Lecture Notes in 6223 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, , and Jan van Leeuwen

Editorial Board
David Hutchison - Lancaster University, UK
Takeo Kanade - Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler - University of Surrey, Guildford, UK
Jon M. Kleinberg - Cornell University, Ithaca, NY, USA
Alfred Kobsa - University of California, Irvine, CA, USA
Friedemann Mattern - ETH Zurich, Switzerland
John C. Mitchell - , CA, USA
Moni Naor - Weizmann Institute of Science, Rehovot,
Oscar Nierstrasz - University of Bern, Switzerland
C. Pandu Rangan - Indian Institute of Technology, Madras, India
Bernhard Steffen - TU Dortmund University, Germany
Madhu Sudan - Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos - University of California, Los Angeles, CA, USA
Doug Tygar - University of California, Berkeley, CA, USA
Gerhard Weikum - Max-Planck Institute of Computer Science, Saarbruecken, Germany

Tal Rabin (Ed.)

Advances in Cryptology – CRYPTO 2010

30th Annual Cryptology Conference Santa Barbara, CA, USA, August 15-19, 2010 Proceedings

Volume Editor

Tal Rabin
IBM T.J. Watson Research Center, Hawthorne, NY, USA
E-mail: [email protected]

Library of Congress Control Number: 2010931385

CR Subject Classification (1998): E.3, G.2.1, F.2.1-2, D.4.6, K.6.5, C.2, J.1

LNCS Sublibrary: SL 4 – Security and Cryptology

ISSN 0302-9743
ISBN-10 3-642-14622-8 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-14622-0 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com

© International Association for Cryptologic Research 2010
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper 06/3180

Preface

CRYPTO 2010, the 30th Annual International Cryptology Conference, was sponsored by the International Association for Cryptologic Research (IACR) in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy and the Computer Science Department of the University of California at Santa Barbara. The conference was held in Santa Barbara, California, during August 15-19, 2010, in conjunction with CHES 2010 (Workshop on Cryptographic Hardware and Embedded Systems). Zulfikar Ramzan served as the General Chair.

The conference received 203 submissions. The quality of the submissions was very high, and the selection process was a challenging one. The Program Committee, aided by 159 external reviewers, reviewed the submissions and after an intensive review period the committee accepted 41 of these submissions. Three submissions were merged into a single paper and two papers were merged into a single talk, yielding a total of 39 papers in the proceedings and 38 presentations at the conference. The revised versions of the 39 papers appearing in the proceedings were not subject to editorial review and the authors bear full responsibility for their contents. The best-paper award was awarded to the paper “Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness” by Craig Gentry.

The conference featured two invited presentations. This year we celebrated 25 years from the publication of the ground-breaking work of Shafi Goldwasser, and Charles Rackoff “The Knowledge Complexity of Interactive Proof-Systems.” We had the privilege of having “GMR” give the first invited talk of the conference. The second invited talk was in a joint session with CHES. The topic was “Is Theoretical Any Good in Practice?” and the talk was jointly given by Ivan Damgård and Markus Kuhn. The program also included a Rump Session, chaired by Daniel J. Bernstein and Tanja Lange, featuring short informal talks on new and in-progress results.
I am indebted to the many people who contributed to the success of the conference, and I apologize to those I have forgotten. First and foremost I thank the authors who submitted their papers; a conference is only as good as the submissions that it receives. The Program Committee members made a great effort contributing their time, knowledge, expertise and taste, and for that I am grateful. I also thank the large number of external reviewers who assisted in the process. (The Program Committee and sub-reviewers are listed in the following pages.) The submission and review process used the software that Shai Halevi designed, and I received a lot of help from him in running it. And always, I want to thank my friends at IBM Research, Rosario Gennaro, Craig Gentry, Shai Halevi, Charanjit Jutla, Hugo Krawczyk and Vinod Vaikuntanathan – being part of this group makes everything so much more worthwhile.

June 2010
Tal Rabin

CRYPTO 2010

The 30th International Cryptology Conference

August 15–19, 2010, Santa Barbara, California, USA

Sponsored by the International Association for Cryptologic Research (IACR) in cooperation with IEEE Computer Society Technical Committee on Security and Privacy, Computer Science Department, University of California, Santa Barbara

