*22:17* [Pub][ePrint]
MJH: A Faster Alternative to MDC-2, by Jooyoung Lee and Martijn Stam
In this paper, we introduce a new class of double-block-length hash functions. Using the ideal cipher model, we prove that these hash functions, dubbed MJH, are asymptotically collision resistant up to $O(2^{n(1-\epsilon)})$ query complexity for any $\epsilon>0$ in the iteration, where $n$ is the block size of the underlying blockcipher. When based on $n$-bit key blockciphers, our construction, being of rate 1/2, provides better provable security than MDC-2, the only known construction of a rate-1/2 double-length hash function based on an $n$-bit key blockcipher with non-trivial provable security.

Moreover, since key scheduling is performed only once per message block for MJH, our proposal significantly outperforms MDC-2 in efficiency.

When based on a $2n$-bit key blockcipher, we can use the extra $n$ bits of key to increase the amount of payload accordingly. Thus we get a rate-1 hash function that is much faster than existing proposals, such as Tandem-DM, with comparable provable security. The proceedings version of this paper appeared in CT-RSA 2011.

*20:12* [Job][New]
PhD Position in Lattice-Based Cryptography, *Technische Universität Darmstadt, Germany, Middle-Europe*
The group for Cryptography and Computer Algebra at the Technische Universität Darmstadt chaired by Prof. Dr. Johannes Buchmann is looking for a Ph.D. student. Candidates should have a superior Master's degree in mathematics, computer science, or related disciplines. The opportunity to work in the area of cryptography --- more precisely, in lattice-based cryptography --- is given to the prospective Ph.D. student. Any prior experience in lattice-based cryptography is certainly an asset.

*19:17* [Pub][ePrint]
Improved Slender-set Linear Cryptanalysis, by Guo-Qiang Liu and Chen-Hui Jin and Chuan-Da Qi
In 2013, Borghoff et al. introduced a slender-set linear cryptanalysis on PRESENT-like ciphers with key-dependent secret S-boxes. In this paper, we propose an improved slender-set linear attack on PRESENT-like ciphers with secret S-boxes. We investigate three new cryptanalytic techniques, and use them to recover the secret S-boxes efficiently. Our first new idea is that we propose a new technique to support consistency of partitions of the input to the secret S-boxes. Our second new technique is that we present a more efficient method to recover the coordinate functions of secret S-boxes based on more information than that of Borghoff's attack. The third new technique is that we propose a method of constructing all correct coordinate functions of secret S-boxes by a pruning search algorithm. In particular, we implemented a successful linear attack on the full-round Maya in practice. In our experiments, the correct S-box can be recovered with $2^{36}$ known plaintexts, $2^{18.9}$ time complexity and negligible memory complexity at a success rate of 87.5%. Our attack is the improvement and sequel of Borghoff's work on PRESENT-like ciphers with secret S-boxes.

*19:17* [Pub][ePrint]
Actively Secure Private Function Evaluation, by Payman Mohassel and Saeed Sadeghian and Nigel P. Smart
We propose the first general framework for designing actively secure private function evaluation (PFE), not based on universal circuits. Our framework is naturally divided into pre-processing and online stages and can be instantiated using any generic actively secure multiparty computation (MPC) protocol. Our framework helps address the main open questions about efficiency of actively secure PFE. On the theoretical side, our framework yields the first actively secure PFE with linear complexity in the circuit size. On the practical side, we obtain the first actively secure PFE for arithmetic circuits with $O(g \cdot \log g)$ complexity where $g$ is the circuit size. The best previous construction (of practical interest) is based on an arithmetic universal circuit and has complexity $O(g^5)$.

We also introduce the first linear Zero-Knowledge proof of correctness of "extended permutation" of ciphertexts (a generalization of ZK proof of correct shuffles) which may be of independent interest.

*19:17* [Pub][ePrint]
Space-efficient, byte-wise incremental and perfectly private encryption schemes, by Kévin Atighehchi
The problem raised by incremental encryption is the overhead due to the larger storage space required by the provision of random blocks together with the ciphered versions of a given document. Besides, permitting variable-length modifications on the ciphertext leads to privacy preservation issues. In this paper we present incremental encryption schemes which are space-efficient, byte-wise incremental and which preserve perfect privacy in the sense that they hide the fact that an update operation has been performed on a ciphered document. For each scheme, the run time of the updates performed turns out to be very efficient, and we discuss the statistically adjustable trade-off between computational cost and the storage space required by the produced ciphertexts.

*16:17* [Pub][ePrint]
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures, by Masayuki Abe and Jens Groth and Miyako Ohkubo and Mehdi Tibouchi
We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size.

State-of-the-art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and at the same time minimizes the verification key size to 1 group element.

Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability where the signer may for specific signatures provide randomization tokens that enable randomization.

Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups, this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks. An instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.