
Page 1: Lecture Notes in Computer Science 8269978-3-642-42033...Lecture Notes in Computer Science 8269 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris

Lecture Notes in Computer Science 8269
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board

David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Kazue Sako, Palash Sarkar (Eds.)

Advances in Cryptology – ASIACRYPT 2013

19th International Conference on the Theory and Application of Cryptology and Information Security
Bengaluru, India, December 1-5, 2013
Proceedings, Part I

Volume Editors

Kazue Sako, NEC Corporation, Kawasaki, Japan

Palash Sarkar, Indian Statistical Institute, Kolkata, India

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-42032-0, e-ISBN 978-3-642-42033-7
DOI 10.1007/978-3-642-42033-7
Springer Heidelberg New York Dordrecht London

CR Subject Classification (1998): E.3, D.4.6, F.2, K.6.5, G.2, I.1, J.1

LNCS Sublibrary: SL 4 – Security and Cryptology

© International Association for Cryptologic Research 2013

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)


Preface

It is our great pleasure to present the proceedings of Asiacrypt 2013 in two volumes of Lecture Notes in Computer Science published by Springer. This was the 19th edition of the International Conference on Theory and Application of Cryptology and Information Security held annually in Asia by the International Association for Cryptologic Research (IACR). The conference was organized by IACR in cooperation with the Cryptology Research Society of India and was held in the city of Bengaluru in India during December 1–5, 2013.

About one year prior to the conference, an international Program Committee (PC) of 46 scientists assumed the responsibility of determining the scientific content of the conference. The conference evoked an enthusiastic response from researchers and scientists. A total of 269 papers were submitted for possible presentations approximately six months before the conference. Authors of the submitted papers are spread all over the world. PC members were allowed to submit papers, but each PC member could submit at most two co-authored papers or at most one single-authored paper. The PC co-chairs did not submit any paper. All the submissions were screened by the PC and 54 papers were finally selected for presentations at the conference. These proceedings contain the revised versions of the papers that were selected. The revisions were not checked and the responsibility of the papers rests with the authors and not the PC members.

Selection of papers for presentation was made through a double-blind review process. Each paper was assigned three reviewers and submissions by PC members were assigned six reviewers. Apart from the PC members, 291 external reviewers were involved. The total number of reviews for all the papers was more than 900. In addition to the reviews, the selection process involved an extensive discussion phase. This phase allowed PC members to express opinion on all the submissions. The final selection of 54 papers was the result of this extensive and rigorous selection procedure. One of the final papers resulted from the merging of two submissions.

The best paper award was conferred upon the paper “Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces” authored by Charanjit Jutla and Arnab Roy. The decision was based on a vote among the PC members. In addition to the best paper, the authors of two other papers, namely, “Families of Fast Elliptic Curves from Q-Curves” authored by Benjamin Smith and “Key Recovery Attacks on 3-Round Even-Mansour, 8-Step LED-128, and Full AES2” authored by Itai Dinur, Orr Dunkelman, Nathan Keller and Adi Shamir, were recommended by the Editor-in-Chief of the Journal of Cryptology to submit expanded versions to the journal.

A highlight of the conference was the invited talks. An extensive multi-round discussion was carried out by the PC to decide on the invited speakers. This resulted in very interesting talks on two different aspects of the subject. Lars Ramkilde Knudsen spoke on “Block Ciphers — Past and Present,” a topic of classical and continuing importance, while George Danezis spoke on “Engineering Privacy-Friendly Computations,” which is an important and a more modern theme.

Apart from the regular presentations and the invited talks, a rump session was organized on one of the evenings. This consisted of very short presentations on upcoming research results, announcements of future events, and other topics of interest to the audience.

We would like to thank the authors of all papers for submitting their research works to the conference. Such interest over the years has ensured that the Asiacrypt conference series remains a cherished venue of publication by scientists. Thanks are due to the PC members for their enthusiastic and continued participation for over a year in different aspects of selecting the technical program. External reviewers contributed by providing timely reviews and thanks are due to them. A list of external reviewers is provided in these proceedings. We have tried to ensure that the list is complete. Any omission is inadvertent and if there is an omission, we apologize to the person concerned.

Special thanks are due to Satyanarayana V. Lokam, the general chair of the conference. His message to the PC was to select the best possible scientific program without any other considerations. Further, he ensured that the PC co-chairs were insulated from the organizational work. This work was done by the Organizing Committee and they deserve thanks from all the participants for the wonderful experience. We thank Daniel J. Bernstein and Tanja Lange for expertly organizing and conducting the rump session.

