International Association for Cryptologic Research

IACR News

26 May 2018

Singapore, Singapore, 17 November 2018
Event Calendar
Event date: 17 November 2018
Submission deadline: 7 August 2018
Notification: 4 September 2018

Buenos Aires, Argentina, 30 July - 3 August 2018
School
Event date: 30 July to 3 August 2018

25 May 2018

Nilanjan Datta, Avijit Dutta, Mridul Nandi, Kan Yasuda
ePrint Report
At CRYPTO 2016, Cogliati and Seurin proposed a highly secure nonce-based MAC called Encrypted Wegman-Carter with Davies-Meyer ($\textsf{EWCDM}$), defined as $\textsf{E}_{K_2}\bigl(\textsf{E}_{K_1}(N)\oplus N\oplus \textsf{H}_{K_h}(M)\bigr)$ for a nonce $N$ and a message $M$. This construction achieves roughly $2^{2n/3}$-bit MAC security under the assumption that $\textsf{E}$ is a PRP-secure $n$-bit block cipher and $\textsf{H}$ is an almost-XOR-universal $n$-bit hash function. In this paper we propose the Decrypted Wegman-Carter with Davies-Meyer ($\textsf{DWCDM}$) construction, which is structurally very similar to its predecessor $\textsf{EWCDM}$ except that the outer encryption call is replaced by a decryption call. The biggest advantage of $\textsf{DWCDM}$ is that it yields a truly single-key MAC: the two block cipher calls can use the same block cipher key $K=K_1=K_2$. Moreover, the hash key can be derived as $K_h=\textsf{E}_K(1)$, as long as $|K_h|=n$. Whether encryption or decryption is used in the outer layer makes a huge difference: using decryption enables us to apply an extended version of Patarin's mirror theory to the security analysis of the construction. $\textsf{DWCDM}$ is secure beyond the birthday bound, roughly up to $2^{2n/3}$ MAC queries and $2^n$ verification queries against nonce-respecting adversaries, and it remains secure up to $2^{n/2}$ MAC queries and $2^n$ verification queries against nonce-misusing adversaries.
Old Dominion University
Job Posting
A postdoctoral research fellow position in cybersecurity is available in the Virginia Modeling, Analysis and Simulation Center (VMASC) at Old Dominion University, for an initial appointment of one year, renewable based on performance.

The incumbent is expected to participate in the cybersecurity research lab at VMASC led by Dr. Sachin Shetty.

Responsibilities include conducting fundamental research in blockchain for IoT security and publishing in leading conferences and journals, participation in proposal development, and some supervision of graduate students. This position is ideally suited for a recent Ph.D. graduate who plans to pursue a research career. A completed Ph.D. degree in ECE or CS is required by the time of the appointment. A solid background in network security, distributed systems, protocols and algorithms is highly desirable.

Closing date for applications: 30 July 2018

Contact: Sachin Shetty, Ph.D.

Associate Professor

Virginia Modeling, Analysis and Simulation Center

Center for Cybersecurity Education and Research

Dept. of Modeling, Simulation and Visualization Engineering

Old Dominion University

1030 University Blvd

Suffolk, VA 23435

Email: sshetty (at) odu.edu

Web: https://www.odu.edu/~sshetty

More information: http://www.lions.odu.edu/~sshetty/PostDoc_ODU_2018.htm
Norwegian University of Science and Technology (NTNU)
Job Posting
The goal of this PhD research is to investigate the possibility of integrating into existing blockchain technologies and services additional cryptographic concepts that are not yet present there but have been developed by cryptographers for many years.

The applicants should have a master’s degree in mathematics, computer science, communications technology or related areas with an average grade of B or better. Candidates completing their MSc degree in spring 2018 are encouraged to apply.

Knowledge of cryptography and strong programming skills are desirable.

