Elisabeth Oswald · Marc Fischlin (Eds.)

Advances in Cryptology – EUROCRYPT 2015
34th Annual International Conference on the Theory and Applications of Cryptographic Techniques
Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I

Lecture Notes in Computer Science (LNCS) 9056
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board

David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zürich, Zürich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Elisabeth Oswald · Marc Fischlin (Eds.)

Advances in Cryptology – EUROCRYPT 2015
34th Annual International Conference on the Theory and Applications of Cryptographic Techniques
Sofia, Bulgaria, April 26–30, 2015
Proceedings, Part I

Editors

Elisabeth Oswald, University of Bristol, Bristol, UK
Marc Fischlin, Technische Universität Darmstadt, Darmstadt, Germany
ISSN 0302-9743; ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-662-46799-2; ISBN 978-3-662-46800-5 (eBook)
DOI 10.1007/978-3-662-46800-5
Library of Congress Control Number: 2015935614
LNCS Sublibrary: SL4 – Security and Cryptology
Springer Heidelberg New York Dordrecht London
© International Association for Cryptologic Research 2015
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
Springer-Verlag GmbH Berlin Heidelberg is part of Springer Science+Business Media (www.springer.com)
Preface
Eurocrypt 2015, the 34th annual International Conference on the Theory and Applications of Cryptographic Techniques, was held during April 26–30, 2015, in Sofia, Bulgaria, and sponsored by the International Association for Cryptologic Research (IACR). Responsible for the local organization were Svetla Nikova, from Katholieke Universiteit Leuven, and Dimitar Jetchev, from EPFL. They were supported by a Local Organizing Committee consisting of Tsonka Baicheva (Institute of Mathematics and Informatics, BAS), Violeta Ducheva (SANS), and Georgi Sharkov (ESI Center Eastern Europe). We are indebted to them for their support.
To accommodate the request by IACR to showcase as many high-quality submissions as possible, the program was organized in two tracks. These tracks ran in parallel with the exception of invited talks, the single best paper, and two papers with honorable mention. Following a popular convention in contemporary cryptography, one track was labeled R and featured results more closely related to ‘real’ world cryptography, whereas the second track was labeled I and featured results in a more abstract or ‘ideal’ world.
A total of 194 submissions were considered during the review process; many were of high quality. As usual, all reviews were conducted double-blind and we excluded Program Committee members from discussing submissions for which they had a possible conflict of interest. To account for a desire (by authors and the wider community alike) to maintain the high standard of publications, we allowed for longer submissions such that essential elements of proofs or other forms of evidence could be included in the body of the submissions (appendices were not scrutinized by reviewers). Furthermore, a more focused review process was used that consisted of two rounds. In the first round of reviews we solicited three independent reviews per submission. After a short discussion phase among the 38 Program Committee members, just over half of the submissions were retained for the second round. Authors of these retained papers were given the opportunity to comment on the reviews so far. After extensive deliberations in a second round, we accepted 57 papers. The revised versions of these papers are included in these two-volume proceedings, organized topically within their respective track.
The review process would have been impossible without the hard work of the Program Committee members and over 210 external reviewers, whose effort we would like to commend here. It has been an honor to work with everyone. The process was enabled by the Web Submission and Review Software written by Shai Halevi and the server was hosted by IACR. We would like to thank Shai for setting up the service on the server and for helping us whenever needed.
The Program Committee decided to honor one submission with the Best Paper Award this year. This submission was “Cryptanalysis of the Multilinear Map over the Integers” authored by Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehlé. The two runners-up to the award, “Robust Authenticated-Encryption: AEZ and the Problem that it Solves” (by Viet Tung Hoang, Ted Krovetz, and Phillip Rogaway) and “On the behaviors of affine equivalent Sboxes regarding differential and linear attacks” (by Anne Canteaut and Joëlle Roué), received Honorable Mentions and hence also invitations for the Journal of Cryptology.
In addition to the contributed talks, we had three invited speakers: Kristin Lauter, Tal Rabin, and Vincent Rijmen. We would like to thank them for accepting our invitation and thank everyone (speakers, session chairs, and rump session chair) for their contribution to the program of Eurocrypt 2015.

