*13:17* [Pub][ePrint]
Making Masking Security Proofs Concrete Or How to Evaluate the Security of any Leaking Device, by Alexandre Duc and Sebastian Faust and Fran\\c{c}ois-Xavier Standaert
We investigate the relationships between theoretical studies of leaking cryptographic devices and concrete security evaluations with standard side-channel attacks. Our contributions are in four parts.First, we connect the formal analysis of the masking countermeasure proposed by Duc et al. (Eurocrypt 2014) with the Eurocrypt 2009 evaluation framework for side-channel key recovery attacks. In particular, we re-state their main proof for the masking countermeasure based on a mutual information metric, which is frequently used in concrete physical security evaluations.

Second, we discuss the tightness of the Eurocrypt 2014 bounds based on experimental case studies. This allows us to conjecture a simplified link between the mutual information metric and the success rate of a side-channel adversary, ignoring technical parameters and proof artifacts.

Third, we introduce heuristic (yet well-motivated) tools for the evaluation of the masking countermeasure when its independent leakage assumption is not perfectly fulfilled, as it is frequently encountered in practice.

Thanks to these tools, we argue that masking with non-independent leakages may provide improved security levels in certain scenarios. Eventually, we consider the tradeoff between measurement complexity and key enumeration in divide-and-conquer side-channel attacks, and show that it can be predicted based on the mutual information metric, by solving a non-linear integer programming problem for which efficient solutions exist.

The combination of these observations enables significant reductions of the evaluation costs for certification bodies.

*13:17* [Pub][ePrint]
Reconfigurable LUT: Boon or Bane for Secure Applications, by Debapriya Basu Roy and Shivam Bhasin and Sylvain Guilley and Jean-Luc Danger and Debdeep Mukhopadhyay
Modern FPGAs offer various new features for enhanced re-configurability and better performance. One of such featureis a dynamically Re-configurable LUT (RLUT) whose content can be updated internally, even during run-time. There

are many scenarios like pattern matching where this feature

has been shown to enhance performance of the system. In

this paper, we study RLUT in the context of secure applications. Next, we design several case-studies to apply this feature on security critical scenarios. These case-studies vary

from destructive scenarios like stealthy hardware Trojans to

constructive scenarios like implementation of secret ciphers

with custom Sboxes and masking countermeasure.

*13:17* [Pub][ePrint]
Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting, by Dennis Hofheinz and Jessica Koch and Christoph Striecks
We construct an identity-based encryption (IBE) scheme that is tightly secure in a very strong sense. Specifically, we consider a setting with many instances of the scheme and many encryptions per instance. In this setting, we reduce the security of our scheme to a variant of a simple assumption used for a similar purpose by Chen and Wee (Crypto 2013). The security loss of our reduction is O(k) (where k is the security parameter). Our scheme is the first IBE scheme to achieve this strong flavor of tightness under a simple assumption.Technically, our scheme is a variation of the IBE scheme by Chen and Wee. However, in order to \"lift\" their results to the multi-instance, multi-ciphertext case, we need to develop new ideas. In particular, while we build on (and extend) their high-level proof strategy, we deviate significantly in the low-level proof steps.

*13:17* [Pub][ePrint]
GliFreD: Glitch-Free Duplication - Towards Power-Equalized Circuits on FPGAs, by Alexander Wild and Amir Moradi and Tim Güneysu
Designers of secure hardware are required to harden their implementations against physical threats, such as power analysis attacks. In particular, cryptographic hardware circuits are required to decorrelate their current consumption from the information inferred by processing (secret) data. A common technique to achieve this goal is the use of special logic styles that aim at equalizing the current consumption at each single processing step. However, since all hiding techniques like Dual-Rail Precharge (DRP) were originally developed for ASICs, the deployment of such countermeasures on FPGA devices with fixed and predefined logic structure poses a particular challenge.In this work, we propose and practically evaluate a new DRP scheme (GliFreD) that has been exclusively designed for FPGA platforms. GliFreD overcomes the well-known early propagation issue, prevents glitches, uses an isolated dual-rail concept, and mitigates imbalanced routings. With all these features, GliFreD significantly exceeds the level of physical security achieved by any previously reported, related countermeasures for FPGAs.

*13:17* [Pub][ePrint]
Perfect Structure on the Edge of Chaos, by Nir Bitansky and Omer Paneth and Daniel Wichs
We construct trapdoor permutations based on (sub-exponential) indistinguishability obfuscation and one-way functions, thereby providing the first candidate that is not based on the hardness of factoring.Our construction shows that even highly structured primitives, such as trapdoor permutations, can be potentially based on hardness assumptions with noisy structures such as those used in candidate constructions of indistinguishability obfuscation. It also suggest a possible way to construct trapdoor permutations that resist quantum attacks, and that their hardness may be based on problems outside the complexity class SZK - indeed, while factoring-based candidates do not possess such security, future constructions of indistinguishability obfuscation might.

As a corollary, we eliminate the need to assume trapdoor permutations and injective one-way function in many recent constructions based on indistinguishability obfuscation.

*13:17* [Pub][ePrint]
Block-wise Non-Malleable Codes, by Nishanth Chandran and Vipul Goyal and Pratyay Mukherjee and Omkant Pandey and Jalaj Upadhyay
Non-malleable codes, introduced by Dziembowski, Pietrzak, and Wichs (ICS \'10), provide the guarantee that if a codeword $c$ of a message $m$, is modified by a tampering function $f$ to $c\'$, then $c\'$ either decodes to $m$ or to ``something unrelated\" to $m$. It is known that non-malleable codes cannot exist for the class of all tampering functions and hence a lot of work has focused on explicitly constructing such codes against a large and natural class of tampering functions. One such popular, but restricted, class is the so-called \\emph{split-state} model in which the tampering function operates on different parts of the codeword \\emph{independently}.In this work, we remove the above restriction by considering a stronger adversarial model that we call the {\\em block-wise tampering} model. In this model, the adversary can tamper every block of the codeword, with the only restriction being that he can tamper every block at most once. As an example, if a codeword $c = (c_1,c_2)$, then the first tampering function $f_1$ could produce a tampered part $c_1\'=f_1(c_1)$ and the second tampering function $f_2$ could produce $c_2\' = f_2(c_1,c_2)$ which can depend on {\\em both} $c_2$ and $c_1$. An example is when the blocks are being sent one by one and the adversary must temper and send the first block before the second block comes along.

- Surprisingly, defining non-malleability in the block-wise tampering model is challenging. Our first contribution is that of providing a relaxed, yet meaningful definition of non-malleability for this model. Unfortunately, we show, that even this notion is impossible to achieve in the information-theoretic setting (i.e., when the tampering functions can be unbounded) and we must turn our attention towards computationally bounded adversaries.

- Next, we provide an interesting connection between block-wise non-malleable codes and non-malleable commitments. We show that any block-wise non-malleable code can be converted into a non-malleable (wrt opening) commitment. In the other direction, we show that any non-interactive non-malleable (wrt opening) commitment can be used to construct a block-wise non-malleable code (with $2$ blocks).

- While the above transformation gives us a construction of a block-wise non-malleable code, it is based on the highly non-standard assumption of adaptive one-way functions (which can only be realized based on assumptions such as Oracle DDH). As our main result, we show, how to construct a block-wise non-malleable code from any sub-exponentially hard one-way permutations. Our techniques, quite surprisingly, also give rise to a non-malleable commitment scheme (secure against so-called synchronizing adversaries), in which {\\em only} the committer sends messages. We believe this result to be of independent interest.