*04:17* [Pub][ePrint]
Algebraic Properties of Modular Addition Modulo a Power of Two, by S. M. Dehnavi and Alireza Rahimipour
Modular addition modulo a power of two, is one of the most applicable operators in symmetric cryptography; therefore, investigating cryptographic properties of this operator has a significant role in design and analysis of symmetric ciphers.Algebraic properties of modular addition modulo a power of two have been studied for two operands by Braeken in fse\'05. Also, the authors of this paper, have studied this operator, in some special cases, before. In this paper, taking advantage of previous researches in this area, we generalize the algebraic properties of this operator for more than two summands. More precisely, we

determine the algebraic degree of the component Boolean functions of modular addition of arbitrary number of summands modulo a power of two, as a vectorial Boolean function, along with the number of terms and variables in these component functions. As a result, algebraic degrees of the component Boolean functions of Generalized Pseudo-Hadamard Transforms are driven.

*04:17* [Pub][ePrint]
Efficient Three-Party Computation from Cut-and-Choose, by Seung Geol Choi and Jonathan Katz and Alex J. Malozemoff and Vassilis Zikas
With relatively few exceptions, the literature on efficient (practical) secure computation has focused on secure two-party computation~(2PC). It is, in general, unclear whether the techniques used to construct practical 2PC protocols---in particular, the \\emph{cut-and-choose} approach---can be adapted to the multi-party setting.In this work we explore the possibility of using cut-and-choose for practical secure \\emph{three-party} computation. The three-party case has been studied in prior work in the semi-honest setting, and is motivated by the observation that real-world deployments of multi-party computation are likely to involve few parties. We propose a constant-round protocol for three-party computation tolerating any number of malicious parties, whose computational cost is essentially only \\emph{twice} that of state-of-the-art two-party protocols.

*04:17* [Pub][ePrint]
How to Use Bitcoin to Design Fair Protocols, by Iddo Bentov and Ranjit Kumaresan
We study a model of fairness in secure computation in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty. We then show how the Bitcoin network can be used to achieve the above notion of fairness in the two-party as well as the multiparty setting (with a dishonest majority). In particular, we propose new ideal functionalities and protocols for fair secure computation and fair lottery in this model. One of our main contributions is the definition of an ideal primitive, which we call $\\mathcal{F}_{\\mathrm{CR}}^\\star$ ($\\mathrm{CR}$ stands for ``claim-or-refund\'\'), that formalizes and abstracts the exact properties we require from the Bitcoin network to achieve our goals. Naturally, this abstraction allows us to design fair protocols in a hybrid model in which parties have access to the $\\mathcal{F}_{\\mathrm{CR}}^\\star$ functionality, and is otherwise independent of the Bitcoin ecosystem.

We also show an efficient realization of $\\mathcal{F}_{\\mathrm{CR}}^\\star$ that requires only two Bitcoin transactions to be made on the network.

Our constructions also enjoy high efficiency. In a multiparty setting, our protocols only require a constant number of calls to $\\mathcal{F}_{\\mathrm{CR}}^\\star$ per party on top of a standard multiparty secure computation protocol. Our fair multiparty lottery protocol improves over previous solutions which required a quadratic number of Bitcoin transactions.

*04:17* [Pub][ePrint]
Efficient Revocable Identity-Based Encryption via Subset Difference Methods, by Kwangsu Lee and Dong Hoon Lee and Jong Hwan Park
Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user\'s credential (or private key) can be expired or revealed. Revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme or the layered subset difference (LSD) scheme instead of using the CS scheme to improve the size of update keys.Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen and the SD scheme and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has $O(r)$ number of group elements in update keys. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes also can be integrated with the LSD scheme to reduce the size of private keys.

*04:17* [Pub][ePrint]
Kummer strikes back: new DH speed records, by Daniel J. Bernstein and Chitchanok Chuengsatiansup and Tanja Lange and Peter Schwabe
This paper introduces high-security constant-time variable-base-point Diffie--Hellman software using just 274593 Cortex-A8 cycles, 91460 Sandy Bridge cycles, 90896 Ivy Bridge cycles, or 72220 Haswell cycles. The only higher speed appearing in the literature for any of these platforms is a claim of 60000 Haswell cycles for unpublished software performing arithmetic on a binary elliptic curve.The new speeds rely on a synergy between (1) state-of-the-art formulas for genus-2 hyperelliptic curves and (2) a modern trend towards vectorization in CPUs. The paper introduces several new techniques for efficient vectorization of Kummer-surface computations.

*04:17* [Pub][ePrint]
Anonymous Two-Factor Authentication: Certain Goals Are Beyond Attainment, by Ding Wang, Ping Wang, and Debiao He
Despite a decade of intensive research, it still remains a challenge to design a practical dynamic id-based two-factor authentication scheme, for the designers are confronted with an impressive list of security requirements (e.g., resistance to mart card loss attack) and desirable attributes (e.g., local and secure password update). Dozens of solutions have been proposed, yet most of them are shortly found either unable to satisfy some security requirements or short of important features. To overcome this unsatisfactory situation, researchers often work around it in hopes of a new solution (but no one has succeeded so far), while paying little attention to the question: Whether or not there are inherent limitations (conflicts) that prevents us from designing an ideal scheme that satisfies all of these goals?In this work, we attempt to provide an answer to this question. We revisit two latest (and reprentative) proposals, i.e. Xie\'s scheme and Li\'s scheme, and explore some inherent conflicts and unavoidable trade-offs in designing such schemes. Our results highly indicate that, under the current widely accepted adversary model, certain goals are beyond attainment. To the best of knowledge, the present study makes the first step towards understanding the underlying evaluation metric for dynamic id-based two-factor authentication, which we believe will facilitate better design of two-factor protocols that offer acceptable trade-offs between usability, security and privacy.