*06:17* [Pub][ePrint]
T-MATCH: Privacy-Preserving Item Matching for Storage-Only RFID Tags, by Kaoutar Elkhiyaoui and Erik-Oliver Blass and Refik Molva
RFID-based tag matching allows a reader Rk to determine whether two tags Ti and Tj storesome attributes that jointly fulfill a boolean constraint. The challenge in designing a matching mechanism

is tag privacy. While cheap tags are unable to perform any computation, matching has to be

achieved without revealing the tags\' attributes. In this paper, we present T-MATCH, a protocol for secure

and privacy preserving RFID tag matching. T-MATCH involves a pair of tags Ti and Tj , a reader

Rk, and a backend server S. To ensure tag privacy against Rk and S, T-MATCH employs a new technique

based on secure two-party computation that prevents Rk and S from disclosing tag attributes. For

tag privacy against eavesdroppers, each tag Ti in T-MATCH stores an IND-CPA encryption of its attribute.

Such an encryption allows Rk to update the state of Ti by merely re-encrypting Ti\'s ciphertext.

T-MATCH targets cheap tags that cannot perform any computation, but are only required to store 150

bytes.

*06:17* [Pub][ePrint]
Computational Entropy and Information Leakage, by Benjamin Fuller and Leonid Reyzin
We investigate how information leakage reduces computational entropy of a random variable X. Recall that HILL and metric computational entropy are parameterized by quality (how distinguishable is X from a variable Z that has true entropy) and quantity (how much true entropy is there in Z).We prove an intuitively natural result: conditioning on an event of probability p reduces the quality of metric entropy by a factor of p and the quantity of metric entropy by log 1/p note that this means that the reduction in quantity and quality is the same, because the quantity of entropy is measured on logarithmic scale). Our result improves previous bounds of Dziembowski and Pietrzak (FOCS 2008), where the loss in the \\emph{quantity} of entropy was related to its original quality. The use of metric entropy simplifies the analogous the result of Reingold et. al. (FOCS 2008) for HILL entropy.

Further, we simplify dealing with information leakage by investigating conditional metric entropy. We show that, conditioned on leakage of \\lambda bits, metric entropy gets reduced by a factor 2^\\lambda in quality and \\lambda in quantity.

*06:17* [Pub][ePrint]
Functional Encryption: New Perspectives and Lower Bounds, by Shweta Agrawal and Sergey Gorbunov and Vinod Vaikuntanathan and Hoeteck Wee
Functional encryption is an emerging paradigm for public-key encryption that enables fine-grained control of access to encrypted data. In this work, we present new perspectives on security definitions for functional encryption, as well as new lower bounds on what can be achieved. Our main contributions are as follows:* We show a lower bound for functional encryption that satisfies a weak (non-adaptive) simulation-based security notion, via pseudo-random functions. This is the first lower bound that exploits unbounded collusions in an essential way.

* We put forth and discuss a simulation-based notion of security for functional encryption, with an unbounded simulator (called USIM). We show that this notion interpolates indistinguishability and simulation-based security notions, and has strong correlations to results and barriers in the zero-knowledge and multi-party computation literature.

*06:17* [Pub][ePrint]
Some Connections Between Primitive Roots and Quadratic Non-Residues Modulo a Prime, by Sorin Iftene
In this paper we present some interesting connections between primitive roots and quadratic non-residues modulo a prime. Using these correlations, we improve the existing randomized algorithm for generating primitive roots and we propose a polynomial deterministic algorithm for generating primitive roots for primeswith special forms (for example, for safe primes). The key point of our improvement is the fact that the evaluation of Legendre-Jacobi symbol is much faster than an exponentiation.

*06:17* [Pub][ePrint]
Sender Equivocable Encryption Schemes Secure against Chosen-Ciphertext Attacks Revisited, by Zhengan Huang and Shengli Liu and Baodong Qin
The first sender equivocable encryption scheme secure against chosen-ciphertext attack (NC-CCA) was proposed by Fehr et al. in Eurocrypt 2010. The scheme was also secure against selective opening chosen-ciphertext attack (SO-CCA), since NC-CCA security implies SO-CCA security.The NC-CCA security proof of the scheme relies on security against substitution attack of a new primitive, ``cross-authentication code\'\'. However, the security of cross-authentication code can not guarantee anything when all the keys used in the code are exposed. The key observation is that in the NC-CCA game, the randomness used in the generation of the challenge ciphertext is exposed to the adversary. This random information can be used to recover all the keys involved in cross-authentication code, and forge a ciphertext (like a substitution attack of cross-authentication code) that is different from but related to the challenge ciphertext. And the response of decryption oracle leaks information. This leaked information is employed by an attack to spoil the NC-CCA security proof of the sender equivocable encryption scheme encrypting multi-bits. We also propose a new scheme encrypting single-bit plaintext, free of cross-authentication code, and prove its NC-CCA security.

*06:17* [Pub][ePrint]
Semantically Secure Functional Encryption, Revisited, by Manuel Barbosa and Pooya Farshim
Functional encryption (FE) is a powerful cryptographic primitive that generalizes many asymmetric encryption systems proposed in recent years. Syntax and security definitions for general FE were recently proposed by Boneh, Sahai, and Waters (BSW) (TCC 2011) and independently by O\'Neill (ePrint 2010/556). In this paper we revisit these definitions, identify a number of shortcomings in them, and propose a new definitional approach that overcomes these limitations. Our definitions display good compositionality properties and allow us to obtain new feasibility and impossibility results for adaptive token extraction attack scenarios that shed further light on the potential reach of general FE for practical applications. The main contributions of the paper are the following: - We show that the BSW definition of semantic security fails to reject intuitively insecure FE schemes where a ciphertext leaks more about an encrypted message than that which can be recovered from an image under the supported functionality. Our definition (as O\'Neill\'s) does not suffer from this problem.

- We introduce an orthogonal notion of {\\em setup security} that rejects all FE schemes where the master secret key may give unwanted power to the TA, allowing the recovery of extra information from images under the supported functionality. We prove FE schemes supporting {\\em all-or-nothing} functionalities are intrinsically setup-secure and further show that many well-known functionalities {\\em are} all-or-nothing.

- We extend the equivalence result of O\'Neill between indistinguishability and semantic security to restricted {\\em adaptive} token extraction attacks (the standard notion of security for, e.g., IBEs and ABEs). We establish that this equivalence holds for the large class of all-or-nothing functionalities. Conversely, we show that the proof technique used to establish this equivalence cannot be applied to schemes supporting a one-way function.

- We show that the notable {\\em inner-product} functionality introduced by Katz, Sahai, and Waters (EUROCRYPT 2008) can be used to encode a one-way function under the small integer solution problem, and hence natural approaches to prove its (restricted) adaptive security fail. This complements the equivalence result of O\'Neill for the non-adaptive case, and leaves open the question of proving the semantic security of existing inner-product encryption schemes.

*06:17* [Pub][ePrint]
Efficient Signatures of Knowledge and DAA in the Standard Model, by David Bernhard and Georg Fuchsbauer and Essam Ghadafi
Direct Anonymous Attestation (DAA) is one of the most complex cryptographic protocols deployed in practice.It allows an embedded secure processor known as a Trusted Platform Module (TPM) to attest to the configuration of its host computer without violating the owner\'s privacy.

DAA has been standardized by the Trusted Computing Group.

The security of the DAA standard and all existing schemes is analyzed in the random oracle model.

We provide the first constructions of DAA in the standard model, that is, without relying on random oracles.

As a building block for our schemes, we construct the first efficient standard-model signatures of knowledge, which have many applications beyond DAA.