hours to securely obfuscate a 64-bit conjunction program and 2.5 seconds to evaluate this program over an arbitrary input. We are also able to obfuscate a 32-bit conjunction program with 48 bits of security in 7 minutes and evaluate the obfuscated program in 43 milliseconds on a commodity desktop computer, which implies that 32-bit conjunction obfuscation is already practical. Our graph-induced (directed) encoding implementation runs up to 25 levels, which is higher than previously reported in the literature for this encoding. Our design and implementation advances are applicable to obfuscating more general compute-and-compare programs and can also be used for many cryptographic schemes based on lattice trapdoors.

This paper contributes to understanding the interplay of security notions for PKE, KEMs, and DEMs, in settings with multiple users, challenges, and instances. We start analytically by first studying (a) the tightness aspects of the standard hybrid KEM+DEM encryption paradigm, (b) the inherent weak security properties of all deterministic DEMs due to generic key-collision attacks in the multi-instance setting, and (c) the negative effect of deterministic DEMs on the security of hybrid encryption.

We then switch to the constructive side by (d) introducing the concept of an augmented data encapsulation mechanism (ADEM) that promises robustness against multi-instance attacks, (e) proposing a variant of hybrid encryption that uses an ADEM instead of a DEM to alleviate the problems of the standard KEM+DEM composition, and (f) constructing practical ADEMs that are secure in the multi-instance setting.

Random number generation is critical to many security protocols, a basic building block on which it rests the robustness of many security solutions. Quantum physics, on the other hand, offers a very attractive approach to True Random Number Generation, based on the inherent randomness of some physical phenomena. Naturally, there are a number of quantum random number generators in the market. In this work, we present the first analysis of a popular commercial family called Quantis, designed and manufactured by ID Quantique. We subject their output to three batteries of statistical tests, for evaluating its performance. Dieharder and NIST STS 2.1.2 are included in many certification schemes, whilst ENT provides a free, simple and powerful means of expanding on the previous tests. The Quantis devices under examination have achieved METAS and other independent certifications and indeed the results over the Dieharder and NIST batteries confirm that the certifications awarded are based on an acceptable performance on both sets of tests. However, ENT finds strong evidence of significant biases in the Quantis devices. These biases are analyzed to identify their traits and attempt to isolate their root cause. We end with a discussion on the need to expand testing strategies to incorporate lesser-known tests that regularly detect problems that the commonly accepted batteries do not.

We present a length doubler, LDT, that turns an n-bit tweakable block cipher into an efficient and secure cipher that can encrypt any bit string of length [n..2n-1]. The LDT mode is simple, uses only two cryptographic primitive calls (while prior work needs at least four), and is a strong length-preserving pseudorandom permutation if the underlying tweakable block ciphers are strong tweakable pseudorandom permutations. We demonstrate that LDT can be used to neatly turn an authenticated encryption scheme for integral data into a mode for arbitrary-length data.

This paper considers efficient scalar multiplication of elliptic curves over binary fields with a twofold purpose. Firstly, we derive the most efficient $3P$ formula in $\lambda$-projective coordinates and $5P$ formula in both affine and $\lambda$-projective coordinates. Secondly, extensive experiments have been conducted to test various multi-base scalar multiplication methods (e.g., greedy, ternary/binary, multi-base NAF, and tree-based) by integrating our fast formulas. The experiments show that our $3P$ and $5P$ formulas had an important role in speeding up the greedy, the ternary/binary, the multi-base NAF, and the tree-based methods over the NAF method. We also establish an efficient $3P$ formula for Koblitz curves and use it to construct an improved set for the optimal pre-computation of window TNAF.

We try to propose two fully homomorphic encryption (FHE) schemes, one for symmetric (aka. secret-key) settings and another under asymmetric (aka. public-key) scenario. The presented schemes are noiseless in the sense that there is no ``noise" factor contained in the ciphertexts. Or equivalently, before performing fully homomorphic computations, our schemes do not incorporate any noise-control process (such as bootstrapping, modulus switching, etc) to refresh the ciphertexts, since our fully homomorphic operations do not induce any noise. {Instead of decrypting approximately, our proposal works in an exact homomorphic manner,} no matter the inputs are the first-hand ciphertexts that come from the encryptions of plaintexts, or the second-hand ciphertexts that come from homomorphic combinations of other ciphertexts. Therefore in essential, our schemes have no limitation on the depth of the fully homomorphic operations over the ciphertexts.