Closing date for applications: 10 June 2018

Contact: For further information about the position, please contact Professor Danilo Gligoroski, danilog (at) ntnu.no

More information: https://www.jobbnorge.no/en/available-jobs/job/153395/


24 May 2018

Barcelona, Spain, 6 September - 7 September 2018
Event Calendar
Event date: 6 September to 7 September 2018
Submission deadline: 16 June 2018
Notification: 16 July 2018

San Francisco, USA, 4 March - 8 March 2019
Event Calendar
Event date: 4 March to 8 March 2019
Submission deadline: 14 September 2018
Notification: 19 November 2018

23 May 2018

University of Surrey, Surrey Centre for Cyber Security, UK
Job Posting
Surrey Centre for Cyber Security (SCCS) at the University of Surrey invites applications for a full-time one-year Post-doc/Research Fellow position in Wireless Security. The post is part of the funded Innovate UK project “SAFRON: Safe Operational Radio Network for mixed-priority communications to trains using a shared architecture”. SAFRON will create a prototype to demonstrate how wireless networks (e.g. WiFi, LTE, and 5G) can be used for train-to-trackside communications for mixed applications, including safety-related and mission-critical ones.

Successful applicants will have core skills in key management and network authentication standards (e.g. IPSEC) and wireless communications. Experience in tunnelling techniques is advantageous (e.g. L2TP or GRE). A PhD and/or industrial experience would be desirable since the project is research oriented and in collaboration with industry. A graduate with an appropriate background would also be considered.

The successful applicant will be working under supervision of Dr Helen Treharne and Dr Mark Manulis and will benefit from the environment provided by the Surrey Centre for Cyber Security, an Academic Centre of Excellence in Cyber Security Research recognized by the British Government.

Salary: 31604 GBP – 34520 GBP depending on qualifications

Expected start date: 1 August 2018

Applicants should submit their applications through the University portal via: https://jobs.surrey.ac.uk/vacancy.aspx?ref=038718

Closing date for applications: 20 June 2018

Contact: Dr. Mark Manulis --- m.manulis (at) surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=038718

Norwegian University of Science and Technology (NTNU)
Job Posting
This is a joint project between Simula@UiB and NTNU and others, funded by the Research Council of Norway. The main objective of this project is to develop cryptographic protocols and primitives that realize trusted and secure communication in an IoT ecosystem.

We are entering the era of the Internet of Things (IoT). The IoT connects not only classical computing and communication devices, but all kinds of other gadgets that we use in our everyday lives. For IoT, security concerns go beyond traditional privacy or denial of service; also the immediate physical security of humans is at stake, and the cost of security failures becomes much more severe. Moreover, the IoT will be comprised of heterogeneous and lightweight devices, many of which may be unable to perform the complex computations required by modern security protocols.

The constrained IoT environment poses novel challenges for cryptographic protocol design and analysis. The PhD fellow will study protocols implementing traditional trusted-third-party trust mechanisms and/or newer (but less well-understood) notions of distributed trust. In both cases the protocols will rely on quantum-safe primitives. Of particular interest is the construction of security proofs for such lightweight protocols, requiring tight proofs as well as high assurance (e.g. automatic verification of security proofs).

Closing date for applications: 18 June 2018

Contact: Professor Kristian Gjøsteen (kristian.gjosteen (at) ntnu.no)

More information: https://www.jobbnorge.no/ledige-stillinger/stilling/153293/

Norwegian University of Science and Technology
Job Posting
The positions are connected to the project «Secure, Usable and Robust Cryptographic Voting Systems». This is a joint project between NTNU and the University of Luxembourg, funded by the Research Council of Norway and the Luxembourg National Research Fund. The goal of the project is to study the security of cryptographic voting schemes.

Traditional voting has some significant limitations. From a security viewpoint, it has relied heavily on trust in the election officials, which in turn restricts independent verifiability and high assurance regarding confidentiality of votes. In addition, traditional voting has problems regarding errors in counting, accessibility, and timeliness.

Although cryptographic voting systems were proposed almost 30 years ago, and have been deployed in many countries more recently, there remain major obstacles to their widespread adoption. As we have seen in recent years, voting systems sometimes fail and they are susceptible to a range of attacks, even in established democracies.

This project will investigate the security of voting systems and increase our assurance in state-of-the-art voting systems. In particular, the project will study user confidence in cryptographic voting systems, security proofs for such systems, as well as options for long-term security (including post-quantum security).

Security proofs will be a particular focus for one PhD fellow, while long-term security will be a particular focus for the other PhD fellow.

Closing date for applications: 18 June 2018

Contact: Professor Kristian Gjøsteen (kristian.gjosteen (at) ntnu.no), or Professor Colin Boyd (colin.boyd (at) ntnu.no).

