*10:43* [Job][New]
Ph.D. students, *TELECOM-ParisTech*
TELECOM-ParisTech crypto group seeks 4 PhD students

The TELECOM-ParisTech crypto group develops prototype solutions to fight against cyber and physical penetration of embedded devices.

Our contributions in this field of research are:

We seek four PhD candidates on those subjects:

- \\\"Calculer dans les codes comme contremesure aux attaques physiques\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10213751
- \\\"Native Protection of Processors against Cyber-Attacks\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10253861
- \\\"Insertion automatique de contre-mesures dans des circuits de sécurité\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10213779
- \\\"Attaques FIRE : Rétroconception de cryptographie secrète\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10166999

Working language is French or English.

Positions are open until Aug 2014.

To ap

*21:17* [Pub][ePrint]
A Second Look at Fischlin's Transformation, by Özgür Dagdelen and Daniele Venturi
Fischlin's transformation is an alternative to the standard Fiat-Shamir transform to turn a certain class of public key identification schemes into digital signatures (in the random oracle model). We show that signatures obtained via Fischlin's transformation are existentially unforgeable even in case the adversary is allowed to get arbitrary (yet bounded) information on the entire state of the signer (including the signing key and the random coins used to generate signatures). A similar fact was already known for the Fiat-Shamir transform; however, Fischlin's transformation allows for a significantly higher leakage parameter than Fiat-Shamir.

Moreover, in contrast to signatures obtained via Fiat-Shamir, signatures obtained via Fischlin enjoy a tight reduction to the underlying hard problem. We use this observation to show (via simulations) that Fischlin's transformation, usually considered less efficient, outperforms the Fiat-Shamir transform in verification time for a reasonable choice of parameters. In terms of signing, Fiat-Shamir is faster for equal signature sizes. Nonetheless, our experiments show that the signing time of Fischlin's transformation becomes, e.g., 22% of the one via Fiat-Shamir if one allows the signature size to be doubled.

*21:17* [Pub][ePrint]
Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment, by Jaydeep Howlader, Sanjit Kumar Roy, Ashis Kumar Mal
Sealed-bid auction is an efficient and rational method to establish the price in an open market. However, sealed-bid auctions are subject to bid-rigging attack. Receipt-free mechanisms were proposed to prevent bid-rigging. The prior receipt-free mechanisms are based on two assumptions: firstly, the existence of an untappable channel between bidders and auction authorities; secondly, the mechanisms assume the authorities to be honest (not colluding). Moreover, the bandwidth required to communicate the receipt-free bids is huge. This paper presents a sealed-bid auction mechanism to resist bid-rigging. The proposed method does not assume an untappable channel, nor does it consider the authorities to be necessarily honest. The proposed mechanism also manages the bandwidth efficiently, and improves the performance of the system.

*21:17* [Pub][ePrint]
Two-sources Randomness Extractors for Elliptic Curves, by Abdoul Aziz Ciss
This paper studies the task of two-source randomness extractors for elliptic curves defined over finite fields $K$, where $K$ can be a prime or a binary field. In fact, we introduce new constructions of functions over elliptic curves which take as input two random points from two different subgroups. In other words, for a given elliptic curve $E$ defined over a finite field $\mathbb{F}_q$ and two random points $P \in \mathcal{P}$ and $Q \in \mathcal{Q}$, where $\mathcal{P}$ and $\mathcal{Q}$ are two subgroups of $E(\mathbb{F}_q)$, our function extracts the least significant bits of the abscissa of the point $P \oplus Q$ when $q$ is a large prime, and the $k$ first $\mathbb{F}_p$ coefficients of the abscissa of the point $P \oplus Q$ when $q = p^n$, where $p$ is a prime greater than $5$. We show that the extracted bits are close to uniform. Our construction extends some interesting randomness extractors for elliptic curves, namely those defined in \cite{op} and \cite{ciss1,ciss2}, when $\mathcal{P} = \mathcal{Q}$. The proposed constructions can be used in any cryptographic scheme which requires extraction of random bits from two sources over elliptic curves, namely in key exchange protocols, design of strong pseudo-random number generators, etc.
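
As an added illustration of the prime-field construction in this abstract (not code from the paper or its author), the following toy implements the extractor end to end: points $P$ and $Q$ are drawn from two subgroups of a curve over a small constructed prime field, added with the affine group law, and the $k$ least significant bits of the abscissa of $P \oplus Q$ are returned. The prime (97), curve coefficients and the way the two subgroups are chosen are assumptions for illustration only; the paper's uniformity bounds apply to cryptographic-size fields, and the `statistical_distance` helper merely measures the output bias of this toy exhaustively. When the point group happens to be cyclic of prime order, the helper falls back to $\mathcal{P} = \mathcal{Q}$, the single-source case the abstract says the construction extends.

```python
"""Toy two-source extractor over an elliptic curve (added example, not from the paper).

Requires Python 3.8+ for the modular inverse via pow(x, -1, p)."""
from collections import Counter

P_MOD = 97            # constructed small prime field F_97 (real use: cryptographic size)
A, B = 2, 3           # constructed curve y^2 = x^3 + 2x + 3; discriminant is nonzero mod 97
INF = None            # the point at infinity


def ec_add(P, Q):
    """Affine group law on y^2 = x^3 + A x + B over F_p (short Weierstrass form)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # Q = -P (also covers points of order 2)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def affine_points():
    """All affine points of the curve, found by brute force (fine for p = 97)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (y * y - x ** 3 - A * x - B) % P_MOD == 0]


def cyclic_subgroup(G):
    """Elements of the cyclic subgroup <G>, including the point at infinity."""
    elems, R = [INF], G
    while R is not INF:
        elems.append(R)
        R = ec_add(R, G)
    return elems


def two_subgroups():
    """Pick the subgroups P_sub and Q_sub (distinct when the group structure allows it)."""
    pts = affine_points()
    p_sub = cyclic_subgroup(pts[0])
    q_sub = p_sub                                    # fallback: P_sub = Q_sub (single-source case)
    for G in pts[1:]:
        cand = cyclic_subgroup(G)
        if set(cand) != set(p_sub):
            q_sub = cand
            break
    return p_sub, q_sub


def extract(P, Q, k):
    """k least significant bits of the abscissa of P + Q; None when P + Q is the point at infinity."""
    R = ec_add(P, Q)
    if R is INF:
        return None
    return R[0] & ((1 << k) - 1)


def statistical_distance(k, p_sub, q_sub):
    """Statistical distance between the extractor output over all (P, Q) pairs and uniform k-bit strings."""
    counts = Counter()
    for P in p_sub:
        for Q in q_sub:
            out = extract(P, Q, k)
            if out is not None:                      # the rare P + Q = INF pairs yield no output
                counts[out] += 1
    total = sum(counts.values())
    return 0.5 * sum(abs(counts[v] / total - 2 ** -k) for v in range(1 << k))


if __name__ == "__main__":
    p_sub, q_sub = two_subgroups()
    print("|P_sub| =", len(p_sub), "|Q_sub| =", len(q_sub))
    for k in (1, 2, 3):
        print("k =", k, "statistical distance from uniform:",
              round(statistical_distance(k, p_sub, q_sub), 4))
```

Running the module prints the subgroup sizes and the exhaustively measured bias for one, two and three extracted bits; on a curve this small the bias is visible, which is exactly why the paper's bounds are stated in terms of the field size and the subgroup sizes.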

*15:17* [Pub][ePrint]
AES-Based Authenticated Encryption Modes in Parallel High-Performance Software, by Andrey Bogdanov and Martin M. Lauridsen and Elmar Tischhauser
Authenticated encryption (AE) has recently gained renewed interest due to the ongoing CAESAR competition. This paper deals with the performance of block cipher modes of operation for AE in parallel software. We consider the example of the AES on Intel's new Haswell microarchitecture that has improved instructions for AES rounds and finite field multiplication. As opposed to most previous high-performance software implementations of operation modes -- that have considered the encryption of single messages -- we propose to process multiple messages in parallel. We demonstrate that this message scheduling is of significant advantage for most modes. As a baseline for longer messages, the performance of AES-CBC encryption on a single core increases by a factor of 6.8 when adopting this approach.

For the first time, we report optimized AES-NI implementations of the novel AE modes OTR, McOE-G, COBRA, and POET -- both with single and multiple messages. For almost all AE modes considered, we obtain a consistent speed-up when processing multiple messages in parallel. Notably, among the nonce-based modes, AES-CCM becomes faster by a factor of 3.5 and its performance is about 1.2 cpb, which is close to that of AES-GCM (the latter, however, possessing classes of weak keys), with AES-OCB3 still performing at only 0.69 cpb. Among the nonce-misuse resistant modes, AES-McOE-G receives a speed-up by a factor of 4 and its performance is about 1.44 cpb, which is faster than AES-COBRA with its 1.55 cpb but slower than AES-COPA with 1.29 cpb.