*05:21* [Pub][ePrint]
Synchronous Sampling and Clock Recovery of Internal Oscillators for Side Channel Analysis, by Colin O\'Flynn and Zhizhang (David) Chen
Measuring power consumption for side-channel analysis typically uses an oscilloscope, which measures the data relative to an internal timebase. By synchronizing the sampling clock to the clock of the target device, the data storage and sampling requirements are considerably relaxed; the attack will succeed with a much lower sample rate. Previous work has demonstrated this on a system with a fixed and easily available clock; but real devices will often have an inaccessible internal oscillator, and may purposely vary the frequency this oscillator runs at (the Varying Clock countermeasure).This work measures the performance of a synchronous sampling system attacking a modern microcontroller running a software AES implementation. This attack is characterized under three conditions: with a stable clock, with a clock that randomly varies between 4.5~MHz--12.7~MHz, and with an internal oscillator that randomly varies between 7.41~MHz--7.49~MHz.

Traces captured with the synchronous sampling technique can be processed with a standard Differential Power Analysis (DPA) style attack in all three cases, whereas when an oscilloscope is used only the stable oscillator setup is successful. This work also develops the required hardware to recover the internal clock of a device which does not have an externally available clock.

*05:21* [Pub][ePrint]
Survey and Benchmark of Lightweight Block Ciphers for Wireless Sensor Networks, by Micka\\\"el Cazorla and Kevin Marquet and Marine Minier
For security applications in wireless sensor networks (WSNs), choosing best algorithms in terms of energy-efficiency and of small memory requirements is a real challenge because the sensor networks must be autonomous. In \\cite{EisenbarthGGHIKKNPRSO12,LawDH06}, the authors have benchmarked on a dedicated platform some block-ciphers and have deduced the best candidates to use in the context of small embedded platforms. This article proposes to study on a dedicated platform of sensors most of the recent lightweight block ciphers as well as some conventional block ciphers. First, we describe the design of the chosen block ciphers with a security summary and we then present some implementation tests performed on our platform.

*05:21* [Pub][ePrint]
Universally Composable Symbolic Analysis for Two-Party Protocols based on Homomorphic Encryption, by Morten Dahl and Ivan Damgård
We consider a class of two-party function evaluation protocols in which the parties are allowed to use ideal functionalities as well as a set of powerful primitives, namely commitments, homomorphic encryption, and certain zero-knowledge proofs. We illustrate that with these it is possible to capture protocols for oblivious transfer, coin-flipping, and generation of multiplication-triple.We show how any protocol in our class can be compiled to a symbolic representation expressed as a process in an abstract process calculus, and prove a general computational soundness theorem implying that if the protocol realises a given ideal functionality in the symbolic setting, then the original version also realises the ideal functionality in the standard computational UC setting. In other words, the theorem allows us to transfer a proof in the abstract symbolic setting to a proof in the standard UC model.

Finally, we show that the symbolic interpretation is simple enough in a number of cases for the symbolic proof to be partly automated using the ProVerif tool.

*05:21* [Pub][ePrint]
A Profitable Sub-Prime Loan: Obtaining the Advantages of Composite-Order in Prime-Order Bilinear Groups, by Allison Lewko and Sarah Meiklejohn
Composite-order bilinear groups provide many structural features that have proved useful for both constructing cryptographic primitives and as a technique in security reductions. Despite these convenient features, however, composite-order bilinear groups are less desirable than prime-order bilinear groups for reasons of efficiency. A recent line of work has therefore focused on translating these structural features from the composite-order to the prime-order setting; much of this work focused on two such features, projecting and canceling, in isolation, but a recent result due to Seo and Cheon showed that both features can be obtained simultaneously in the prime-order setting.In this paper, we reinterpret the construction of Seo and Cheon in the context of dual pairing vector spaces, a tool previously used to simulate other desirable features of composite-order groups in the prime-order setting. In this way, we are able to obtain a unified framework that simulates all of the known composite-order features in the prime-order setting. We demonstrate the strength of this framework by showing that the addition of even a weak form of projecting on top of the pre-existing uses of dual pairing vector spaces can be leveraged to \"boost\" a fully IND-CPA secure identity-based encryption scheme to one that is fully IND-CCA1 secure.

*05:21* [Pub][ePrint]
Cryptanalysis of Grigoriev-Shpilrain Physical Asymmetric Scheme With Capacitors, by Nicolas T. Courtois
Few days ago Grigoriev and Shpilrain have proposed to build a system for transmission of information without a shared secret, or essentially a sort of public key cryptosystem, based on properties of physical systems. In this paper we show that their second scheme based on capacitors is insecure and extremely easy to break in practice.

*05:21* [Pub][ePrint]
Theory of masking with codewords in hardware: low-weight $d$th-order correlation-immune Boolean functions, by Shivam Bhasin and Claude Carlet and Sylvain Guilley
In hardware, substitution boxes for block ciphers can be saved already masked in the implementation.The masks must be chosen under two constraints:

their number is determined by the implementation area and their properties should allow to deny high-order zero-offset attacks of highest degree.

First, we show that this problem translates into a known trade-off in Boolean functions, namely

finding correlation-immune functions of lowest weight.

For instance, this allows to prove that a byte-oriented block cipher such as AES can be protected with only $16$ mask values against zero-offset correlation power attacks of orders $1$, $2$ and $3$.

Second, we study $d$th-order correlation-immune Boolean functions $\\F_2^n \\to \\F_2$ of low-weight

and exhibit such functions of minimal weight found by a satisfiability modulo theory tool.

In particular, we give the minimal weight for $n \\leq 10$.

Some of these results were not known previously, such as the minimal weight for

$(n=9, d=4)$ and

$(n=10, d \\in \\{4,5,6\\})$.

These results set new bounds for the minimal number of lines of binary orthogonal arrays.

In particular, we point out that the minimal weight $w_{n,d}$ of a $d$th-order correlation-immune function might not be increasing with the number of variables $n$.