Submission deadline: 28 February 2017

Notification: 6 April 2017

Submission deadline: 23 November 2017

Notification: 23 January 2018

Submission deadline: 1 September 2017

Notification: 1 November 2017

Submission deadline: 1 June 2017

Notification: 1 August 2017

Submission deadline: 1 March 2017

Notification: 1 May 2017

Our construction relies on a new primitive which we define and study, called ℓ-more extractable hash functions. This notion, which may be of independent interest, is strictly stronger than the previous notion of extractable hash by Goldwasser et al. (ePrint '11) and Bitansky et al. (ITCS '12, ePrint '14), yet we can instantiate it under the same assumption used for the previous extractable hash functions (a variant of the Knowledge of Exponent Assumption).

Submission deadline: 15 April 2017

Notification: 1 June 2017

Submission deadline: 15 May 2017

Notification: 10 July 2017

Unlike previous record-setting algorithms, this paper's multiply-by-$n$ algorithm uses double-base chains. The new speeds rely on advances in tripling speeds and on advances in constructing double-base chains. This paper's new tripling formula for twisted Edwards curves takes just 11.4M, and its new algorithm for constructing an optimal double-base chain for $n$ takes just $(\log n)^{2.5+o(1)}$ bit operations.

Extending this double-base algorithm to double-scalar multiplications, as in signature verification, takes 8.80M per bit to compute $n_1P+n_2Q$. Previous techniques used 9.34M per bit.

Despite the ubiquitous role of hash functions in cryptography, several of the most basic questions regarding their computational and algebraic complexity remained open. In this work we settle most of these questions under new, but arguably quite conservative, cryptographic assumptions, whose study may be of independent interest. Concretely, we obtain the following results:

(1) Low-complexity CRH. Assuming the intractability of finding short codewords in natural families of linear error-correcting codes, there are CRH that shrink the input by a constant factor and have a *constant algebraic degree* over $\mathbb{Z}_2$ (as low as 3), or even *constant output locality and input locality*. Alternatively, CRH with an arbitrary polynomial shrinkage can be computed by *linear-size* circuits.

(2) Win-win results. If low-degree CRH with good shrinkage *do not* exist, this has useful consequences for learning algorithms and data structures.

(3) Degree-2 hash functions. Assuming the conjectured intractability of solving a random system of quadratic equations over $\mathbb{Z}_2$, a uniformly random degree-2 mapping is a *universal one-way hash function* (UOWHF). UOWHF relaxes CRH by forcing the attacker to find a collision with a random input picked by a challenger. On the other hand, a uniformly random degree-2 mapping is *not* a CRH. We leave the existence of degree-2 CRH open, and relate it to open questions on the existence of degree-2 randomized encodings of functions.

At the end of their paper, Juels and Ristenpart leave as an open question the adaptation of honey encryption to natural-language messages. A recent paper by Chatterjee et al. makes a first attempt at the challenge and constructs a natural-language honey encryption scheme relying on simple models for passwords.

In this position paper we explain why this approach cannot be extended to reasonable-size human-written documents, e.g. e-mails. We propose an alternative approach and evaluate its security.

• The preprocessing phase can be instantiated efficiently using, e.g., TinyOT. Using this approach with our improvements to TinyOT, we obtain a protocol in which secure evaluation of an AES circuit (at 128-bit computational security and 40-bit statistical security) uses roughly 6 MB of communication in total. Most of the communication is circuit-independent. A single execution of our protocol outperforms even the best previous work supporting circuit-independent preprocessing amortized over 1024 executions.

• If the preprocessing phase is instantiated using the IPS compiler, we obtain a constant-round protocol whose communication complexity is asymptotically as small as that of a semi-honest garbled-circuit protocol in the OT-hybrid model.

• If the preprocessing phase is carried out by a trusted server, we obtain a constant-round protocol whose communication complexity is essentially the same as in the linear-round protocol of Mohassel et al. in the analogous setting.

