*15:17* [Pub][ePrint]
Conversions among Several Classes of Predicate Encryption and Their Applications, by Shota Yamada and Nuttapong Attrapadung and Goichiro Hanaoka
Predicate encryption is an advanced form of public-key encryption that yield high flexibility in terms of access control. In the literature, many predicate encryption schemes have been proposed such as fuzzy-IBE, KP-ABE, CP-ABE, (doubly) spatial encryption (DSE), and ABE for arithmetic span programs. In this paper, we study relations among them and show that some of them are in fact equivalent by giving conversions among them. More specifically, our main contributions are as follows: - We show that monotonic, small universe KP-ABE (CP-ABE) with bounds on the size of attribute sets and span programs (or linear secret sharing matrix) can be converted into DSE. Furthermore, we show that DSE implies non-monotonic CP-ABE (and KP-ABE) with the same bounds on parameters. This implies that monotonic/non-monotonic KP/CP-ABE (with the bounds) and DSE are all equivalent in the sense that one implies another.

- We also show that if we start from KP-ABE without bounds on the size of span programs (but bounds on the size of attribute sets), we can obtain ABE for arithmetic span programs. The other direction is also shown: ABE for arithmetic span programs can be converted into KP-ABE.These results imply, somewhat surprisingly, KP-ABE without bounds on span program sizes is in fact equivalent to ABE for arithmetic span programs, which was thought to be more expressive or at least incomparable.

By applying these conversions to existing schemes, we obtain many non-trivial consequences. We obtain the first non-monotonic, large universe CP-ABE (that supports span programs) with constant-size ciphertexts, the first ABE for arithmetic span programs with adaptive security, the first ciphertext-policy version of ABE for arithmetic span programs, the first KP-ABE with constant-size private keys, and even more.

We also obtain the first attribute-based signature scheme that supports non-monotone span programs and achieves constant-size signatures via our technique.

*15:17* [Pub][ePrint]
Non-Repudiable Provable Data Possession in Cloud Storage, by Hongyuan Wang and Liehuang Zhu and Yijia Lilong and Chang Xu
Provable data possession (PDP) and Proof of Retrievability (POR) are techniques for a client to verify whether an untrusted server (i.e. the cloud storage provider) possesses the original data entirely, and many PDP and POR schemes have been proposed to resolve above issue so far. But another question comes up: driven by profits, a malicious client may accuse an honest server and deny the correct verification in many circumstances. As far as we know, none of the existing private verification schemes that are not based on a third party has settled this matter.In this paper, we give a method to reform any private verification PDP/POR scheme into a non-repudiable PDP/POR scheme. And then we propose an instantiation, the first Non-repudiable PDP (NRPDP) scheme of private verification, which can provide mutual proof to protect both the client and server. Based on homomorphic verifiable tags and commitment function, our solution allows both the client and the server to prove themselves and verify the other side respectively. To achieve better performance, we improve the NRPDP scheme to obtain an E-NRPDP scheme, which can save the storage cost of the server and reduce the I/O costs to raise efficiency.

We prove the security of NRPDP scheme in the random oracle model, and implement a prototype based on our NRPDP scheme. Then we utilize big data as much as 10G to evaluate the performance in a realistic cloud platform. The experiments show our scheme can be executed efficiently as the original PDP/POR scheme and guarantee non-repudiation efficaciously. Our method is universal and practical, which means that it can be applied in any private PDP/POR schemes to guarantee non-repudiation.

*15:17* [Pub][ePrint]
A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT, by Wentao Zhang and. Zhenzhen Bao and. Vincent Rijmen and. Meicheng Liu
In this paper, we present a new classification of 4-bit optimal S-boxes. All optimal 4-bit S-boxes can be classified into 183 different categories, among which we specify 3 platinum categories. Under the design criteria of the PRESENT (or SPONGENT) S-box, there are 8064 different S-boxes up to adding constants before and after an S-box. The 8064 S-boxes belong to 3 different categories, we show that the S-box should be chosen from one out of the 3 categories or other categories for better resistance against linear cryptanalysis. Furthermore, we study in detail how the S-boxes in the 3 platinumcategories influence the security of PRESENT, RECTANGLE and SPONGENT88 against differential and linear cryptanalysis. Our results show that the S-box selection has a great influence on the security of the schemes. For block ciphers or hash functions with 4-bit S-boxes as confusion layers and bit permutations as diffusion layers, designers can extend the range of S-box selection to the 3 platinum categories and select their S-box very carefully. For PRESENT, RECTANGLE and SPONGENT88 respectively, we get a set of potentially best/better S-box candidates from the 3 platinum categories. These potentially best/better S-boxes can be further investigated to see if they can be used to improve the security-performance tradeoff of the 3 cryptographic algorithms.

