*16:17* [Pub][ePrint]
Statistical Properties of Multiplication mod $2^n$, by A. Mahmoodi Rishakani and S. M. Dehnavi and M. R. Mirzaee Shamsabad and Hamidreza Maimani and Einollah Pasha
In this paper, we investigate some statistical properties of multiplication mod $2^n$ for cryptographic use.For this purpose, we introduce a family of T-functions similar to modular multiplication, which we call

M-functions as vectorial Boolean functions. At first, we determine the joint probability distribution of

arbitrary number of the output of an M-function component bits. Then, we obtain the probability distribution

of the component Boolean functions of combination of a linear transformation with an M-function. After that,

using a new measure for computing the imbalance of maps, we show that the restriction of the output of an

M-function to its upper bits is asymptotically balanced.

*16:17* [Pub][ePrint]
Adaptively Secure Coin-Flipping, Revisited, by Shafi Goldwasser and Yael Tauman Kalai and Sunoo Park
The full-information model was introduced by Ben-Or and Linial in 1985 to study collective coin-flipping: the problem of generating a common bounded-bias bit in a network of $n$ players with $t=t(n)$ faults. They showed that the majority protocol, in which each player sends a random bit and the output is the majority of the players\' bits, can tolerate $t(n)=O (\\sqrt n)$ even in the presence of \\emph{adaptive} corruptions, and they conjectured that this is optimal for such adversaries. Lichtenstein, Linial, and Saks proved that the conjecture holds for protocols in which each player sends only a single bit. Their result has been the main progress on the conjecture during the last 30 years.In this work we revisit this question and ask: what about protocols where players can send longer messages? Can increased communication allow for a larger fraction of corrupt players?

We introduce a model of \\emph{strong adaptive} corruptions, in which an adversary sees all messages sent by honest parties in any given round and, based on the message content, decides whether to corrupt a party (and alter its message or sabotage its delivery) or not. This is in contrast to the (classical) adaptive adversary who can corrupt parties only based on past messages, and cannot alter messages already sent.

We prove that any one-round coin-flipping protocol, \\emph{regardless of message length}, can be secure against at most $\\widetilde{O}(\\sqrt n)$ strong adaptive corruptions. Thus, increased message length does not help in this setting.

We then shed light on the connection between adaptive and strongly adaptive adversaries, by proving that for any symmetric one-round coin-flipping protocol secure against $t$ adaptive corruptions, there is a symmetric one-round coin-flipping protocol secure against $t$ strongly adaptive corruptions. Going back to the standard adaptive model, we can now prove that any symmetric one-round protocol with arbitrarily long messages can tolerate at most $\\widetilde{O}(\\sqrt n)$ adaptive corruptions.

At the heart of our results there is a new technique for converting any one-round secure protocol with arbitrarily long messages into a secure one where each player sends only $\\polylog(n)$ bits. This technique may be of independent interest.

*16:17* [Pub][ePrint]
Achieving Side-Channel Protection with Dynamic Logic Reconfiguration on Modern FPGAs, by Pascal Sasdrich and Amir Moradi and Oliver Mischke and Tim Güneysu
Reconfigurability is a unique feature of modern FPGA devices to load hardware circuits just on demand. This also implies that a completely different set of circuits might operate at the exact same location of the FPGA at different time slots, making it difficult for an external observer or attacker to predict what will happen at what time.

In this work we present and evaluate a novel hardware implementation of the lightweight cipher PRESENT with built-in side-channel countermeasures based on dynamic logic reconfiguration. In our design we make use of Configurable Look-Up Tables (CFGLUT) integrated in modern Xilinx FPGAs to nearly instantaneously change hardware internals of our cipher implementation for improved resistance against side-channel attacks. We provide evidence from practical experiments based on a Spartan-6 platform that even with 10 million recorded power traces we were unable to detect a first-order leakage using the state-of-the-art leakage assessment.

*16:17* [Pub][ePrint]
Towards Key-Length Extension\\\\ with Optimal Security: Cascade Encryption and Xor-cascade Encryption, by Jooyoung Lee and Martijn Stam
This paper discusses provable security of two types of cascade encryptions. The first construction $\\CE^l$, called $l$-cascade encryption, is obtained by sequentially composing $l$ blockcipher calls with independent keys. The security of $\\CE^l$ has been a longstanding open problem until Ga\\v{z}i and Maurer~\\cite{GM09} proved its security up to $2^{\\ka+\\min\\{\\frac{n}{2},\\ka\\}}$ query complexity for large cascading length, where $\\ka$ and $n$ denote the key size and the block size of the underlying blockcipher, respectively. We improve this limit by proving the security of $\\CE^l$ up to $2^{\\ka+\\min\\left\\{\\ka,n\\right\\}-\\frac{16}{l}\\left(\\frac{n}{2}+2\\right)}$ query complexity: this bound approaches $2^{\\ka+\\min\\left\\{\\ka,n\\right\\}}$ with increasing cascade length $l$. The second construction $\\XCE^l$ is a natural cascade version of the DESX scheme with intermediate keys xored between blockcipher calls. This can also be viewed as an extension of double XOR-cascade proposed by Ga\\v{z}i and Tessaro~\\cite{GT12}. We prove that $\\XCE^l$ is secure up to $2^{\\ka+n-\\frac{8}{l}\\left(\\frac{n}{2}+2\\right)}$ query complexity. As cascade length $l$ increases, this bound approaches $2^{\\ka+n}$.