In this work, we revisit the problem of constructing ABE that tolerates collusions of arbitrary but a priori bounded size. We present two ABE schemes secure against bounded collusions that require only semantically secure public-key encryption. Our schemes achieve significant improvement in the size of the public parameters, secret keys, and ciphertexts over the previous construction of bounded-collusion ABE from minimal assumptions by Gorbunov et al. (CRYPTO 2012). In fact, in our second scheme, the size of ABE secret keys does not grow at all with the collusion bound. As a building block, we introduce a multidimensional secret-sharing scheme that may be of independent interest. We also obtain bounded-collusion symmetric-key ABE (which requires the secret key for encryption) by replacing the public-key encryption with symmetric-key encryption, which can be built from the minimal assumption of one-way functions.

More concretely, (1) our first semi-honest secure protocol has communication complexity that is linear in the input sizes, namely $O((\sum_{i=1}^n m_i)\cdot\kappa)$ bits of communication, where $\kappa$ is the security parameter and $m_i$ is the size of $P_i$'s input set, whereas the overall computational overhead is quadratic in the input sizes only for a designated party, and linear for the rest. We further reduce this overhead by employing two types of hashing schemes. (2) Our second protocol is proven secure in the malicious setting. This protocol induces communication complexity of $O((n^2 + n m_{\max} + n m_{\min}\log m_{\max})\kappa)$ bits, where $m_{\min}$ (resp. $m_{\max}$) is the minimum (resp. maximum) over all input set sizes and $n$ is the number of parties.

As a corollary to our techniques, we present the first adaptively secure protocols in the Random Oracle Model (ROM) with round complexity proportional to the depth of the circuit implementing the functionality. Our protocols are secure in the Global Random Oracle Model introduced recently by Canetti, Jain and Scafuro at CCS 2014, which provides strong compositional guarantees. More precisely, we obtain an adaptively secure UC-commitment scheme in the global ROM assuming only one-way functions. In comparison, the protocol of Canetti, Jain and Scafuro achieves only static security and relies on the specific Decisional Diffie-Hellman (DDH) assumption.

Structure-preserving signatures are used pervasively in group signatures, group encryptions, blind signatures, proxy signatures and many other anonymous credential applications. Our work directly leads to improvements in these schemes. Moreover, the improvements are usually amplified by a multiplicative factor, as these constructions use Groth-Sahai NIZK proofs for zero-knowledge verification of pairing-product equations.

We also give our construction under the more general and standard $\mathcal{D}_k$-MDDH (Matrix-DDH) assumption. The signature size in our scheme is $3k+2$ elements in one group, and one element in the other. The number of pairing-product equations required for verification is only $2k$, whereas the earlier schemes required at least $2k+1$ equations.

As applications, we propose new fully secure ABE systems for general predicates, namely ABE for circuits. We obtain two schemes for each of the key-policy (KP) and ciphertext-policy (CP) variants of ABE. All four of our fully secure schemes can handle unbounded-size circuits while enjoying succinctness, meaning that the key and ciphertext sizes are (at most) proportional to the corresponding circuit sizes. In the CP-ABE case, no previous scheme achieves such properties, even among selectively secure systems. Furthermore, our second KP-ABE achieves constant-size ciphertexts, whereas our second CP-ABE achieves constant-size keys. Previous ABE systems for circuits are either selectively secure (Gorbunov et al. STOC'13, Garg et al. Crypto'13, and subsequent works), or semi-adaptively secure (Brakerski and Vaikuntanathan Crypto'16), or fully secure but not succinct and restricted to bounded-size circuits (Garg et al. ePrint 2014/622, and Garg et al. TCC'16-A).

Application deadline: March 12, 2017.

The project is to develop new theoretical foundations for practical obfuscation. The theoretical component will focus on designing and evaluating new security definitions for practical obfuscation solutions. The practical component will focus on creating practical obfuscation tools inspired by the results obtained in the theoretical component. The theoretical work will be led by Prof. Steven Galbraith, while Dr. Giovanni Russello will lead the practical aspects.

