Protocols for secure two-party computation enable a pair of
mistrusting parties to compute a joint function of their private
inputs without revealing anything but the output. One of the
fundamental techniques for obtaining secure computation is that of
Yao's garbled circuits. In the setting of malicious adversaries, where
the corrupted party can follow any arbitrary (polynomial-time)
strategy in an attempt to breach security, the cut-and-choose
technique is used to ensure that the garbled circuit is constructed
correctly. The cost of this technique is the construction and
transmission of multiple circuits; specifically, $s$ garbled circuits
are used in order to obtain a maximum cheating probability of
$2^{-s}$.
In this talk, we will begin with a general introduction to Yao garbled
circuits and how cut-and-choose is used in order to prevent malicious
cheating. We then show how to significantly reduce the amortized cost
of cut-and-choose based secure two-party computation in the batch and
online/offline settings. Our protocol provides a very fast online time
and a reasonable offline time. In particular, it is possible to
securely compute reasonably complex functions in mere milliseconds.
This is joint work with Ben Riva (appeared at CRYPTO 2014).

ההרצאה תינתן באנגלית - Lecture will be given in English

Traditionally, the two main cryptographic goals of confidentiality and
integrity are realized separately by encryption and authentication
schemes, respectively. The current trend in cryptography is to use a
single algorithm for both; namely an authenticated encryption (AE)
scheme. The demand for secure and efficient AE schemes is reflected in
the ongoing CAESAR cryptographic competition for the recommendation of
a portfolio of AE algorithms.
In this talk we will give an overview of the existing AE design
methods such as generic composition and dedicated approaches. We will
cover the target AE security definitions for each these settings and
further will discuss a number of security vulnerabilities and their
possible solutions. Finally, we will focus on the CAESAR competition
by presenting some of the candidates, their features and comparisons.

ההרצאה בשיתוף הקולוקוויום הפקולטי
ההרצאה תינתן באנגלית - Lecture will be given in English

Highly sensitive computers are usually unreachable in the sense that they are located in isolated facilities surrounded by armed guards, and are not connected to the internet or to any other external communication networks. In addition, they are protected from standard side channel attacks by receiving their electricity from local generators and by being surrounding by Faraday cages to prevent any leakage of electromagnetic radiation. The holy grail of cyber attacks is to find a way to reach such unreachable computers. In this talk, I will describe some new experimentally verified techniques which can be used by an outside attacker to establish long range (>1 kilometer) bidirectional communication with such an airgapped computer system that contains only standard untampered hardware components.

Can cryptographic secret keys be extracted from personal computers by
measuring their physical properties from the outside? What would it
take to extract whole keys from such fast and complex devices? We
present myriad ways to do so, by analyzing signals acquired through
microphones, antennas, paperclips, or even the touch of a human
hand. The talk will discuss the attacks' principles, and will include
a live demonstration.
The talk is based on joint works with Lev Pachmanov, Itamar
Pipman, Adi Shamir and Eran Tromer. See
http://www.cs.tau.ac.il/~tromer/acoustic and
http://www.cs.tau.ac.il/~tromer/handsoff/ for more details.

The traditional view of encryption schemes guarantees the security of the encrypted data via an all-or-nothing approach: The encrypted data can be fully recovered using a decryption key, but it is completely useless without such a key. However, recent technological breakthroughs have demonstrated that a more subtle approach is needed for a wide variety of applications.
This has motivated the cryptography community to develop a vision of "functional encryption": Enabling the usage of restricted decryption keys that allow a user to learn specific functions of the encrypted data but nothing more. In this talk I will provide a brief introduction to functional encryption and its applications, as well as a high-level overview of recent advances in the design of functional encryption schemes.

Since its introduction over 26 years ago FEAL played a key role in the
development of many cryptanalytic techniques, including differential and
linear cryptanalysis. For its 25th anniversary Prof. Mitsuru Matsui, the
father of linear cryptanalysis, announced a challenge for an improved known
plaintext attack on FEAL-8X. In this talk I will describe our attack and our
improvement to linear cryptanalysis, which allowed us to recover the key
given 2^14 known plaintexts in about 14 hours of computation, and eventually
led us to win the challenge.
The talk will include the required background in linear cryptanalysis.
Joint work with Prof. Eli Biham.