
Lecture Notes in Computer Science 6110
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Henri Gilbert (Ed.)

Advances in Cryptology – EUROCRYPT 2010

29th Annual International Conference on the Theory and Applications of Cryptographic Techniques
French Riviera, May 30 – June 3, 2010
Proceedings

Volume Editor

Henri Gilbert
Orange Labs/MAPS/STT
38–40 rue du Général Leclerc, 92794 Issy les Moulineaux Cedex 9
E-mail: [email protected]

Library of Congress Control Number: 2010926925

CR Subject Classification (1998): E.3, K.6.5, C.2, D.4.6, J.1, G.2.1

LNCS Sublibrary: SL 4 – Security and Cryptology

ISSN 0302-9743
ISBN-10 3-642-13189-1 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-13189-9 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com
© International Association for Cryptologic Research 2010
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper 06/3180

Preface

These are the proceedings of Eurocrypt 2010, the 29th in the series of European conferences on the Theory and Application of Cryptographic Techniques. The conference was sponsored by the International Association for Cryptologic Research and held on the French Riviera, May 30–June 3, 2010.

A total of 191 papers were received of which 188 were retained as valid submissions. These were each assigned to at least three Program Committee members and a total of 606 review reports were produced. The printed record of the reviews and extensive online discussions that followed would be almost as voluminous as these proceedings. In the end 35 submissions were accepted with two submission pairs being merged to give 33 papers presented at the conference. The final papers in these proceedings were not subject to a second review before publication and the authors are responsible for their contents.

The Program Committee, listed on the next page, deserves particular thanks for all their hard work, their outstanding expertise, and their constant commitment to all aspects of the evaluation process. These thanks are of course extended to the very many external reviewers who took the time to help out during the evaluation process. It was also a great pleasure to honor and welcome Moti Yung who gave the 2010 IACR Distinguished Lecture.

It might be recalled that Eurocrypt 2010 took place under exceptionally difficult circumstances. First, in the aftermath of the financial crisis, sponsorship was a low priority for many companies. We are therefore grateful to I3S, Ingenico, Microsoft, Nagravision, Oberthur, Orange Labs, Qualcomm, Sagem Sécurité, and Technicolor for their support of Eurocrypt 2010. We specifically acknowledge the kind efforts of Hervé Chabanne, Guillaume Dabosville, Jean-Bernard Fischer, Paul Friedel, Marc Joye, François Larbey, Kristin Lauter, Bruno Martin, David Naccache, Jim Ostrich, and Greg Rose for making it happen. Second, long-standing plans for Eurocrypt 2010 were disrupted by the sudden decision of the French Government to hold an international summit at the same time and at the same venue. For their help following this forced relocation, we would like to extend our gratitude to our friends and family members who helped with wise advice, good connections, and imaginative suggestions.

We would like to thank the IACR board for the honor of hosting Eurocrypt 2010. Particular thanks are due to Shai Halevi for all his unseen work on the submission, review, and registration sites, to Antoine Joux for sharing his experience as Program Chair of Eurocrypt 2009, and to Helena Handschuh and Bart Preneel for their constant advice, help, and support. Last, but not least, we are grateful for the help and input of our colleagues Ryad Benadjila, Gilles Macario-Rat, and Yannick Seurin, all at Orange Labs.

March 2010
Henri Gilbert (Program Chair)
Olivier Billet (General Chair)
Matthew Robshaw (General Chair)

Organization

General Chairs

Olivier Billet, Orange Labs, France
Matthew Robshaw, Orange Labs, France

Program Chair

Henri Gilbert, Orange Labs, France

Program Committee

Dan Boneh, Stanford University
Ran Canetti, Tel Aviv University
Anne Canteaut, INRIA
Carlos Cid, Royal Holloway, University of London
Jean-Sébastien Coron, Université du Luxembourg
Ivan Damgård, University of Aarhus
Steven Galbraith, Auckland University
Rosario Gennaro, IBM Research
Helena Handschuh, K.U.Leuven and Intrinsic-ID Inc.
Stanislaw Jarecki, University of California at Irvine
Antoine Joux, DGA and Université de Versailles
Marc Joye, Technicolor
Ari Juels, RSA Laboratories
Aggelos Kiayias, University of Connecticut
Lars Knudsen, Technical University of Denmark
Arjen Lenstra, EPFL and Alcatel-Lucent Bell Laboratories
Helger Lipmaa, Cybernetica AS
Mitsuru Matsui, Mitsubishi Electric
Alexander May, Ruhr-University Bochum
Tatsuaki Okamoto, NTT
Krzysztof Pietrzak, CWI Amsterdam
David Pointcheval, ENS/CNRS/INRIA
Bart Preneel, Katholieke Universiteit Leuven
Phillip Rogaway, University of California, Davis
Amit Sahai, UCLA
Berry Schoenmakers, Technische Universiteit Eindhoven
Ron Steinfeld, Macquarie University
Frederik Vercauteren, Katholieke Universiteit Leuven
Yiqun Lisa Yin, Independent Security Consultant

