*15:17* [Pub][ePrint]
Biclique Cryptanalysis of TWINE, by Mustafa \\c{C}oban and Ferhat Karako\\c{c} and \\\"{O}zkan Bozta\\c{s}
TWINE is a lightweight block cipher proposed at ECRYPT Workshop on Lightweight Cryptography 2011, Belgium.The cipher consists of 36 rounds and has two versions TWINE-80 and TWINE-128 supporting key lengths of 80 and 128 bits, respectively.

The block length of the two versions is 64-bit.

In this paper, we present the first single-key attacks on the both versions of the cipher.

In these attacks, we use the recently developed biclique technique.

The complexities of the attacks on TWINE-80 and TWINE-128 are $2^{79.10}$ and $2^{126.82}$ respectively and the data requirement for the two attacks is $2^{60}$.

*15:17* [Pub][ePrint]
Programmable encryption and key-dependent messages, by Dominique Unruh
We present the notion of PROG-KDM security for public-key encryption schemes. This security notion captures both KDM security and

revealing of secret keys (key corruptions) in a single

definition. This is achieved by requiring the existence of a

simulator that can program ciphertexts when a secret key is

revealed, i.e., the simulator can delay the decision what plaintext

is contained in what ciphertext to the moment where the ciphertext

is opened. The definition is formulated in the random oracle model.

We show that PROG-KDM security can be achieved by showing that a

natural and practical construction in the ideal cipher model is

PROG-KDM secure (hybrid encryption using authenticated CBC

encryption).

*15:17* [Pub][ePrint]
Scalable Group Signatures with Revocation, by Benoit Libert and Thomas Peters and Moti Yung
Group signatures are a central cryptographic primitive, simultaneously supporting accountability and anonymity. They allowusers to anonymously sign messages on behalf of a group they are

members of. The recent years saw the appearance of several

constructions with security proofs in the standard model ({\\it

i.e.}, without appealing to the random oracle heuristic). For a

digital signature scheme to be adopted, an efficient revocation

scheme (as in regular PKI) is absolutely necessary.

Despite over a decade of extensive research, membership revocation

remains a non-trivial problem in group signatures: all existing

solutions are not truly scalable due to either high overhead (e.g., large group public key size), or limiting operational requirement (the need for all users to follow the system\'s entire history). In the standard model, the situation is even worse as many existing solutions are not readily adaptable. To fill this gap and tackle this challenge, we describe a new revocation approach based, perhaps

somewhat unexpectedly, on the Naor-Naor-Lotspiech framework which was introduced for a different problem (namely, that of broadcast encryption). Our mechanism yields efficient and scalable revocable group signatures in the standard model. In particular, the size of signatures and the verification cost are independent of the number of

revocations and the maximal cardinality $N$ of the group while other

complexities are at most polylogarithmic in $N$. Moreover, the

schemes are history-independent: unrevoked group members do not have

to update their keys when a revocation occurs.

*15:17* [Pub][ePrint]
The Stream Cipher Core of the 3GPP Encryption Standard 128-EEA3: Timing Attacks and Countermeasures, by Gautham Sekar
The core of the 3rd Generation Partnership Project (3GPP) encryption standard 128-EEA3 is a stream cipher called ZUC. It was designed by the Chinese Academy of Sciences and proposed for inclusion in the cellular wireless standards called \"Long Term Evolution\" or \"4G\". The LFSR-based cipher uses a 128-bit key. In this paper, we first show timing attacks on ZUC that can recover, with about 71.43% success rate, (i) one bit of the secret key immediately, and (ii) information involving 6 other key bits. The time, memory and data requirements of the attacks are negligible. While we see potential improvements to the attacks, wealso suggest countermeasures.

