
LNCS 8885

Willi Meier
Debdeep Mukhopadhyay (Eds.)

Progress in Cryptology –
INDOCRYPT 2014
15th International Conference on Cryptology in India
New Delhi, India, December 14–17, 2014
Proceedings



Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zürich, Zürich, Switzerland
John C. Mitchell


Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany







Editors
Willi Meier
Fachhochschule Nordwestschweiz
Hochschule für Technik
Windisch
Switzerland

ISSN 0302-9743
ISBN 978-3-319-13038-5
DOI 10.1007/978-3-319-13039-2

Debdeep Mukhopadhyay
Computer Science and Engineering
Indian Institute of Technology
Kharagpur
India

ISSN 1611-3349 (electronic)
ISBN 978-3-319-13039-2 (eBook)

Library of Congress Control Number: 2014953958
LNCS Sublibrary: SL4 – Security and Cryptology
Springer Cham Heidelberg New York Dordrecht London
© Springer International Publishing Switzerland 2014
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage
and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known
or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews
or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a
computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts
thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be
obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under
the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material
contained herein.
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)


Preface

We are glad to present the proceedings of INDOCRYPT 2014, held during 14–17 December in New Delhi, India. INDOCRYPT 2014 is the 15th edition of the INDOCRYPT
series organized under the aegis of the Cryptology Research Society of India (CRSI).
The conference has been organized by the Scientific Analysis Group (SAG), DRDO,
New Delhi, India. The INDOCRYPT series of conferences began in 2000 under the
leadership of Prof. Bimal Roy of Indian Statistical Institute.
In response to the call for papers, we received 101 submissions from around 30
countries around the globe. The submission deadline was July 28, 2014. The review
process was conducted in two stages: In the first stage, most papers were reviewed by
at least four committee members, while papers from Program Committee members received at least five reviews. This was followed by a week-long online discussion phase
to decide on the acceptance of the submissions. The Program Committee was also suitably aided in this tedious task by 94 external reviewers to be able to complete this as
per schedule, which was on September 7. Finally, 25 submissions were selected for
presentation at the conference.
We would like to thank the Program Committee members and the external reviewers
for giving every paper a fair assessment in such a short time. The refereeing process
resulted in 367 reviews, along with several comments during the discussion phase. The
authors had to revise their papers according to the suggestions of the referees and submit
the camera-ready versions by September 22.
We were delighted that Phillip Rogaway, Marc Joye, and María Naya-Plasencia
agreed to deliver invited talks on several interesting topics of relevance to INDOCRYPT.
The program was also enriched to have Claude Carlet and Florian Mendel as Tutorial
speakers on important areas of Cryptography, to make the conference program complete.
We would like to thank the General Chairs, Dr. G. Athithan and Dr. P.K. Saxena, for
their advice and for being a prime motivator. We would also like to specially thank the
Organizing Chair Saibal K. Pal and the Organizing Secretary Sucheta Chakrabarty for
developing the layout of the program and in managing the financial support required for
such a conference. Our job as Program Chairs was indeed made much easier by the software EasyChair. We also say our thanks to Durga Prasad for maintaining the webpage
for the conference. We would also acknowledge Springer for their active cooperation
and timely production of the proceedings.
Last but certainly not least, our thanks go to all the authors, who submitted papers to
INDOCRYPT 2014, and all the attendees. Without your support the conference would
not be a success.

December 2014

Willi Meier
Debdeep Mukhopadhyay


Message from the General Chairs

Commencing from the year 2000, INDOCRYPT — the International Conference on
Cryptology — is held every year in India. This event has been one of the regular activities of the Cryptology Research Society of India (CRSI) to promote R&D in the
area of Cryptology in the country. The conference is hosted by different organizations including Academic as well as R&D organizations located across the country. The
Scientific Analysis Group (SAG), one of the research laboratories of the Defence Research and Development Organization (DRDO), organized the conference in the years
2003 and 2009 in collaboration with the Indian Statistical Institute (Delhi Centre) and
Delhi University, respectively. SAG was privileged to get an opportunity to organize
INDOCRYPT 2014, the 15th conference in this series. Since its inception, the INDOCRYPT has proved to be a powerful platform for researchers to meet, share their
ideas with their peers, and work toward the growth of cryptology, especially in India. For
each edition of the conference in the past, the response from the cryptology research
community has been overwhelming and the response for the current edition is no exception. As is evident from the quality of submissions and the high rate of rejections due
to a transparent and rigorous process of reviewing, the conference has been keeping its
standards with proceedings published by LNCS. Even this year, the final set of selected
papers amount to a net acceptance ratio of 25 percent.
On the first day of the conference, there were two Tutorials on the topics of
S-Boxes and Hash Functions. They were delivered by Claude Carlet of University of
Paris, France and Florian Mendel of Graz University of Technology, Austria. Both the
Tutorials provided the participants with deep understanding of the chosen topics and
stimulated discussions among others. Beginning from the second day, the main conference had three invited talks and 25 paper presentations for 3 days. Maria Naya-Plasencia
of Inria (France), Marc Joye of Technicolor (USA), and Phillip Rogaway of University
of California (USA) delivered the invited talks on Lightweight Block Ciphers and Their
Security, Recent Advances in ID-Based Encryption, and Advances in Authenticated Encryption, respectively. We are grateful to all the Invited and Tutorial Speakers.
Organizing a conference having such wide ranging involvement and participation
from international crypto community is not possible without the dedicated efforts of
different committees drawn from the hosting and other support agencies. The Organizing Committee took care of all the logistic, coordination, and financial aspects concerning the conference under the guidance of the Organizing Chair Saibal K. Pal and the
Organizing Secretary Sucheta Chakrabarty. We thank both of them and all the members
of these committees for their stellar efforts.
Equally demanding is the task of the Program Committee in coordinating the submissions and in selecting the papers for presentation. The Program Co-Chairs Willi
Meier and Debdeep Mukhopadhyay were the guiding forces behind the efforts of the
Program Committee. Their love for the subject and the commitment to the cause of
promoting Cryptology Research in India and elsewhere is deep and we thank them for
putting together an excellent technical program. We also thank all the members of the
Program Committee for their support to the Program Co-chairs. Special thanks are due
to the Reviewers for their efforts and for sharing their comments with concerned persons, which led to completing the selection process in time.
We express our heartfelt thanks to DRDO and CRSI for being the mainstay in ensuring that the Conference received all the support that it needed. We also thank NBHM,
DST, Deity, ISRO, CSIR, RBI, BEL, ITI, IDRBT, Microsoft, Google, TCS, and others
for generously supporting/sponsoring the event. Finally, thanks are due to the authors
who submitted their work, especially to those whose papers are included in the present
Proceedings of INDOCRYPT 2014 and those who could make it to present their papers
personally in the Conference.

December 2014

P.K. Saxena
G. Athithan


Organization

General Chairs
P.K. Saxena – SAG, DRDO, New Delhi, India
G. Athithan – SAG, DRDO, New Delhi, India

Program Chairs
Willi Meier – FHNW, Switzerland
Debdeep Mukhopadhyay – Indian Institute of Technology Kharagpur, India

Program Committee
Martin Albrecht – Technical University of Denmark, Denmark
Subidh Ali – NYU, Abu Dhabi
Elena Andreeva – KU Leuven, Belgium
Frederik Armknecht – Universität Mannheim, Germany
Daniel J. Bernstein – University of Illinois at Chicago, USA
Céline Blondeau – Aalto University School of Science, Finland
Christina Boura – Université de Versailles Saint-Quentin-en-Yvelines, France
C. Pandurangan – Indian Institute of Technology Madras, India
Anne Canteaut – Inria, France
Nishanth Chandran – Microsoft Research, India
Sanjit Chatterjee – Indian Institute of Science Bangalore, India
Abhijit Das – Indian Institute of Technology Kharagpur, India
Sylvain Guilley – TELECOM-ParisTech and Secure-IC S.A.S., France
Abhishek Jain – MIT and BU, USA
Dmitry Khovratovich – University of Luxembourg, Luxembourg
Tanja Lange – Technische Universiteit Eindhoven, The Netherlands
Willi Meier – FHNW, Switzerland
Debdeep Mukhopadhyay – Indian Institute of Technology Kharagpur, India
David Naccache – Université Paris II, Panthéon-Assas, France
Phuong Ha Nguyen – Indian Institute of Technology Kharagpur, India
Saibal K. Pal – SAG, DRDO, New Delhi, India
Goutam Paul – Indian Statistical Institute Kolkata, India
Christiane Peters – ENCS, The Netherlands
Thomas Peyrin – Nanyang Technological University, Singapore
Josef Pieprzyk – ACAC, Australia
Rajesh Pillai – SAG, DRDO, New Delhi, India
Axel Poschmann – NXP Semiconductors, Germany
Bart Preneel – KU Leuven, Belgium
Chester Rebeiro – Columbia University, USA
Vincent Rijmen – KU Leuven and iMinds, Belgium
Bimal Roy – Indian Statistical Institute, Kolkata, India
Dipanwita Roy Chowdhury – Indian Institute of Technology Kharagpur, India
S.S. Bedi – SAG, DRDO, New Delhi, India
Sourav Sen Gupta – Indian Statistical Institute, Kolkata, India
Francois-Xavier Standaert – UCL Crypto Group, Belgium
Ingrid Verbauwhede – KU Leuven, Belgium

External Reviewers

Tamaghna Acharya
Ansuman Banerjee
Ayan Banerjee
Harry Bartlett
Begül Bilgin
Joppe Bos
Seyit Camtepe
Sucheta Chakrabarti
Avik Chakraborti
Kaushik Chakraborty
Anupam Chattopadhyay
Roopika Chaudhary
Chien-Ning Chen
Kang Lang Chiew
Dhananjoy Dey
Manish Kant Dubey
Pooya Farshim
Aurélien Francillon
Lubos Gaspar
Benoît Gérard
Hossein Ghodosi
Santosh Ghosh
Shamit Ghosh
Vincent Grosso
Divya Gupta
Indivar Gupta
Nupur Gupta
Jian Guo
Sartaj Ul Hasan
Yj Huang
Andreas Hülsing
Hassan Jameel Asghar
Kimmo Järvinen
Jeremy Jean
Bhavana Kanukurthi
Sabyasachi Karati
Pierre Karpman
Oleksandr Kazymyrov
Manas Khatua
Dakshita Khurana
Markulf Kohlweiss
Sukhendu Kuila
Manoj Kumar
Vijay Kumar
Yogesh Kuma
Mario Lamberger
Martin M. Lauridsen
Gregor Leander
Wang Lei
Feng-Hao Liu
Atul Luykx
Subhamoy Maitra
Bodhisatwa Mazumdar
Florian Mendel
Bart Mennink
Nele Mentens
Prasanna Mishra
Paweł Morawiecki
Imon Mukherjee
Nicky Mouha
Michael Naehrig
Ivica Nikolić
Ventzi Nikov
Omkant Pandey
Sumit Pandey
Tapas Pandit
Kenny Paterson
Arpita Patra
Ludovic Perret
Léo Perrin
Christophe Petit
Bertram Poettering
Romain Poussier
Michaël Quisquater
Francesco Regazzoni
Michał Ren
Dhiman Saha
Abhrajit Sengupta
Sujoy Sinha Roy
Dale Sibborn
Dave Singelee
Ron Steinfeld
Valentin Suder
Aris Tentes
Tyge Tiessen
Meilof Veeningen
Muthuramakrishnan Venkitasubramaniam
Frederik Vercauteren
Dhinakaran Vinayagamurthy
Jo Vliegen
Qingju Wang
Bohan Yang
Wentao Zhang
Ralf Zimmermann

Local Organizing Committee
Saibal K. Pal (Organizing Chair)
Sucheta Chakrabarti (Organizing Secretary)
Kanika Bhagchandani
Vivek Devdhar
Dhananjoy Dey
Indivar Gupta
Sartaj Ul Hasan
Mohammad Javed
Gopal C. Kandpal
Sarvjeet Kaur
Ashok Kumar
Girish Mishra
P.R. Mishra
Bhartendu Nandan
Manoj Kumar Singh
Ajay Srivastava
Divya Anand Subba




Invited Talks


S-boxes, Their Computation and Their
Protection against Side Channel Attacks
Claude Carlet

First Part of the Talk
After recalling the necessary background on S-boxes (see below), we shall study
the criteria for substitution boxes (S-boxes) in block ciphers:
1. bijectivity when used in SP networks, and if possible balancedness when used
in Feistel ciphers,
2. high nonlinearity (for the resistance to linear attacks),
3. low differential uniformity (for the resistance to differential attacks),
4. not low algebraic degree (for resisting higher order differential attacks).
We shall give the main properties of APN functions ((n, n)-functions having the
best possible differential uniformity) and AB functions ((n, n)-functions having
the best possible nonlinearity, which are APN).
Second Part of the Talk
We shall list the main known AB, APN, and differentially 4-uniform functions.
These functions are defined within the structure of the finite field $\mathbb{F}_{2^n}$. We shall
address the question of their implementation.
Satisfying the criteria 1-4 above is not sufficient for an S-box. It also needs to be
fast to compute, for two reasons: (1) it is not always possible to use a look-up table
for implementing it, (2) the condition of being fast to compute more or less coincides
with the constraint of allowing counter-measures to side-channel attacks (SCA) with
minimized cost. The implementation of cryptographic algorithms in devices like smart
cards, FPGA or ASIC leaks information on the secret data, leading to very powerful
SCA if countermeasures are not included. Such counter-measures are costly in terms of
running time and of memory when they need to resist higher order SCA. The most
commonly used counter-measure is masking. We shall describe how an S-box can be
protected with this counter-measure with minimized cost.

* LAGA, Universities of Paris 8 and Paris 13, CNRS; Address: Department of Mathematics, University of Paris 8, 2 rue de la liberté, 93526 Saint-Denis Cedex, France; e-mail:



Background
Let $n$ and $m$ be two positive integers. The functions from $\mathbb{F}_2^n$ to $\mathbb{F}_2^m$ are called
$(n, m)$-functions. Such a function $F$ being given, the Boolean functions $f_1, \dots, f_m$
defined by $F(x) = (f_1(x), \dots, f_m(x))$ are called the coordinate functions of $F$.
The linear combinations of these coordinate functions, with non-all-zero coefficients, are
called the component functions of $F$. When the numbers $m$ and $n$ are not specified,
$(n, m)$-functions can be called vectorial Boolean functions, and in cryptography we use
the term S-boxes.
The Walsh transform of an $(n, m)$-function $F$ maps any ordered pair $(u, v) \in
\mathbb{F}_2^n \times \mathbb{F}_2^m$ to the sum (calculated in $\mathbb{Z}$)
$$\sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x},$$
where the same symbol "$\cdot$" is used to denote inner products in $\mathbb{F}_2^n$ and $\mathbb{F}_2^m$.
Note that the function $v \cdot F$ is a component function of $F$ when $v \neq 0$. The Walsh
spectrum of $F$ is the multi-set of all the values of the Walsh transform of $F$, for
$u \in \mathbb{F}_2^n$, $v \in \mathbb{F}_2^{m*}$ (where $\mathbb{F}_2^{m*} = \mathbb{F}_2^m \setminus \{0\}$). We call extended
Walsh spectrum of $F$ the multi-set of their absolute values.
The algebraic normal form (ANF) of any $(n, m)$-function $F$:
$$F(x) = \sum_{I \subseteq \{1, \dots, n\}} a_I \prod_{i \in I} x_i \, ; \quad a_I \in \mathbb{F}_2^m \qquad (1)$$
(this sum being calculated in $\mathbb{F}_2^m$) exists and is unique and satisfies the relation
$a_I = \sum_{x \in \mathbb{F}_2^n \,/\, \mathrm{supp}(x) \subseteq I} F(x)$; conversely, we have
$F(x) = \sum_{I \subseteq \mathrm{supp}(x)} a_I$.
The algebraic degree of the function is by definition the global degree of its ANF.
It is a right and left affine invariant (that is, it does not change when we compose
$F$ by affine automorphisms). Vectorial functions used in cryptography should not have
too low an algebraic degree, so as to withstand higher order differential attacks.
A second representation of $(n, m)$-functions exists when $m = n$: we endow $\mathbb{F}_2^n$
with the structure of the field $\mathbb{F}_{2^n}$; any $(n, n)$-function $F$ then admits a unique
univariate polynomial representation over $\mathbb{F}_{2^n}$, of degree at most $2^n - 1$:
$$F(x) = \sum_{j=0}^{2^n - 1} b_j x^j, \qquad b_j \in \mathbb{F}_{2^n}. \qquad (2)$$
We denote by $w_2(j)$ the number of nonzero coefficients $j_s$ in the binary expansion
$\sum_{s=0}^{n-1} j_s 2^s$ of $j$, i.e. $w_2(j) = \sum_{s=0}^{n-1} j_s$, and call it the 2-weight of $j$. Then the
function $F$ has algebraic degree $\max_{j = 0, \dots, 2^n - 1 \,/\, b_j \neq 0} w_2(j)$. If $m$ is a divisor of $n$,
then any $(n, m)$-function $F$ can be viewed as a function from $\mathbb{F}_{2^n}$ to itself, since
$\mathbb{F}_{2^m}$ is a sub-field of $\mathbb{F}_{2^n}$. Hence, the function admits a univariate polynomial
representation, which can be represented in the form $tr_{n/m}\big(\sum_{j=0}^{2^n - 1} b_j x^j\big)$, where
$$tr_{n/m}(x) = x + x^{2^m} + x^{2^{2m}} + x^{2^{3m}} + \cdots + x^{2^{n-m}}$$
is the trace function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^m}$.
An $(n, m)$-function $F$ is balanced (i.e. takes every value of $\mathbb{F}_2^m$ the same number
$2^{n-m}$ of times) if and only if its component functions are balanced (i.e. have
Hamming weight $2^{n-1}$).



The nonlinearity $nl(F)$ of an $(n, m)$-function $F$ is the minimum Hamming
distance between all the component functions of $F$ and all affine functions on $n$
variables and quantifies the level of resistance of the S-box to the linear attack.
We have:
$$nl(F) = 2^{n-1} - \frac{1}{2} \max_{v \in \mathbb{F}_2^{m*};\; u \in \mathbb{F}_2^n} \left| \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \right|. \qquad (3)$$
The two main known upper bounds on the nonlinearity are:
- the covering radius bound:
$$nl(F) \le 2^{n-1} - 2^{n/2 - 1},$$
which is tight for $n$ even and $m \le n/2$ (the functions achieving it with equality
are called bent);
- the Sidelnikov-Chabaud-Vaudenay bound, valid only for $m \ge n - 1$:
$$nl(F) \le 2^{n-1} - \frac{1}{2} \sqrt{3 \times 2^n - 2 - 2\,\frac{(2^n - 1)(2^{n-1} - 1)}{2^m - 1}},$$
which equals the covering radius bound when $m = n - 1$ and is strictly better when
$m \ge n$. It is tight only for $m = n$ (in which case it states that
$nl(F) \le 2^{n-1} - 2^{\frac{n-1}{2}}$), with $n$ odd (the functions achieving it with equality
are called almost bent, AB).

An $(n, m)$-function is bent if and only if all its derivatives $D_a F(x) = F(x) + F(x + a)$,
$a \in \mathbb{F}_2^{n*}$, are balanced. For this reason, bent functions are also called
perfect nonlinear (PN). According to Chabaud-Vaudenay's proof of the Sidelnikov-Chabaud-Vaudenay
bound, any AB function is almost perfect nonlinear (APN), that is, all its derivatives
$D_a F$, $a \in \mathbb{F}_2^{n*}$, are 2-to-1 (every element of $\mathbb{F}_2^n$ has 0 or 2 pre-images
by $D_a F$). Such functions, whose notion has been studied by Nyberg, contribute to an
optimal resistance to the differential attack. More generally, $F$ is called differentially
$\delta$-uniform if the equation $D_a F(x) = b$ has at most $\delta$ solutions, for every nonzero
$a$ and every $b$.
The nonlinearity and the $\delta$-uniformity are invariant under affine, extended
affine and CCZ equivalences (in increasing order of generality). Two functions
are called affine equivalent if one is equal to the other, composed on the left and
on the right by affine permutations. They are called extended affine equivalent
(EA-equivalent) if one is affine equivalent to the other, added with an affine function.
They are called CCZ-equivalent if their graphs $\{(x, y) \in \mathbb{F}_2^n \times \mathbb{F}_2^n \mid y = F(x)\}$
and $\{(x, y) \in \mathbb{F}_2^n \times \mathbb{F}_2^n \mid y = G(x)\}$ are affine equivalent, that is, if there exists an
affine automorphism $L = (L_1, L_2)$ of $\mathbb{F}_2^n \times \mathbb{F}_2^n$ such that
$y = F(x) \Leftrightarrow L_2(x, y) = G(L_1(x, y))$.
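To make the criteria above computable, here is an added example (not taken from Carlet's abstract or from the proceedings) that evaluates $nl(F)$ by equation (3), the differential $\delta$-uniformity through the derivatives $D_aF$, the algebraic degree through the ANF coefficients $a_I$ of equation (1), and both nonlinearity bounds, for the PRESENT 4-bit S-box and for the Gold power map $x^3$ over $\mathbb{F}_{2^3}$, an AB (hence APN) function. The S-box table and the field polynomial $x^3 + x + 1$ are the example's own assumptions.

```python
# Added example, not from the proceedings: S-box criteria from Carlet's background section.
# Assumptions: the PRESENT S-box table (n = m = 4) and F_{2^3} built with the
# irreducible polynomial x^3 + x + 1; both are illustrations chosen here.
import math

def parity(x):
    """Parity of the bits of x; parity(u & x) is the inner product u.x over F_2."""
    return bin(x).count("1") & 1

def walsh(sbox, n, u, v):
    """W_F(u, v) = sum over x in F_2^n of (-1)^{v.F(x) + u.x}, computed in Z."""
    return sum(-1 if parity(v & sbox[x]) ^ parity(u & x) else 1 for x in range(1 << n))

def nonlinearity(sbox, n, m):
    """nl(F) = 2^{n-1} - (1/2) max over v != 0 and all u of |W_F(u, v)|  (equation (3))."""
    linearity = max(abs(walsh(sbox, n, u, v))
                    for v in range(1, 1 << m) for u in range(1 << n))
    return (1 << (n - 1)) - linearity // 2

def differential_uniformity(sbox, n, m):
    """delta = max over a != 0 and b of the number of solutions x of D_a F(x) = b."""
    delta = 0
    for a in range(1, 1 << n):
        counts = [0] * (1 << m)
        for x in range(1 << n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1      # D_a F(x) = F(x) + F(x + a)
        delta = max(delta, max(counts))
    return delta

def algebraic_degree(sbox, n):
    """Global degree of the ANF (equation (1)): a_I = sum of F(x) over supp(x) inside I,
    computed in place by the Moebius transform (XOR of output words over F_2^m)."""
    a = list(sbox)                 # a[I] starts as F(I) and ends as the ANF coefficient a_I
    for i in range(n):
        for mask in range(1 << n):
            if mask & (1 << i):
                a[mask] ^= a[mask ^ (1 << i)]
    return max(bin(mask).count("1") for mask in range(1 << n) if a[mask])

def is_balanced(sbox, n, m):
    """F takes every value of F_2^m exactly 2^{n-m} times."""
    counts = [0] * (1 << m)
    for y in sbox:
        counts[y] += 1
    return all(c == (1 << (n - m)) for c in counts)

def covering_radius_bound(n):
    """nl(F) <= 2^{n-1} - 2^{n/2-1}, tight only for n even (bent functions)."""
    return 2 ** (n - 1) - 2 ** (n / 2 - 1)

def scv_bound(n, m):
    """Sidelnikov-Chabaud-Vaudenay bound, valid for m >= n - 1."""
    inner = 3 * 2 ** n - 2 - 2 * (2 ** n - 1) * (2 ** (n - 1) - 1) / (2 ** m - 1)
    return 2 ** (n - 1) - math.sqrt(inner) / 2

def gf_mul(a, b, n, poly):
    """Carry-less multiplication in F_{2^n}, reduced by the irreducible polynomial poly."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return r

def power_map(d, n, poly):
    """Lookup table of the (n, n)-function F(x) = x^d: equation (2) with b_d = 1."""
    def pw(x):
        r = 1
        for _ in range(d):
            r = gf_mul(r, x, n, poly)
        return r
    return [pw(x) for x in range(1 << n)]

def two_weight(j):
    """w_2(j), the 2-weight of the exponent j: the algebraic degree of x^j."""
    return bin(j).count("1")

# Constructed inputs: the PRESENT S-box and the Gold function x^3 over F_{2^3}.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
GOLD_POLY = 0b1011        # x^3 + x + 1
GOLD = power_map(3, 3, GOLD_POLY)

if __name__ == "__main__":
    for name, sbox, n in (("PRESENT", PRESENT, 4), ("x^3 over F_8", GOLD, 3)):
        print(name, "balanced:", is_balanced(sbox, n, n), "nl:", nonlinearity(sbox, n, n),
              "delta:", differential_uniformity(sbox, n, n),
              "degree:", algebraic_degree(sbox, n),
              "bounds:", covering_radius_bound(n), scv_bound(n, n))
```

For the Gold map with $n = 3$ odd, the Sidelnikov-Chabaud-Vaudenay bound is met with equality (AB) and every derivative is 2-to-1 (APN); for PRESENT, $n = 4$ even, neither bound is reached, which is the usual situation for 4-bit permutations.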


Cryptanalysis of Hash Functions
Florian Mendel
Graz University of Technology, Austria

Abstract. This extended abstract briefly summarizes a talk with the
same title and gives literature pointers. In particular, we discuss recent
advances in the cryptanalysis of ARX- and AES-based hash functions.

Overview
In the last few years, the cryptanalysis of hash functions has become an important topic within the cryptographic community. Especially the collision attacks
on the MD4 family of hash functions (MD5, SHA-1) have weakened the security
assumptions of these commonly used hash functions [17, 18]. As a consequence,
NIST decided to organize a public competition in order to design a new hash
function, which lead to the selection of Keccak as SHA-3 in 2012. In this talk,
we discuss some recent advances in the cryptanalysis of hash functions. First, we
will review the collision attacks of Wang et al. on the MD4 family and discuss
the limitations of the techniques when applied to more complex functions such
as the SHA-2 family. Due to the more complex structure of SHA-2 (compared
to SHA-1 and MD5), several new challenges arise for the cryptanalyst. We show
how to overcome these difficulties and present an automatic approach to construct complex differential characteristics and thus collisions for round-reduced
SHA-2 with practical complexity [2, 10, 12]. The same techniques and tools also
lead to new collision attacks on the Korean hash function standard HAS-160 [9]
and the Chinese hash function standard SM3 [11], among others [6, 8, 13].
While the first part of the talk focuses on the analysis of the MD4 family
and similar hash functions, the second part is dedicated to the analysis of AES-based hash functions. In the course of the SHA-3 competition, several advances
have been made in the cryptanalysis of AES-based hash functions. In particular,
several of the SHA-3 candidates turned out to be susceptible to the rebound
attack [14], a new cryptanalytic technique that was introduced during the design of the SHA-3 finalist Grøstl. In the last years, the rebound attack and its
extensions [3, 4, 7, 15] have become one of the most important tools for analyzing
the security of AES-based hash functions. Even though the rebound attack was
originally conceived to attack AES-based hash functions as well as their building
blocks, it was later shown to also be applicable to other designs, including the
SHA-3 finalists JH [16], Skein [5] and Keccak [1].
Finally, we will discuss directions of future work and open research problems
at the end of this talk.



References

1. Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: Application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012)
2. Eichlseder, M., Mendel, F., Schläffer, M.: Branching Heuristics in Differential Collision Search with Applications to SHA-512. IACR Cryptology ePrint Archive 2014, 302 (2014)
3. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: Improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010)
4. Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved Cryptanalysis of AES-like Permutations. J. Cryptology 27(4), 772–798 (2014)
5. Khovratovich, D., Nikolic, I., Rechberger, C.: Rotational Rebound Attacks on Reduced Skein. J. Cryptology 27(3), 452–479 (2014)
6. Kölbl, S., Mendel, F., Nad, T., Schläffer, M.: Differential cryptanalysis of Keccak variants. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 141–157. Springer, Heidelberg (2013)
7. Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: The Rebound Attack and Subspace Distinguishers: Application to Whirlpool. J. Cryptology (2013)
8. Mendel, F., Nad, T., Scherz, S., Schläffer, M.: Differential attacks on reduced RIPEMD-160. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 23–38. Springer, Heidelberg (2012)
9. Mendel, F., Nad, T., Schläffer, M.: Cryptanalysis of round-reduced HAS-160. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 33–47. Springer, Heidelberg (2012)
10. Mendel, F., Nad, T., Schläffer, M.: Finding SHA-2 characteristics: Searching through a minefield of contradictions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011)
11. Mendel, F., Nad, T., Schläffer, M.: Finding collisions for round-reduced SM3. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 174–188. Springer, Heidelberg (2013)
12. Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: New attacks on reduced SHA-256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013)
13. Mendel, F., Peyrin, T., Schläffer, M., Wang, L., Wu, S.: Improved cryptanalysis of reduced RIPEMD-160. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 484–503. Springer, Heidelberg (2013)
14. Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: Cryptanalysis of reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)
15. Naya-Plasencia, M.: How to improve rebound attacks. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 188–205. Springer, Heidelberg (2011)
16. Naya-Plasencia, M., Toz, D., Varici, K.: Rebound attack on JH42. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 252–269. Springer, Heidelberg (2011)
17. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
18. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)


On Lightweight Block Ciphers and Their
Security
María Naya-Plasencia
Inria, France
Maria.Naya


Abstract. In order to answer the requirements raised by a large number
of applications, like RFID or sensor networks, the design of lightweight
primitives has become a major interest of the cryptographic community.
A (very) large number of lightweight block ciphers have been proposed.
Correctly evaluating their security has become a primordial task requiring the attention of our community. In this talk we will make a survey
of these proposed ciphers, some of the proposed cryptanalysis and their
actual status. We will also try to provide links between some of these
ciphers/attacks and the SHA-3 competition.
Keywords: lightweight block ciphers · cryptanalysis.


Recent Advances in ID-Based Encryption
Marc Joye
Technicolor, USA


Abstract. Most ID-based cryptosystems make use of bilinear maps. A
notable exception is a 2001 publication by Clifford Cocks describing an
ID-based cryptosystem that works in standard RSA groups. Its semantic
security relies on the quadratic residuosity assumption. Cocks’s publication gave rise to several follow-up works aiming at improving the original scheme in multiple directions. This talk reviews Cocks’ scheme and
presents its known variants and extensions. It also discusses applications
thereof. Finally it reports some recent developments the author made in
the area.


Contents

Side Channel Analysis
Side-Channel Analysis on Blinded Regular Scalar Multiplications . . . . . . . .
Benoit Feix, Mylène Roussellet, and Alexandre Venelli


3

Online Template Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Lejla Batina, Łukasz Chmielewski, Louiza Papachristodoulou,
Peter Schwabe, and Michael Tunstall

21

Improved Multi-bit Differential Fault Analysis of Trivium . . . . . . . . . . . . .
Prakash Dey and Avishek Adhikari

37

Recovering CRT-RSA Secret Keys from Message Reduced Values
with Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benoit Feix, Hugues Thiebeauld, and Lucille Tordella

53

Theory
On Constant-Round Concurrent Zero-Knowledge from a Knowledge
Assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Divya Gupta and Amit Sahai

71

Balancing Output Length and Query Bound in Hardness Preserving
Constructions of Pseudorandom Functions . . . . . . . . . . . . . . . . . . . . . . . . .
Nishanth Chandran and Sanjam Garg


89

Block Ciphers
Linear Cryptanalysis of the PP-1 and PP-2 Block Ciphers . . . . . . . . . . . . . .
Michael Colburn and Liam Keliher

107

On the Key Schedule of Lightweight Block Ciphers . . . . . . . . . . . . . . . . . .
Jialin Huang, Serge Vaudenay, and Xuejia Lai

124

Cryptanalysis of Reduced-Round SIMON32 and SIMON48. . . . . . . . . . . . .
Qingju Wang, Zhiqiang Liu, Kerem Varıcı, Yu Sasaki, Vincent Rijmen,
and Yosuke Todo

143

General Application of FFT in Cryptanalysis and Improved Attack
on CAST-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Long Wen, Meiqin Wang, Andrey Bogdanov, and Huaifeng Chen

161


XXIV

Contents


Side Channel Analysis
Cryptanalysis of the Double-Feedback XOR-Chain Scheme Proposed
in Indocrypt 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Subhadeep Banik, Anupam Chattopadhyay, and Anusha Chowdhury
ESCAPE: Diagonal Fault Analysis of APE . . . . . . . . . . . . . . . . . . . . . . . . .
Dhiman Saha, Sukhendu Kuila, and Dipanwita Roy Chowdhury

179
197

Cryptanalysis
Using Random Error Correcting Codes in Near-Collision Attacks
on Generic Hash-Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Inna Polak and Adi Shamir

219

Linear Cryptanalysis of FASER128/256 and TriviA-ck . . . . . . . . . . . . . . . .
Chao Xu, Bin Zhang, and Dengguo Feng

237

Partial Key Exposure Attack on CRT-RSA . . . . . . . . . . . . . . . . . . . . . . . .
Santanu Sarkar and Ayineedi Venkateswarlu

255

On the Leakage of Information in Biometric Authentication . . . . . . . . . . . .
Elena Pagnin, Christos Dimitrakakis, Aysajan Abidin,

and Aikaterini Mitrokotsa

265

Efficient Hardware Design

One Word/Cycle HC-128 Accelerator via State-Splitting Optimization . . . 283
Ayesha Khalid, Prasanna Ravi, Anupam Chattopadhyay, and Goutam Paul

A Very Compact FPGA Implementation of LED and PHOTON . . . 304
N. Nalla Anandakumar, Thomas Peyrin, and Axel Poschmann

S-box Pipelining Using Genetic Algorithms for High-Throughput AES Implementations: How Fast Can We Go? . . . 322
Lejla Batina, Domagoj Jakobovic, Nele Mentens, Stjepan Picek, Antonio de la Piedra, and Dominik Sisejkovic

Protected Hardware Design

Wire-Tap Codes as Side-Channel Countermeasure: An FPGA-Based Experiment . . . 341
Amir Moradi

Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes . . . 360
Sumanta Sarkar, Subhamoy Maitra, and Kaushik Chakraborty


Confused by Confusion: Systematic Evaluation of DPA Resistance of Various S-boxes . . . 374
Stjepan Picek, Kostas Papagiannopoulos, Barış Ege, Lejla Batina, and Domagoj Jakobovic

Elliptic Curves

Binary Edwards Curves Revisited . . . 393
Kwang Ho Kim, Chol Ok Lee, and Christophe Negre

Summation Polynomial Algorithms for Elliptic Curves in Characteristic Two . . . 409
Steven D. Galbraith and Shishay W. Gebregiyorgis

A Quantum Algorithm for Computing Isogenies between Supersingular Elliptic Curves . . . 428
Jean-François Biasse, David Jao, and Anirudh Sankar

Author Index . . . 443


Side Channel Analysis - I


Side-Channel Analysis on Blinded Regular Scalar Multiplications

Benoit Feix¹, Mylène Roussellet², and Alexandre Venelli³ (corresponding author)

¹ UL Security Transactions, UK Security Lab, Basingstoke, UK
² Gemalto, La Ciotat, France
³ Thalès Communications and Security, Toulouse, France

Abstract. We present a new side-channel attack path threatening state-of-the-art protected implementations of embedded elliptic curve scalar multiplications. Regular algorithms such as double-and-add-always and the Montgomery ladder are commonly used to protect the scalar multiplication from simple side-channel analysis. Combining such algorithms with scalar and/or point blinding countermeasures leads to scalar multiplications protected from all previously known attacks. Scalar randomization, which consists of adding a random multiple of the group order to the scalar value, is a popular countermeasure because of its efficiency. Amongst the several curves defined for use in elliptic curve products, the most widely used are those standardized by NIST. As observed in several previous publications, the moduli, and hence the orders, of these curves are sparse, primarily for efficiency reasons. In this paper, we take advantage of this specificity to present new attack paths which combine vertical and horizontal side-channel attacks to recover the entire secret scalar in state-of-the-art protected elliptic curve implementations.

Keywords: Elliptic curves · Scalar multiplication · Side-channel analysis · Correlation analysis

1 Introduction

Elliptic Curve Cryptography (ECC) has become a very promising branch of cryptology. Since its introduction by Miller [25] and Koblitz [22], numerous studies have offered a rich variety of implementation methods for efficient and tamper-resistant scalar multiplication algorithms in embedded products. Many standardized protocols, such as the Elliptic Curve Digital Signature Algorithm (ECDSA) [29] or the Elliptic Curve Diffie-Hellman (ECDH) key exchange, are increasingly used in payment and identity products. Their main advantage today is that they require significantly smaller parameters and key sizes than the well-known RSA [30] and Diffie-Hellman [15] cryptosystems. Most industrial ECC applications use elliptic curves defined in international standards [5,29,32]. These curves were generated with efficiency and security advantages for the different classical security levels.

Venelli: This work was carried out when the author was with INSIDE Secure.
© Springer International Publishing Switzerland 2014
W. Meier and D. Mukhopadhyay (Eds.): INDOCRYPT 2014, LNCS 8885, pp. 3–20, 2014.
DOI: 10.1007/978-3-319-13039-2_1

Besides these efficiency requirements in embedded environments, developers must also protect their products against physical attacks. These attack techniques fall into two categories, namely Side-Channel Analysis (SCA) and Fault Analysis (FA). In this paper, we use the full spectrum of Side-Channel Analysis, namely classical Vertical Correlation attacks [7], Horizontal Correlation attacks [12], Vertical Collision-Correlation [27,38] and Horizontal Collision-Correlation [1,13].
A recent paper at Indocrypt 2013 by Bauer et al. [2] presented a new side-channel attack, combining vertical and horizontal techniques, on a standard RSA blinded exponentiation when the public exponent value is 3. Based on the same observation, we design new side-channel attack paths on regular scalar multiplication algorithms with blinded scalar implementations for most standardized curves. We present vertical and horizontal attacks, with known and unknown input point values, that successfully recover the whole secret scalar.
Our Proposed Attack Strategy. Our attack paths consist of three steps. First, the attacker uses the fact that the scalar blinding does not mask a large part of the secret. This side-channel vulnerability can be exploited vertically, i.e. using several execution traces; the attacker recovers the middle part of the secret. In a second step, the attacker needs to recover the random value used for each scalar blinding. This part is performed horizontally, i.e. each random value is recovered using only one trace; the part of the secret already recovered in the first step provides additional side-channel information for the attacker to exploit. This step recovers the most significant part of the scalar. Finally, the third step consists of retrieving the least significant part of the scalar: using the random value already recovered for each trace and the middle part of the secret, the attacker can perform a vertical attack.
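The observation behind the first step (stated in the abstract: the NIST orders are sparse, so scalar randomization leaves part of the scalar unmasked) can be checked directly on the numbers. The script below is an added example, not code from the paper or its authors. It assumes the blinding is k' = k + r·n with a 32-bit random r, uses the NIST P-192 and P-256 group orders from FIPS 186-4, and a constructed secret scalar; the bit positions it reports are computed by the script itself and are not quoted from the paper. It locates the block of bits in which r·n is all ones for every r, then shows that the same block of the blinded scalar equals the corresponding block of k up to a single borrow, which is exactly why a vertical attack over many traces can recover that "middle part" before r is known.

```python
"""Where scalar blinding k' = k + r*n leaves a block of k unmasked.

Added example, not code from the paper. Assumed: the blinding adds a 32-bit
random multiple of the group order (the block positions below are computed
here, not quoted from the paper), and the orders are the NIST P-192 and
P-256 orders from FIPS 186-4.
"""
import random

# NIST group orders (FIPS 186-4), embedded so the script runs offline.
P192_N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def blind_scalar(k, n, r):
    """Scalar randomisation: run the scalar multiplication with k' = k + r*n.
    It computes the same point as k*P because n*P is the point at infinity."""
    return k + r * n


def chunk(x, lo, hi):
    """Bits lo..hi of x (inclusive, bit 0 = least significant) as an integer."""
    return (x >> lo) & ((1 << (hi - lo + 1)) - 1)


def constant_bit_runs(n, rbits, samples=256, min_len=16, seed=2014):
    """Runs of bit positions where r*n has the same value for every sampled r.

    The NIST orders are sparse: n = 2^192 - c for P-192 with c < 2^95, and
    n = 2^256 - 2^224 + 2^192 - 2^128 + c for P-256 with c < 2^128. With a
    32-bit r the product r*n therefore contains a block of bits that is all
    ones whatever r is. Returns inclusive (lo, hi) runs of >= min_len bits.
    """
    rng = random.Random(seed)  # fixed seed so the run boundaries are reproducible
    width = n.bit_length() + rbits  # r*n < 2^width
    ref = rng.randrange(1, 1 << rbits) * n
    varying = 0  # OR of XOR differences: bit i set <=> bit i of r*n depends on r
    for _ in range(samples - 1):
        varying |= (rng.randrange(1, 1 << rbits) * n) ^ ref
    runs, start = [], None
    for i in range(width + 1):
        const = i < width and not (varying >> i) & 1
        if const and start is None:
            start = i
        elif not const and start is not None:
            if i - start >= min_len:
                runs.append((start, i - 1))
            start = None
    return runs


def blinded_chunk_offsets(k, n, lo, hi, rbits, samples=256, seed=2014):
    """Set of (chunk(k') - chunk(k)) mod 2^w observed over random blinding values.

    In a block where r*n is all ones, chunk(k') = chunk(k) + (2^w - 1) + carry,
    so the offset set is a subset of {0, 2^w - 1}: k's block survives the
    blinding up to a single borrow. In a masked block the set is large.
    """
    rng = random.Random(seed)
    w = hi - lo + 1
    seen = set()
    for _ in range(samples):
        kp = blind_scalar(k, n, rng.randrange(1, 1 << rbits))
        seen.add((chunk(kp, lo, hi) - chunk(k, lo, hi)) % (1 << w))
    return seen


def candidates_from_blinded_chunk(kp, lo, hi):
    """What the first (vertical) step learns once the unmasked block of k'
    is recovered: the corresponding block of k is one of two candidates."""
    w = hi - lo + 1
    c = chunk(kp, lo, hi)
    return {c, (c + 1) % (1 << w)}


if __name__ == "__main__":
    # Constructed secret scalar (not from the paper), reduced modulo each order.
    k0 = 0x6A1D4F3B9C2E7081D5F4A3B2C1E0F9A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4D3E2
    for name, n, (lo, hi) in (("P-192", P192_N, (128, 191)),
                              ("P-256", P256_N, (160, 191))):
        k = k0 % n
        print(name, "constant bits of r*n:", constant_bit_runs(n, 32))
        print("  offsets in bits %d..%d:" % (lo, hi),
              sorted(blinded_chunk_offsets(k, n, lo, hi, 32)))
        kp = blind_scalar(k, n, 0xDEADBEEF)
        print("  true block in candidates:",
              chunk(k, lo, hi) in candidates_from_blinded_chunk(kp, lo, hi))
```

With a 32-bit r, the script reports bits 128..191 of the P-192 scalar and bits 160..191 of the P-256 scalar as unmasked (the exact boundaries depend only on the order and the size of r, which is why the countermeasure's effectiveness cannot be judged without looking at the specific curve); every other block of k' takes many different values across r, as a blinding should.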
Roadmap. The paper is organized as follows. Section 2 recalls the basics of elliptic curve cryptography and embedded scalar multiplication. We also detail the classical side-channel countermeasures and the side-channel attack background necessary for a good understanding of the rest of the paper. In Section 3, we describe our first attack, which defeats a regular implementation when the secret scalar is blinded but not the input point. Section 4 extends our attack techniques to the unknown (or randomized) input point case. To illustrate the efficiency of our attacks, we present experimental results on simulated side-channel traces in Section 5. Countermeasures are discussed in Section 6. We finally conclude the paper in Section 7.