External Reviewers

Michel Abdalla, Masayuki Abe, Shweta Agrawal, Martin Albrecht, Davide Alessio, Elena Andreeva, Giuseppe Ateniese, Roberto Avanzi, Ali Bagherzandi, Paulo Barreto, Anja Becker, Mihir Bellare, Rikke Bendlin, Nir Bitansky, Bruno Blanchet, Julia Borghoff, Joppe Bos, Arnaud Boscher, Ahto Buldas, Sébastien Canard, Christophe De Cannière, David Cash, Wouter Castryck, Pascale Charpin, Céline Chevalier, Cécile Delerablée, Alex Dent, Léo Ducas, Thomas Dullien, Orr Dunkelman, Sebastian Faust, Marc Fischlin, Matthias Fitzi, Georg Fuchsbauer, Teddy Furon, Sebastian Gajek, David Galindo, Nicolas Gama, Praveen Gauravaram, Sharon Goldberg, Louis Goubin, Aline Gouget, Vipul Goyal, Jens Groth, Shai Halevi, Mike Hamburg, Carmit Hazay, Brett Hemenway, Jens Hermans, Mathias Herrmann, Dennis Hofheinz, Susan Hohenberger, Sebastiaan de Hoogh, Fumitaka Hoshino, Thomas Icart, Sorina Ionica, Yuval Ishai, Hongxia Jin, Ellen Jochemsz, Pascal Junod, Marcelo Kaihara, Alexandre Karlov, Marcel Keller, John Kelsey, Shahram Khazaei, Eike Kiltz, Thorsten Kleinjung, Hugo Krawczyk, Eyal Kushilevitz, Tanja Lange, Gregor Leander, Reynald Lercier, Gaëtan Leurent, Allison Lewko, Peter van Liesdonk, Xiaomin Liu, Carolin Lunemann, Hemanta Maji, Yoshifumi Manabe, Krystian Matusiewicz, Alfred Menezes, Alexander Meurer, Lorenz Minder, Marine Minier, Hart Montgomery, Sean Murphy, María Naya-Plasencia, Gregory Neven, Phong Q. Nguyen, Jesper Buus Nielsen, Svetla Nikova, Ryo Nishimaki, Karsten Nohl, Adam O’Neill, Josh Olsen, Alina Oprea, Rafi Ostrovsky, Dag Arne Osvik, Onur Ozen, Carles Padró, Pascal Paillier, Omkant Pandey, Omer Paneth, Jacques Patarin, Kenny Paterson, Serdar Pehlivanoglu, Duong Hieu Phan, Josef Pieprzyk, Benny Pinkas, Zeger Plug, Bart Preneel, Emmanuel Prouff, Xavier Pujol, Tal Rabin, Alfredo Rial, Thomas Ristenpart, Maike Ritzenhofen, Ben Riva, Sondre Rønjom, Rei Safavi-Naini, Juraj Sarinay, Christian Schaffner, Gil Segev, Yannick Seurin, Hakan Seyalioglu, Stefaan Seys, Hovav Shacham, Daniel Shahaf, Igor Shparlinski, Koen Simoens, Dave Singelée, Boris Škorić, Nigel Smart, Ben Smith, Martijn Stam, Till Stegers, Damien Stehlé, Mario Strefler, Xiaoming Sun, Daisuke Suzuki, Katsuyuki Takashima, Stefano Tessaro, Kobayashi Tetsutaro, Søren S. Thomsen, Mehdi Tibouchi, Jean-Pierre Tillich, Tomas Toft, Jacques Traoré, Joana Treger, Elena Trichina, Toyohiro Tsurumaru, Pim Tuyls, Berkant Ustaoğlu, Vinod Vaikuntanathan, Margarita Vald, Mayank Varia, Serge Vaudenay, Bastien Vayssière, Damien Vergnaud, José Villegas, Ivan Visconti, Martin Vuagnoux, Shabsi Walfish, Huaxiong Wang, Brent Waters, Steve Weis, Christopher Wolf, Brecht Wyseur, Keita Xagawa, Go Yamamoto, Santiago Zanella Béguelin, Erik Zenner, Haibin Zhang, Hong-Sheng Zhou