*15:17* [Pub][ePrint]
A Generalised Formula for Calculating the Resilience of Random Key Predistribution Schemes, by Ed Kendall and Michelle Kendall and Wilfrid S. Kendall
A commonly used metric for comparing the resilience of key predistribution schemes is $\\fail_s$, which measures the proportion of network connections which are `broken\' by an adversary which has compromised $s$ nodes. In `Random key predistribution schemes for sensor networks\', Chan, Perrig and Song present a formula for measuring the resilience in a class of random key predistribution schemes called $q$-composite schemes. We present a correction to this formula for schemes where more than one key may be used to secure a link between a pair of nodes. Our corrected formula features an additional parameter which makes it applicable to a wider variety of random key predistribution schemes, including the original Eschenauer Gligor scheme. We also present a simplification of the formula for calculating connectivity.We refer to the recent paper by Yum and Lee which also claims to correct the original formula for the $q$-composite scheme. However the resulting formula is complicated, computationally demanding, and hard to understand. The formula which we propose and prove is easily computable and can be applied to a wider range of schemes.

*15:17* [Pub][ePrint]
Simple construction of epsilon-biased distribution, by Long Hoang Nguyen and Andrew William Roscoe
Epsilon-biased distribution has many applications in practice, including universal hashing computation. In this paper we will improve an existing epsilon-biased distribution construction due to Alon et al. that requires to uniformly and efficiently sample irreducible polynomials of a large degree, e.g. between 80 and 160. To remove the need for such a sampling which can be computationally expensive, we will replace the irreducible polynomials by random monic polynomials of higher degree, i.e. every degree r monic polynomial whether irreducible or reducible is selected with the same probability 2^{-r}. To analyse the security of the scheme, we need to find the maximum number of degree r polynomials that divide a degree n polynomial where n > r.

*15:17* [Pub][ePrint]
A formal study of two physical countermeasures against side channel attacks, by Sébastien Briais and Sylvain Guilley and Jean-Luc Danger
Secure electronic circuits must implement countermeasures against a wide range of attacks.Often, the protection against side channel attacks requires to be tightly integrated within the functionality to be protected.

It is now part of the designer\'s job to implement them.

But this task is known to be error-prone, and with current development processes, countermeasures are evaluated often very late (at circuit fabrication).

In order to improve the confidence of the designer in the efficiency of the countermeasure,

we suggest in this article to resort to formal methods early in the design flow for two reasons.

First of all, we intend to check that the process of transformation of the design from the vulnerable description to the protected one does not alter the functionality.

Second, we wish to prove that the security properties (that can derive from a formal security functional specification) are indeed met after transformation.

Our first contribution is to show how such a framework can be setup (in COQ) for netlist-level protections.

The second contribution is to illustrate that this framework indeed allows to detect vulnerabilities in dual-rail logics.

*15:17* [Pub][ePrint]
On the Security of Dynamic Group Signatures: Preventing Signature Hijacking, by Yusuke Sakai and Jacob C.N. Schuldt and Keita Emura and Goichiro Hanaoka and Kazuo Ohta
We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the dynamic group signature scheme by Groth (ASIACRYPT 2007) does not provide protection against this type of malicious behavior.To address this, we introduce the notion of \\emph{opening soundness} for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions.

We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.

*15:17* [Pub][ePrint]
TorScan: Tracing Long-lived Connections and Differential Scanning Attacks, by Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann
Tor is a widely used anonymity network providing low-latency communication capabilities. Around 400,000 users per day use Tor to route TCP traffic through a sequence of relays; three hops are selected from a pool of currently almost 3000 volunteer-operated Tor relays to comprise a route through the network for a limited time. In comparison to single-hop proxies, forwarding TCP streams through multiple relays increases the anonymity of the users significantly: each hop along the route only knows its successor and predecessor.The anonymity provided by Tor heavily relies on the hardness of linking a user\'s entry and exit nodes. If an attacker gains access to the topological information about the Tor network instead of having to consider the network as a fully connected graph, this anonymity may be reduced. In fact, we have found ways to probe the connectivity of a Tor relay. We demonstrate how the resulting leakage of the Tor network topology can be used and present attacks to trace back a user from an exit relay to a small set of potential entry nodes.