*18:17* [Pub][ePrint]
Encryption Schemes with Post-Challenge Auxiliary Inputs, by Tsz Hon Yuen and Ye Zhang and Siu-Ming Yiu
In this paper, we tackle the open problem of proposing a leakage-resilience encryption model that can capture leakage from both the secret key owner and the encryptor, in the auxiliary input model. Existing models usually do not allow adversaries to query more leakageinformation after seeing the challenge ciphertext of the security games. On one hand, side-channel attacks on the random factor (selected by the encryptor) are already shown to be feasible. Leakage from the encryptor should not be overlooked. On the other hand, the technical challenge for allowing queries from the adversary after he sees the ciphertext is to avoid a trivial attack to the system since he can then embed the decryption function as the leakage function (note that we consider the auxiliary input model in which the leakage is modeled as computationally hard-to-invert functions). We solve this problem by defining the post-challenge auxiliary input model in which the family of leakage functions must be defined before the adversary is given the public key. Thus the adversary cannot embed the decryption function as a leakage function after seeing the challenge ciphertext while is allowed to make challenge-dependent queries. This model is able to capture a wider class of real-world side-channel attacks.

To realize our model, we propose a generic transformation from the auxiliary input model to our new post-challenge auxiliary input model for both public key encryption (PKE) and identity-based encryption (IBE). Furthermore, we extend Canetti et al.\'s technique, that converts CPA-secure IBE to CCA-secure PKE, into the leakage-resilient setting. More precisely, we construct a CCA-secure PKE in the post-challenge auxiliary input model, by using strong one-time signatures and strong extractor with hard-to-invert auxiliary inputs, together with a CPA-secure IBE in the auxiliary input model. Moreover, we extend our results to signatures, to obtain fully leakage-resilient signatures with auxiliary inputs using standard signatures and strong extractor with hard-to-invert auxiliary inputs. It is more efficient than the existing fully leakage-resilient signature schemes.

*18:17* [Pub][ePrint]
Elligator: Elliptic-curve points indistinguishable from uniform random strings, by Daniel J. Bernstein and Anna Krasnova and Tanja Lange
Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection.Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits.

This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings.

*18:17* [Pub][ePrint]
Protocol Variants and Electronic Identification, by Kristian Gjøsteen
It is important to be able to evaluate information security systems involving humans. We propose an approach in which we consider the system as a cryptographic protocol, and users are modeled as ordinary players. To model the fact that users make mistakes that affect security, we introduce protocol variants that model mistakes or combinations of mistakes. By analysing the base protocol and its variants, and at the same time considering how likely each variant is, we get a reasonable estimate of the real security of the system.Our work takes the form of a case study of four Norwegian federated identity systems, as well as two proposals for improved systems. The four systems span a good mix of various types of federated identity systems.

*18:17* [Pub][ePrint]
Trapdoor Privacy in Asymmetric Searchable Encryption Schemes, by Afonso Arriaga and Qiang Tang
We investigate the open problem, namely trapdoor privacy, inasymmetric searchable encryption (ASE) schemes. We first present two trapdoor privacy definitions (i.e. 2-TRAP-PRIV and poly-TRAP-PRIV) which provide different levels of security guarantee. Motivated by the generic transformation from IBE to ASE, we introduce two key anonymity properties (i.e. 2-KEY-ANO and poly-KEY-ANO) for IBE schemes, so that these properties directly lead to the resulting ASE\'s 2-TRAP-PRIV and poly-TRAP-PRIV properties respectively at the end of a transformation. We then present a simplified

Boyen-Waters scheme and prove that it achieves IBE-IND-CPA, IBEANO

(anonymity), and 2-KEY-ANO security in the random oracle model. Finally, we extend the simplified Boyen-Waters scheme to be based on pairings over composite-order groups and prove that the extended scheme achieves poly-KEY-ANO security without random oracles.

*18:17* [Pub][ePrint]
New Constructions and Applications of Trapdoor DDH Groups, by Yannick Seurin
Trapdoor Decisional Diffie-Hellman (TDDH) groups, introduced by Dent and Galbraith (ANTS 2006), are groups where the DDH problem is hard, unless one is in possession of a secret trapdoor which enables solving it efficiently. Despite their intuitively appealing properties, they have found up to now very few cryptographic applications. Moreover, among the two constructions of such groups proposed by Dent and Galbraith, only a single one based on hidden pairings remains unbroken.In this paper, we extend the set of trapdoor DDH groups by giving a construction based on composite residuosity. We also introduce a more restrictive variant of these groups that we name \\emph{static} trapdoor DDH groups, where the trapdoor only enables to solve the DDH problem with respect to a fixed pair $(G,G^x)$ of group elements. We give two constructions for such groups whose security relies respectively on the RSA and the factoring assumptions. Then, we show that static trapdoor DDH groups yield elementary constructions of convertible undeniable signature schemes allowing delegatable verification. Using our constructions of static trapdoor DDH groups from the RSA or the factoring assumption, we obtain slightly simpler variants of the undeniable signature schemes of respectively Gennaro, Rabin, and Krawczyk (J. Cryptology, 2000) and Galbraith and Mao (CT-RSA 2003). These new schemes are conceptually more satisfying since they can strictly be viewed as instantiations, in an adequate group, of the original undeniable signature scheme of Chaum and van Antwerpen (CRYPTO~\'89).

*17:27* [Job][New]
Post-Doc, *Radboud University Nijmegen*
For a project on attribute based credentials / identity management on smart cards that is about to start, we are looking for a postdoc for one year. The postdoc should be a good coder, have some experience with smart card programming, and know about crypto and security. The project is related to the IRMA project, about which more info can be found at the link below.If you think you qualify, please apply. If know anyone that fits this description, and that can start july, august or september 2013, let us know as well.

Also, feel free to forward this question to anyone you know that may be able to help.