The reviews and discussions were entirely carried out online using a software developed by Shai Halevi. At several times, we had to ask Shai for his help with some feature or the other of the software. Every time, we received immediate and helpful responses. We thank him for his support and also for developing the software. We also thank Josh Benaloh, who was our IACR liaison, for guidance on several issues. Springer published the volumes and made these available before the conference. We thank Alfred Hofmann and Anna Kramer and their team for their professional and efficient handling of the production process.

Last, but not the least, we thank Microsoft Research; Google; Indian Statistical Institute, Kolkata; and National Mathematics Initiative, Indian Institute of Science, Bengaluru; for being generous sponsors of the conference.

December 2013

Kazue Sako
Palash Sarkar

Asiacrypt 2013

The 19th Annual International Conference on Theory and Application of Cryptology and Information Security

Sponsored by the International Association for Cryptologic Research (IACR)

December 1–5, 2013, Bengaluru, India

General Chair

Satyanarayana V. Lokam, Microsoft Research, India

Program Co-chairs

Kazue Sako, NEC Corporation, Japan
Palash Sarkar, Indian Statistical Institute, India

Program Committee

Michel Abdalla, École Normale Supérieure, France
Colin Boyd, Queensland University of Technology, Australia
Anne Canteaut, Inria Paris-Rocquencourt, France
Sanjit Chatterjee, Indian Institute of Science, India
Jung Hee Cheon, Seoul National University, Korea
Sherman S.M. Chow, Chinese University of Hong Kong, SAR China
Orr Dunkelman, University of Haifa, Israel
Pierrick Gaudry, CNRS Nancy, France
Rosario Gennaro, City College of New York, USA
Guang Gong, University of Waterloo, Canada
Vipul Goyal, Microsoft Research, India
Eike Kiltz, University of Bochum, Germany
Tetsu Iwata, Nagoya University, Japan
Tanja Lange, Technische Universiteit Eindhoven, The Netherlands
Dong Hoon Lee, Korea University, Korea
Allison Lewko, Columbia University, USA
Benoît Libert, Technicolor, France
Dongdai Lin, Chinese Academy of Sciences, China
Anna Lysyanskaya, Brown University, USA
Subhamoy Maitra, Indian Statistical Institute, India
Willi Meier, University of Applied Sciences, Switzerland
Phong Nguyen, Inria, France and Tsinghua University, China
Kaisa Nyberg, Aalto University, Finland
Satoshi Obana, Hosei University, Japan
Kenny Paterson, Royal Holloway, University of London, UK
Krzysztof Pietrzak, Institute of Science and Technology, Austria
David Pointcheval, École Normale Supérieure, France
Manoj Prabhakaran, University of Illinois at Urbana-Champaign, USA
Vincent Rijmen, KU Leuven, Belgium
Rei Safavi-Naini, University of Calgary, Canada
Yu Sasaki, NTT, Japan
Nicolas Sendrier, Inria Paris-Rocquencourt, France
Peter Schwabe, Radboud University Nijmegen, The Netherlands
Thomas Shrimpton, Portland State University, USA
Nigel Smart, University of Bristol, UK
François-Xavier Standaert, Université catholique de Louvain, Belgium
Damien Stehlé, École Normale Supérieure de Lyon, France
Willy Susilo, University of Wollongong, Australia
Tsuyoshi Takagi, Kyushu University, Japan
Vinod Vaikuntanathan, University of Toronto, Canada
Frederik Vercauteren, KU Leuven, Belgium
Xiaoyun Wang, Tsinghua University, China
Hoeteck Wee, George Washington University, USA and École Normale Supérieure, France
Hongjun Wu, Nanyang Technological University, Singapore