*12:17* [Pub][ePrint]
Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol, by Philipp Jovanovic and Samuel Neves
This paper analyses the cryptography used in the Open Smart Grid Protocol(OSGP). The authenticated encryption (AE) scheme deployed by OSGP is a

non-standard composition of RC4 and a home-brewed MAC, the ``OMA digest\'\'.

We present several practical key-recovery attacks against the OMA digest. The

first and basic variant can achieve this with a mere $13$ queries to an OMA

digest oracle and negligible time complexity. A more sophisticated version

breaks the OMA digest with only $4$ queries and a time complexity of about

$2^{25}$ simple operations. A different approach only requires one arbitrary

valid plaintext-tag pair, and recovers the key in an average of $144$

\\emph{message verification} queries, or one ciphertext-tag pair and $168$

\\emph{ciphertext verification} queries.

Since the encryption key is derived from the key used by the OMA digest, our

attacks break both confidentiality and authenticity of OSGP.

*21:17* [Pub][ePrint]
Survey on Cryptographic Obfuscation, by Máté Horváth
The recent result of Garg et al. (FOCS 2013) changed the previously pessimistic attitude towards general purpose cryptographic obfuscation. Since their first candidate construction, several authors proposed newer and newer schemes with more persuasive security arguments and better efficiency. At the same time, indistinguishability obfuscation proved its extreme usefulness by becoming the basis of many solutions for long-standing open problems in cryptography e.g. functional or witness encryption and others.In this survey, we give an overview of recent research, focusing on the theoretical results on general purpose obfuscation, particularly, indistinguishability obfuscation.

*21:17* [Pub][ePrint]
On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes, by Mridul Nandi
It is well known that three and four rounds of balanced Feistel cipher or Luby-Rackoff (LR) encryption for two blocks messages are pseudorandom permutation (PRP) and strong pseudorandom permutation (SPRP) respectively. A {\\bf block} is $n$-bit long for some positive integer $n$ and a (possibly keyed) {\\bf block-function} is a nonlinear function mapping all blocks to themselves, e.g. blockcipher. XLS (eXtended Latin Square) with three blockcipher calls was claimed to be SPRP and later which is shown to be wrong. Motivating with these observations, we consider the following questions in this paper: {\\em What is the minimum number of invocations of block-functions required to achieve PRP or SPRP security over $\\ell$ blocks inputs}? To answer this question, we consider all those length-preserving encryption schemes, called {\\bf linear encryption mode}, for which only nonlinear operations are block-functions. Here, we prove the following results for these encryption schemes: (1) At least $2\\ell$ (or $2\\ell-1$) invocations of block-functions are required to achieve SPRP (or PRP respectively). These bounds are also tight.

(2) To achieve the above bound for PRP over $\\ell > 1$ blocks, either we need at least two keys or it can not be {\\em inverse-free} (i.e., need to apply the inverses of block-functions in the decryption). In particular, we show that a single-keyed block-function based, inverse-free PRP needs $2\\ell$ invocations.

(3) We show that 3-round LR using a single-keyed pseudorandom function (PRF) is PRP if we xor a block of input by a masking key.

*21:17* [Pub][ePrint]
STRIBOB / WHIRLBOB Security Analysis Addendum, by Markku-Juhani O. Saarinen
This memo collects references to published cryptanalytic resultswhich are directly relevant to the security evaluation of CAESAR first

round algorithm STRIBOB and its second round tweaked variant, WHIRLBOB.

During the first year after initial publication of STRIBOB and WHIRLBOB,

no cryptanalytic

breaks or other serious issues have emerged. The main difference in

the security between the two variants is that WHIRLBOB allows easier

creation of constant-time software implementations resistant to cache

timing attacks.

*21:17* [Pub][ePrint]
Order-Revealing Encryption and the Hardness of Private Learning, by Mark Bun and Mark Zhandry
An order-revealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use order-revealing encryption to separate computationally efficient PAC learning from efficient $(\\epsilon, \\delta)$-differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS \'08, SIAM J. Comput. \'11).To prove our result, we give a generic transformation from an order-revealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.