The ideal candidate will have an undergraduate degree in computer science, engineering or mathematics and have written a master's thesis on a topic related to security, cryptography, or the underlying mathematics. Experience with obfuscation and programming is preferable.

**Closing date for applications:** 12 March 2017

**Contact:** Professor Steven Galbraith

Mathematics Department

University of Auckland

*aucklandobfuscationphd (at) gmail.com*

**More information:** https://www.math.auckland.ac.nz/~sgal018/PhD-Marsden.pdf

To solve the above problem, we introduce a notion of watermarking for cryptographic functions and define its security. Furthermore, we present a lossy trapdoor function (LTF) based on the decisional linear (DLIN) problem and a watermarking scheme for the LTF. Our watermarking scheme is secure under the DLIN assumption in the standard model. We use techniques of dual system encryption and dual pairing vector spaces (DPVS) to construct our watermarking scheme. This is a new application of DPVS. Our watermarking for cryptographic functions is a generalized notion of copyrighted functions introduced by Naccache, Shamir, and Stern (PKC 1999), and our scheme is based on an identity-based encryption scheme whose private keys for identities (i.e., decryption functions) are marked, so our technique can be used to construct black-box traitor tracing schemes.

In this work we take a different approach. Instead of tackling the VRF problem as a whole, we demonstrate a simple and generic way of building Verifiable Random Functions from more basic and narrow cryptographic primitives. Then we can turn to exploring solutions to these primitives with a more focused mindset. In particular, we show that VRFs can be constructed generically from the following ingredients: (1) a 1-bounded constrained pseudorandom function for a functionality that is "admissible hash friendly", (2) a non-interactive statistically binding commitment scheme (without trusted setup) and (3) non-interactive witness-indistinguishable proofs (NIWIs). The first primitive can be replaced with a more basic puncturable PRF constraint if one is willing to settle for selective security or to assume sub-exponential hardness of the underlying assumptions.

In addition, we support our generic approach by giving new constructions of constrained PRFs from non-bilinear groups and new constructions of perfectly binding commitments from the Learning with Errors (LWE) and Learning Parity with Noise (LPN) assumptions.

In this paper, we propose to analyse some of the existing data concerning TLS measurements on the Internet. We studied several datasets, from the first public ones in 2010 to more recent scans. Even though the collection methodology and the tools used vary between campaigns, we propose a unified and reproducible way to analyse the TLS ecosystem across different datasets. Our approach is based on a set of open-source tools, concerto.

Our contribution is therefore threefold: an analysis of existing datasets leading to a unified methodology, the implementation of our approach with concerto, and the presentation of some results to validate our toolset.

Although pooled mining benefits miners, it severely degrades decentralization, since a centralized pool manager administers the pooling protocol. Furthermore, pooled mining significantly increases the risk of transaction censorship, since pool managers decide which transactions are included in blocks. Due to this widely recognized threat, the Bitcoin community has proposed an alternative called P2Pool, which decentralizes the operations of the pool manager. However, P2Pool is inefficient, increases the variance of miners' rewards, requires much more computation and bandwidth from miners, and has not gained wide adoption.

In this work, we propose a new protocol design for a decentralized mining pool. Our protocol, called SmartPool, shows how one can leverage *smart contracts*, which are autonomous agents themselves running on decentralized blockchains, to decentralize cryptocurrency mining. SmartPool guarantees high security and low reward variance for miners, and is cost-efficient. We implemented a prototype of SmartPool as an Ethereum smart contract working as a decentralized mining pool for Bitcoin. We have deployed it on the Ethereum testnet, and our experiments confirm that SmartPool is efficient and ready for practical use.