External Reviewers

Carlos Aguilar-Melchor
Masayuki Abe
Gergely Ács
Shashank Agrawal
Ahmad Ahmadi
Hadi Ahmadi
Mohsen Alimomeni
Joel Alwen
Prabhanjan Ananth
Gilad Asharov
Tomer Ashur
Giuseppe Ateniese
Man Ho Au
Jean-Philippe Aumasson
Pablo Azar
Foteini Baldimtsi
Subhadeep Banik
Paulo Barreto
Rishiraj Batacharrya
Lejla Batina
Anja Becker
Mihir Bellare
Fabrice Benhamouda
Debajyoti Bera
Daniel J. Bernstein
Rishiraj Bhattacharyya
Gaëtan Bisson
Olivier Blazy
Céline Blondeau
Andrey Bogdanov
Alexandra Boldyreva
Joppe W. Bos
Charles Bouillaguet
Christina Boura
Elette Boyle
Fabian van den Broek
Billy Bob Brumley
Christina Brzuska
Angelo De Caro
Dario Catalano
André Chailloux
Melissa Chase
Anupam Chattopadhyay
Chi Chen
Jie Chen
Jing Chen
Yu Chen
Céline Chevalier
Ashish Choudhary
HeeWon Chung
Kai-Min Chung
Deepak Kumar Dalai
M. Prem Laxman Das
Gareth Davies
Yi Deng
Maria Dubovitskaya
François Durvaux
Barış Ege
Nicolas Estibals
Xinxin Fan
Pooya Farshim
Sebastian Faust
Nelly Fazio
Serge Fehr
Dario Fiore
Marc Fischlin
Georg Fuchsbauer
Eichiro Fujisaki
Jun Furukawa
Philippe Gaborit
Tommaso Gagliardoni
Martin Gagné
Steven Galbraith
David Galindo
Nicolas Gama
Sanjam Garg
Luboš Gašpar
Peter Gaži
Ran Gelles
Essam Ghadafi
Choudary Gorantla
Sergey Gorbunov
Dov S. Gordon
Louis Goubin
Matthew Green
Vincent Grosso
Jens Groth
Tim Güneysu
Fuchun Guo
Jian Guo
Divya Gupta
Sourav Sen Gupta
Benoît Gérard
Dong-Guk Han
Jinguang Han
Carmit Hazay
Nadia Heninger
Jens Hermans
Florian Hess
Shoichi Hirose
Viet Tung Hoang
Jaap-Henk Hoepmann
Dennis Hofheinz
Hyunsook Hong
Jin Hong
Qiong Huang
Tao Huang
Yan Huang
Fei Huo
Michael Hutter
Jung Yeon Hwang
Takanori Isobe
Mitsugu Iwamoto
Abhishek Jain
Stanisław Jarecki
Mahavir Jhawar
Shoaquan Jiang
Ari Juels
Marc Kaplan
Koray Karabina
Aniket Kate
Jonathan Katz
Liam Keliher
Stéphanie Kerckhof
Hyoseung Kim
Kitak Kim
Minkyu Kim
Sungwook Kim
Taechan Kim
Yuichi Komano
Takeshi Koshiba
Anna Krasnova
Fabien Laguillaumie
Russell W.F. Lai
Adeline Langlois
Jooyoung Lee
Kwangsu Lee
Moon Sung Lee
Younho Lee
Tancrède Lepoint
Gaëtan Leurent
Anthony Leverrier
Huijia Rachel Lin
Feng-Hao Liu
Zhenhua Liu
Zongbin Liu
Adriana López-Alt
Atul Luykx
Vadim Lyubashevsky
Arpita Maitra
Hemanta Maji
Cuauhtémoc Mancillas-López
Kalikinkar Mandal
Takahiro Matsuda
Alexander May
Sarah Meiklejohn
Florian Mendel
Alfred Menezes
Kazuhiko Minematsu
Marine Minier
Rafael Misoczki
Amir Moradi
Tal Moran
Kirill Morozov
Pratyay Mukherjee
Yusuke Naito
María Naya-Plasencia
Gregory Neven
Khoa Nguyen
Antonio Nicolosi
Ivica Nikolić
Ryo Nishimaki
Ryo Nojima
Adam O’Neill
Cristina Onete
Elisabeth Oswald
Ilya Ozerov
Omkant Pandey
Tapas Pandit
Jong Hwan Park
Seunghwan Park
Michał Parusiński
Valerio Pastro
Arpita Patra
Goutam Paul
Roel Peeters
Christopher Peikert
Milinda Perera
Ludovic Perret
Thomas Peters
Christophe Petit
Duong Hieu Phan
Bertram Poettering
Joop van de Pol
Gordon Proctor
Emmanuel Prouff
Elizabeth Quaglia
Somindu C Ramanna
Mariana Raykova
Christian Rechberger
Francesco Regazzoni
Oscar Reparaz
Reza Reyhanitabar
Thomas Ristenpart
Damien Robert
Thomas Roche
Mike Rosulek
Sujoy Sinha Roy
Sushmita Ruj
Carla Ràfols
Santanu Sarkar
Michael Schneider
Dominique Schröder
Jacob Schuldt
Jae Hong Seo
Minjae Seo
Yannick Seurin
Hakan Seyalioglu
Setareh Sharifian
Abhi Shelat
Dale Sibborn
Dimitris E. Simos
Dave Singelée
William E. Skeith III
Boris Škorić
Adam Smith
Ben Smith
Hadi Soleimany
Katherine Stange
Douglas Stebila
John Steinberger
Ron Steinfeld
Mario Strefler
Donald Sun
Koutarou Suzuki
Yin Tan
Ying-Kai Tang
Sidharth Telang
Isamu Teranishi
R. Seth Terashima
Stefano Tessaro
Susan Thomson
Emmanuel Thomé
Gilles Van Assche
Konstantinos Vamvourellis
Alex Vardy
K. Venkata
Damien Vergnaud
Nicolas Veyrat-Charvillon
Gilles Villard
Ivan Visconti
Huaxiong Wang
Lei Wang
Meiqin Wang
Peng Wang
Pengwei Wang
Wenhao Wang
Gaven Watson
Carolyn Whitnall
Daniel Wichs
Michael J. Wiener
Shuang Wu
Teng Wu
Keita Xagawa
Haixia Xu
Rui Xue
Bohan Yang
Guomin Yang
Kan Yasuda
Takanori Yasuda
Kazuki Yoneyama
Hongbo Yu
Tsz Hon Yuen
Dae Hyun Yum
Aaram Yun
Hui Zhang
Liang Feng Zhang
Liting Zhang
Mingwu Zhang
Rui Zhang
Tao Zhang
Wentao Zhang
Zongyang Zhang
Colin Jia Zheng
Xifan Zheng
Hong-Sheng Zhou
Yongbin Zhou
Bo Zhu
Youwen Zhu
Vassilis Zikas
Paul Zimmermann

