*15:17* [Pub][ePrint]
Weakness of $\\mbox{${\\mathbb F}$}_{3^{6 \\cdot 509}}$ for Discrete Logarithm Cryptography, by Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodr\\\'iguez-Henr\\\'iquez
In 2013, Joux, and then Barbulescu, Gaudry, Joux and Thom\\\'{e}, presented new algorithms for computing discrete logarithms in finite

fields of small and medium characteristic. We show that these new

algorithms render the finite field $\\Fmain = \\FF_{3^{3054}}$ weak for

discrete logarithm cryptography in the sense that discrete logarithms

in this field can be computed significantly faster than with the

previous fastest algorithms. Our concrete analysis shows that the

supersingular elliptic curve over $\\FF_{3^{509}}$ with embedding degree

6 that had been considered for implementing pairing-based cryptosystems

at the 128-bit security level in fact provides only a significantly

lower level of security.

*15:17* [Pub][ePrint]
Dynamic Runtime Methods to Enhance Private Key Blinding, by Karine Gandolfi-Villegas and Nabil Hamzi
In this paper we propose new methods to blind exponentsused in RSA and in elliptic curves based algorithms. Due to classical

differential power analysis (DPA and CPA), a lot of countermeasures to

protect exponents have been proposed since 1999 Kocher [20] and by

Coron [13]. However, these blinding methods present some drawbacks

regarding execution time and memory cost. It also got some weaknesses.

Indeed they could also be targeted by some attacks such as The Carry

Leakage on the Randomized Exponent proposed by P.A. Fouque et al.

in [23] or inefficient against some others analysis such as Single Power

Analysis. In this article, we explain how the most used method could

be exploited when an attacker can access test samples. We target here

new dynamic blinding methods in order to prevent from any learning

phase and also to improve the resistance against the latest side channel

analyses published.

*15:17* [Pub][ePrint]
Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits, by Sanjam Garg and Craig Gentry and Shai Halevi and Mariana Raykova and Amit Sahai and Brent Waters
In this work, we study indistinguishability obfuscation and functional encryption for general circuits:Indistinguishability obfuscation requires that given any two equivalent circuits C_0 and C_1 of similar size, the obfuscations of C_0 and C_1 should be computationally indistinguishable.

In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C. Using the key SK_C to decrypt a ciphertext CT_x = Enc(x), yields the value C(x) but does not reveal anything else about x. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually.

We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps:

- We describe a candidate construction for indistinguishability obfuscation for NC1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.

- We show how to use indistinguishability obfuscation for NC1 together with Fully Homomorphic Encryption (with decryption in NC1) to achieve indistinguishability obfuscation for all circuits.

- Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The functional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications.

*15:17* [Pub][ePrint]
Secret Disclosure attack on Kazahaya, a Yoking-Proof For Low-Cost RFID Tags, by Nasour Bagheri, Masoumeh Safkhani
Peris-Lopez et al. recently provides some guidelines that should be followed todesign a secure yoking-proof protocol. In addition, conforming to those guidelines and

EPC C1 G2, they presented a yoking-proof for low-cost RFID tags, named Kazahaya. However,

in this letter, we scrutinize its security showing how an passive adversary can retrieve secret

parameters of patient\'s tag in cost of O(216) o-line PRNG evaluations. Given the tag\'s secret

parameters, any security claims are ruined. Nevertheless, to show other weaknesses of the

protocol and rule out any possible improvement by increasing the length of the used PRNG,

we presented a forgery attack that shows that a proof generated at time tn can be used to

forge a valid proof for any desired time tj . The success probability of this attack is `1\' and the

complexity is negligible.

*14:28* [Job][New]
Post-doc in e-voting and related research topics, *Newcastle University, UK*
We are looking for a post-doc researcher to join a vibrant and growing team of security researchers at the Centre for Cybercrime and Computer Security (CCCS) at Newcastle University, UK. Newcastle University is recognized by EPSRC/GCHQ as one of the 11 Academic Centres of Excellence in Cyber Security Research in the country.The post is supported by a five-year ERC Starting Grant on \\\"Self-enforcing Electronic Voting: Trustworthy Elections in the Presence of Corrupt Authorities\\\". The candidate should have a PhD in Computer Science, engineering or a related discipline, with a solid background in security. Previous research experience on e-voting is desirable but not required.

An ideal candidate would be the one who 1) has good understanding of theory; 2) has good practical skills; 3) has a keen interest to tackle real-world problems.

*00:17* [Pub][ePrint]
On Fair Exchange, Fair Coins and Fair Sampling, by Shashank Agrawal and Manoj Prabhakaran
We study various classical secure computation problems in the context of fairness, and relate them with each other. We also systematically study fair sampling problems (i.e., inputless functionalities) and discover three levels of complexity for them.Our results include the following:

-Fair exchange cannot be securely reduced to the problem of fair coin-tossing by an r-round protocol, except with an error that is $\\Omega(1/r)$.

-Finite fair {\\em sampling} problems with rational probabilities can all be reduced to fair coin-tossing and unfair 2-party computation (or equivalently, under computational assumptions). Thus, for this class of functionalities, fair coin-tossing is complete.

-Only sampling problems which have fair protocols without any fair setup are the trivial ones in which the two parties can sample their outputs independently. Others all have an $\\Omega(1/r)$ error, roughly matching an upper bound for fair sampling from Moran et al.(TCC 2009).

-We study communication-less protocols for sampling, given another sampling problem as setup, since such protocols are inherently fair. We use spectral graph theoretic tools to show that it is impossible to reduce a sampling problem with {\\em common information} (like fair coin-tossing) to a sampling problem without (like \'noisy\' coin-tossing, which has a small probability of disagreement).

The last result above is a slightly sharper version of a classical result by Witsenhausen from 1975. Our proof reveals the connection between the tool used by Witsenhausen, namely \'maximal correlation\', and spectral graph theoretic tools like Cheeger inequality.