We present new constructions of VRFs from general primitives, the main one being *non-interactive witness-indistinguishable proofs* (NIWIs). This includes:

• A selectively-secure VRF assuming NIWIs and non-interactive commitments. As usual, the VRF can be made adaptively-secure assuming subexponential hardness of the underlying primitives.

• An adaptively-secure VRF assuming (polynomially-hard) NIWIs, non-interactive commitments, and *(single-key) constrained pseudorandom functions* for a restricted class of constraints.

The above primitives have known instantiations under various standard assumptions, which yields corresponding VRF instantiations under different assumptions than were previously known. One notable example is a non-uniform construction of VRFs from subexponentially-hard trapdoor permutations, or more generally, *verifiable pseudorandom generators* (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS '00).

The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of *indistinguishability obfuscation*.

For the Shortest Vector Problem, our configuration-search algorithm results in an exponential improvement for memory-efficient sieving algorithms. For $k=3$, it allows us to bring down the complexity of the BLS sieve algorithm on an $n$-dimensional lattice from $2^{0.4812n+o(n)}$ to $2^{0.3962n + o(n)}$ with the same space requirement of $2^{0.1887n + o(n)}$. Note that our algorithm beats the Gauss Sieve algorithm, whose time and space requirements are $2^{0.415n+o(n)}$ and $2^{0.208n + o(n)}$ respectively, while being easy to implement. Using LSH techniques, we can further reduce the time complexity down to $2^{0.3717n + o(n)}$ while retaining a memory complexity of $2^{0.1887n+o(n)}$.

In this work, we ask whether super-constant locality is inherent in this setting. We answer the question affirmatively by showing tight upper and lower bounds. Specifically, in any threat model which allows for a rewind attack (wherein the attacker leaks a small amount of data, waits for the data to be overwritten and then writes the original data back), we show that a locally decodable and updatable non-malleable code with block size $\chi \in \mathrm{poly}(\lambda)$ bits requires locality $\delta(n) \in \omega(1)$, where $n = \mathrm{poly}(\lambda)$ is the message length and $\lambda$ is the security parameter. On the other hand, we revisit the threat model of Dachman-Soled et al. (TCC '15), which indeed allows the adversary to launch a rewind attack, and present a construction of a locally decodable and updatable non-malleable code with block size $\chi \in \Omega(\lambda^{1/\mu})$ bits (for constant $0 < \mu < 1$) with locality $\delta(n)$, for any $\delta(n) \in \omega(1)$, and $n = \mathrm{poly}(\lambda)$.

Furthermore, we initiate the study of *Quantum ORAMs (QORAMs)*, that is, ORAM constructions meant to be executed between quantum parties acting on arbitrary quantum data. We address many problems arising when formalizing Quantum ORAMs, and we provide a secure construction (based on Path-ORAM and a quantum encryption scheme introduced by Alagic et al.) which has the interesting property of making read and write operations *inherently equivalent*. In so doing, we develop a novel technique of quantum extractability which is of independent interest. We believe that QORAMs represent a natural and interesting step in the direction of achieving privacy in future scenarios where quantum computing is ubiquitous.

One important limitation for applying universal samplers in practice is that the constructions are built upon indistinguishability obfuscation. The cost of using current $i\mathcal{O}$ constructions is prohibitively large. We ask whether the cost of a (universal) sampling could be paid by one party and then shared (soundly) with all other users. We address this question by introducing the notion of universal samplers with verification. Our notion follows the general path of [HJKSWZ14], but has additional semantics that allows for validation of a sample.

In this work we define and give a construction for universal samplers with verification. Our verification procedure is simple and built upon one-time signatures, making verification of a sample much faster than computing it. Security is proved under the sub-exponential hardness of indistinguishability obfuscation, puncturable pseudorandom functions, and one-time signatures.

The original work of Damgård et al. (ePrint 2016/106) introducing this notion left several open questions, in particular whether it is possible to construct ACE schemes with polylogarithmic complexity (in the number of possible identities in the system) from standard cryptographic assumptions.