Organizing Committee

Raghav Bhaskar, Microsoft Research India, Bengaluru
Vipul Goyal, Microsoft Research India, Bengaluru
Neeraj Kayal, Microsoft Research India, Bengaluru
Satyanarayana V. Lokam, Microsoft Research India, Bengaluru
C. Pandurangan, Indian Institute of Technology, Chennai
Govindan Rangarajan, Indian Institute of Science, Bengaluru

Sponsors

Microsoft Research
Google
Indian Statistical Institute, Kolkata
National Mathematics Initiative, Indian Institute of Science, Bengaluru

Invited Talks

Block Ciphers – Past and Present

Lars Ramkilde Knudsen

DTU Compute, Denmark

Abstract. In the 1980s researchers were trying to understand the design of the DES, and breaking it seemed impossible. Other block ciphers were proposed, and cryptanalysis of block ciphers got interesting. The area took off in the 1990s where it exploded with the appearance of differential and linear cryptanalysis and the many variants thereof which appeared in the time after. In the 2000s AES became a standard and it was constructed specifically to resist the general attacks and the area of (traditional) block cipher cryptanalysis seemed saturated... Much of the progress in cryptanalysis of the AES since then has come from side-channel attacks and related-key attacks.

Still today, for most block cipher applications the AES is a good and popular choice. However, the AES is perhaps not particularly well suited for extremely constrained environments such as RFID tags. Therefore, one trend in block cipher design has been to come up with ultra-lightweight block ciphers with good security and hardware efficiency. I was involved in the design of the ciphers Present (from CHES 2007), PrintCipher (presented at CHES 2010) and PRINCE (from Asiacrypt 2012). Another trend in block cipher design has been to try to increase the efficiency by making certain components part of the secret key, e.g., to be able to reduce the number of rounds of a cipher.

In this talk, I will review these results.

Engineering Privacy-Friendly Computations

George Danezis (1,2)

1 University College London
2 Microsoft Research, Cambridge

Abstract. In the past few years tremendous cryptographic progress has been made in relation to primitives for privacy-friendly computations. These include celebrated results around fully homomorphic encryption, faster somewhat homomorphic encryption, and ways to leverage them to support more efficient secret-sharing based secure multi-party computations. Similar breakthroughs in verifiable computation, and succinct arguments of knowledge, make it practical to verify complex computations, as part of privacy-preserving client side program execution. Besides computations themselves, notions like differential privacy attempt to capture the essence of what it means for computations to leak little personal information, and have been mapped to existing data query languages.

