*03:17* [Pub][ePrint]
The Special Number Field Sieve in $\mathbb{F}_{p^{n}}$, Application to Pairing-Friendly Constructions, by Antoine Joux and Cécile Pierrot
In this paper, we study the discrete logarithm problem in finite fields related to pairing-based curves. We start with a precise analysis of the state-of-the-art algorithms for computing discrete logarithms that are suitable for finite fields related to pairing-friendly constructions. To improve upon these algorithms, we extend the Special Number Field Sieve to compute discrete logarithms in $\mathbb{F}_{p^{n}}$, where $p$ has an adequate sparse representation. Our improved algorithm works for the whole range of applicability of the Number Field Sieve.

*03:17* [Pub][ePrint]
Cryptanalysis of GOST R Hash Function, by Zongyue Wang, Hongbo Yu, Xiaoyun Wang
GOST R is the hash function standard of Russia. This paper presents some cryptanalytic results on GOST R. Using the rebound attack technique, we achieve collision attacks on the reduced-round compression function. A result on up to 9.5 rounds is proposed; the time complexity is $2^{176}$ and the memory requirement is $2^{128}$ bytes. Based on the 9.5-round collision result, a limited-birthday distinguisher is presented. Moreover, a method to construct $k$ collisions on the 512-bit version of GOST R is given, which shows the weakness of the structure used in GOST R. To the best of our knowledge, these are the first results on GOST R.

*03:17* [Pub][ePrint]
On Algebraic Immunity of $\mathrm{Tr}(x^{-1})$ over $\mathbb{F}_{2^n}$, by Xiutao Feng
The trace inverse function $\mathrm{Tr}(x^{-1})$ over the finite field $\mathbb{F}_{2^n}$ is a class of very important Boolean functions in stream ciphers, which possesses many good properties, including high algebraic degree, high nonlinearity, ideal autocorrelation, etc. In this work we discuss properties of $\mathrm{Tr}(x^{-1})$ in resistance to (fast) algebraic attacks. As a result, we prove that the algebraic immunity of $\mathrm{Tr}(x^{-1})$ arrives at the upper bound given by Y. Nawaz et al. when $n \ge 4$, that is, $\mathrm{AI}(\mathrm{Tr}(x^{-1})) = \lceil 2\sqrt{n} \rceil - 2$, which shows that D.K. Dalai's conjecture on the algebraic immunity of $\mathrm{Tr}(x^{-1})$ is correct for almost all positive integers $n$. What is more, we further demonstrate some weak properties of $\mathrm{Tr}(x^{-1})$ in resistance to fast algebraic attacks.
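The value $\lceil 2\sqrt{n} \rceil - 2$ in the abstract can be checked directly for small $n$. The following is an added example, not code from the paper: it builds $\mathbb{F}_{2^n}$ in a polynomial basis (the irreducible polynomials in the table are my choice; trace and inversion only change by a linear change of basis, which leaves algebraic immunity unchanged), tabulates $f(x) = \mathrm{Tr}(x^{-1})$ with the usual convention $0^{-1} = 0$, and computes $\mathrm{AI}(f)$ as the least degree $d$ for which the monomials of degree at most $d$, evaluated on the support of $f$ or of $f+1$, are linearly dependent over $\mathbb{F}_2$ (such a dependency is exactly a nonzero annihilator).

```python
import math
from itertools import combinations

# Irreducible polynomials over GF(2) defining GF(2^n) (bit i = coefficient
# of x^i). Chosen here for illustration; any irreducible polynomial gives a
# function with the same algebraic immunity.
IRREDUCIBLE = {
    2: 0b111, 3: 0b1011, 4: 0b10011, 5: 0b100101, 6: 0b1000011,
    7: 0b10000011, 8: 0b100011011, 9: 0b1000010001, 10: 0b10000001001,
}

def gf_mul(a, b, n):
    """Multiply two elements of GF(2^n) given in polynomial basis."""
    poly = IRREDUCIBLE[n]
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # reduce modulo the defining polynomial
            a ^= poly
    return r

def gf_pow(a, e, n):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r

def gf_inv(a, n):
    """x^{-1} = x^{2^n - 2}; this maps 0 to 0, the standard convention."""
    return gf_pow(a, (1 << n) - 2, n)

def trace(a, n):
    """Absolute trace Tr(a) = a + a^2 + ... + a^{2^{n-1}}, which is 0 or 1."""
    t, s = 0, a
    for _ in range(n):
        t ^= s
        s = gf_mul(s, s, n)
    return t

def truth_table(n):
    """f(x) = Tr(x^{-1}) indexed by the integer encoding of x in GF(2^n)."""
    return [trace(gf_inv(x, n), n) for x in range(1 << n)]

def gf2_rank(rows):
    """Rank over GF(2) of bit-packed integer rows (Gaussian elimination)."""
    basis = {}  # leading-bit position -> reduced row with that leading bit
    for row in rows:
        while row:
            p = row.bit_length() - 1
            if p in basis:
                row ^= basis[p]
            else:
                basis[p] = row
                break
    return len(basis)

def has_annihilator(support, n, d):
    """True iff some nonzero g of degree <= d vanishes on every point of support.
    Columns are monomials of degree <= d, rows their values on the support; a
    nontrivial kernel (rank < number of monomials) is exactly such a g."""
    monomials = [sum(1 << i for i in s)
                 for k in range(d + 1) for s in combinations(range(n), k)]
    rows = []
    for x in support:
        row = 0
        for j, m in enumerate(monomials):
            if x & m == m:        # prod_{i in m} x_i = 1 iff all those bits of x are 1
                row |= 1 << j
        rows.append(row)
    return gf2_rank(rows) < len(monomials)

def algebraic_immunity(tt, n):
    """AI(f): least degree of a nonzero annihilator of f or of f+1."""
    supp_f = [x for x, v in enumerate(tt) if v == 1]
    supp_fc = [x for x, v in enumerate(tt) if v == 0]
    for d in range(n + 1):
        if has_annihilator(supp_f, n, d) or has_annihilator(supp_fc, n, d):
            return d
    return n

def dalai_bound(n):
    """The value ceil(2 sqrt(n)) - 2 stated in the abstract."""
    return math.ceil(2 * math.sqrt(n)) - 2

def ai_of_trace_inverse(n):
    return algebraic_immunity(truth_table(n), n)

if __name__ == "__main__":
    for n in range(4, 10):
        print(f"n={n}: AI(Tr(x^-1)) = {ai_of_trace_inverse(n)}, "
              f"ceil(2*sqrt(n))-2 = {dalai_bound(n)}")
```

For $n = 5, 6, 7, 8$ the bound coincides with the generic maximum $\lceil n/2 \rceil$; $n = 9$ is the first case where it is strictly smaller (4 rather than 5), which is what makes the inverse function "almost" but not exactly optimal against algebraic attacks. The brute-force search is only practical for small $n$ since it evaluates all $2^n$ points.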

*03:17* [Pub][ePrint]
Generic related-key and induced chosen IV attacks using the method of key differentiation, by Enes Pasalic and Yongzhuang Wei
Related-key and chosen IV attacks are well known cryptanalytic tools in cryptanalysis of stream ciphers. Though the related-key model is considered to be a much more unrealistic scenario than the chosen IV model, we show that under certain circumstances the attack assumptions may become equivalent. We show that the key differentiation method induces a generic attack in a related-key model whose time complexity in the on-line phase is less than the exhaustive key search. The case of formal equivalency between the two scenarios arises when so-called *differentiable polynomials* with respect to some subset of key variables are a part of the state bit expressions (from which the output keystream bits are built). Then the differentiation over a key cube has the same effect as the differentiation over the corresponding IV cube, so that the generic nature of a related-key model is transferred into a more practical chosen IV model. The existence of such polynomials is confirmed for the reduced-round stream cipher TRIVIUM up to some 710 rounds and an algorithm for their detection is proposed. The key differentiation method induces a time/related-key trade-off (TRKTO) attack which (assuming the existence of differentiable polynomials) can be run in a chosen IV model. The resulting trade-off curve of our TMDTO attack is given by $T^2M^2D^2=(KV)^2$ ($V$ denoting the IV space), which is a significant improvement over the currently best known trade-off $TM^2D^2=(KV)^2$ [IVDunkel08].

*03:17* [Pub][ePrint]
ESPOON ERBAC: Enforcing Security Policies in Outsourced Environments, by Muhammad Rizwan Asghar and Mihaela Ion and Giovanni Russello and Bruno Crispo
Data outsourcing is a growing business model offering services to individuals and enterprises for processing and storing a huge amount of data. It is not only economical but also promises higher availability, scalability, and more effective quality of service than in-house solutions. Despite all its benefits, data outsourcing raises serious security concerns for preserving data confidentiality. There are solutions for preserving confidentiality of data while supporting search on the data stored in outsourced environments. However, such solutions do not support access policies to regulate access to a particular subset of the stored data. For complex user management, large enterprises employ Role-Based Access Control (RBAC) models for making access decisions based on the role in which a user is active. However, RBAC models cannot be deployed in outsourced environments as they rely on trusted infrastructure in order to regulate access to the data. The deployment of RBAC models may reveal private information about the sensitive data they aim to protect. In this paper, we aim at filling this gap by proposing ESPOON ERBAC for enforcing RBAC policies in outsourced environments. ESPOON ERBAC enforces RBAC policies in an encrypted manner, where a curious service provider may learn only very limited information about RBAC policies. We have implemented ESPOON ERBAC and provided its performance evaluation showing a limited overhead, thus confirming the viability of our approach.

*00:17* [Pub][ePrint]
Equivalence between MAC and PRF for Blockcipher based Constructions, by Nilanjan Datta and Mridul Nandi
In FSE 2010, Nandi proved a sufficient condition of pseudo random function (PRF) for affine domain extensions (ADE), a wide class of block cipher based domain extensions. This sufficient condition is satisfied by all known blockcipher based ADE constructions; however, it is not a characterization of PRF. In this paper we completely characterize the ADE and show that *message authentication code (MAC) and weakly collision resistant (WCR) are indeed equivalent to PRF*. Note that a PRF is trivially a MAC and WCR; however, the converse need not be true in general. So our result suggests that it would be sufficient to ensure resistance against the weak collision attack or the forging attack to construct a pseudo random function ADE. Unlike the FSE 2010 paper, here we consider the *forced collisions of inputs of underlying blockciphers by incorporating the final outputs of a domain extension queried by an adaptive adversary*. This is the main reason why we are able to obtain a characterization of PRF. Our approach is more general and hence might have other theoretical interest.

*00:17* [Pub][ePrint]
Secure Two-Party Computation with Reusable Bit-Commitments, via a Cut-and-Choose with Forge-and-Lose Technique, by Luís T. A. N. Brandão
A Secure Two Party Computation (S2PC) protocol allows two parties to compute over their combined private inputs, as if intermediated by a trusted third party. In the active model, security is maintained even if one party is malicious, deviating from the protocol specification. For example, an honest party retains privacy of its input and is ensured a correct output. This can be achieved with a cut-and-choose of garbled circuits (C&C-GCs), where some GCs are verified for correctness and the remaining are evaluated to determine the circuit output. This paper presents a new C&C-GCs-based S2PC protocol, with significant advantages in efficiency and applicability. First, in contrast with prior protocols that require a majority of evaluated GCs to be correct, the new protocol only requires that at least one evaluated GC is correct. In practice this reduces the total number of GCs to approximately one third, for the same statistical security goal. This is accomplished by augmenting the C&C with a new forge-and-lose technique based on bit commitments with trapdoor. Second, the output of the new protocol includes reusable XOR-homomorphic bit commitments of all circuit input and output bits, thereby enabling efficient linkage of several S2PCs in a reactive manner.

The protocol has additional interesting characteristics (which may allow new comparison tradeoffs). The number of exponentiations is only linear in the number of input and output wires and a statistical parameter; this is an improvement over protocols whose number of exponentiations is proportional to the number of GCs multiplied by the number of input and output wires. It uses unconditionally hiding bit commitments with trapdoor as the basis of oblivious transfers, with the circuit evaluator choosing a single value and the circuit constructor receiving two (a sort of 2-out-of-1 oblivious transfer, instead of the typical 1-out-of-2). The verification of consistency of circuit input and output keys across different GCs is embedded in the C&C structure.
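The "approximately one third" claim in the abstract follows from how the two correctness criteria constrain a cheating circuit constructor. The following is an added example, not the paper's own analysis, using a deliberately simplified cut-and-choose model (my assumption): the constructor sends $s$ garbled circuits, the evaluator opens a uniformly random subset of exactly $c$ of them and evaluates the other $s-c$, and cheating succeeds only if no bad circuit is opened and the evaluated set contains enough bad circuits: all of them under the at-least-one-correct criterion, more than half under the majority criterion. The function `min_gcs` searches for the smallest $s$ (optimising $c$) that keeps the constructor's success probability below $2^{-40}$ under each criterion; the paper's actual protocol uses its own parameters and a different analysis, so the exact numbers here illustrate the ratio, not the paper's figures.

```python
from math import comb

def cheat_probability(s, c, at_least_one):
    """Best success probability of a corrupt constructor in the simplified
    cut-and-choose model: s GCs sent, a random subset of c opened and checked,
    the remaining e = s - c evaluated. Cheating requires that no bad GC is
    opened AND that at least b_min of the evaluated GCs are bad, where b_min is
    e (all evaluated GCs bad, for the at-least-one-correct criterion) or
    e//2 + 1 (a strict majority bad, for the majority criterion)."""
    e = s - c
    b_min = e if at_least_one else e // 2 + 1
    # With b bad GCs, P[none of them is among the c opened] = C(s-b, c)/C(s, c),
    # which decreases in b, so the adversary plants exactly b_min bad GCs.
    return comb(s - b_min, c) / comb(s, c)

def best_check_count(s, at_least_one):
    """Check count c in 1..s-1 minimising the adversary's success probability."""
    return min(range(1, s), key=lambda c: cheat_probability(s, c, at_least_one))

def min_gcs(sec_bits, at_least_one):
    """Smallest number of GCs s for which some check count c bounds the
    constructor's cheating probability by 2^-sec_bits."""
    target = 2.0 ** -sec_bits
    s = 2
    while True:
        c = best_check_count(s, at_least_one)
        if cheat_probability(s, c, at_least_one) <= target:
            return s
        s += 1

def gc_ratio(sec_bits=40):
    """How many times more GCs the majority criterion needs than at-least-one."""
    return min_gcs(sec_bits, False) / min_gcs(sec_bits, True)

if __name__ == "__main__":
    for name, flag in (("at least one evaluated GC correct", True),
                       ("majority of evaluated GCs correct", False)):
        s = min_gcs(40, flag)
        print(f"{name}: s = {s}, check c = {best_check_count(s, flag)}")
    print(f"ratio majority / at-least-one: {gc_ratio():.2f}")
```

Under the at-least-one criterion the adversary must make every evaluated circuit bad, so its only hope is that the evaluator opens exactly the good ones, a probability of $1/\binom{s}{c}$, minimised at $c = s/2$; under the majority criterion it needs only slightly more than half of the evaluated circuits bad and hides the rest, which is why $s$ must grow by a factor of roughly 2.5 to 3 for the same $2^{-40}$ bound. The forge-and-lose technique the abstract describes is what makes the weaker at-least-one requirement sufficient for security.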