In this work we answer the question in the affirmative by giving (efficient) constructions of ACE for an interesting class of predicates which includes equality, comparison, interval membership, and more.

We instantiate our constructions either on standard pairing assumptions (SXDH) or, more efficiently, in the generic group model.

Applicants who have a Master's degree in mathematics, computer science or related areas are encouraged to apply. Skills in error-correcting codes, complexity and software development will also be appreciated.

The position is fully funded for 3 years to work within our research teams. Additionally, the candidate may be offered a six-month internship before the beginning of the Ph.D. Review of applications will start immediately and continue until the position is filled.

**Closing date for applications:** 1 September 2017

**Contact:** Applications should be directed to: slim.bettaieb [at] worldline.com, loic.bidoux [at] worldline.com and gaborit [at] unilim.fr

Job Responsibilities

• Design and build financial technology applications using Blockchain / Distributed Ledger Technologies

• Work closely with the banking industry to create high-value Blockchain applications

• Conduct research on cryptographic schemes for Blockchain / Distributed Ledger Technologies

• Design and develop innovative yet high-quality application software for cybersecurity and FinTech initiatives.

• Collaborate with the energetic team to develop impactful Blockchain Proof-of-Concept and production applications.

Requirements

• Bachelor's degree in Computer Science or related disciplines with 6+ years' experience, or Master's degree or equivalent education with 3+ years' experience, or Ph.D. degree holder with less experience. Candidates with less experience will be considered as Engineer.

• Knowledge of Blockchain technology and a good understanding of cryptographic principles. Understanding of Blockchain platforms such as Bitcoin, Ethereum, HyperLedger, etc. is a big plus.

• Understanding of distributed systems and experience in implementing cryptographic protocols is a plus.

• Hands-on experience in one or more programming languages: Java, Scala, Python, JavaScript, C/C++, Go, etc.

• Good understanding of data structures, algorithms and design patterns.

• Must possess excellent interpersonal, verbal, and written communication skills.

• Must have a collaborative mindset, be a team player and be keen to share knowledge.

• Ability to work independently and thrive in learning new technologies.

**Closing date for applications:** 15 January 2017

**Contact:** *charlenechoo (at) astri.org*

**More information:** http://www.astri.org

The PhD position is for three years and will be located in Hamburg (Germany) within the Innovation Center for Cryptography and Security of NXP, and it will be supervised at the academic level by Prof. François-Xavier Standaert (Université Catholique de Louvain). It will be funded by the REASSURE European research project, which focuses on improving the efficiency of security evaluations with respect to side-channel analysis.

Education and Requirements

--------------------

- A Master's degree in computer science, security or mathematics

- A proven interest in cryptography and side-channel analysis

- Excellent communication and presentation skills on tactical as well as executive level (internally and externally)

- Strong analytical skills

- Team player

- Fluent in spoken and written English

Background in cryptography and embedded security will be a plus. Knowledge of German is not required.

Applications will be considered on a rolling basis until the position is filled.

**Closing date for applications:**

**Contact:** Vincent Verneuil

**More information:** https://nxp.wd3.myworkdayjobs.com/careers/job/Hamburg/PhD-student-in-Side-Channel-Analysis--m-f-_R-10001468-1

The position is based in Madrid, Spain, where the IMDEA Software Institute is situated. Salaries are internationally competitive and include attractive conditions such as access to an excellent public healthcare system. The working language at the institute is English.

Applicants should have already completed, or be close to completing, a PhD in computer science, mathematics, or a related discipline. Applicants should have an excellent research track record demonstrated by publications at major cryptography/security venues, and should have significant experience in the design of cryptographic protocols and provable security. Solid programming skills and experience in implementing cryptographic protocols will be considered positively. The application requires, among other documents, a CV, a research statement, and the names of three people who can provide references about you and your work.

The postdoctoral position is for one year. The starting date is negotiable but expected to be mid-2017.