Our solution is comprised of three steps. First, Ostrovsky and Skeith's idea for building FHE from a multiplicative homomorphic encryption (MHE) over a non-abelian simple group is extended so that FHE can be built from an MHE over a group ring that takes an underlying non-abelian simple group as the natural embedding. Second, non-trivial zero factors of the underlying ring are plugged into the encoding process for entirely removing the noise after fully homomorphic operations, and a slight but significant modification towards Ostrovsky-Skeith's NAND gate representation is also introduced for avoiding computing inverse matrices of the underlying group ring. In such manner, a symmetric FHE scheme is produced. Finally, based on the proposed symmetric FHE scheme, an asymmetric FHE scheme is built by taking a similar diagram to the well-known GM84 scheme. But different from GM84 that only supports ciphertext homomorphism according to the logically incomplete gate XOR, our scheme supports ciphertext homomorphism according to the logically complete gate NAND.

Submissions to Eurocrypt 2018 are now open, see https://eurocrypt.iacr.org/2018/papersubmission.html for information. The submission deadline is September 19. Eurocrypt 2018 will be held April 29 - May 3 in Tel Aviv, Israel.

The AST Security team, an R&D group focusing on supporting ST product divisions for security-related solutions, is looking for a cryptographic software engineer for a position based in the Milan area of Italy.

Your mission will be to:

• Deploy security expertise and help ST product divisions shape the right security solutions for their products (ICs).

• Develop cryptographic and security software IPs.
• Stay on top of security needs and state-of-the-art evolution, anticipating/identifying solutions and partners, developing or making available the security competences and IPs that will be needed by the Company in a 3-5 years time frame.

The candidate should have:

• Software development skills (in particular C). Experience on embedded devices (i.e. microcontrollers) is particularly appreciated
• A theoretical background in cryptography (symmetric and asymmetric) and side-channel attacks
• Teamwork, networking, customer-orientation & communication skills
• Motivation for bridging research outcomes and product design

Closing date for applications: 30 November 2017

Contact: Ruggero Susella - ruggero.susella (at) st.com

At the Quantum Cryptography Group, University of Tartu, we are looking for phd students on Verification of Quantum Cryptography. Full funding is available.

We are starting a project in which we will develop methods for the verification of proofs in quantum cryptography. Similar to what the EasyCrypt tool does in classical cryptography. The scope of the project covers everything from the logical foundations, through the development of tools, to the verification of real quantum protocols.

The ideal candidate would have experience in one or more of the following topics:

• Semantics

• Theorem proving

• Verification of classical cryptography

• Quantum cryptography

• Quantum computation / communication

Students who are enthusiastic about those topics, and have some background related to (some) of these, are encouraged to apply.

Please contact Dominique Unruh (unruh (at) ut.ee) if you have more questions about the project, the required background, Estonia, the position itself, or the application process.

PhD students will have to pay no tuition fees and will be funded with 1000 Euro net (after taxes). This is highly competitive in Estonia due to low costs of living. Healthcare is covered.

To apply, please send the following documents to unruh (at) ut.ee:

• Curriculum vitae (please explain your scientific background)

• List of publications

• Research plan (i.e., how do you think you could contribute to the topic)

• At least two letters of reference (please ask for the letters to be sent directly to us)

• Masters degree (if you do not have it yet, provide whatever confirmation you can get)

• Grade transcript

Applications will be accepted until the position is filled.

Closing date for applications:

Contact: Dominique Unruh (unruh (at) ut.ee)

More information: http://crypto.cs.ut.ee/Main/PhdInVerificationOfQuantumCryptography

At the Quantum Cryptography Group, University of Tartu, we have two open postdoc positions on Verification of Quantum Cryptography.

We are starting a project in which we will develop methods for the verification of proofs in quantum cryptography. Similar to what the EasyCrypt tool does in classical cryptography. The scope of the project covers everything from the logical foundations, through the development of tools, to the verification of real quantum protocols.

