
Topics in Cryptology – CT-RSA 2018 PDF

524 Pages·2018·18.018 MB·English


Nigel P. Smart (Ed.)

Topics in Cryptology – CT-RSA 2018
The Cryptographers' Track at the RSA Conference 2018
San Francisco, CA, USA, April 16–20, 2018
Proceedings

Lecture Notes in Computer Science 10808
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Zurich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410

Editor
Nigel P. Smart, KU Leuven, Leuven, Belgium

ISSN 0302-9743
ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-76952-3
ISBN 978-3-319-76953-0 (eBook)
https://doi.org/10.1007/978-3-319-76953-0
Library of Congress Control Number: 2018935889
LNCS Sublibrary: SL4 – Security and Cryptology

© Springer International Publishing AG, part of Springer Nature 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper. This Springer imprint is published by the registered company Springer International Publishing AG, part of Springer Nature. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Preface

CT-RSA 2018 was held at its traditional home of the Moscone Centre in April 2018.
The RSA conference has been a major international event for information security experts since its inception in 1991. It is an annual event that attracts several hundred vendors and over 30,000 participants from industry, government, and academia. Since 2001, the RSA conference has included the Cryptographers' Track (CT-RSA), which provides a forum for current research in cryptography.

CT-RSA has become a major publication venue in cryptography. It covers a wide variety of topics from public-key to symmetric-key cryptography and from cryptographic protocols to primitives and their implementation security. This volume represents the proceedings of the 2018 RSA Conference Cryptographers' Track. A total of 79 full papers were submitted for review, out of which 26 papers were selected for presentation. As chair of the Program Committee, I deeply thank all the authors who contributed the results of their innovative research.

My appreciation also goes to the members of the Program Committee and the numerous external reviewers who carefully reviewed these submissions. Each submission had at least three independent reviewers. Together, Program Committee members and external reviewers generated well over 250 reviews. The selection process proved to be (as usual) a very difficult task, since each contribution had its own merits. The submission process as well as the review process and the editing of the final proceedings were greatly simplified by the software written by Shai Halevi and we thank him for his kind and immediate support throughout the whole process.

It is now a tradition that the technical CT-RSA program is also augmented by a panel discussion on some "hot topic" currently in cryptography. This year I thank Bart Preneel for organizing the panel discussion on "CryptoCurrencies." The panel consisted of a number of experts in this space including Adi Shamir and Matthew Green.

April 2018
Nigel P. Smart

CT-RSA 2018
Cryptographers' Track, RSA Conference
Moscone Center, San Francisco, California, USA
April 16–20, 2018

Program Chair
Nigel Paul Smart, KU Leuven, Belgium and University of Bristol, UK

Program Committee
Martin Albrecht, Royal Holloway University of London, UK
Josh Benaloh, Microsoft Research, USA
Alex Biryukov, University of Luxembourg, Luxembourg
Alexandra Boldyreva, Georgia Institute of Technology, USA
Joppe W. Bos, NXP Semiconductors, Belgium
David Cash, University of Chicago, USA
Junfeng Fan, Open Security Research, China
Tim Güneysu, University of Bremen and DFKI, Germany
Helena Handschuh, Rambus Cryptography Research, USA
Tibor Jager, Paderborn University, Germany
Stanislaw Jarecki, University of California at Irvine, USA
Marc Joye, NXP Semiconductors, USA
Florian Kerschbaum, University of Waterloo, Canada
Kwangjo Kim, KAIST, Republic of Korea
Susan Langford, Cryptographic Consultant, USA
Anja Lehmann, IBM Research Zurich, Switzerland
Tancrède Lepoint, SRI International, USA
Stefan Mangard, Graz University of Technology, Austria
Mitsuru Matsui, Mitsubishi Electric, Japan
David M'Raihi, Symphony, USA
Maria Naya-Plasencia, Inria, France
Michael Naehrig, Microsoft Research, USA
Kaisa Nyberg, Aalto University (retired), Finland
Claudio Orlandi, Aarhus University, Denmark
Elisabeth Oswald, University of Bristol, UK
Raphael Phan, Multimedia University, Malaysia
David Pointcheval, CNRS/Ecole Normale Supérieure, France
Bart Preneel, KU Leuven and iMinds, Belgium
Matt Robshaw, Impinj, USA
Reihaneh Safavi-Naini, University of Calgary, Canada
Kazue Sako, NEC, Japan
Douglas Stebila, McMaster University, Canada
Huaxiong Wang, Nanyang Technological University, Singapore