So, is the problem of computation on private data solved, or just about to be solved? In this talk, I argue that the models of generic computation supported by cryptographic primitives are complete, but rather removed from what a typical engineer or data analyst expects. Furthermore, the use of these cryptographic technologies imposes constraints that require fundamental changes in the engineering of computing systems. While those challenges are not obviously cryptographic in nature, they are nevertheless hard to overcome, have serious performance implications, and errors open avenues for attack.

Throughout the talk I use examples from our own work relating to privacy-friendly computations within smart grid and smart metering deployments for private billing, privacy-friendly aggregation, statistics and fraud detection. These experiences have guided the design of ZQL, a cryptographic language and compiler for zero-knowledge proofs, as well as more recent tools that compile using secret-sharing based primitives.

Table of Contents – Part I

Zero-Knowledge

Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces (p. 1)
Charanjit S. Jutla and Arnab Roy

Constant-Round Concurrent Zero Knowledge in the Bounded Player Model (p. 21)
Vipul Goyal, Abhishek Jain, Rafail Ostrovsky, Silas Richelson, and Ivan Visconti

Succinct Non-Interactive Zero Knowledge Arguments from Span Programs and Linear Error-Correcting Codes (p. 41)
Helger Lipmaa

Algebraic Cryptography

Families of Fast Elliptic Curves from Q-curves (p. 61)
Benjamin Smith

Four-Dimensional GLV via the Weil Restriction (p. 79)
Aurore Guillevic and Sorina Ionica

Discrete Gaussian Leftover Hash Lemma over Infinite Domains (p. 97)
Shweta Agrawal, Craig Gentry, Shai Halevi, and Amit Sahai

New Insight into the Isomorphism of Polynomial Problem IP1S and Its Use in Cryptography (p. 117)
Gilles Macario-Rat, Jérôme Plut, and Henri Gilbert

Theoretical Cryptography-I

Constructing Confidential Channels from Authenticated Channels—Public-Key Encryption Revisited (p. 134)
Sandro Coretti, Ueli Maurer, and Björn Tackmann

Reset Indifferentiability and Its Consequences (p. 154)
Paul Baecher, Christina Brzuska, and Arno Mittelbach

Computational Fuzzy Extractors (p. 174)
Benjamin Fuller, Xianrui Meng, and Leonid Reyzin

Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization (p. 194)
Joseph M. Renes, Renato Renner, and David Sutter

Protocols

SPHF-Friendly Non-interactive Commitments (p. 214)
Michel Abdalla, Fabrice Benhamouda, Olivier Blazy, Céline Chevalier, and David Pointcheval

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency (p. 235)
Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park, and Moti Yung

Function-Private Subspace-Membership Encryption and Its Applications (p. 255)
Dan Boneh, Ananth Raghunathan, and Gil Segev

Random Projections, Graph Sparsification, and Differential Privacy (p. 276)
Jalaj Upadhyay

Theoretical Cryptography-II

Notions of Black-Box Reductions, Revisited (p. 296)
Paul Baecher, Christina Brzuska, and Marc Fischlin

Adaptive and Concurrent Secure Computation from New Adaptive, Non-malleable Commitments (p. 316)
Dana Dachman-Soled, Tal Malkin, Mariana Raykova, and Muthuramakrishnan Venkitasubramaniam

Symmetric Key Cryptanalysis

Key Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES2 (p. 337)
Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir

Key Difference Invariant Bias in Block Ciphers (p. 357)
Andrey Bogdanov, Christina Boura, Vincent Rijmen, Meiqin Wang, Long Wen, and Jingyuan Zhao

Leaked-State-Forgery Attack against the Authenticated Encryption Algorithm ALE (p. 377)
Shengbao Wu, Hongjun Wu, Tao Huang, Mingsheng Wang, and Wenling Wu

Symmetric Key Cryptology: Schemes and Analysis

A Modular Framework for Building Variable-Input-Length Tweakable Ciphers (p. 405)
Thomas Shrimpton and R. Seth Terashima

Parallelizable and Authenticated Online Ciphers (p. 424)
Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tischhauser, and Kan Yasuda

How to Construct an Ideal Cipher from a Small Set of Public Permutations (p. 444)
Rodolphe Lampe and Yannick Seurin

Generic Key Recovery Attack on Feistel Scheme (p. 464)
Takanori Isobe and Kyoji Shibutani

Side-Channel Cryptanalysis

Does My Device Leak Information? An a priori Statistical Power Analysis of Leakage Detection Tests (p. 486)
Luke Mather, Elisabeth Oswald, Joe Bandenburg, and Marcin Wojcik