Table of Contents

Cryptosystems I

On Ideal Lattices and Learning with Errors over Rings ...... 1 Vadim Lyubashevsky, Chris Peikert, and Oded Regev

Fully Homomorphic Encryption over the Integers ...... 24 Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups ...... 44 David Mandell Freeman

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption ...... 62 Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters

Obfuscation and Side Channel Security

Secure Obfuscation for Encrypted Signatures ...... 92 Satoshi Hada

Public-Key Encryption in the Bounded-Retrieval Model ...... 113 Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, and Daniel Wichs

Protecting Circuits from Leakage: The Computationally-Bounded and Noisy Cases ...... 135 Sebastian Faust, Tal Rabin, Leonid Reyzin, Eran Tromer, and Vinod Vaikuntanathan

2-Party Protocols

Partial Fairness in Secure Two-Party Computation ...... 157 S. Dov Gordon and Jonathan Katz

Secure Message Transmission with Small Public Discussion ...... 177 Juan Garay, Clint Givens, and Rafail Ostrovsky

On the Impossibility of Three-Move Blind Signature Schemes ...... 197 Marc Fischlin and Dominique Schröder

Efficient Device-Independent Quantum Key Distribution ...... 216 Esther Hänggi, Renato Renner, and Stefan Wolf

Cryptanalysis

New Generic Algorithms for Hard Knapsacks ...... 235 Nick Howgrave-Graham and Antoine Joux

Lattice Enumeration Using Extreme Pruning ...... 257 Nicolas Gama, Phong Q. Nguyen, and Oded Regev

Algebraic Cryptanalysis of McEliece Variants with Compact Keys ...... 279 Jean-Charles Faugère, Ayoub Otmani, Ludovic Perret, and Jean-Pierre Tillich

Key Recovery Attacks of Practical Complexity on AES-256 Variants with Up to 10 Rounds ...... 299 Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir

2010 IACR Distinguished Lecture

between Wonderland and Underland ...... 320 Moti Yung

Automated Tools and Formal Methods

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others ...... 322 Alex Biryukov and Ivica Nikolić

Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR ...... 345 Kenneth G. Paterson and Gaven J. Watson

Computational Soundness, Co-induction, and Encryption Cycles ...... 362 Daniele Micciancio

Models and Proofs

Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks ...... 381 Serge Fehr, Dennis Hofheinz, Eike Kiltz, and Hoeteck Wee

Cryptographic Agility and Its Relation to Circular Encryption ...... 403 Tolga Acar, Mira Belenkiy, Mihir Bellare, and David Cash

Bounded Key-Dependent Message Security ...... 423 Boaz Barak, Iftach Haitner, Dennis Hofheinz, and Yuval Ishai

Multiparty Protocols

Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography ...... 445 Ivan Damgård, Yuval Ishai, and Mikkel Krøigaard

Adaptively Secure Broadcast ...... 466 Martin Hirt and Vassilis Zikas

Universally Composable Quantum Multi-party Computation ...... 486 Dominique Unruh

Cryptosystems II

A Simple BGN-Type Cryptosystem from LWE ...... 506 Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan

Bonsai Trees, or How to Delegate a Lattice Basis ...... 523 David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert

Efficient Lattice (H)IBE in the Standard Model ...... 553 Shweta Agrawal, , and Xavier Boyen

Hash and MAC

Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation ...... 573 Jooyoung Lee and John Steinberger

Stam’s Collision Resistance Conjecture ...... 597 John Steinberger

Universal One-Way Hash Functions via Inaccessible Entropy ...... 616 Iftach Haitner, Thomas Holenstein, , , and Hoeteck Wee

Foundational Primitives

Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions ...... 638 Rafael Pass and Hoeteck Wee

Constructing Verifiable Random Functions with Large Input Spaces .... 656 Susan Hohenberger and Brent Waters

Adaptive Trapdoor Functions and Chosen-Ciphertext Security ...... 673 Eike Kiltz, Payman Mohassel, and Adam O’Neill

Author Index ...... 693