April 2015
Elisabeth Oswald
Marc Fischlin
EUROCRYPT 2015
The 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Track R
Sofia, Bulgaria, April 26–30, 2015

General Chairs

Svetla Nikova, Katholieke Universiteit Leuven, Belgium
Dimitar Jetchev, École Polytechnique Fédérale de Lausanne, Switzerland

Program Co-chairs

Elisabeth Oswald, University of Bristol, UK
Marc Fischlin, Technische Universität Darmstadt, Germany
Program Committee

Masayuki Abe, NTT, Japan
Gilles Barthe, IMDEA, Spain
Lejla Batina, Radboud University Nijmegen, The Netherlands
Alex Biryukov, University of Luxembourg, Luxembourg
Alexandra Boldyreva, Georgia Institute of Technology, USA
Jan Camenisch, IBM Research – Zurich, Switzerland
Anne Canteaut, Inria, France
Liqun Chen, HP Laboratories, UK
Chen-Mou Cheng, National Taiwan University, Taiwan
Marten van Dijk, University of Connecticut, USA
Jens Groth, University College London, UK
Tetsu Iwata, Nagoya University, Japan
Marc Joye, Technicolor, USA
Charanjit Jutla, IBM Research, USA
Eike Kiltz, Ruhr-Universität Bochum, Germany
Markulf Kohlweiss, Microsoft Research, UK
Gregor Leander, Ruhr-Universität Bochum, Germany
Benoît Libert, ENS Lyon, France
Yehuda Lindell, Bar-Ilan University, Israel
Stefan Mangard, Graz University of Technology, Austria
Steve Myers, Indiana University, USA
Gregory Neven, IBM Research – Zurich, Switzerland
Kaisa Nyberg, Aalto University, Finland
Kenneth G. Paterson, Royal Holloway, University of London, UK
David Pointcheval, École Normale Supérieure Paris, France
Manoj Prabhakaran, University of Illinois at Urbana–Champaign, USA
Emmanuel Prouff, ANSSI, France
Christian Rechberger, Technical University of Denmark, Denmark
Pankaj Rohatgi, Cryptography Research Inc., USA
Alon Rosen, Herzliya Interdisciplinary Center, Herzliya, Israel
Alessandra Scafuro, University of California, Los Angeles, USA
Christian Schaffner, University of Amsterdam, The Netherlands
Dominique Schröder, Saarland University, Germany
Martijn Stam, University of Bristol, UK
François-Xavier Standaert, Université catholique de Louvain, Belgium
Douglas Stebila, Queensland University of Technology, Australia
Frederik Vercauteren, Katholieke Universiteit Leuven, Belgium
Bogdan Warinschi, University of Bristol, UK
External Reviewers
Divesh Aggarwal
Shweta Agrawal
Martin Albrecht
Hiroaki Anada
Prabhanjan Ananth
Elena Andreeva
Benny Applebaum
Srinivasan Arunachalam
Gilad Asharov
Nuttapong Attrapadung
Saikrishna Badrinarayanan
Rachid El Bansarkhani
Manuel Barbosa
Lynn Batten
Amos Beimel
Sonia Belaid
Josh Benaloh
Florian Bergsma
Sanjay Bhattacherjee
Nir Bitansky
Céline Blondeau
Andrej Bogdanov
Niek Bouman
Colin Boyd
Elette Boyle
Zvika Brakerski
Luís T.A.N. Brandão
Billy Bob Brumley
Christina Brzuska
Claude Carlet
Angelo De Caro
Ignacio Cascudo
David Cash
Andrea Cerulli
Pyrros Chaidos
Yun-An Chang
Jie Chen
Baudoin Collard
Geoffroy Couteau
Edouard Cuvelier
Joan Daemen
Damian Vizár
Jean-Paul Degabriele