Behind the Scene of Side Channel Attacks (p. 506)
Victor Lomné, Emmanuel Prouff, and Thomas Roche

SCARE of Secret Ciphers with SPN Structures (p. 526)
Matthieu Rivain and Thomas Roche

Author Index (p. 545)

Table of Contents – Part II

Message Authentication Codes

New Generic Attacks against Hash-Based MACs (p. 1)
Gaëtan Leurent, Thomas Peyrin, and Lei Wang

Cryptanalysis of HMAC/NMAC-Whirlpool (p. 21)
Jian Guo, Yu Sasaki, Lei Wang, and Shuang Wu

Signatures

Lattice-Based Group Signatures with Logarithmic Signature Size (p. 41)
Fabien Laguillaumie, Adeline Langlois, Benoît Libert, and Damien Stehlé

The Fiat–Shamir Transformation in a Quantum World (p. 62)
Özgür Dagdelen, Marc Fischlin, and Tommaso Gagliardoni

On the Security of One-Witness Blind Signature Schemes (p. 82)
Foteini Baldimtsi and Anna Lysyanskaya

Cryptography Based Upon Physical Assumptions

Unconditionally Secure and Universally Composable Commitments from Physical Assumptions (p. 100)
Ivan Damgård and Alessandra Scafuro

Functional Encryption from (Small) Hardware Tokens (p. 120)
Kai-Min Chung, Jonathan Katz, and Hong-Sheng Zhou

Bounded Tamper Resilience: How to go beyond the Algebraic Barrier (p. 140)
Ivan Damgård, Sebastian Faust, Pratyay Mukherjee, and Daniele Venturi

Tamper Resilient Circuits: The Adversary at the Gates (p. 161)
Aggelos Kiayias and Yiannis Tselekounis

Multi-Party Computation

Efficient General-Adversary Multi-Party Computation (p. 181)
Martin Hirt and Daniel Tschudi

Fair and Efficient Secure Multiparty Computation with Reputation Systems (p. 201)
Gilad Asharov, Yehuda Lindell, and Hila Zarosim

Between a Rock and a Hard Place: Interpolating between MPC and FHE (p. 221)
Ashish Choudhury, Jake Loftus, Emmanuela Orsini, Arpita Patra, and Nigel P. Smart

Cryptographic Primitives

Building Lossy Trapdoor Functions from Lossy Encryption (p. 241)
Brett Hemenway and Rafail Ostrovsky

Pseudorandom Generators from Regular One-Way Functions: New Constructions with Improved Parameters (p. 261)
Yu Yu, Xiangxue Li, and Jian Weng

Constrained Pseudorandom Functions and Their Applications (p. 280)
Dan Boneh and Brent Waters

Fully Homomorphic Message Authenticators (p. 301)
Rosario Gennaro and Daniel Wichs

Analysis, Cryptanalysis and Passwords

Non-uniform Cracks in the Concrete: The Power of Free Precomputation (p. 321)
Daniel J. Bernstein and Tanja Lange

Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild (p. 341)
Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, and Nicko van Someren

Naturally Rehearsing Passwords (p. 361)
Jeremiah Blocki, Manuel Blum, and Anupam Datta

Leakage-Resilient Cryptography

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter (p. 381)
Baodong Qin and Shengli Liu

On Continual Leakage of Discrete Log Representations (p. 401)
Shweta Agrawal, Yevgeniy Dodis, Vinod Vaikuntanathan, and Daniel Wichs

Two-Party Computation

Hiding the Input-Size in Secure Two-Party Computation (p. 421)
Yehuda Lindell, Kobbi Nissim, and Claudio Orlandi

Secure Two-Party Computation with Reusable Bit-Commitments, via a Cut-and-Choose with Forge-and-Lose Technique (p. 441)
Luís T.A.N. Brandão

Hash Functions

A Heuristic for Finding Compatible Differential Paths with Application to HAS-160 (p. 464)
Aleksandar Kircanski, Riham AlTawy, and Amr M. Youssef

Improved Cryptanalysis of Reduced RIPEMD-160 (p. 484)
Florian Mendel, Thomas Peyrin, Martin Schläffer, Lei Wang, and Shuang Wu

Limited-Birthday Distinguishers for Hash Functions: Collisions beyond the Birthday Bound Can Be Meaningful (p. 504)
Mitsugu Iwamoto, Thomas Peyrin, and Yu Sasaki

On Diamond Structures and Trojan Message Attacks (p. 524)
Tuomas Kortelainen and Juha Kortelainen

Author Index (p. 541)