The ideal candidate would have experience in:

• Semantics

• Theorem proving

• Verification of classical cryptography

• Quantum cryptography

• Quantum computation / communication

Of course, expertise in all those areas is very rare, so candidates who are strong in some of those areas and are interested in the others are encouraged to apply!

Please contact Dominique Unruh (unruh (at) ut.ee) if you have more questions about the project, the required background, Estonia, the position itself, or the application process.

The salary range is 30000-36000 Euro per year (depending on experience), which is highly competitive in Estonia due to low costs of living and low income tax rate (20%), pension contributions and health insurance are covered by the employer.

The position is for three years, as soon as possible till August 31, 2020. The starting date and duration can be negotiated (in both directions).

To apply, please send the following documents to unruh (at) ut.ee:

• Curriculum vitae (please explain your scientific background)

• List of publications

• Research plan (i.e., how do you think you could contribute to the topic)

• At least two letters of reference (please ask for the letters to be sent directly to us)

• Phd degree

Applications will be accepted until the position is filled.

Closing date for applications:

Contact: Dominique Unruh

More information: http://crypto.cs.ut.ee/Main/PostdocInVerificationOfQuantumCryptography

Event date: 17 January to 19 January 2018
Submission deadline: 1 January 2018

Password-based authenticated key exchange (PAKE) enables two users with shared low-entropy passwords to establish cryptographically strong session keys over insecure networks. At Asiacrypt 2009, Katz and Vaikuntanathan showed a generic three-round PAKE based on any CCA-secure PKE with associated approximate smooth projective hashing (ASPH), which helps to obtain the first PAKE from lattices. In this paper, we give a framework for constructing PAKE from CCA-secure PKE with associated ASPH, which uses only two-round messages by carefully exploiting a splittable property of the underlying PKE and its associated non-adaptive ASPH. We also give a splittable PKE with associated non-adaptive ASPH based on the LWE assumption, which finally allows to instantiate our two-round PAKE framework from lattices.

The security of a probabilistic Message Authentication Code (MAC) usually depends on the uniqueness of the random salt which restricts the security to birthday bound of the salt size due to the collision on random salts (e.g XMACR). To overcome the birthday bound limit, the natural approach to use (a) either a larger random salt (e.g $\mathrm{MACRX}_3$ uses $3n$ bits of random salt where $n$ is the input and output size of the underlying non-compressing pseudorandom function or PRF) or (b) a PRF with increased domain size (e.g RWMAC or Randomized WMAC). Enhanced Hash-then-Mask (\textsf{EHtM}), proposed by Minematsu in FSE 2010, is the first probabilistic MAC scheme that provides beyond birthday bound security without increasing the randomness of the salt and the domain size of the non-compressing PRF. The author proved the security of \textsf{EHtM} as long as the number of MAC query is smaller than $2^{2n/3}$ where $n$ is the input size of the underlying non-compressing PRF. In this paper, we provide the exact security bound of \textsf{EHtM} and prove that this construction offers security up to $2^{3n/4}$ MAC queries. The exactness is shown by demonstrating a matching attack.

In this paper, we present a low complexity bit-parallel Montgomery multiplier for $GF(2^m)$ generated with a special class of irreducible pentanomials $x^m+x^{m-1}+x^k+x+1$. Based on a combination of generalized polynomial basis (GPB) squarer and a newly proposed square-based divide and conquer approach, we can partition field multiplications into a composition of sub-polynomial multiplications and Montgomery/GPB squarings, which have simpler architecture and thus can be implemented efficiently. Consequently, the proposed multiplier roughly saves 1/4 logic gates compared with the fastest multipliers, with the time complexity matching previous multipliers using divide and conquer algorithms.