Patrick Derbez
David Derler
Christoph Dobraunig
Nico Döttling
Manu Drijvers
Maria Dubovitskaya
Orr Dunkelman
François Dupressoir
Stefan Dziembowski
Markus Dürmuth
Robert Enderlein
Chun-I Fan
Edvard Fagerholm
Pooya Farshim
Feng-Hao Liu
Matthieu Finiasz
Dario Fiore
Rob Fitzpatrick
Robert Fitzpatrick
Nils Fleischhacker
Jean-Pierre Flori
Pierre-Alain Fouque
Thomas Fuhr
Eiichiro Fujisaki
Benjamin Fuller
Tommaso Gagliardoni
Steven Galbraith
Nicolas Gama
Praveen Gauravaram
Ran Gelles
Rosario Gennaro
Henri Gilbert
Sergey Gorbunov
Matthew Green
Vincent Grosso
Johann Groszschädl
Sylvain Guilley
Shai Halevi
Michael Hamburg
Mike Hamburg
Fabrice Ben Hamouda
Christian Hanser
Ryan Henry
Jens Hermans
Javier Herranz
Ryo Hiromasa
Shoichi Hirose
Yan Huang
Yuval Ishai
Cees Jansen
Thomas Johansson
Anthony Journault
Antoine Joux
Ali El Kaafarani
Saqib Kakvi
Akshay Kamath
Bhavana Kanukurthi
Carmen Kempka
Dmitry Khovratovich
Dakshita Khurana
Susumu Kiyoshima
Stefan Koelbl
François Koeune
Vlad Kolesnikov
Anna Krasnova
Stephan Krenn
Po-Chun Kuo
Fabien Laguillaumie
Adeline Langlois
Martin M. Lauridsen
Jooyoung Lee
Anja Lehmann
Tancrède Lepoint
Reynald Lercier
Gaëtan Leurent
Anthony Leverrier
Huijia Lin
Steve Lu
Atul Luykx
Giulio Malavolta
Mark Marson
Dan Martin
Christian Matt
Ueli Maurer
Ingo von Maurich
Matthew McKague
Marcel Medwed
Florian Mendel
Bart Mennink
Arno Mittelbach
Payman Mohassel
Mridul Nandi
María Naya-Plasencia
Phong Nguyen
Ryo Nishimaki
Kobbi Nissim
Adam O’Neill
Wakaha Ogata
Miyako Ohkubo
Olya Ohrimenko
Tatsuaki Okamoto
Jiaxin Pan
Omkant Pandey
Omer Paneth
Saurabh Panjwani
Louiza Papachristodoulou
Anat Paskin-Cherniavsky
Rafael Pass
Chris Peikert
Ludovic Perret
Léo Perrin
Thomas Peters
Christophe Petit
Duong Hieu Phan
Krzysztof Pietrzak
Benny Pinkas
Jérôme Plût
Christopher Portmann
Romain Poussier
Ignacio Cascudo Pueyo
Ivan Pustogarov
Bertram Pöttering
Max Rabkin
Carla Rafols
Somindu Ramanna
Jothi Rangasamy
Alfredo Rial
Vincent Rijmen
Ben Riva
Matthieu Rivain
Thomas Roche
Mike Rosulek
Ron Rothblum
Yannis Rouselakis
Arnab Roy
Atri Rudra
Kai Samelin
Palash Sarkar
Benedikt Schmidt
Peter Scholl
Peter Schwabe
Gil Segev
Nicolas Sendrier
Yannick Seurin
Abhi Shelat
Adam Shull
Jamie Sikora
Mark Simkin
Daniel Slamanig
Hadi Soleimany
Juraj Somorovsky
Florian Speelman
Damien Stehlé
John Steinberger
Noah Stephens-Davidowitz
Marc Stevens
Pierre-Yves Strub
Stefano Tessaro
Susan Thomson
Mehdi Tibouchi
Tyge Tiessen
Pei-Yih Ting
Elmar Tischhauser
Mike Tunstall
Dominique Unruh
Vinod Vaikuntanathan
Kerem Varici
Vesselin Velichkov
Muthuramakrishnan Venkitasubramaniam
Daniele Venturi
Nicolas Veyrat-Charvillon
Ivan Visconti
David Wagner
Hoeteck Wee
Erich Wenger
Cyrille Wiedling
David Wu
Keita Xagawa
Bo-Yin Yang
Shang-Yi Yang
Kazuki Yoneyama
Mark Zhandry
Vassilis Zikas
Contents – Part I, Track R

Best Paper

Cryptanalysis of the Multilinear Map over the Integers . . . 3
Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehlé

