*21:17* [Pub][ePrint]
Third-order nonlinearities of some biquadratic monomial Boolean functions, by Brajesh Kumar Singh
In this paper, we estimate the lower bounds on third-ordernonlinearities of some biquadratic monomial Boolean functions of the

form $Tr_1^n(\\lambda x^d)$ for all $x \\in \\mathbb F_{2^n}$, where

$\\lambda \\in \\BBF_{2^n}^{*}$,

\\begin{itemize}

\\item [{(1)}]$d = 2^i + 2^j + 2^k + 1$, $i, j, k$

are integers such that $ i > j > k \\geq 1$ and $n > 2 i$.

\\item [{(2)}] $d = 2^{3\\ell} + 2^{2\\ell} + 2^{\\ell} + 1$, $\\ell$

is a positive integer such that $\\gcd (i, n) = 1$ and $n > 6$.

\\end{itemize}

*21:17* [Pub][ePrint]
SmartTokens: Delegable Access Control with NFC-enabled Smartphones (Full Version), by Christian Wachsmann and Alexandra Dmitrienko and Ahmad-Reza Sadeghi and Sandeep Tamrakar
Today\'s smartphones and tablets offer compelling computing and storage capabilities enabling a variety of mobile applications with rich functionality. The integration of new interfaces, in particular near field communication~(NFC) opens new opportunities for new applications and business models, as the most recent trend in industry for payment and ticketing shows. These applications require storing and processing security-critical data on smartphones, making them attractive targets for a variety of attacks. The state of the art to enhance platform security concerns outsourcing security-critical computations to hardware-isolated Trusted Execution Environments~(TrEE). However, since these TrEEs are used by software running in commodity operating systems, malware could impersonate the software and use the TrEE in an unintended way. Further, existing NFC-based access control solutions for smartphones are either not public or based on strong assumptions that are hard to achieve in practice.We present the design and implementation of a generic access control system for NFC-enabled smartphones based on a multi-level security architecture for smartphones. Our solution allows users to delegate their access rights and addresses the bandwidth constraints of NFC.

Our prototype captures electronic access to facilities, such as entrances and offices, and binds NFC operations to a software-isolated TrEE established on the widely used Android smartphone operating system. We provide a formal security analysis of our protocols and evaluated the performance of our solution.

*21:17* [Pub][ePrint]
Non-Malleable Extractors, Two-Source Extractors and Privacy Amplification, by Xin Li
Dodis and Wichs introduced the notion of a non-malleable extractor to study the problem of privacy amplification with an active adversary. A non-malleable extractor is a much stronger version of a strong extractor. Given a weakly-random string $x$ and a uniformly random seed $y$ as the inputs, the non-malleable extractor $nmExt$ has the property that $nmExt(x,y)$ appears uniform even given $y$ as well as $nmExt(x,A(y))$, for an arbitrary function $A$ with $A(y) \\neq y$. Dodis and Wichs showed that such an object can be used to give optimal privacy amplification protocols with an active adversary.Previously, there are only two known constructions of non-malleable extractors \\cite{DLWZ11, CRS11}. Both constructions only work for $(n, k)$-sources with $k>n/2$. Interestingly, both constructions are also two-source extractors.

In this paper, we present a strong connection between non-malleable extractors and two-source extractors. The first part of the connection shows that non-malleable extractors can be used to construct two-source extractors. If the non-malleable extractor works for small min-entropy and has a short seed length with respect to the error, then the resulted two-source extractor beats the best known construction of two-source extractors. This partially explains why previous constructions of non-malleable extractors only work for sources with entropy rate $>1/2$, and why explicit non-malleable extractors for small min-entropy may be hard to get.

The second part of the connection shows that certain two-source extractors can be used to construct non-malleable extractors. Using this connection, we obtain the first construction of non-malleable extractors for $k < n/2$. Specifically, we give an unconditional construction for min-entropy $k=(1/2-\\delta)n$ for some constant $\\delta>0$, and a conditional (semi-explicit) construction that can potentially achieve $k=\\alpha n$ for any constant $\\alpha>0$.

We also generalize non-malleable extractors to the case where there are more than one adversarial seeds, and show a similar connection between the generalized non-malleable extractors and two-source extractors.

Finally, despite the lack of explicit non-malleable extractors for arbitrarily linear entropy, we give the first 2-round privacy amplification protocol with asymptotically optimal entropy loss and communication complexity for $(n, k)$ sources with $k=\\alpha n$ for any constant $\\alpha>0$. This dramatically improves previous results and answers an open problem in \\cite{DLWZ11}.

*18:17* [Pub][ePrint]
Attacking RSA-CRT Signatures with Faults on Montgomery Multiplication, by Pierre-Alain Fouque and Nicolas Guillermin and Delphine Leresteux and Mehdi Tibouchi and Jean-Christophe Zapalowicz
In this paper, we present several efficient fault attacks against implementations of RSA-CRT signatures that use modular exponentiation algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are thefirst fault attacks effective against RSA-PSS.

The new attacks work provided that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures.

*18:17* [Pub][ePrint]
Automatically Verified Mechanized Proof of One-Encryption Key Exchange, by Bruno Blanchet
We present a mechanized proof of the password-based protocol One-Encryption Key Exchange (OEKE) using the computationally-sound protocol prover CryptoVerif. OEKE is a non-trivial protocol, and thus mechanizing its proof provides additional confidence that it is correct.This case study was also an opportunity to implement several important extensions of CryptoVerif, useful for proving many other protocols. We have indeed extended CryptoVerif to support the computational Diffie-Hellman assumption. We have also added support for proofs that rely on Shoup\'s lemma and additional game transformations. In particular, it is now possible to insert case distinctions manually and to merge cases that no longer need to be distinguished. Eventually, some improvements have been added on the computation of the probability bounds for attacks, providing better reductions. In particular, we improve over the standard computation of probabilities when Shoup\'s lemma is used, which allows us to improve the bound given in a previous manual proof of OEKE, and to show that the adversary can test at most one password per session of the protocol.

In this paper, we present these extensions, with their application to the proof of OEKE. All steps of the proof, both automatic and manually guided, are verified by CryptoVerif.