More information: https://www.jobbnorge.no/ledige-stillinger/stilling/153300/

Norwegian University of Science and Technology
Job Posting
The position is connected to the project «Secure, Usable and Robust Cryptographic Voting Systems». This is a joint project between NTNU and the University of Luxembourg, funded by the Research Council of Norway and the Luxembourg National Research Fund. The goal of the project is to study the security of cryptographic voting schemes.

Traditional voting has some significant limitations. From a security viewpoint, it has relied heavily on trust in the election officials, which in turn restricts independent verifiability and high assurance regarding confidentiality of votes. In addition, traditional voting has problems regarding errors in counting, accessibility, and timeliness.

Although cryptographic voting systems were proposed almost 30 years ago, and have been deployed in many countries more recently, there remain major obstacles to their widespread adoption. As we have seen in recent years, voting systems sometimes fail and they are susceptible to a range of attacks, even in established democracies.

This project will investigate the security of voting systems and increase our assurance in state-of-the-art voting systems. In particular, the project will study user confidence in cryptographic voting systems, security proofs for such systems, as well as options for long-term security (including post-quantum security).

Closing date for applications: 18 June 2018

Contact: Professor Kristian Gjøsteen (kristian.gjosteen (at) ntnu.no) or Professor Colin Boyd (colin.boyd (at) ntnu.no).

More information: https://www.jobbnorge.no/ledige-stillinger/stilling/153320/

University of Surrey, Surrey Centre for Cyber Security & Surrey Space Centre, UK
Job Posting
Surrey Centre for Cyber Security (SCCS) and Surrey Space Centre (SSC) at the University of Surrey invite applications for a fully-funded PhD position in Satellite System Security to work on an industry-funded research project TargetSat: Security of COTS-based Satellite Systems.

The project is funded by the NCC Group and aims to develop understanding of security risks and requirements associated with the use of commercial off-the-shelf components (incl. operating systems and software) in satellites and ground control systems, identify weaknesses and vulnerabilities in existing single and multi-satellite architectures and communication protocols, and propose mitigating countermeasures. An appropriate test-bed facility will be developed as part of this project.

Successful applicants are expected to be familiar with:

• Linux-based OS systems, incl. kernel programming

• System- / network-level attacks (e.g. buffer overflows, command injection), penetration testing

• Programming languages: C/C++, Assembly, or Python

We particularly welcome applications from ongoing students who are projected to complete their degree in 2018.

This PhD studentship includes a tax-free PhD stipend of GBP 20,000 per year for 3.5 years of PhD studies. This stipend is significantly higher than an average PhD stipend in the UK. Additional funding is available to support conference travel, etc.

Closing and starting dates: This is a “rolling advert” with a nominal closing date. Applications are welcome at any time and the timing of the selection process will be dependent on the applications received. Planned start date is October 2018.

Applications should be sent via https://jobs.surrey.ac.uk/Vacancy.aspx?id=4966

Closing date for applications: 30 September 2018

Contact: Informal inquiries can be directed to Dr Mark Manulis (m.manulis (at) surrey.ac.uk)

More information: https://jobs.surrey.ac.uk/Vacancy.aspx?id=4966

University of Maryland Baltimore County (UMBC)
Job Posting
Funded Ph.D. Student Positions in Hardware Security and Reliability, VLSI Testing and VLSI

Ph.D. student positions are available (start date: Fall 2018) in the field of hardware security, reliability, VLSI Testing and VLSI in the CSEE Department of University of Maryland, Baltimore County.

UMBC is ranked 55 in Computer Engineering according to US News, and places 7th in the ranking of Most Innovative national universities.

Our group has a strong background in hardware security, reliability, and trust, and in particular in side-channel analysis and fault analysis attacks, IC Counterfeiting, Trojan detection, IP/IC protection, Physically Unclonable Functions (PUFs) and Crypto devices as well as testing and reliability of secure devices and VLSI.

Requirements:

- M.Sc./B.Sc. in Computer Engineering or Electrical Engineering

- Solid knowledge in Hardware Description Languages (HDL)

- Solid Knowledge in digital design

Please contact me with your CV and Statement of Purpose by June 30th.