Honorable Mentions

Robust Authenticated-Encryption AEZ and the Problem That It Solves . . . 15
Viet Tung Hoang, Ted Krovetz, and Phillip Rogaway

On the Behaviors of Affine Equivalent Sboxes Regarding Differential and Linear Attacks . . . 45
Anne Canteaut and Joëlle Roué

Random Number Generators

A Provable-Security Analysis of Intel’s Secure Key RNG . . . 77
Thomas Shrimpton and R. Seth Terashima

A Formal Treatment of Backdoored Pseudorandom Generators . . . 101
Yevgeniy Dodis, Chaya Ganesh, Alexander Golovnev, Ari Juels, and Thomas Ristenpart

Number Field Sieve

Improving NFS for the Discrete Logarithm Problem in Non-prime Finite Fields . . . 129
Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain

The Multiple Number Field Sieve with Conjugation and Generalized Joux-Lercier Methods . . . 156
Cécile Pierrot

Algorithmic Cryptanalysis

Better Algorithms for LWE and LWR . . . 173
Alexandre Duc, Florian Tramèr, and Serge Vaudenay

On Computing Nearest Neighbors with Applications to Decoding of Binary Linear Codes . . . 203
Alexander May and Ilya Ozerov

Symmetric Cryptanalysis I

Cryptanalytic Time-Memory-Data Tradeoffs for FX-Constructions with Applications to PRINCE and PRIDE . . . 231
Itai Dinur

A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro . . . 254
Gregor Leander, Brice Minaud, and Sondre Rønjom

Symmetric Cryptanalysis II

Structural Evaluation by Generalized Integral Property . . . 287
Yosuke Todo

Cryptanalysis of SP Networks with Partial Non-Linear Layers . . . 315
Achiya Bar-On, Itai Dinur, Orr Dunkelman, Virginie Lallemand, Nathan Keller, and Boaz Tsaban

Hash Functions

The Sum Can Be Weaker Than Each Part . . . 345
Gaëtan Leurent and Lei Wang

SPHINCS: Practical Stateless Hash-Based Signatures . . . 368
Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O’Hearn

Evaluating Implementations

Making Masking Security Proofs Concrete: Or How to Evaluate the Security of Any Leaking Device . . . 401
Alexandre Duc, Sebastian Faust, and François-Xavier Standaert

Ciphers for MPC and FHE . . . 430
Martin R. Albrecht, Christian Rechberger, Thomas Schneider, Tyge Tiessen, and Michael Zohner

Masking

Verified Proofs of Higher-Order Masking . . . 457
Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub

Inner Product Masking Revisited . . . 486
Josep Balasch, Sebastian Faust, and Benedikt Gierlichs

Fully Homomorphic Encryption I

Fully Homomorphic Encryption over the Integers Revisited . . . 513
Jung Hee Cheon and Damien Stehlé

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces . . . 537
Koji Nuida and Kaoru Kurosawa

Related-Key Attacks

KDM-CCA Security from RKA Secure Authenticated Encryption . . . 559
Xianhui Lu, Bao Li, and Dingding Jia

On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks . . . 584
Benoît Cogliati and Yannick Seurin

Fully Homomorphic Encryption II

FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second . . . 617
Léo Ducas and Daniele Micciancio

Bootstrapping for HElib . . . 641
Shai Halevi and Victor Shoup

Efficient Two-Party Protocols

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries . . . 673
Gilad Asharov, Yehuda Lindell, Thomas Schneider, and Michael Zohner

How to Efficiently Evaluate RAM Programs with Malicious Security . . . 702
Arash Afshar, Zhangxiang Hu, Payman Mohassel, and Mike Rosulek

Symmetric Cryptanalysis III

Cube Attacks and Cube-Attack-Like Cryptanalysis on the Round-Reduced Keccak Sponge Function . . . 733
Itai Dinur, Paweł Morawiecki, Josef Pieprzyk, Marian Srebrny, and Michał Straus

Twisted Polynomials and Forgery Attacks on GCM . . . 762
Mohamed Ahmed Abdelraheem, Peter Beelen, Andrey Bogdanov, and Elmar Tischhauser

Lattices

Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices . . . 789
Vadim Lyubashevsky and Thomas Prest

Author Index . . . 817