*19:17* [Pub][ePrint]
On the Impossibility of Sender-Deniable Public Key Encryption, by Dana Dachman-Soled
The primitive of deniable encryption was first introduced by Canetti et al. (CRYPTO, 1997). Deniable encryption is a regular public key encryption scheme with the added feature that after running the protocol honestly and transmitting a message $m$, both Sender and Receiver may produce random coins showing that the transmitted ciphertext was an encryption of any message $m\'$ in the message space. Deniable encryption is a key tool for constructing incoercible protocols, since it allows a party to send one message and later provide apparent evidence to a coercer that a different message was sent. In addition, deniable encryption may be used to obtain \\emph{adaptively}-secure multiparty computation (MPC) protocols and is secure under \\emph{selective-opening} attacks.Different flavors such as sender-deniable and receiver-deniable encryption, where only the Sender or Receiver can produce fake random coins, have been considered.

Recently, several open questions regarding the feasibility of deniable encryption have been resolved (c.f. (O\'Neill et al., CRYPTO, 2011), (Bendlin et al., ASIACRYPT, 2011)). A fundamental remaining open question is whether it is possible to construct sender-deniable Encryption Schemes with super-polynomial security, where an adversary has negligible advantage in distinguishing real and fake openings.

The primitive of simulatable public key encryption (PKE), introduced by Damg{\\aa}rd and Nielsen (CRYPTO, 2000), is a public key encryption scheme with additional properties that allow oblivious sampling of public keys and ciphertexts. It is one of the low-level primitives used to construct adaptively-secure MPC protocols and was used by O\'Neill et al. in their construction of bi-deniable encryption in the multi-distributional model (CRYPTO, 2011). Moreover, the original construction of sender-deniable encryption with polynomial security given by Canetti et al. can be instantiated with simulatable PKE. Thus, a natural question to ask is whether it is possible to construct sender-deniable encryption with \\emph{super-polynomial security} from simulatable PKE.

In this work, we investigate the possibility of constructing sender-deniable public key encryption from the primitive of simulatable PKE

in a black-box manner. We show that, in fact, there is no black-box construction of sender-deniable encryption with super-polynomial security from simulatable PKE. This indicates that the original construction of sender-deniable public key encryption given by Canetti et al. is in some sense optimal, since improving on it will require the use of non-black-box techniques, stronger underlying assumptions or interaction.

*19:17* [Pub][ePrint]
Systematic Treatment of Remote Attestation, by Aurelien Francillon and Quan Nguyen and Kasper B. Rasmussen and Gene Tsudik
Embedded computing devices (such as actuators, controllers and sensors of various sizes) increasingly permeate many aspects of modern life: from medical to automotive, from building and factory automation to weapons, from critical infrastructures to home entertainment. Despite their specialized nature as well as limited resources and connectivity, these devices are now becoming increasingly popular and attractive targets for various attacks, especially, remote malware infestations. There has been a number of research proposals to detect and/or mitigate such attacks. They vary greatly in terms of application generality and underlying assumptions. However, one common theme is the need for Remote Attestation, a distinct security service that allows a trusted party (verifier) to check the internal state of a remote untrusted embedded device (prover).This paper provides a systematic treatment of Remote Attestation, starting with a precise definition of the desired service and proceeding to its systematic deconstruction into necessary and sufficient properties. These properties are, in turn, mapped into a minimal collection of hardware and software components that results in secure Remote Attestation. One distinguishing feature of this line of research is the need to prove (or, at least argue) architectural minimality; this is rarely encountered in security research. This work also offers some insights into vulnerabilities of certain prior techniques and provides a promising platform for attaining more advanced security services and guarantees.

*19:17* [Pub][ePrint]
New Impossible Differential Attack on $\\text{SAFER}_{+}$ and $\\text{SAFER}_{++}$, by Jingyuan Zhao and Meiqin Wang and Jiazhe Chen and Yuliang Zheng
SAFER\\scriptsize + \\normalsize was a candidate block cipher for AES with 128-bit block size and a variable key sizes of 128, 192 or 256 bits. Bluetooth uses customized versions of SAFER\\scriptsize + \\normalsize for security. The numbers of rounds for SAFER\\scriptsize + \\normalsize with key sizes of 128, 192 and 256 are 8, 12 and 16, respectively. SAFER\\scriptsize ++\\normalsize, a variant of SAFER\\scriptsize +\\normalsize, was among the cryptographic primitives selected for the second phase of the NESSIE project. The block size is 128 bits and the key size can take either 128 or 256 bits. The number of rounds for SAFER\\scriptsize ++ \\normalsize is 7 for keys of 128 bits, and 10 for keys of 256 bits. Both ciphers use PHT as their linear transformation.In this paper, we take advantage of properties of PHT and S-boxes to identify 3.75-round impossible differentials for SAFER\\scriptsize ++ \\normalsize and 2.75-round impossible differentials for SAFER\\scriptsize +\\normalsize, which result in impossible differential attacks on 4-round SAFER\\scriptsize +\\normalsize/128(256), 5-round SAFER\\scriptsize ++\\normalsize/128 and 5.5-round SAFER\\scriptsize ++\\normalsize/256. Our attacks significantly improve previously known impossible differential attacks on 3.75-round SAFER\\scriptsize +\\normalsize/128(256) and SAFER\\scriptsize ++\\normalsize/128(256). Our attacks on SAFER\\scriptsize +\\normalsize/128(256) and SAFER\\scriptsize ++\\normalsize/128(256) represent the best currently known attack in terms of the number of rounds.