General Chair

Zulfikar Ramzan - Symantec

Program Chair

Tal Rabin - IBM Research

Program Committee

Michel Abdalla - ENS, France
Adi Akavia - Weizmann Institute, Israel
Amos Beimel - Ben-Gurion University, Israel
Xavier Boyen - Université de Liège, Belgium
Christian Cachin - IBM Research, Zurich, Switzerland
Serge Fehr - CWI, The Netherlands
Johan Håstad - Royal Institute of Technology, Sweden
Carmit Hazay - Weizmann Institute and IDC Herzelia, Israel
Susan Hohenberger - Johns Hopkins, USA
Thomas Holenstein - ETH, Switzerland
Yael Tauman Kalai - Microsoft Research - New England, USA
John Kelsey - NIST, USA
Eike Kiltz - CWI, The Netherlands
Eyal Kushilevitz - Technion, Israel
Tanja Lange - Technische Universiteit Eindhoven, The Netherlands
Yehuda Lindell - Bar-Ilan University, Israel
Ilya Mironov - Microsoft Research, USA
Tal Moran - Harvard, USA
Jesper Buus Nielsen - University of Aarhus, Denmark
Eiji Okamoto - University of Tsukuba, Japan
Pascal Paillier - Gemalto, France
Rafael Pass - Cornell University, USA
Giuseppe Persiano - University of Salerno, Italy
Thomas Peyrin - Ingenico, France
Leonid Reyzin - Boston University, USA
Matt Robshaw - Orange Labs, France
Palash Sarkar - Indian Statistical Institute, India
abhi shelat - University of Virginia, USA
Vinod Vaikuntanathan - IBM Research, USA
University of Texas, Austin, USA
Hoeteck Wee - Queens College, CUNY, USA
Andrew Yao ,

Advisory Members

Shai Halevi (CRYPTO 2009 Program Chair) - IBM Research
Phil Rogaway (CRYPTO 2011 Program Chair) - University of California, Davis

External Reviewers

Divesh Aggarwal, Shweta Agrawal, Jae Hyun Ahn, Joel Alwen, Benny Applebaum, Gilad Asharov, Aslan Askarov, Jean-Philippe Aumasson, Roberto M. Avanzi, Steve Babbage, Daniel J. Bernstein, Luk Bettale, Rishiraj Bhattacharyya, Sanjay Bhattacherjee, Niek Bouman, Elette Boyle, Zvika Brakerski, Eric Brier, Dan Brown, Jan Camenisch, Sébastien Canard, Ran Canetti,
Anne Canteaut, Claude Carlet, David Cash, Nishanth Chandran, Donghoon Chang, Melissa Chase, Sanjit Chatterjee, Lily Chen, Victor Chen, Nathan Chenette, Céline Chevalier, Christophe Clavier, Jean-Sébastien Coron, Scott Coull, Giovanni Di Crescenzo, Dana Dachman-Soled, M. Prem Laxman Das, Blandine Debraize, Cécile Delerablée, Yevgeniy Dodis, Chandan Dubey, Renaud Dubois,
Maria Dubovitskaya, Leo Ducas, Dejan Dukaric, Orr Dunkelman, Sebastian Faust, Matthias Fitzi, Manuel Forster, Pierre-Alain Fouque, David Freeman, Georg Fuchsbauer, Thomas Fuhr, Benjamin Fuller, Steven Galbraith, Clemente Galdi, Sharon Goldberg, Prasant Gopal, Dov Gordon, Louis Goubin, Aline Gouget, Vipul Goyal, Matthew Green, Iftach Haitner,
Mike Hamburg, Nadia Heninger, Javier Herranz, Martin Hirt, Dennis Hofheinz, Esther Hänggi, Vincenzo Iovino, Yuval Ishai, Abhishek Jain, Otto Johnston, Antoine Joux, Charanjit Jutla, Seny Kamara, Bhavana Kanukurthi, Alexandre Karlov, Dmitry Khovratovich, Hugo Krawczyk, Gunnar Kreitz, Robin Künzler, Allison Lewko, Huijia Rachel Lin, Carolin Lunemann, Vadim Lyubashevsky, Subhamoy Maitra, Willi Meier, Alfred Menezes, Daniele Micciancio, Steve Miller, Hart Montgomery, Jorge Nakahara, Mridul Nandi,
Gregory Neven, Phong Nguyen, Mats Näslund, Adam O’Neill, Eran Omri, Claudio Orlandi, Ilan Orlov, Duong Hieu Phan, Omkant Pandey, Periklis Papakonstantinou, Bryan Parno, Anat Paskin, Souradyuti Paul, Chris Peikert, Ray Perlner, Ludovic Perret, Christiane Peters, Krzysztof Pietrzak, David Pointcheval, Stefan Popoveniuc, Emmanuel Prouff, Elizabeth Quaglia, Somindu C. Ramanna, Dominik Raub, Christian Rechberger, Andrew Regenscheid, Matthieu Rivain, Yannis Rouselakis, Andrea Röck, Subhabrata Samajder,
Gil Segev, Yannick Seurin, Igor Shparlinski, Francesco Sica, Martijn Stam, John Steinberger, Henning Stichtenoth, Kunal Talwar, Christophe Tartary, Björn Terelius, Stefano Tessaro, Emmanuel Thomé, Mehdi Tibouchi, Tomas Toft, Luca Trevisan, Wei-lung (Dustin) Tseng, Meltem Turan, Dominique Unruh, Muthuramakrishnan Venkitasubramaniam, Damien Vergnaud, Ivan Visconti, Bogdan Warinschi, Stephanie Wehner, Daniel Wichs, Douglas Wikström, Severin Winkler, Christopher Wolf, Bo-Yin Yang, Shona Yu, Hila Zarosim

Table of Contents

Leakage

Circular and Leakage Resilient Public-Key Encryption under Subgroup Indistinguishability (or: Quadratic Residuosity Strikes Back) ...... 1 Zvika Brakerski and Shafi Goldwasser

Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks ...... 21 Yevgeniy Dodis and Krzysztof Pietrzak

Protecting Cryptographic Keys against Continual Leakage ...... 41 Ali Juma and Yevgeniy Vahlis

Securing Computation against Continuous Leakage ...... 59 Shafi Goldwasser and Guy N. Rothblum

Lattice

An Efficient and Parallel Gaussian Sampler for Lattices ...... 80 Chris Peikert

Lattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE ...... 98 Shweta Agrawal, Dan Boneh, and Xavier Boyen

Homomorphic Encryption

Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness...... 116 Craig Gentry

Additively Homomorphic Encryption with d-Operand Multiplications ... 138 Carlos Aguilar Melchor, Philippe Gaborit, and Javier Herranz

i-Hop Homomorphic Encryption and Rerandomizable Yao Circuits ..... 155 Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan

Theory and Applications

Interactive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography ...... 173 Vipul Goyal, Yuval Ishai, Mohammad Mahmoody, and Amit Sahai

Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption ...... 191 Tatsuaki Okamoto and Katsuyuki Takashima

Structure-Preserving Signatures and Commitments to Group Elements...... 209 Masayuki Abe, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo

Efficient Indifferentiable Hashing into Ordinary Elliptic Curves ...... 237 Eric Brier, Jean-Sébastien Coron, Thomas Icart, David Madore, Hugues Randriam, and Mehdi Tibouchi

Key Exchange, OAEP/RSA, CCA

Credential Authenticated Identification and Key Exchange ...... 255 Jan Camenisch, Nathalie Casati, Thomas Gross, and

Password-Authenticated Session-Key Generation on the Internet in the Plain Model ...... 277 Vipul Goyal, Abhishek Jain, and Rafail Ostrovsky

Instantiability of RSA-OAEP under Chosen-Plaintext Attack ...... 295 Eike Kiltz, Adam O’Neill, and Adam Smith

Efficient Chosen-Ciphertext Security via Extractable Hash Proofs ...... 314 Hoeteck Wee

Attacks

Factorization of a 768-Bit RSA Modulus ...... 333 Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, Joppe W. Bos, Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, Herman te Riele, Andrey Timofeev, and Paul Zimmermann

Correcting Errors in RSA Private Keys ...... 351 Wilko Henecka, Alexander May, and Alexander Meurer

Improved Differential Attacks for ECHO and Grøstl ...... 370 Thomas Peyrin

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony ...... 393 Orr Dunkelman, Nathan Keller, and

Composition

Universally Composable Incoercibility ...... 411 Dominique Unruh and Jörn Müller-Quade

Concurrent Non-Malleable Zero Knowledge Proofs ...... 429 Huijia Lin, Rafael Pass, Wei-Lung Dustin Tseng, and Muthuramakrishnan Venkitasubramaniam

Equivalence of Uniform Key Agreement and Composition Insecurity .... 447 Chongwon Cho, Chen-Kuei Lee, and Rafail Ostrovsky

Computation Delegation and Obfuscation

Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers ...... 465 Rosario Gennaro, Craig Gentry, and Bryan Parno

Improved Delegation of Computation Using Fully Homomorphic Encryption ...... 483 Kai-Min Chung, Yael Kalai, and Salil Vadhan

Oblivious RAM Revisited ...... 502 Benny Pinkas and Tzachy Reinman

On Strong Simulation and Composable Point Obfuscation ...... 520 Nir Bitansky and Ran Canetti

Multiparty Computation

Protocols for Multiparty Coin Toss with Dishonest Majority ...... 538 Amos Beimel, Eran Omri, and Ilan Orlov

Multiparty Computation for Dishonest Majority: From Passive to Active Security at Low Cost ...... 558 Ivan Damgård and Claudio Orlandi

Secure Multiparty Computation with Minimal Interaction ...... 577 Yuval Ishai, Eyal Kushilevitz, and Anat Paskin-Cherniavsky

A Zero-One Law for Cryptographic Complexity with Respect to Computational UC Security ...... 595 Hemanta K. Maji, Manoj Prabhakaran, and Mike Rosulek

Pseudorandomness

On Generalized Feistel Networks ...... 613 Viet Tung Hoang and Phillip Rogaway

Cryptographic Extraction and Key Derivation: The HKDF Scheme ..... 631 Hugo Krawczyk

Time Space Tradeoffs for Attacks against One-Way Functions and PRGs ...... 649 Anindya De, Luca Trevisan, and Madhur Tulsiani

Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks ...... 666 Mihir Bellare and David Cash

Quantum

Secure Two-Party Quantum Evaluation of Unitaries against Specious Adversaries ...... 685 Frédéric Dupuis, Jesper Buus Nielsen, and Louis Salvail

On the Efficiency of Classical and Quantum Oblivious Transfer Reductions ...... 707 Severin Winkler and Jürg Wullschleger

Sampling in a Quantum Population, and Applications ...... 724 Niek J. Bouman and Serge Fehr

Author Index ...... 743