Advances in cryptology – ASIACRYPT 2016 22nd international conference part i





LNCS 10031

Jung Hee Cheon, Tsuyoshi Takagi (Eds.)

Advances in Cryptology – ASIACRYPT 2016
22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016. Proceedings, Part I

Lecture Notes in Computer Science. Commenced publication in 1973. Founding and former series editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen.

Editorial Board
David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Zurich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410

Editors
Jung Hee Cheon, Seoul National University, Seoul, Korea (Republic of)
Tsuyoshi Takagi, Kyushu University, Fukuoka, Japan

ISSN 0302-9743; ISSN 1611-3349 (electronic). Lecture Notes in Computer Science.
ISBN 978-3-662-53886-9; ISBN 978-3-662-53887-6 (eBook). DOI 10.1007/978-3-662-53887-6
Library of Congress Control Number: 2016956613
LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2016

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper.

This Springer imprint is published by Springer Nature. The registered company is Springer-Verlag GmbH Germany. The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany.

Preface

ASIACRYPT 2016, the 22nd Annual
International Conference on Theory and Application of Cryptology and Information Security, was held at the InterContinental Hanoi Westlake Hotel in Hanoi, Vietnam, during December 4–8, 2016. The conference focused on all technical aspects of cryptology, and was sponsored by the International Association for Cryptologic Research (IACR).

Asiacrypt 2016 received a total of 240 submissions from all over the world. The Program Committee selected 67 papers from these submissions for publication in the proceedings of this conference. The review process was made via the usual double-blind peer review by the Program Committee comprising 43 leading experts in the field. Each submission was reviewed by at least three reviewers, and five reviewers were assigned to submissions co-authored by Program Committee members. This year, the conference operated a two-round review system with a rebuttal phase. In the first-round review the Program Committee selected the 140 submissions that were considered of value for proceeding to the second round. In the second-round review the Program Committee further reviewed the submissions by taking into account the rebuttal letters from the authors. The selection process was assisted by a total of 309 external reviewers. These two-volume proceedings contain the revised versions of the papers that were selected. The revised versions were not reviewed again and the authors are responsible for their contents.

The program of Asiacrypt 2016 featured three excellent invited talks. Nadia Heninger gave a talk on "The Reality of Cryptographic Deployments on the Internet," Hoeteck Wee spoke on "Advances in Functional Encryption," and Neal Koblitz gave a nontechnical lecture on "Cryptography in Vietnam in the French and American Wars." The conference also featured a traditional rump session that contained short presentations on the latest research results of the field.

The Program Committee selected the work "Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds" by Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène for the Best Paper Award of Asiacrypt 2016. Two more papers, "Nonlinear Invariant Attack—Practical Attack on Full SCREAM, iSCREAM, and Midori64" by Yosuke Todo, Gregor Leander, and Yu Sasaki, and "Cliptography: Clipping the Power of Kleptographic Attacks" by Alexander Russell, Qiang Tang, Moti Yung, and Hong-Sheng Zhou, were solicited to submit full versions to the Journal of Cryptology.

Many people contributed to the success of Asiacrypt 2016. We would like to thank the authors for submitting their research results to the conference. We are very grateful to all of the Program Committee members as well as the external reviewers for their fruitful comments and discussions on their areas of expertise. We are greatly indebted to Ngo Bao Chau and Phan Duong Hieu, the general co-chairs, for their efforts and overall organization. We would also like to thank Nguyen Huu Du, Nguyen Quoc Khanh, Nguyen Duy Lan, Duong Ngoc Thai, Nguyen Ta Toan Khoa, Nguyen Ngoc Tuan, Le Thi Lan Anh, and the local Organizing Committee for their continuous support. We thank Steven Galbraith for expertly organizing and chairing the rump session. Finally, we thank Shai Halevi for letting us use his nice software for supporting the paper submission and review process. We also thank Alfred Hofmann, Anna Kramer, and their colleagues at Springer for handling the editorial process of the proceedings. We would like to express our gratitude to our partners and sponsors: XLIM, Microsoft Research, CISCO, Intel, Google.

December 2016
Jung Hee Cheon
Tsuyoshi Takagi

ASIACRYPT 2016
The 22nd Annual International Conference on Theory and Application of Cryptology and Information Security
Sponsored by the International Association for Cryptologic Research (IACR)
December 4–8, 2016, Hanoi, Vietnam

General Co-chairs
Ngo Bao Chau, VIASM, Vietnam and University of Chicago, USA
Phan Duong Hieu, XLIM, University of Limoges, France

Program
Co-chairs
Jung Hee Cheon, Seoul National University, Korea
Tsuyoshi Takagi, Kyushu University, Japan

Program Committee
Elena Andreeva, KU Leuven, Belgium
Xavier Boyen, Queensland University of Technology, Australia
Anne Canteaut, Inria, France
Chen-Mou Cheng, National Taiwan University, Taiwan
Sherman S.M. Chow, Chinese University of Hong Kong, Hong Kong, SAR China
Nico Döttling, University of California, Berkeley, USA
Thomas Eisenbarth, Worcester Polytechnic Institute, USA
Georg Fuchsbauer, École Normale Supérieure, France
Steven Galbraith, Auckland University, New Zealand
Sanjam Garg, University of California, Berkeley, USA
Vipul Goyal, Microsoft Research, India
Jens Groth, University College London, UK
Sylvain Guilley, Secure-IC S.A.S., France
Alejandro Hevia, Universidad de Chile, Chile
Antoine Joux, Foundation UPMC and LIP6, France
Xuejia Lai, Shanghai Jiaotong University, China
Hyung Tae Lee, Nanyang Technological University, Singapore
Kwangsu Lee, Sejong University, Korea
Dongdai Lin, Chinese Academy of Sciences, China
Feng-Hao Liu, Florida Atlantic University, USA
Takahiro Matsuda, AIST, Japan
Alexander May, Ruhr University Bochum, Germany
Florian Mendel, Graz University of Technology, Austria
Amir Moradi, Ruhr University Bochum, Germany
Svetla Nikova, KU Leuven, Belgium
Tatsuaki Okamoto, NTT, Japan
Elisabeth Oswald, University of Bristol, UK
Thomas Peyrin, Nanyang Technological University, Singapore
Rei Safavi-Naini, University of Calgary, Canada
Peter Schwabe, Radboud University, The Netherlands
Jae Hong Seo, Myongji University, Korea
Damien Stehlé, ENS de Lyon, France
Ron Steinfeld, Monash University, Australia
Rainer Steinwandt, Florida Atlantic University, USA
Daisuke Suzuki, Mitsubishi Electric, Japan
Mehdi Tibouchi, NTT, Japan
Yosuke Todo, NTT, Japan
Hoang Viet Tung, University of California Santa Barbara, USA
Dominique Unruh, University of Tartu, Estonia
Ivan Visconti, University of Salerno, Italy
Huaxiong Wang, Nanyang Technological University, Singapore
Meiqin Wang, Shandong University, China
Aaram Yun, UNIST, Korea

External Reviewers
Michel Abdalla, Aysajan Abidin, Shashank Agrawal, Shweta Agrawal, Ahmad Ahmadi, Mamun Akand, Saed Alsayigh, Joël Alwen, Abdelrahaman Aly, Daniel Apon, Muhammad Rizwan Asghar, Tomer Ashur, Nuttapong Attrapadung, Benedikt Auerbach, Saikrishna Badrinarayanan, Shi Bai, Razvan Barbulescu, Lejla Batina, Georg T. Becker, Christof Beierle, Fabrice Benhamouda, Begül Bilgin, Céline Blondeau, Tobias Boelter, Carl Bootland, Jonathan Bootle, Yuri Borissov, Christina Boura, Colin Boyd, Wouter Castryck, Dario Catalano, Andrea Cerulli, Gizem Cetin, Pyrros Chaidos, Nishanth Chandran, Yu-Chen Chang, Lin Changlu, Binyi Chen, Cong Chen, Jie Chen, Ming-Shing Chen, Yu Chen, Céline Chevalier, Chongwon Cho, Kyu Young Choi, HeeWon Chung, Kai-Min Chung, Eloi de Chérisey, Michele Ciampi, Craig Costello, Joan Daemen, Ricardo Dahab, Wei Dai, Bernardo David, Thomas de Cnudde, David Derler, Apoorvaa Deshpande, Christoph Dobraunig, Yarkin Doroz, Ming Duan, Léo Ducas, Dung Hoang Duong, Maria Eichlseder, Martianus Frederic Ezerman, Xiong Fan, Pooya Farshim, Serge Fehr, Max Fillinger, Dario Fiore, Victor Fischer, Marc Fischlin, Thomas Fuhr, Jake Longo Galea, David Galindo, Peter Gazi, Essam Ghadafi, Mohona Ghosh, Zheng Gong, Rishab Goyal, Hannes Gross, Vincent Grosso, Berk Gulmezoglu, Chun Guo, Jian Guo, Qian Guo, Divya Gupta, Iftach Haitner, Dong-Guk Han, Kyoohyung Han, Shuai Han, Goichiro Hanaoka, Christian Hanser, Mitsuhiro Hattori, Gottfried Herold, Felix Heuer, Takato Hirano, Shoichi Hirose, Wei-Chih Hong, Yuan-Che Hsu, Geshi Huang, Guifang Huang, Jialin Huang, Xinyi Huang, Pavel Hubacek, Ilia Iliashenko, Mehmet Sinan Inci, Vincenzo Iovino, Gorka Irazoqui, Ai Ishida, Takanori Isobe, Tetsu Iwata, Aayush Jain, Sune Jakobsen, Yin Jia, Shaoquan Jiang, Chethan Kamath, Sabyasachi Karati, Sayasachi Karati, Yutaka Kawai, Carmen Kempka, HeeSeok Kim, Hyoseung Kim, Jinsu Kim, Myungsun Kim, Taechan Kim, Paul Kirchner, Elena Kirshanova, Fuyuki Kitagawa, Susumu Kiyoshima, Jessica Koch, Markulf Kohlweiss, Vladimir Kolesnikov, Thomas Korak, Yoshihiro Koseki,
Ashutosh Kumar, Ranjit Kumaresan, Po-Chun Kuo, Robert Kübler, Thijs Laarhoven, Ching-Yi Lai, Russell W.F. Lai, Virginie Lallemand, Adeline Langlois, Sebastian Lauer, Su Le, Gregor Leander, Kwangsu Lee, Gaëtan Leurent, Anthony Leverrier, Jingwei Li, Ming Li, Wen-Ding Li, Benoit Libert, Fuchun Lin, Tingting Lin, Meicheng Liu, Yunwen Liu, Zhen Liu, Zidong Lu, Yiyuan Luo, Atul Luykx, Vadim Lyubashevsky, Bernardo Magri, Mary Maller, Alex Malozemoff, Antonio Marcedone, Benjamin Martin, Daniel Martin, Marco Martinoli, Daniel Masny, Maike Massierer, Mitsuru Matsui, Willi Meier, Bart Mennink, Peihan Miao, Kazuhiko Minematsu, Nicky Mouha, Pratyay Mukherjee, Sean Murphy, Jörn Müller-Quade, Valérie Nachef, Michael Naehrig, Matthias Nagel, Yusuke Naito, Mridul Nandi, María Naya-Plasencia, Kartik Nayak, Khoa Nguyen, Ivica Nikolic, Ventzislav Nikov, Ryo Nishimaki, Anca Nitulescu, Koji Nuida, Maciej Obremski, Toshihiro Ohigashi, Miyako Ohkubo, Sumit Kumar Pandey, Jong Hwan Park

Public-Key Cryptosystems Resilient to Continuous Tampering (E. Fujisaki and K. Xagawa), excerpt beginning on p. 927

… is computed as $e \cdot (g^{\;})^{-1}$. The secret key $sk$ is refreshed between each two time periods as $sk := sk + \beta$, where $\beta \leftarrow \ker(\alpha)$ is chosen using the secret $\alpha$. Here $f = g = g$, because $\langle \alpha, \beta \rangle = 0$.

We first convert this scheme to an IND-CPA secure PKE scheme that is resilient to continuous memory leakage in the model of Brakerski et al. [10], where the key update is executed without the additional secret $\alpha$. To do so, we pick independent vectors $v_1, v_2, \dots \in \ker(\alpha)$, fewer than $\dim(\ker(\alpha)) = n - 1$ of them, and publish $\tilde g^{V}$, where $V = (v_1, v_2, \dots)$ is the matrix over $\mathbb Z/q\mathbb Z$ with $n$ rows whose $i$-th column is $v_i$. Here we assume asymmetric pairing groups $(e, G_1, G_2, G_T)$, where $g$ and $\tilde g$ are generators of $G_1$ and $G_2$, respectively. We then set $pk = (g, \tilde g, g^{\alpha}, \tilde g^{V}, Y)$ and $sk = \tilde g^{s}$ such that $Y = e(g, \tilde g)^{\langle \alpha, s \rangle}$. Here, the encryption of a message $m \in G_T$ under $pk$ is $ct = (g^{c}, e) = (g^{r\alpha}, m \cdot Y^{r})$, while the decryption is computed as $e \cdot K^{-1}$, where $K = e(g^{c}, sk) = e(g, \tilde g)^{r\langle \alpha, s \rangle}$. The secret key $sk$ is refreshed between each two time periods as $sk := sk \cdot \tilde g^{\beta}$, where $\beta \leftarrow \mathrm{span}(V) \subset \ker(\alpha)$.
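The refresh rule described above, $sk := sk + \beta$ with $\beta \in \ker(\alpha)$, keeps decryption working across key versions because the value $\langle \alpha, s \rangle$ that the ciphertext is bound to never changes. The following is an added example, not code from the paper: a toy, pairing-free version of the scheme over the order-$q$ subgroup of $\mathbb Z_p^{\times}$ for a safe prime $p$ (generated inside the code), in which the secret key is the exponent vector $s$ itself and the kernel vectors $V$ are published in the clear so that the refresh needs no $\alpha$. Every name in it (`ToyLeakageResilientPKE`, `demo`, the choice of $n = 4$ with two kernel vectors, the constructed message) is an assumption of the example. It demonstrates only the correctness invariant of the refresh, namely that $\langle \alpha, s \rangle$, and hence decryption, is unchanged while the stored key changes; it does not reproduce the leakage-resilience argument, which needs the pairing and the extended matrix $d$-linear assumption.

```python
import random

# Fixed Miller-Rabin bases: a deterministic primality test for every n < 3.3e24,
# which comfortably covers the 64-bit group orders generated below.
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits, rng):
    """Return (p, q, g): p = 2q + 1 with p, q prime, g a generator of the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(rng.randrange(2, p - 1), 2, p)  # a non-trivial square has order q
            if g != 1:
                return p, q, g


def inner(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q


class ToyLeakageResilientPKE:
    """Hypothetical toy: sk is the exponent vector s; pk = (g^alpha, V, Y = g^<alpha,s>).

    V holds kernel vectors of alpha published in the clear, so that a refresh
    s := s + V r' needs no alpha (the paper publishes g~^V and refreshes g~^s)."""

    def __init__(self, n=4, ell=2, bits=64, seed=2016):
        assert 1 <= ell < n - 1  # same parameter constraint as the paper's scheme
        self.rng = random.Random(seed)  # fixed seed for reproducibility only
        self.p, self.q, self.g = safe_prime_group(bits, self.rng)
        self.n, self.ell = n, ell
        self.alpha = None  # retained here only so demo() can check the invariant

    def _kernel_vector(self, alpha):
        """Uniform beta with <alpha, beta> = 0: pick n-1 coordinates, solve the last one."""
        q = self.q
        beta = [self.rng.randrange(q) for _ in range(self.n - 1)]
        partial = inner(alpha[:-1], beta, q)
        beta.append(-partial * pow(alpha[-1], -1, q) % q)
        return beta

    def keygen(self):
        p, q, g = self.p, self.q, self.g
        alpha = [self.rng.randrange(1, q) for _ in range(self.n)]  # last entry non-zero
        s = [self.rng.randrange(q) for _ in range(self.n)]
        V = [self._kernel_vector(alpha) for _ in range(self.ell)]
        pk = {"g_alpha": [pow(g, a, p) for a in alpha], "V": V,
              "Y": pow(g, inner(alpha, s, q), p)}
        self.alpha = alpha
        return pk, s

    def update(self, pk, s):
        """Key refresh: s := s + beta with beta = V r' in span(V), a subset of ker(alpha)."""
        q = self.q
        r_prime = [self.rng.randrange(q) for _ in range(self.ell)]
        beta = [sum(r * v[i] for r, v in zip(r_prime, pk["V"])) % q for i in range(self.n)]
        return [(si + bi) % q for si, bi in zip(s, beta)]

    def encrypt(self, pk, m):
        r = self.rng.randrange(1, self.q)
        C = [pow(ga, r, self.p) for ga in pk["g_alpha"]]  # C = g^{r alpha}
        return C, m * pow(pk["Y"], r, self.p) % self.p     # e = m * Y^r

    def decrypt(self, s, ct):
        C, e = ct
        K = 1
        for c, si in zip(C, s):  # K = prod_i C_i^{s_i} = g^{r <alpha, s>}
            K = K * pow(c, si, self.p) % self.p
        return e * pow(K, -1, self.p) % self.p


def demo(refreshes=5):
    """Encrypt once, refresh the key several times, and decrypt with every key version."""
    pke = ToyLeakageResilientPKE()
    pk, sk = pke.keygen()
    m = pow(pke.g, 424242, pke.p)  # constructed message, an element of the subgroup
    ct = pke.encrypt(pk, m)
    keys = [sk]
    for _ in range(refreshes):
        keys.append(pke.update(pk, keys[-1]))
    return {
        "all_keys_decrypt": all(pke.decrypt(k, ct) == m for k in keys),
        "keys_distinct": len({tuple(k) for k in keys}) == len(keys),
        "inner_product_invariant": len({inner(pke.alpha, k, pke.q) for k in keys}) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that every refreshed key differs from its predecessor as a stored value (so a bounded leak from one period tells an attacker nothing reusable about the next) while the single quantity that decryption depends on, $\langle \alpha, s \rangle$, is invariant. In this toy the refresh can be run by anyone holding only the public kernel matrix, which is exactly the property the paper obtains by publishing $\tilde g^{V}$ rather than the secret $\alpha$.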
We note that a random $\tilde g^{\beta} = \tilde g^{V r'}$ can be computed from the public $\tilde g^{V}$ with a random vector $r'$ over $\mathbb F_q$. This construction is an IND-CPA secure PKE scheme resilient to continuous memory leakage in the sense of [10] under the extended matrix $d$-linear assumption (on $G_1$), which is implied by the SXDH assumption. We provide the formal description of the scheme as well as the security proof in Appendix C.

The proposed PKE scheme (as described in Appendix C) is based on a hash proof system where $K = \mathrm{HPS.pub}(Y, g^{r\alpha}, r) = \mathrm{HPS.priv}(g^{r\alpha}, sk) = e(g, \tilde g)^{r\langle \alpha, s \rangle}$. We then filter the hash key $K$ using the one-time lossy filter technique [31] and finally obtain our CTL-CCA secure construction. We now describe our full-fledged scheme in Fig. .

Asymmetric Pairing. Let GroupG be a PPT algorithm that on input a security parameter $1^{\kappa}$ outputs a bilinear pairing $(G_1, G_2, G_T, e, q, g, \tilde g)$ such that $G_1$, $G_2$ and $G_T$ are cyclic groups of prime order $q$; $g$ and $\tilde g$ are generators of $G_1$ and $G_2$, respectively; and the map $e : G_1 \times G_2 \to G_T$ satisfies the following properties:
– (Bilinear) for any $g \in G_1$, $h \in G_2$ and any $a, b \in \mathbb Z_q$, $e(g^{a}, h^{b}) = e(g, h)^{ab}$;
– (Non-degenerate) $e(g, \tilde g)$ has order $q$ in $G_T$; and
– (Efficiently computable) $e(\cdot, \cdot)$ is efficiently computable.

Symmetric External Diffie-Hellman (SXDH) Assumption. The symmetric external DH assumption (SXDH) on GroupG is that the DDH problem is hard in both groups $G_1$ and $G_2$. The assumption implies that there is no efficiently computable mapping between $G_1$ and $G_2$.

We now present our CTL-CCA secure PKE scheme in Fig. .

Fig. Our CTL-CCA secure PKE scheme.

Theorem. The PKE scheme in Fig. is $(\Phi_{all}, \{id\}, \lambda)$-CTL-CCA secure, as long as $\lambda(\kappa) < \log(q) - lf - m - \eta - \omega(\log \kappa)$ with $\eta(\kappa) = \omega(\log \kappa)$, and for any PPT adversary $A$ with at most $Q$ queries to the RKDec oracle,
$$\mathrm{Adv}^{ctl\text{-}cca}_{\Pi, A, (\Phi_{all}, \{id\}, \lambda)}(\kappa) \le tcr + 2\, otsig + 4\, lossy + 4\, ex + 2^{-\eta + 2} + Q \cdot 2^{-(\log(q) - \eta - \lambda - lf - m - 1)} + 2Q \cdot \frac{2^{\lambda}}{q - 1} + 2Q \cdot \frac{2^{\lambda}}{q^{n-1}} + \frac{2^{\lambda}}{q^{n-1}},$$
where $tcr$, $otsig$, $lossy$ and $ex$ denote some negligible functions such that $\mathrm{Adv}^{ot}_{\mathrm{OTSig}, B}(\kappa) \le otsig$, $\mathrm{Adv}^{lossy}_{\mathrm{ABO}, B}(\kappa) \le lossy$, and $\mathrm{Adv}_{D}(\kappa) \le ex$ for any PPT adversaries $B$, $B$ and $D$, respectively. Due to the space limitation, the proof is given in the full version.

An Instantiation of CTL-CCA Secure PKE with $1/4 - o(1)$ Leakage Rate. We remark that the underlying hash proof system is $\log(q)$-entropic and we have $|sk| = n \log(q)$. By construction, we require at least one and fewer than $n - 1$ kernel vectors. Hence, the best parameters for the leakage rate are $n = $ and $= 2$, where the resulting CTL-CCA secure PKE scheme has $1/4 - o(1)$ leakage rate.

Impossibility of Non-Persistent Tampering Resilient Signatures

We show that there is no secure digital signature scheme resilient to non-persistent tampering attacks if it does not have a key-updating mechanism (see Appendix D for the definition). This fact does not contradict [26] (in which a tampering resilient digital signature scheme is claimed), because the persistent tampering attack is weaker than the non-persistent attack. To prove our claim, we consider the following adversary. The adversary runs the key-generation algorithm Gen and obtains two legitimate pairs of verification and signing keys, $(vk_0, sk_0)$ and $(vk_1, sk_1)$. Then it sets a set of functions $\{\phi^{i}_{(sk_0, sk_1)}\}$ such that $\phi^{i}_{(sk_0, sk_1)}(sk) = sk_0$ if the $i$-th bit of $sk$ is 0, and $sk_1$ otherwise. For $i = 1, \dots, |sk|$, the adversary submits $(\phi^{i}_{(sk_0, sk_1)}, m)$ to the signing oracle and receives $\sigma_i$. Then the adversary finds the bit $b_i$ such that $\mathrm{Vrfy}(vk_{b_i}, m, \sigma_i) = 1$ for all $i$ and retrieves the entire secret key $sk$. This attack is unavoidable because both $sk_0$ and $sk_1$ are real secret keys, so the signing algorithm cannot detect the tampering attack and cannot self-destruct. If the key-updating algorithm is allowed to run only when a tampering is detected (which is the case in our definition), then there is no secure digital signature scheme resilient to the non-persistent tampering attacks, even if it has both
self-destructive and key-updating mechanisms (see Appendix D for the definition).

A Computational Hardness Assumptions

Let $\mathcal G$ be a PPT algorithm that takes a security parameter $1^{\kappa}$ and outputs a triplet $G = (\mathbb G, q, g)$, where $\mathbb G$ is a group of prime order $q$ that is generated by $g \in \mathbb G$.

d-Linear Assumption. The $d$-linear assumption [24,29] (where $d \ge 1$), a generalization of the linear assumption [8], states that there is a PPT algorithm $\mathcal G$ such that the following two ensembles are computationally indistinguishable:
$$\Big\{\big(G, g_1, \dots, g_d, g_{d+1}, g_1^{r_1}, \dots, g_d^{r_d}, g_{d+1}^{\sum_{i=1}^{d} r_i}\big)\Big\}_{\kappa \in \mathbb N} \approx_c \Big\{\big(G, g_1, \dots, g_d, g_{d+1}, g_1^{r_1}, \dots, g_d^{r_d}, g_{d+1}^{r_{d+1}}\big)\Big\}_{\kappa \in \mathbb N},$$
where $G \leftarrow \mathcal G(1^{\kappa})$, and the elements $g_1, \dots, g_{d+1} \in \mathbb G$ and $r_1, \dots, r_{d+1} \in \mathbb Z/q\mathbb Z$ are chosen independently and uniformly at random. The DDH assumption (on $\mathcal G$) is equivalent to the 1-linear assumption (on $\mathcal G$), and these assumptions are progressively weaker: for every $d \ge 1$, the $(d+1)$-linear assumption is weaker than the $d$-linear assumption.

Matrix d-Linear Assumption. We denote by $\mathrm{Rk}_i(\mathbb F_q^{m \times n})$ the set of all $m \times n$ matrices over $\mathbb F_q$ with rank $i$. The matrix $d$-linear assumption [29] states that there is a PPT algorithm $\mathcal G$ such that, for any integers $m$ and $n$, and for any $d \le i \le j \le \min(m, n)$, the following two ensembles are computationally indistinguishable:
$$\big\{(G, g, g^{x}) \mid G \leftarrow \mathcal G(1^{\kappa});\ x \leftarrow \mathrm{Rk}_i(\mathbb F_q^{m \times n})\big\}_{\kappa \in \mathbb N} \approx_c \big\{(G, g, g^{x}) \mid G \leftarrow \mathcal G(1^{\kappa});\ x \leftarrow \mathrm{Rk}_j(\mathbb F_q^{m \times n})\big\}_{\kappa \in \mathbb N}.$$
It is known that breaking the matrix $d$-linear assumption implies breaking the $d$-linear assumption (on the same $\mathcal G$). The following statement holds.

Lemma ([29]). Breaking the matrix $d$-linear assumption is at least as hard as breaking the $d$-linear assumption (on the same $\mathcal G$).

Extended Matrix d-Linear Assumption. We state a stronger version of the matrix $d$-linear assumption, called the extended matrix $d$-linear assumption [2]. For a matrix $x \in \mathbb F_q^{n \times m}$, we write $\ker(x)$ to denote the left kernel of $x$, i.e., $\ker(x) = \{v \in \mathbb F_q^{n} \mid v^{T} x = 0 \in \mathbb F_q^{1 \times m}\}$. Here $\ker(x)$ is a subspace of $\mathbb F_q^{n}$ of dimension $n - \mathrm{rank}(x)$. The matrix $d$-linear assumption means that it is infeasible to distinguish $g^{x_i}$ from $g^{x_j}$, where a rank-$i$ matrix $x_i$ and a rank-$j$ matrix $x_j$ are chosen independently and uniformly, for any $d \le i < j \le \min(n, m)$. Since $\dim(\ker(x_i)) = n - i$ and $\dim(\ker(x_j)) = n - j$ (with $n - j < n - i$), the matrix $d$-linear assumption does not hold if an adversary additionally receives $n - i$ independent vectors orthogonal to $x$. However, one cannot yet distinguish them even if $n - j$ independent vectors orthogonal to $x$ are given, as long as the matrix $d$-linear assumption holds. The extended matrix $d$-linear assumption [2] states that there is a PPT algorithm $\mathcal G$ such that, for any integers $m$ and $n$, for any $d \le i \le j \le \min(m, n)$, and for any number of kernel vectors at most $n - j$, the following two ensembles are computationally indistinguishable:
$$\big\{(G, g, g^{x}, v_1, v_2, \dots) \mid G \leftarrow \mathcal G(1^{\kappa});\ x \leftarrow \mathrm{Rk}_i(\mathbb F_q^{m \times n});\ v_1, v_2, \dots \leftarrow \ker(x)\big\}_{\kappa \in \mathbb N} \approx_c \big\{(G, g, g^{x}, v_1, v_2, \dots) \mid G \leftarrow \mathcal G(1^{\kappa});\ x \leftarrow \mathrm{Rk}_j(\mathbb F_q^{m \times n});\ v_1, v_2, \dots \leftarrow \ker(x)\big\}_{\kappa \in \mathbb N}.$$
The following statement holds.

Lemma ([2,10]). Breaking the extended matrix $d$-linear assumption is at least as hard as breaking the $d$-linear assumption (on the same $\mathcal G$). The proof is implicit in [10].

Decision Computational Residue (DCR) Assumption. Let $n = pq$ be a composite number of distinct odd primes $p$ and $q$, and let $d$ be a positive integer with $d < p, q$. We say that the DCR assumption holds if for every PPT $A$ there exists a parameter generation algorithm Gen such that
$$\mathrm{Adv}^{dcr}_{A}(\kappa) = \big|\Pr[\mathrm{Expt}^{dcr\text{-}0}_{A}(\kappa) = 1] - \Pr[\mathrm{Expt}^{dcr\text{-}1}_{A}(\kappa) = 1]\big|$$
is negligible in $\kappa$, where
– $\mathrm{Expt}^{dcr\text{-}0}_{A}(\kappa)$: $n \leftarrow \mathrm{Gen}(1^{\kappa})$; $R \leftarrow_U \mathbb Z^{\times}_{n^{2}}$; $c = R^{n} \bmod n^{2}$; return $A(n, c)$.
– $\mathrm{Expt}^{dcr\text{-}1}_{A}(\kappa)$: $n \leftarrow \mathrm{Gen}(1^{\kappa})$; $R \leftarrow_U \mathbb Z^{\times}_{n^{2}}$; $c = (1 + n) R^{n} \bmod n^{2}$; return $A(n, c)$.

B Instantiation of ABO Injective Functions

B.1 A Matrix Instantiation Based on DDH

Let $\mathcal G$ be a PPT algorithm that takes a security parameter $1^{\kappa}$ and outputs a triplet $G = (\mathbb G, q, g)$, where $\mathbb G$ is a group of prime order $q$ that is generated by $g \in \mathbb G$. Let $B = \{\mathbb Z/q\mathbb Z\}$ be a branch collection
associated with $G = (\mathbb G, q, g)$ generated by $\mathcal G$.
– $\mathrm{ABO.gen}(1^{\kappa}, b^{*})$ where $b^{*} \in \mathbb Z/q\mathbb Z$: Pick a random column vector $u = (u_i) \in \mathbb G^{\mu}$ and a random column vector $v = (v_j) \in \mathbb G^{\mu}$. Compute the matrix $A = (A_{i,j}) \in \mathbb G^{\mu \times \mu}$ as $u \cdot v^{T}$ multiplied component-wise by $g^{-(b^{*}) I_{\mu}}$, i.e.
$$A_{i,j} = u_i v_j\, g^{-(b^{*})\delta_{i,j}} \in \mathbb G,$$
where $I_{\mu} \in (\mathbb Z/q\mathbb Z)^{\mu \times \mu}$ is the identity matrix and $\delta_{i,j}$ is Kronecker's delta, i.e., $\delta_{i,j} = 1$ if $i = j$ and $0$ otherwise. We note that $\mathrm{rank}(u \cdot v^{T}) = 1$ and, with probability at least $1 - \frac{2\mu}{q}$, $\mathrm{rank}(A) = \mu$. We let $A(b)$ denote $A$ multiplied component-wise by $g^{b I_{\mu}}$, i.e.
$$A(b)_{i,j} = u_i v_j\, g^{(b - b^{*})\delta_{i,j}} \in \mathbb G.$$
Finally, output $\iota_{abo} = A(\cdot)$.
– $\mathrm{ABO.eval}(\iota_{abo}, b, X)$: On input a matrix $X \in (\mathbb Z/q\mathbb Z)^{\mu \times d}$, output $\mathrm{ABO.eval}(\iota_{abo}, b, X) = A(b) \cdot X \in \mathbb G^{\mu \times d}$.
This implementation realizes a collection of $(\mu d \log(q), (\mu - 1) d \log(q))$-all-but-one injective functions (under the DDH assumption).

B.2 DCR Based Instantiation

Let $n = pq$ be a composite number of distinct odd primes $p$ and $q$, and let $d$ be a positive integer with $d < p, q$. It is known that $\mathbb Z^{\times}_{n^{d+1}} \cong \mathbb Z_{n^{d}} \times (\mathbb Z/n\mathbb Z)^{\times}$ and that any element of $\mathbb Z^{\times}_{n^{d+1}}$ is uniquely represented as $(1 + n)^{\delta} \gamma^{n^{d}} \pmod{n^{d+1}}$ for some $\delta \in \mathbb Z_{n^{d}}$ and $\gamma \in (\mathbb Z/n\mathbb Z)^{\times}$. For $\delta \in \mathbb Z_{n^{d}}$, we write $\mathrm{Edj}(\delta)$ to denote the subset of $\mathbb Z^{\times}_{n^{d+1}}$ given by $\mathrm{Edj}(\delta) = \{(1 + n)^{\delta} \gamma^{n^{d}} \mid \gamma \in (\mathbb Z/n\mathbb Z)^{\times}\}$. It is known that for any two distinct $\delta, \delta' \in \mathbb Z_{n^{d}}$, it is computationally hard to distinguish a random element of $\mathrm{Edj}(\delta)$ from a random element of $\mathrm{Edj}(\delta')$ as long as the decision computational residue (DCR) assumption holds.
– $\mathrm{ABO.gen}(1^{\kappa}, b^{*})$ where $b^{*} \in \{0, 1\}^{d\kappa}$: Pick distinct $\kappa/2$-bit odd primes $p, q$ and compute $n = pq$. Then choose $\iota_{abo} \leftarrow \mathrm{Edj}(-b^{*})$. Output $\iota_{abo}$.
– $\mathrm{ABO.eval}(\iota_{abo}, b, x)$: On input $x \in \mathbb Z_{n^{d}}$, output $\mathrm{ABO.eval}(\iota_{abo}, b, x) = \big(\iota_{abo} \cdot (1 + n)^{b}\big)^{x}$ $(\in \mathrm{Edj}((b - b^{*}) x))$.
This implementation realizes a collection of $(d \log(n), \log((p - 1)(q - 1)))$-all-but-one injective functions (under the DCR assumption).

C The Continuous Leakage Resilient CPA PKE Scheme

We propose an IND-CPA secure PKE scheme resilient to continuous memory leakage, based on the scheme of Agrawal et al. [2].
– The Key Generation Algorithm: Choose $(G_1, G_2, G_T, e, q, g, \tilde g) \leftarrow \mathrm{GroupG}$. Pick a random column vector $\alpha \leftarrow (\mathbb Z/q\mathbb Z)^{n}$. Pick independent column vectors $v_1, v_2, \dots$ in $(\mathbb Z/q\mathbb Z)^{n}$ uniformly from $\ker(\alpha)$, at least one and fewer than $n - 1$ of them. Set the $n$-row matrix $V = (v_1, v_2, \dots)$. Set $g^{\alpha} := (g^{\alpha_1}, \dots, g^{\alpha_n})^{T}$ and $\tilde g^{V} := (\tilde g^{v_1}, \tilde g^{v_2}, \dots)$. Pick a random column vector $s \leftarrow (\mathbb Z/q\mathbb Z)^{n}$. Set $\tilde g^{s} = (\tilde g^{s_1}, \dots, \tilde g^{s_n})^{T}$. Compute $Y = e(g^{\alpha}, \tilde g^{s}) = e(g, \tilde g)^{\langle \alpha, s \rangle}$. Set $pk := (g, \tilde g, g^{\alpha}, \tilde g^{V}, Y)$ and $sk := \tilde g^{s}$. Output $(pk, sk)$.
– The Key Update Algorithm: Take $(pk, sk)$ as input. Choose a random column vector $r'$ over $\mathbb Z/q\mathbb Z$ with one entry per column of $V$, and compute $\tilde g^{\beta} = \tilde g^{V r'}$. Update $sk := sk \cdot \tilde g^{\beta} = \tilde g^{s + \beta}$. Note that $\beta \in \mathrm{span}(V) \subset \ker(\alpha)$. Output $sk$.
– The Encryption Algorithm: To encrypt $m \in G_T$ under $pk$, pick random $r \leftarrow \mathbb Z/q\mathbb Z$. Compute $C = g^{r\alpha}$ and $K = Y^{r}$. Output $CT = (C, e)$ where $e = m \cdot K$.
– The Decryption Algorithm: To decrypt a ciphertext $CT = (g^{c}, e)$ under $sk$, compute $K = e(g^{c}, sk)$ $(= e(g, \tilde g)^{r\langle \alpha, s \rangle})$. Output $m = e \cdot K^{-1}$.

We define IND-CPA security of PKE resilient to $\lambda$-continuous memory leakage [10] as $(\emptyset, \emptyset, \lambda)$-CTL-CCA security of PKE.

Theorem. The above PKE scheme is $(\emptyset, \emptyset, \lambda)$-CTL-CCA secure, as long as $\lambda(\kappa) < \log(q) - \omega(\log \kappa)$, and for any PPT adversary $A$,
$$\mathrm{Adv}^{ctl\text{-}cca}_{\Pi, A, (\emptyset, \emptyset, \lambda)}(\kappa) \le 4\, ex + 2Q \cdot \frac{2^{\lambda}}{q - 1} + 2Q \cdot \frac{2^{\lambda}}{q^{n-1}} + \frac{2^{\lambda}}{q^{n-1}},$$
where $Q$ denotes the total number of key updates during the running time of $A$.

Proof. We prove the theorem by the standard game-hopping strategy. We denote by $S_i$ the event that adversary $A$ wins in Game $i$.
– Game 0: This game is the original game. We write $CT^{*} = (g^{c^{*}}, e^{*})$, where $e^{*} = m_{b^{*}} \cdot K^{*}$, to denote the challenge ciphertext. Let us assume that $Q$ is the maximum number of key updates. By definition, $\Pr[S_0] = \Pr[b = b^{*}]$ and $\mathrm{Adv}^{ctl\text{-}cca}_{\Pi, A, (\emptyset, \emptyset, \lambda)}(\kappa) = |2 \Pr[S_0] - 1|$.
– Game 1: In this game, we instead produce $CT^{*}$ as follows: compute $K^{*} = e(g^{c^{*}}, sk) = e(g, \tilde g)^{r^{*} \langle \alpha, s \rangle}$ and set $e^{*}$
$= m_{b^{*}} \cdot K^{*}$. This change is just conceptual. Then $\Pr[S_0] = \Pr[S_1]$.
– Game 2: This game is identical to Game 1, except that we choose the independent vectors $v_1, v_2, \dots \leftarrow \ker(\alpha, c^{*})$ and set $V = (v_1, v_2, \dots)$. Since $c^{*} = r^{*} \alpha$, $\ker(\alpha, c^{*}) = \ker(\alpha)$. Hence $\Pr[S_1] = \Pr[S_2]$.
– Game 3: This game is identical to Game 2, except that when producing $CT^{*}$ we instead pick a random vector $c^{*} \leftarrow \mathbb F_q^{n}$. We note that since $\dim(\ker(\alpha, c^{*})) = n - 2$ is still at least the number of kernel vectors required, we can still choose the independent vectors $v_1, v_2, \dots$. The difference between these two games is bounded by the extended matrix $d$-linear assumption.

Lemma 10. Under the extended matrix $d$-linear assumption in Appendix A, we have $|\Pr[S_2] - \Pr[S_3]| \le ex$.

Proof. Let $x \in (\mathbb Z/q\mathbb Z)^{n \times 2}$ be the matrix whose columns are $\alpha$ and $c$, i.e., $x = (\alpha, c)$. Let $v_1, v_2, \dots$ be independent random column vectors chosen via $v_i \leftarrow \ker(x) = \ker(\alpha, c)$ and set $V = (v_1, v_2, \dots)$. Now, given $g^{x}$ and $V$, we can simulate the public and secret keys that the adversary sees during the game, as well as the challenge ciphertext. In the case $\mathrm{rank}(x) = 1$, we perfectly simulate Game 2. In the case $\mathrm{rank}(x) = 2$, we perfectly simulate Game 3. Then we have $|\Pr[S_2] - \Pr[S_3]| \le ex$.

– Game 4 is defined as a sequence of $Q + 1$ sub-games, denoted Games 4.0, …, 4.Q. For $i = 0, \dots, Q$ we have
• Game 4.i: This game is identical to Game 4.0, except that in the last $i$ key updates we instead choose $\beta \leftarrow \ker(\alpha)$ and update $sk := sk \cdot \tilde g^{\beta}$. That is, in the first $Q - i$ key updates $\beta$ is chosen from $\mathrm{span}(V)$, whereas in the last $i$ key updates it is chosen from $\ker(\alpha)$. Game 4.0 is identical to Game 3. The difference between Games 4.i and 4.(i+1) is computationally bounded. Indeed, by Corollary 2, we have
$$\mathrm{Dist}\big((V, L(s + V r')) : (V, L(s + \beta))\big) \le \frac{2^{\lambda}}{q - 1} + \frac{2^{\lambda}}{q^{m-1}},$$
where $V \leftarrow \ker(\alpha, c^{*})$, $r'$ is a random vector over $\mathbb Z/q\mathbb Z$, and $\beta \leftarrow \ker(\alpha)$, with $\dim(\ker(\alpha, c^{*})) = n - 2$ and $\dim(\ker(\alpha)) = n - 1$. So we have
$$|\Pr[S_{4.i}] - \Pr[S_{4.i+1}]| \le \frac{2^{\lambda}}{q - 1} + \frac{2^{\lambda}}{q^{m-1}},$$
and therefore
$$|\Pr[S_3] - \Pr[S_{4.Q}]| \le Q \Big(\frac{2^{\lambda}}{q - 1} + \frac{2^{\lambda}}{q^{m-1}}\Big).$$
– Game 5: This game is identical to Game 4.Q, except that we pick random $k^{*} \leftarrow \mathbb Z/q\mathbb Z$ and compute $K^{*} = e(g, \tilde g)^{k^{*}}$. This $k^{*}$ is statistically close to $\langle c^{*}, s + \beta \rangle$. By Lemma 3,
$$\mathrm{Dist}\big((c^{*}, \langle c^{*}, s + \beta \rangle, L(s + \beta), view) : (c^{*}, k^{*}, L(s + \beta), view)\big) \le\ {-}\ 2\ \sqrt{\phantom{x}}\ H_{\infty}(s + \beta \mid L(s + \beta), view),$$
where $view$ is the fixed values containing $\alpha$, $V$ and $\langle \alpha, s \rangle$. Let us represent $s = s^{*} + r\alpha$ such that $s^{*} \in \ker(\alpha)$ and $r \in \mathbb Z/q\mathbb Z$. Since $s^{*}$ and $\beta$ are the only random variables in the above $H_{\infty}$, we have
$$H_{\infty}(s + \beta \mid L(s + \beta), view) = H_{\infty}(s^{*} + \beta \mid L(s^{*} + \beta)) \ge H_{\infty}(s^{*} + \beta) - \lambda = (n - 1)\log(q) - \lambda.$$
Therefore, we have $|\Pr[S_{4.Q}] - \Pr[S_5]| \le \frac{2^{\lambda}}{q^{n-1}}$.

To summarize the above, we have
$$\Big|\Pr[S_0] - \frac{1}{2}\Big| \le ex + Q \cdot \frac{2^{\lambda}}{q - 1} + Q \cdot \frac{2^{\lambda}}{q^{n-1}} + \frac{2^{\lambda}}{q^{n-1}},$$
since by construction $\Pr[S_5] = \frac{1}{2}$.

D Continuous Tampering Secure Signature

A digital signature scheme $\Sigma = (\mathrm{Setup}, \mathrm{KGen}, \mathrm{Sign}, \mathrm{Vrfy})$ consists of four algorithms. Setup, the set-up algorithm, takes as input the security parameter $1^{\kappa}$ and outputs a public parameter $\rho$. KGen, the key-generation algorithm, takes as input $\rho$ and outputs a pair comprising the verification and signing keys, $(vk, sk)$. Sign, the signing algorithm, takes as input $(\rho, sk)$ and a message $m$ and produces a signature $\sigma$. Vrfy, the verification algorithm, takes as input the verification key $vk$, a message $m$ and a signature $\sigma$, as well as $\rho$, and outputs a bit. For completeness, it is required that for all $\rho \in \mathrm{Setup}(1^{\kappa})$, all $(vk, sk) \in \mathrm{KGen}(\rho)$ and all $m \in \{0, 1\}^{*}$, it holds that $\mathrm{Vrfy}_{\rho}(vk, m, \mathrm{Sign}_{\rho}(sk, m)) = 1$. We say that a digital signature scheme $\Sigma$ is self-destructive if the signing algorithm can erase all inner states including $sk$ and does not work any more when it detects tampering. We say that a digital signature scheme $\Sigma$ has a key-updating mechanism if there is a PPT algorithm Update that takes $\rho$ and $sk$ and returns an "updated" secret key $sk' = \mathrm{Update}_{\rho}(sk)$. We assume that the key-updating mechanism Update can be activated only when the signing algorithm detects tampering.

CTBL-CMA Security. For a digital
signature scheme $\Sigma$ and an adversary $A$, we define the experiment $\mathrm{Expt}^{ctbl\text{-}cma}_{\Pi, A, (\Phi, \lambda)}(\kappa)$ as in Fig. . We define the advantage of $A$ against $\Pi$ with respect to $\Phi$ as
$$\mathrm{Adv}^{ctbl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa) = \Pr[\mathrm{Expt}^{ctbl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa) = 1].$$
$A$ may adaptively submit (unbounded) polynomially many queries $(\phi, CT)$ to the oracle RKSign, but it must hold that $\phi \in \Phi$. $A$ may also adaptively submit (unbounded) polynomially many queries $L$ to the oracle Leak. Finally, $A$ outputs $(m', \sigma')$. We say that $A$ wins if $\mathrm{Vrfy}(vk, m', \sigma') = 1$ and $m'$ was not asked to RKSign. We note that if Sig has the "self-destructive" property, RKSign does not receive any further query from the adversary or simply returns $\bot$. We say that $\Sigma$ is $(\Phi, \lambda)$-CTBL-CMA secure if $\mathrm{Adv}^{ctbl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa) = \mathrm{negl}(\kappa)$ for every PPT $A$.

Fig. The experiment of the CTBL-CMA game.

CTL-CMA Security. For a digital signature scheme $\Sigma = (\mathrm{Setup}, \mathrm{KGen}, \mathrm{Update}, \mathrm{Sign}, \mathrm{Vrfy})$ with a key-updating mechanism and an adversary $A$, we define the experiment $\mathrm{Expt}^{ctl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa)$ as in Fig. . We define the advantage of $A$ against $\Sigma$ with respect to $\Phi$ as
$$\mathrm{Adv}^{ctl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa) = \Pr[\mathrm{Expt}^{ctl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa) = 1].$$
$A$ may adaptively submit (unbounded) polynomially many queries $(\phi, CT)$ to the oracle RKSign, but it must hold that $\phi \in \Phi$. $A$ may also adaptively submit (unbounded) polynomially many queries $L$ to the oracle Leak. Finally, $A$ outputs $(m', \sigma')$. We say that $A$ wins if $\mathrm{Vrfy}(vk, m', \sigma') = 1$ and $m'$ was not asked to RKSign. We say that $\Sigma$ is $(\Phi, \lambda)$-CTL-CMA secure if $\mathrm{Adv}^{ctl\text{-}cma}_{\Sigma, A, (\Phi, \lambda)}(\kappa) = \mathrm{negl}(\kappa)$ for every PPT $A$.

Fig. The experiment of the CTL-CMA game.

References

1. 51st Annual IEEE Symposium on Foundations of Computer Science, FOCS 2010. IEEE Computer Society (2010)
2. Agrawal, S., Dodis, Y., Vaikuntanathan, V., Wichs, D.: On continual leakage of discrete log representations. In: Sako and Sarkar [36], pp. 401–420
3. Anonymous: A note on the RKA security of continuously non-malleable key-derivation function from PKC 2015. Submitted to PKC 2016
4. Bellare, M., Cash, D.: Pseudorandom functions and permutations
Public-Key Cryptosystems Resilient to Continuous Tampering 937
Author Index Albrecht, Martin I-191 Attrapadung, Nuttapong II-591 Badrinarayanan, Saikrishna II-557 Baldimtsi, Foteini II-902 Bao, Zhenzhen I-648 Bay, Aslı I-354 Bellare, Mihir II-435, II-777 Biryukov, Alex I-484 Blazy, Olivier II-217, II-339 Bogdanov, Andrey I-126 Bogos, Sonia I-703 Boneh, Dan I-220 Bost, Raphael I-333 Boyen, Xavier II-404 Bruneau, Nicolas I-573 Camenisch, Jan II-807 Cao, Zhenfu II-624 Chase, Melissa II-655 Chen, Cong I-819 Chen, Jie II-624 Chen, Ming-Shing II-135 Chen, Rongmao I-844, II-745 Chevalier, Céline II-217, II-339 Chillotti, Ilaria I-3 Chinburg, Ted I-759 Coretti, Sandro II-998 Corrigan-Gibbs, Henry I-220 Dinu, Daniel I-484 Dobraunig, Christoph I-369 Dong, Xiaolei II-624 Eichlseder, Maria I-369 Eisenbarth, Thomas I-819 Enderlein, Robert R. II-807 Ersoy, Oğuzhan I-354 Faonio, Antonio I-877 Farmani, Mohammad I-819 Fauzi, Prastudy II-841 Feldhofer, Martin I-602 Fiore, Dario II-499 Fouque, Pierre-Alain I-159 Fuchsbauer, Georg II-777 Fujisaki, Eiichiro I-908 Fuller, Benjamin I-277 Galbraith, Steven D. I-63 Gama, Nicolas I-3 Garay, Juan II-998 Georgieva, Mariya I-3 Germouty, Paul II-217 Ghosh, Esha II-67 Gong, Junqing II-624 Goyal, Vipul II-531, II-557 Grassi, Lorenzo I-191 Großschädl, Johann I-484 Gu, Dawu I-455 Gueron, Shay I-95 Guilley, Sylvain I-573 Guo, Fuchun I-844, II-745 Guo, Jian I-249, I-455 Guo, Qian I-789 Han, Shuai II-307 Hanaoka, Goichiro II-465, II-937 Hemenway, Brett I-759 Heninger, Nadia I-759 Heuer, Felix II-248 Heuser, Annelie I-573 Hirt, Martin II-998 Hoang, Viet Tung II-278 Hofheinz, Dennis II-715 Hülsing, Andreas II-135 Isobe, Takanori I-126 Izabachène, Malika I-3 Jager, Tibor II-715 Jain, Aayush II-531, II-557 Jing, Jiwu I-307 Johansson, Thomas I-789 Karakoç, Ferhat I-354 Karpman, Pierre I-159 Katsumata, Shuichi II-682 Katz, Jonathan II-278 Kempka, Carmen II-967 Khurana, Dakshita II-715 Kiayias, Aggelos II-902
Kikuchi, Ryo II-967 Kılınç, Handan II-873 Kirchner, Paul I-159 Korak, Thomas I-369 Krenn, Stephan II-807 Küsters, Ralf II-807 Lai, Jianchang II-745 Leander, Gregor II-3 Li, Qinyi II-404 Libert, Bent II-101, II-373 Lin, Dongdai I-648 Lin, Jingqiang I-307 Ling, San II-101, II-373 Lipmaa, Helger II-841 Liu, Meicheng I-249 Liu, Shengli II-307 Lomné, Victor I-369 Lyu, Lin II-307 Lyubashevsky, Vadim II-196 Ma, Yuan I-307 Maller, Mary II-655 Martin, Daniel P. I-548 Mather, Luke I-548 Matsuda, Takahiro II-465 Medwed, Marcel I-602 Meiklejohn, Sarah II-655 Mendel, Florian I-369 Minaud, Brice I-159 Miracle, Sarah I-679 Mitrokotsa, Aikaterini II-499 Moradi, Amir I-517 Morillo, Paz I-729 Mouha, Nicky I-95 Mouhartem, Fabrice II-101, II-373 Mu, Yi I-844, II-745 Nguyen, Khoa II-101, II-373 Nielsen, Jesper Buus II-1022 Nikolić, Ivica I-627 Nikov, Ventzislav I-602 Nishide, Takashi II-937 Nizzardo, Luca II-499 Nuida, Koji II-937 O'Neill, Adam II-278, II-531 Ohrimenko, Olga II-67 Okamoto, Eiji II-937 Oswald, Elisabeth I-548 Pagnin, Elena II-499 Papadopoulos, Dimitrios II-67 Perrin, Léo I-484 Petit, Christophe I-63 Poettering, Bertram II-248, II-435 Ràfols, Carla I-729 Ranellucci, Samuel II-1022 Rausch, Daniel II-807 Rechberger, Christian I-191 Reyhanitabar, Reza I-396 Reyzin, Leonid I-277 Rijneveld, Joost II-135 Rioul, Olivier I-573 Roy, Arnab I-191 Russell, Alexander II-34 Sahai, Amit II-557, II-715 Samardjiska, Simona II-135 Sanders, Olivier I-333 Sarkar, Palash I-37 Sasaki, Yu I-627, II-3 Scafuro, Alessandra II-777 Schechter, Stuart I-220 Scherr, Zachary I-759 Schneider, Tobias I-517 Schwabe, Peter II-135 Shani, Barak I-63 Shinagawa, Kazumasa II-937 Shrimpton, Thomas I-429 Singh, Shashank I-37 Smith, Adam I-277 Song, Ling I-249 Stam, Martijn I-548 Standaert, François-Xavier I-573, I-602 Stankovski, Paul I-789 Stebila, Douglas II-435 Susilo, Willy I-844, II-745 Suzuki, Koutarou II-967 Tamassia, Roberto II-67 Tanaka, Keisuke II-465 Tang, Qiang II-34 Teglia, Yannick I-573
Terashima, R. Seth I-429 Ti, Yan Bo I-63 Tiessen, Tyge I-191 Tischhauser, Elmar I-126 Todo, Yosuke II-3 Triandopoulos, Nikos II-67 Udovenko, Aleksei I-484 Unruh, Dominique II-166 Vaudenay, Serge I-396, I-703, II-873 Velichkov, Vesselin I-484 Venturi, Daniele I-877 Villar, Jorge L. I-729 Vizár, Damian I-396 Wang, Huaxiong II-101, II-373 Wang, Lei I-455 Wang, Yuyu II-465 Waters, Brent II-715 Xagawa, Keita I-908 Xiang, Zejun I-648 Yamada, Shota II-682 Yang, Guomin I-844, II-745 Yilek, Scott I-679 Yung, Moti II-34 Zacharias, Thomas II-902 Zaheri, Mohammad II-278 Zając, Michał II-841 Zhandry, Mark II-715 Zhang, Bingsheng II-902 Zhang, Guoyan I-455 Zhang, Mingwu I-844 Zhang, Wentao I-648 Zhang, Zongyang II-465 Zhao, Jingyuan I-455 Zhou, Hong-Sheng II-34 Zhu, Shuangyi I-307 Zhuang, Jia I-307 Zikas, Vassilis II-998

Table of Contents

  • Preface

  • ASIACRYPT 2016 The 22nd Annual International Conference on Theory and Application of Cryptology and Information Security

  • Invited Talks

  • Advances in Functional Encryption

  • The Reality of Cryptographic Deployments on the Internet

  • Contents -- Part I

  • Contents -- Part II

  • Asiacrypt 2016 Best Paper

  • Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds

    • 1 Introduction

    • 2 Background

      • 2.1 Learning with Error Problem

    • 3 Generalization

      • 3.1 TLWE

      • 3.2 TGSW

    • 4 Application: Single Gate Bootstrapping in Less Than 0.1 Seconds

      • 4.1 TLWE to LWE Extraction

      • 4.2 LWE to LWE Key-Switching Procedure

      • 4.3 Bootstrapping Procedure

      • 4.4 Application to Circuits

      • 4.5 Parameters, Implementation and Timings

    • 5 Leveled Homomorphic Encryption

      • 5.1 Boolean Circuits Interpretation

      • 5.2 Deterministic Automata

    • 6 Practical Security Parameters