Applicants interested in the position should send an email to Dario Fiore and submit the application documents at https://careers.imdea.org/software/. Applications are accepted until the position is filled.

**Closing date for applications:** 31 May 2017

**Contact:** For enquiries about the position, please contact: Dario Fiore, dario.fiore (at) imdea.org

**More information:** https://software.imdea.org/open_positions.html

Successful applicants are expected to hold a Bachelor's or Master's degree in Information Security, Computer Science or Mathematics with at least 2:1 honours, and to have strong background knowledge and technical skills (incl. programming skills) in cryptography and/or information/cyber security. We particularly welcome applications from current students who are projected to fulfil the above criteria and complete their degree in 2017.

This position is funded by HM Government and is available only to UK citizens. Applications are welcome from UK citizens who are prepared to undergo security vetting conducted by the respective UK authorities. The initial stage of vetting may last up to 3 months and needs to be completed successfully before the applicant can commence their PhD studies and become eligible for the stipend.

This is a rolling advert with a nominal closing date. Applications are accepted until the position is filled.

**Closing date for applications:** 31 March 2017

**Contact:** Dr Mark Manulis, *m.manulis (at) surrey.ac.uk*

**More information:** https://jobs.surrey.ac.uk/vacancy.aspx?ref=093316

• To design and develop cryptographic protocols and schemes

• To design, analyze and implement cryptographic systems and related systems such as blockchain

• To study the latest cryptographic algorithms and protocols

Requirements

• Master's degree in computer science, electronic engineering or other relevant disciplines with 3+ years' experience; less experience required for PhD holders.

• Experience in cryptographic system design and cryptanalysis

• Deep knowledge of number theory and security proofs

• Hands-on experience with C/C++ and Java

• Preferably, experience using cryptographic libraries such as OpenSSL, MIRACL, PBC, etc.

• Experience in developing cloud computing systems is an advantage, but not a must

• Strong interpersonal and communication skills

• Good command of both written and spoken English

**Closing date for applications:** 15 January 2017

**Contact:** *charlenechoo (at) astri.org*

**More information:** http://www.astri.org

**Closing date for applications:** 29 January 2017

**Contact:** Huaxiong Wang

email: *hxwang (at) ntu.edu.sg*

Submission deadline: 6 March 2017

Notification: 26 April 2017

We present a new approach for practical function-private IPE schemes that does not employ DPVS but rather generalizations of the Brakerski-Segev transformation. Our generalizations of the Brakerski-Segev transformation are easily combinable with existing (non-function-private) IPE schemes as well as (non-function-private) FE schemes for general circuits at several levels of security. Our resulting IPE schemes achieve better performance in comparison with the IPE schemes of Bishop et al. and of Datta et al., while preserving the same security notion under the same complexity assumption. In comparison with the IPE scheme of Tomida et al., ours has comparable performance in the size of both ciphertext and decryption key, but better performance in the size of the master key.

Here we describe Strobe, a new lightweight framework for building both cryptographic primitives and network protocols. Strobe is a sponge construction in the same family as Markku Saarinen's BLINKER framework.

The Strobe framework is simple and extensible. It is suitable for use as a hash, authenticated cipher, pseudorandom generator, and as the symmetric component of a network protocol engine. With an elliptic curve or other group primitive, it also provides a flexible Schnorr signature variant.

Strobe can be instantiated with different sponge functions for different purposes. We show how to instantiate Strobe as an instance of NIST's draft cSHAKE algorithm. We also show a lightweight implementation which is especially suitable for 16- and 32-bit microcontrollers, and also for small but high-speed hardware.

It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing a certain multilinear map. Thus, we focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a successful reduction cannot decrease the amount of randomness used in the problem instance description).

When comparing MDDH problems of the same size and number of parameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative partial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other.

The results given in the paper are limited by some technical restrictions on the shape of the matrices and on the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH problems. Therefore, our results apply to all known instances of practical interest.