Naghmeh Karimi, Assistant Professor

Department of Computer Science and Electrical Engineering

University of Maryland, Baltimore County

Baltimore, MD 21250

Web: http://www.csee.umbc.edu/~nkarimi/

Closing date for applications: 30 June 2018

Contact: Naghmeh Karimi, Ph.D.

E-mail: nkarimi (at) umbc.edu

Jack Doerner, Yashvanth Kondi, Eysa Lee, abhi shelat
ePrint Report
The Elliptic Curve Digital Signature Algorithm (ECDSA) is one of the most widely used schemes in deployed cryptography. Through its applications in code and binary authentication, web security, and cryptocurrency, it is likely one of the few cryptographic algorithms encountered on a daily basis by the average person. However, its design is such that executing multi-party or threshold signatures in a secure manner is challenging: unlike other, less widespread signature schemes, secure multi-party ECDSA requires custom protocols, which has heretofore implied reliance upon additional cryptographic assumptions and primitives such as the Paillier cryptosystem.

We propose new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which we prove secure against malicious adversaries in the random oracle model using only the Computational Diffie-Hellman Assumption and the assumptions already relied upon by ECDSA itself. Our scheme requires only two messages, and via implementation we find that it outperforms the best prior results in practice by a factor of 56 for key generation and 11 for signing, coming to within a factor of 18 of local signatures. Concretely, two parties can jointly sign a message in just over three milliseconds.
Qian Guo, Vincent Grosso, François-Xavier Standaert
ePrint Report
One important open question in the field of side-channel analysis is to find out whether all the leakage samples in an implementation can be exploited by an adversary, as suggested by masking security proofs. For concrete attacks exploiting a divide-and-conquer strategy, the answer is negative (i.e., only the leakages corresponding to the first/last rounds of a block cipher can be exploited). Soft Analytical Side-Channel Attacks (SASCA) have been introduced as a powerful solution to mitigate this limitation. They represent the target implementation and its leakages as a code (similar to a Low Density Parity Check code) that is then decoded thanks to belief propagation. Previous works have shown the low data complexities that SASCA can reach in practice (at the cost of a higher time complexity). In this work, we revisit these attacks by modeling them with a variation of the Random Probing Model used in masking security proofs, that we denote as the Local Random Probing Model (LRPM). Our study establishes interesting connections between this model and the erasure channel used in coding theory, leading to the following benefits. First, the LRPM allows assessing the security of concrete implementations against SASCA in a fast and intuitive manner. We use it to confirm that the leakage of any operation in a block cipher can be exploited, although the leakages of external operations dominate in known-plaintext/ciphertext attack scenarios. Second, we show that the LRPM is a tool of choice for the (nearly worst-case) analysis of masked implementations in the noisy leakage model, taking advantage of all the operations performed, and leading to new possibilities of tradeoffs between their amount of randomness and physical noise level.
Xiangfu Song, Changyu Dong, Dandan Yuan, Qiuliang Xu, Minghao Zhao
ePrint Report
Recently, several practical attacks have raised serious concerns over the security of searchable encryption. The attacks have brought emphasis on forward privacy, which is the key concept behind solutions to adaptive leakage-exploiting attacks, and which will very likely become a must-have property of all new searchable encryption schemes. For a long time, forward privacy implied inefficiency, and thus most existing searchable encryption schemes do not support it. Very recently, Bost (CCS 2016) showed that forward privacy can be obtained without inducing a large communication overhead. However, Bost’s scheme is constructed with a relatively inefficient public key cryptographic primitive, and has poor I/O performance. Both deficiencies significantly hinder the practical efficiency of the scheme, and prevent it from scaling to large data settings. To address these problems, we first present FAST, which achieves forward privacy and the same communication efficiency as Bost’s scheme, but uses only symmetric cryptographic primitives. We then present FASTIO, which retains all the good properties of FAST and further improves I/O efficiency. We implemented the two schemes and compared their performance with Bost’s scheme. The experimental results show that both our schemes are highly efficient.
Aydin Abadi, Sotirios Terzis, Roberto Metere, Changyu Dong
ePrint Report
Private set intersection (PSI) is an essential cryptographic protocol that has many real world applications. As cloud computing power and popularity have been swiftly growing, it is now desirable to leverage the cloud to store private datasets and delegate PSI computation to it. Although a set of efficient PSI protocols have been designed, none support outsourcing of the datasets and the computation. In this paper, we propose two protocols for delegated PSI computation on outsourced private datasets. Our protocols have a unique combination of properties that make them particularly appealing for a cloud computing setting. Our first protocol, O-PSI, satisfies these properties by using additive homomorphic encryption and point-value polynomial representation of a set. Our second protocol, EO-PSI, is mainly based on a hash table and point-value polynomial representation and it does not require public key encryption; meanwhile, it retains all the desirable properties and is much more efficient than the first one. We also provide a formal security analysis of the two protocols in the semi-honest model and we analyze their performance utilizing prototype implementations we have developed. Our performance analysis shows that EO-PSI scales well and is also more efficient than similar state-of-the-art protocols for large set sizes.
Changyu Dong, Grigorios Loukides
ePrint Report
The computation of private set union/intersection cardinality (PSU-CA/PSI-CA) is one of the most intensively studied problems in Privacy Preserving Data Mining (PPDM). However, existing protocols are computationally too expensive to be employed in real-world PPDM applications. In response, we propose efficient approximate protocols, whose accuracy can be tuned according to application requirements. We first propose a two-party PSU-CA protocol based on Flajolet-Martin sketches. The protocol has logarithmic computational/communication complexity and relies mostly on symmetric key operations. Thus, it is much more efficient and scalable than existing protocols. In addition, our protocol can hide its output. This feature is necessary in PPDM applications, since the union cardinality is often an intermediate result that must not be disclosed. We then propose a two-party PSI-CA protocol, which is derived from the PSU-CA protocol with virtually no cost. Both our two-party protocols can be easily extended to the multiparty setting. We also design an efficient masking scheme for (1,n)-OT. The scheme is used in optimizing the two-party protocols and is of independent interest, since it can speed up (1,n)-OT significantly when n is large. Last, we show through experiments the effectiveness and efficiency of our protocols.
Zvika Brakerski, Renen Perlman
ePrint Report
The Ring Learning with Errors problem (RLWE) introduced by Lyubashevsky, Peikert and Regev (LPR, Eurocrypt 2010, Eurocrypt 2013) quickly became a central element in the cryptographic literature and a foundation for numerous cryptosystems. RLWE is an average-case problem whose hardness is provably related to the worst-case hardness of ideal lattice problems. However, in many cases optimizations and other considerations necessitate generating RLWE instances from distributions for which the worst-case reduction does not apply, thus leaving the resulting cryptosystem secure only for heuristic reasons.