Additional Reviewers
Mohamed Ahmed Abdelraheem
Christopher Ambrose
Sepideh Avizheh
Florian Bache
Carsten Baum
Pascal Bemmann
Nina Bindel
Simon Blackburn
Olivier Blazy
Estuardo Alpirez Bock
Xavier Bonnetain
Guillaume Bonnoron
Angelo De Caro
Jie Chen
Céline Chevalier
Rak Yong Choi
Peter Chvojka
Craig Costello
Anders P. K. Dalskov
Ivan Damgård
Daniel Dinu
Yevgeniy Dodis
Benjamin Dowling
Leo Ducas
Adam Everspaugh
Daniel Feher
Dario Fiore
Nicolas Gama
Johann Groszschaedl
Qian Guo
Christopher Huth
Helene Haagh
Mike Hamburg
Susan Hohenberger
Mike Hutter
Lef Ionnadis
Christian Janson
Shaoquan Jiang
Antoine Joux
Sabyasachi Karati
Keisuke Kitou
Rafael Kurek
Thijs Laarhoven
Marco Martinoli
Shinichiro Matsuo
Marcel Medwed
Xiaoyu Min
Khoa Nguyen
David Niehues
Tobias Oder
Ludovic Perret
Peter Pessl
Thomas Peters
Duong Hieu Phan
Benny Pinkas
Denis Pochuev
Romain Poussier
Sebastian Ramacher
Oscar Reparaz
Bastian Richter
Thomas Ricosset
Yusuke Sakai
Siamak Shahandashti
Mark Simkin
Juraj Somorovsky
Daisuke Suzuki
Katsuyuki Takashima
Benjamin Hong Meng Tan
Isamu Teranishi
Yan Bo Ti
Sergei Tikhomirov
Isshiki Toshiyuki
Elena Trichina
Meng-Tsung Tsai
Hikaru Tsuchida
Toyohiro Tsurumaru
Mike Tunstall
Aleksei Udovenko
Thomas Unterluggauer
Brent Waters
Zongyue Wang
Mario Werner
John Whaley
Yanhong Xu
Kang Yang
Meng-Day (Mandel) Yu
Cong Zhang
Juanyang Zhang
Peng Zhao

Contents

Breaking Ed25519 in WolfSSL (p. 1)
Niels Samwel, Lejla Batina, Guido Bertoni, Joan Daemen, and Ruggero Susella

MemJam: A False Dependency Attack Against Constant-Time Crypto Implementations in SGX (p. 21)
Ahmad Moghimi, Thomas Eisenbarth, and Berk Sunar

Why Johnny the Developer Can't Work with Public Key Certificates: An Experimental Study of OpenSSL Usability (p. 45)
Martin Ukrop and Vashek Matyas

Improved Factorization of N = p^r q^s (p. 65)
Jean-Sébastien Coron and Rina Zeitoun

Cryptanalysis of Compact-LWE (p. 80)
Jonathan Bootle, Mehdi Tibouchi, and Keita Xagawa

Two-Message Key Exchange with Strong Security from Ideal Lattices (p. 98)
Zheng Yang, Yu Chen, and Song Luo

High-Precision Arithmetic in Homomorphic Encryption (p. 116)
Hao Chen, Kim Laine, Rachel Player, and Yuhou Xia

Threshold Properties of Prime Power Subgroups with Application to Secure Integer Comparisons (p. 137)
Rhys Carlton, Aleksander Essex, and Krzysztof Kapulkin

Practical Revocation and Key Rotation (p. 157)
Steven Myers and Adam Shull

Asynchronous Provably-Secure Hidden Services (p. 179)
Philippe Camacho and Fernando Krell

Cryptanalysis Against Symmetric-Key Schemes with Online Classical Queries and Offline Quantum Computations (p. 198)
Akinori Hosoyamada and Yu Sasaki

Improving Stateless Hash-Based Signatures (p. 219)
Jean-Philippe Aumasson and Guillaume Endignoux

MixColumns Properties and Attacks on (Round-Reduced) AES with a Single Secret S-Box (p. 243)
Lorenzo Grassi

Count-then-Permute: A Precision-Free Alternative to Inversion Sampling (p. 264)
Kazuhiko Minematsu, Kentarou Sasaki, and Yuki Tanaka

Zero-Sum Partitions of PHOTON Permutations (p. 279)
Qingju Wang, Lorenzo Grassi, and Christian Rechberger

Improved Security Bound of LightMAC_Plus and Its Single-Key Variant (p. 300)
Yusuke Naito

Reassessing Security of Randomizable Signatures (p. 319)
David Pointcheval and Olivier Sanders

Differential Attacks on Deterministic Signatures (p. 339)
Christopher Ambrose, Joppe W. Bos, Björn Fay, Marc Joye, Manfred Lochter, and Bruce Murray

Composable and Robust Outsourced Storage (p. 354)
Christian Badertscher and Ueli Maurer

Secure Deduplication of Encrypted Data: Refined Model and New Constructions (p. 374)
Jian Liu, Li Duan, Yong Li, and N. Asokan

Two Sides of the Same Coin: Counting and Enumerating Keys Post Side-Channel Attacks Revisited (p. 394)
Daniel P. Martin, Luke Mather, and Elisabeth Oswald

High-Resolution EM Attacks Against Leakage-Resilient PRFs Explained: And an Improved Construction (p. 413)
Florian Unterstein, Johann Heyszl, Fabrizio De Santis, Robert Specht, and Georg Sigl

Revocable Identity-Based Encryption from Codes with Rank Metric (p. 435)
Donghoon Chang, Amit Kumar Chauhan, Sandeep Kumar, and Somitra Kumar Sanadhya

An Exposure Model for Supersingular Isogeny Diffie-Hellman Key Exchange (p. 452)
Brian Koziel, Reza Azarderakhsh, and David Jao