*19:17* [Pub][ePrint]
Attribute-Based Functional Encryption on Lattices, by Xavier Boyen
We introduce a broad lattice manipulation technique for expressive cryptography, and use it to realize functional encryption for access structures from post-quantum hardness assumptions.Specifically, we build an efficient key-policy attribute-based encryption scheme, and prove its security in the selective sense from learning-with-errors intractability in the standard model.

*19:17* [Pub][ePrint]
Succinct Non-Interactive Arguments via Linear Interactive Proofs, by Nir Bitansky and Alessandro Chiesa and Yuval Ishai and Rafail Ostrovsky and Omer Paneth
\\emph{Succinct non-interactive arguments} (SNARGs) enable verifying NP statements with lower complexity than required for classical NP verification. Traditionally, the focus has been on minimizing the length of such arguments; nowadays researches have focused also on minimizing verification time, by drawing motivation from the problem of delegating computation.A common relaxation is a \\emph{preprocessing} SNARG, which allows the verifier to conduct an expensive offline phase that is independent of the statement to be proven later. Recent constructions of preprocessing SNARGs have achieved attractive features: they are publicly-verifiable, proofs consist of only $O(1)$ encrypted (or encoded) field elements, and verification is via arithmetic circuits of size linear in the NP statement. Additionally, these constructions seem to have ``escaped the hegemony\'\' of probabilistically-checkable proofs (PCPs) as a basic building block of succinct arguments.

We present a general methodology for the construction of preprocessing SNARGs, as well as resulting concrete efficiency improvements. Our contribution is three-fold:

(1)

We introduce and study a natural extension of the interactive proof model that considers \\emph{algebraically-bounded} provers; this new setting is analogous to the common study of algebraically-bounded ``adversaries\'\' in other fields, such as pseudorandomness and randomness extraction. More concretely, in this work we focus on linear (or affine) provers, and provide several constructions of (succinct two-message) \\emph{linear-interactive proofs} (LIPs) for NP. Our constructions are based on general transformations applied to both \\emph{linear} PCPs (LPCPs) and traditional ``unstructured\" PCPs.

(2)

We give conceptually simple cryptographic transformations from LIPs to preprocessing SNARGs, whose security can be based on different forms of \\emph{linear targeted malleability} (implied by previous knowledge assumptions). Our transformations convert arbitrary (two-message) LIPs into designated-verifier SNARGs, and LIPs with degree-bounded verifiers into publicly-verifiable SNARGs. We also extend our methodology to obtain \\emph{zero-knowledge} LIPs and SNARGs. Our techniques yield SNARGs \\emph{of knowledge} and thus can benefit from known recursive composition and bootstrapping techniques.

(3)

Following this methodology, we exhibit several constructions achieving new efficiency features, such as ``single-ciphertext preprocessing SNARGs\" and improved succinctness-soundness tradeoffs. We also offer a new perspective on existing constructions of preprocessing SNARGs, revealing a direct connection of these to LPCPs and LIPs.

*19:17* [Pub][ePrint]
An ideal multi-secret sharing scheme based on minimal privileged coalitions , by Yun Song , Zhihui Li
How to construct an ideal multi-secret sharing scheme for general access structures is difficult. In this paper, we solve an open problem proposed by Spiez et al.recently [Finite Fields andTheir Application, 2011(17) 329-342], namely to design an algorithm of privileged coalitions of any length if such coalitions exist. Furthermore, in terms of privileged coalitions, we show that most of the existing multi-secret sharing schemes based on Shamir threshold secret sharing are not perfect by analyzing Yang et al.\'s scheme and Pang et al.\'s scheme. Finally, based on the algorithm mentioned above, we devise an ideal multi-secret sharing scheme for families of access structures, which possesses more vivid authorized sets than

that of the threshold scheme.