*13:17* [Pub][ePrint]
Arithmetic Addition over Boolean Masking - Towards First- and Second-Order Resistance in Hardware, by Tobias Schneider and Amir Moradi and Tim Güneysu
A common countermeasure to thwart side-channel analysis attacks is algorithmic masking. For this, algorithms that mix Boolean and arithmetic operations need to either apply two different masking schemes with secure conversions or use dedicated arithmetic units that can process Boolean masked values. Several proposals have been published that can realize these approaches securely and efficiently in software. But to the best of our knowledge, no hardware design exists that fulfills relevant properties such as efficiency and security at the same time. In this paper, we present two design strategies to realize a secure and efficient arithmetic adder for Boolean-masked values. First, we introduce an architecture based on the ripple-carry adder that targets low-cost applications. The second architecture is based on a pipelined Kogge-Stone adder and targets high-performance applications. In particular, all our implementations adopt the threshold implementation approach to improve their resistance against SCA attacks even in the presence of glitches. We evaluated the security of our designs practically against SCA using a non-specific statistical t-test. Based on our analysis, we show that our constructions not only achieve resistance against first- and (univariate) second-order attacks but also require fewer random bits per operation compared to any existing software-based approach.

*13:17* [Pub][ePrint]
An Alternative Approach to Non-black-box Simulation in Fully Concurrent Setting, by Susumu Kiyoshima
We give a new proof of the existence of public-coin concurrent zero-knowledge arguments for NP in the plain model under standard assumptions (the existence of one-to-one one-way functions and collision-resistant hash functions), which was originally proven by Goyal (STOC'13). In the proof, we use a new variant of the non-black-box simulation technique of Barak (FOCS'01). An important property of our simulation technique is that the simulator runs in a straight-line manner in the fully concurrent setting. Compared with the simulation technique of Goyal, which also has such a property, the analysis of our simulation technique is (arguably) simpler.

*23:18* [Job][New]
Assistant Professor, *Kyushu University, Fukuoka (Japan)*
The Institute of Mathematics for Industry at Kyushu University (Fukuoka, JAPAN) invites applications for ONE ASSISTANT PROFESSOR POSITION (`Jyokyo` in Japanese) beginning April 2015. Candidates in all areas of mathematical cryptography who are interested in applications of mathematics to, and collaboration with, industry will be considered. We are looking for candidates who possess a strong record of research achievements and expertise related to mathematical cryptography such as theory of cryptography, number theory, representation theory, computer algebra, quantum computation, graph theory, combinatorics, and so on. The selection will be based on the past achievements and/or the potential of the candidates to work in the area of mathematical cryptography. Kyushu University is one of the seven major national universities in Japan, located in Fukuoka in the western part of Japan. The Institute of Mathematics for Industry (http://www.imi.kyushu-u.ac.jp/eng) consists of approximately 25 members, who are active in various areas of pure and applied mathematics and also in collaboration with industry.

For full information about the position and the application procedure, visit the URL below.

*13:17* [Pub][ePrint]
Verified Proofs of Higher-Order Masking, by Gilles Barthe and Sonia Belaïd and François Dupressoir and Pierre-Alain Fouque and Benjamin Grégoire and Pierre-Yves Strub
In this paper, we study the problem of automatically verifying higher-order masking countermeasures. This problem is important in practice (weaknesses have been discovered in schemes that were thought secure), but is inherently exponential: for $t$-order masking, it involves proving that every subset of $t$ intermediate variables is distributed independently of the secrets. Some type systems have been proposed to help cryptographers check their proofs, but many of these approaches are insufficient for higher-order implementations. We propose a new method, based on program verification techniques, to check the independence of sets of intermediate variables from some secrets. Our new language-based characterization of the problem also allows us to design and implement several algorithms that greatly reduce the number of sets of variables that need to be considered to prove this independence property on *all* valid adversary observations. The result of these algorithms is either a proof of security or a set of observations on which the independence property cannot be proved. We focus on AES implementations to check the validity of our algorithms. We also confirm the tool's ability to give useful information when proofs fail, by rediscovering existing attacks and discovering new ones.
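As an added illustration of the property the abstract describes (every subset of $t$ intermediate variables must be distributed independently of the secrets), here is a brute-force checker over a toy two-share masked AND. This is example code, not the paper's tool or gadget; the `gadget` function, its variable names and the deliberately mis-ordered `bad` intermediate are assumptions made for the example.

```python
import itertools
from collections import Counter

# Secret input bits and the randomness used to mask them (example names).
SECRETS = ("a", "b")
RANDOMS = ("ra", "rb", "r")

def gadget(a, b, ra, rb, r):
    """Two-share masked AND in the ISW style (constructed toy gadget).
    Returns every intermediate variable a probing adversary could observe."""
    v = {}
    v["a0"], v["a1"] = a ^ ra, ra        # shares of a: a0 ^ a1 == a
    v["b0"], v["b1"] = b ^ rb, rb        # shares of b
    v["a0b0"] = v["a0"] & v["b0"]        # the four partial products
    v["a0b1"] = v["a0"] & v["b1"]
    v["a1b0"] = v["a1"] & v["b0"]
    v["a1b1"] = v["a1"] & v["b1"]
    v["r"] = r                           # fresh mask for the cross terms
    v["t1"] = r ^ v["a0b1"]              # refresh BEFORE combining cross terms
    v["t2"] = v["t1"] ^ v["a1b0"]
    v["c0"] = v["a0b0"] ^ r              # output shares: c0 ^ c1 == a & b
    v["c1"] = v["a1b1"] ^ v["t2"]
    # Deliberately wrong ordering: cross terms combined before the refresh.
    v["bad"] = v["a0b1"] ^ v["a1b0"]
    return v

def joint_distribution(names, secret_vals):
    """Distribution of the tuple `names` over all randomness, secrets fixed."""
    counts = Counter()
    for rnd in itertools.product((0, 1), repeat=len(RANDOMS)):
        v = gadget(*secret_vals, *rnd)
        counts[tuple(v[n] for n in names)] += 1
    return counts

def leaking_sets(t, exclude=()):
    """Every t-subset of intermediates whose joint distribution changes
    with the secrets, i.e. a t-th order observation that is not independent."""
    names = [n for n in gadget(0, 0, 0, 0, 0) if n not in exclude]
    leaks = []
    for subset in itertools.combinations(names, t):
        dists = set()
        for s in itertools.product((0, 1), repeat=len(SECRETS)):
            dists.add(frozenset(joint_distribution(subset, s).items()))
        if len(dists) > 1:               # distribution depends on the secret
            leaks.append(subset)
    return leaks

if __name__ == "__main__":
    print("first-order leaks:", leaking_sets(1))
    print("second-order leaks (bad removed):", leaking_sets(2, exclude=("bad",)))
```

Only `bad` fails at first order (it equals `a&rb ^ ra&b`, whose distribution depends on `a` and `b`), while at second order a two-share gadget necessarily fails, for example on the pair `(a0, a1)`; this is the exponential enumeration the abstract says its algorithms prune.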

*13:17* [Pub][ePrint]
More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries, by Gilad Asharov and Yehuda Lindell and Thomas Schneider and Michael Zohner
Oblivious transfer (OT) is one of the most fundamental primitives in cryptography and is widely used in protocols for secure two-party and multi-party computation. As secure computation becomes more practical, the need for practical large scale oblivious transfer protocols is becoming more evident. Oblivious transfer extensions are protocols that enable a relatively small number of "base-OTs" to be utilized to compute a very large number of OTs at low cost. In the semi-honest setting, Ishai et al. (CRYPTO 2003) presented an OT extension protocol for which the cost of each OT (beyond the base-OTs) is just a few hash function operations. In the malicious setting, Nielsen et al. (CRYPTO 2012) presented an efficient OT extension protocol for the setting of active adversaries that is secure in the random oracle model. In this work, we present an OT extension protocol for the setting of malicious adversaries that is more efficient and uses less communication than previous works. In addition, our protocol can be proven secure in both the random oracle model, and in the standard model with a type of correlation robustness. Given the importance of OT in many secure computation protocols, increasing the efficiency of OT extensions is another important step forward to making secure computation practical.