In the ideal cipher model, one can obtain all the evaluations of the underlying blockcipher by making $2^{\\ka+n}$ queries, so the $(\\ka+n)$-bit security becomes the maximum that key-length extension based on a single $\\ka$-bit key $n$-bit blockcipher is able to achieve. Cascade encryptions $\\CE^l$~(with $n\\leq\\ka$) and $\\XCE^l$ provide almost optimal security with large cascade length.

*16:17* [Pub][ePrint]
Efficient and Secure Delegation of Group Exponentiation to a Single Server, by Bren Cavallo and Giovanni Di Crescenzo and Delaram Kahrobaei and Vladimir Shpilrain
We consider the problem of delegating computation of group operations from a computationally weaker client holding an input and a description of a function, to a {\\em single} computationally stronger server holding a description of the same function. Solutions need to satisfy natural correctness, security, privacy and efficiency requirements. We obtain delegated computation protocols for the following functions, defined for an {\\em arbitrary} commutative group:\\begin{enumerate}

\\item Group inverses, with security and privacy holding against any computationally unrestricted malicious server.

\\item Group exponentiation, with security and privacy holding against any computationally unrestricted ``partially honest\" server.

\\item Group exponentiation, with security and privacy holding against any polynomial-time malicious server, under a pseudorandom generation assumption, and security holding with constant probability.

\\end{enumerate}

*16:17* [Pub][ePrint]
Towards Secure Distance Bounding, by Ioana Boureanu, Aikaterini Mitrokotsa and Serge Vaudenay
Relay attacks (and, more generally, man-in-the-middle attacks) are a serious threat against many access control and payment schemes.In this work, we present distance-bounding protocols, how these can deter relay attacks, and the security models formalizing these protocols. We show several pitfalls making existing protocols insecure (or at least, vulnerable, in some cases). Then, we introduce the SKI protocol which enjoys resistance to all popular attack-models and features provable security. As far as we know, this is the first protocol with such all-encompassing security guarantees.

*16:17* [Pub][ePrint]
Secure and Efficient Initialization and Authentication Protocols for SHIELD, by Chenglu Jin and Marten van Dijk
With the globalization of semiconductor production, out-sourcing IC fabrication has become a trend in various aspects. This, however, introduces serious threats from the entire untrusted supply chain. To combat these threats, DARPA (Defense Advanced Research Projects Agency) proposed the SHIELD (Supply Chain Hardware Integrity for Electronics Defense) program to design a secure hardware root-of-trust, called dielet, to be inserted into the host package of legitimately produced ICs. Dielets are RF powered and communicate with the outside world through their RF antennas. They have sensors which allow them to passively (without the need for power) record malicious events which can later be read out during an authentication protocol between the dielet and server with a smartphone as intermediary.In this paper, we propose to use AES counter mode encryption (as opposed to DARPA\'s suggested plain AES encryption) as a basis for the authentication process. We show that this leads to several advantages: (1) resistance to a ``try-and-check\'\' attack which in case of DARPA\'s authentication protocol nullifies the effectiveness of one of SHIELD\'s main goals (that of being able to detect and trace adversarial activities with significant probability), (2) immunity against differential power analysis and differential fault analysis for free, (3) a 2$\\times$ speed up of the authentication phase by halving the the number of communication rounds with the server, and (4) a significant reduction of the power consumption of the dielet by halving the number of needed AES encryptions and by a 4$\\times$ reduction of the number of transmitted bits.

Each dielet needs to go through an initialization phase during which the manufacturer sets a serial ID and cryptographic key.

%Fusing this information one dielet at a time (while they are still on the wafer) takes a significant amount of time ($\\approx$7 minutes).

In this paper we propose the first efficient and secure initialization protocol where dielets generate their own serial ID and key by using a true random number generator (TRNG). Finally, the area overhead of our authentication and initialization protocols is only 64-bit NVM, one 8-bit counter and a TRNG based on a single SRAM-cell together with corresponding control logic.