We present a principled technique for reducing the matrix size in some applications of Coppersmith's lattice method for finding roots of modular polynomial equations. It relies on an analysis of the actual performance of Coppersmith's attack for smaller parameter sizes, which can be thought of as ``focus group'' testing. When applied to the small-exponent RSA problem, it reduces lattice dimensions and consequently running times (sometimes by factors of two or more). We also argue that existing metrics (such as enabling condition bounds) are not as important as often thought for measuring the true performance of attacks based on Coppersmith's method. Finally, experiments are given to indicate that certain lattice reductive algorithms (such as Nguyen-Stehl\'e's L2) may be particularly well-suited for Coppersmith's method.

In this work, we study a class of randomized weak pseudorandom functions, which we call weak PRFs with hidden auxiliary input (HIwPRF). Compared to Learning Parity with Noise (LPN) or Learning with Errors (LWE) based randomized weak PRFs, it provides less algebraic structure such that many known techniques and constructions do not translate to this class. We investigate the potential of HIwPRFs for secure message and user authentication. We construct a protocol that gives as strong security guarantees when instantiated with a HIwPRF as known from weak PRF, LPN or LWE based protocols.

We consider the problems of i) using public-key encryption to enforce dynamic access control on clouds; and ii) key rotation of data stored on clouds. Historically, proxy re-encryption, ciphertext delegation, and related technologies have been advocated as tools that allow for revocation and the ability to cryptographically enforce \emph{dynamic} access control on the cloud, and more recently they have suggested for key rotation of data stored on clouds. Current literature frequently assumes that data is encrypted directly with public-key encryption primitives. However, for efficiency reasons systems would need to deploy with hybrid encryption. Unfortunately, we show that if hybrid encryption is used, then schemes are susceptible to a key-scraping attack. Given a proxy re-encryption or delegation primitive, we show how to construct a new hybrid scheme that is resistant to this attack and highly efficient. The scheme only requires the modification of a small fraction of the bits of the original ciphertext. The number of modifications scales linearly with the security parameter and logarithmically with the file length: it does not require the entire symmetric-key ciphertext to be re-encrypted!

Beyond the construction, we introduce new security definitions for the problem at hand, prove our construction secure, discuss use cases, and provide quantitative data showing its practical benefits and efficiency. We show the construction extends to identity-based proxy re-encryption and revocable-storage attribute-based encryption, and thus that the construction is robust, supporting most primitives of interest.

At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES has been presented. Although it allows to distinguish a random permutation from an AES like one, it seems (rather) hard to exploit such a distinguisher in order to implement a key-recovery attack different than brute-force like. In this paper, we propose new secret-key distinguishers for 4 and 5 rounds of AES that exploit properties which are independent of the secret key and of the details of the S-Box. While the 4-round distinguisher exploits in a different way the same property presented at Eurocrypt 2017, the new proposed 5-round one is obtained by combining our new 4-round distinguisher with a modified version of a truncated differential distinguisher. As a result, while a "classical" truncated differential distinguisher exploits the probability that a couple of texts satisfies or not a given differential trail independently of the others couples, our distinguisher works with sets of $2^{17}$ (related) couples of texts. In particular, our new 5-round AES distinguisher exploits the fact that the probability that at least one couple of texts of such a set satisfies a given differential trail is lower for 5-round AES than for a random permutation in order to distinguish the two cases. These probabilities exploited by the distinguishers have been practically verified on a small-scale AES.

Even if such a 5-round distinguisher has higher complexity than the one present in the literature, it allows to set up the first key-recovery attack on 6-round AES that exploits directly a 5-round secret-key distinguisher. The goal of this paper is indeed to present and explore new approaches, showing that even a distinguisher like the one presented at Eurocrypt - believed to be hard to exploit - can be used to set up a key-recovery attack. Finally we show how to exploit the proposed 4-round distinguisher to set up new (practically verified) key-recovery attacks on 5-round AES with a single secret S-Box.

JAMBU is an AEAD mode of operation which entered the third round of CAESAR competition. However, it does not have a security proof like other modes of operation do, and there was a cryptanalysis result that has overthrown the security claim under nonce misuse case by the designers. In this paper, we complement the shortage of the scheme by giving security proofs of JAMBU both under nonce respecting case and nonce misuse case. We prove that JAMBU under nonce respecting case has a slightly lower security than the birthday bound of $n$ bits, and JAMBU under nonce misuse case has a tight security bound of $n/2$ bits.