The focus of this work is RLWE with non-uniform distribution on secrets. A legal RLWE secret is (roughly) a uniform element in the ring of integers of a number field, modulo an integer $q$. We consider two main classes of "illegal" distributions of secrets.

The first is sampling from a subring of the intended domain. We show that this translates to a generalized form of RLWE that we call Order-LWE; we provide worst-case hardness results for this new problem, and map out regimes where it is secure and where it is insecure. Two interesting corollaries are a (generalization of) the known hardness of RLWE with secrets sampled from the ring of integers of a subfield, and new hardness results for the Polynomial-LWE (PLWE) problem, with different parameters than previously known.

The second is sampling from a $k$-wise independent distribution over the CRT representation of the secret. We cannot show worst case hardness in this case, but instead present a single average case problem (specifically, bounded distance decoding on a fixed specific distribution over lattices) whose hardness implies the hardness of RLWE for all such distributions of secrets.
Lior Rotem, Gil Segev
ePrint Report
Extensive efforts are currently put into securing messaging platforms, where a key challenge is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and recent attacks indicate that the security of group messaging is still quite fragile.

We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other's voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO '05) and Naor et al. (CRYPTO '06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it.

Within our framework we establish tight bounds on the tradeoff between the adversary's success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff.

In particular, considering groups that consist of an administrator and $k$ additional users, for statistically-secure protocols we show that at least $(k+1)\cdot (\log(1/\epsilon) - \Theta(1))$ bits must be out-of-band authenticated, whereas for computationally-secure ones $\log(1/\epsilon) + \log k$ bits suffice, where $\epsilon$ is the adversary's success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).