International Association
for Cryptologic Research

We study a new methodology supporting data integrity called 'implicit integrity' and present cryptographic constructions supporting it. Implicit integrity allows for corruption detection without producing, storing or verifying mathematical summaries of the content such as MACs, ICVs etc. The main idea behind this methodology is that, whereas typical user data demonstrate patterns such as repeated bytes or words, decrypted data resulting from corrupted ciphertexts no longer demonstrate such patterns. Thus, by checking the entropy of some decrypted ciphertexts, corruption can be possibly detected.

We discuss that implicit integrity can be associated with a notion of security which is different from the typical requirement that the output of cryptographic systems should be indistinguishable from the output of a random permutation. The notion of security we discuss is that it should be computationally difficult for an adversary to corrupt some ciphertext so that the resulting plaintext demonstrates specific patterns. We further introduce two kinds of adversaries. First, an input perturbing adversary performs content corruption attacks. Second an oracle replacing adversary performs content replay attacks. We discuss requirements for supporting implicit integrity in these two adversary models, and provide security bounds for a construction called IVP, a three-level confusion diffusion network which can support implicit integrity and is inexpensive to implement.

We present a quantum polynomial time attack against the GMMSSZ branching program obfuscator of Garg et al. (TCC'16), when instantiated with the GGH13 multilinear map of Garg et al. (EUROCRYPT'13). This candidate obfuscator was proved secure in the weak multilinear map model introduced by Miles et al. (CRYPTO'16). Our attack uses the short principal ideal solver of Cramer et al. (EUROCRYPT'16), to recover a secret element of the GGH13 multilinear map in quantum polynomial time. We then use this secret element to mount a (classical) polynomial time mixed-input attack against the GMMSSZ obfuscator. The main result of this article can hence be seen as a classical reduction from the security of the GMMSSZ obfuscator to the short principal ideal problem (the quantum setting is then only used to solve this problem in polynomial time).

As an additional contribution, we explain how the same ideas can be adapted to mount a quantum polynomial time attack against the DGGMM obfuscator of D\"ottling et al. (ePrint 2016), which was also proved secure in the weak multilinear map model.

The FHEW fully homomorphic encryption scheme (Ducas and Micciancio, Eurocrypt 2015) offers very fast homomorphic NAND-gate computations (on encrypted data) and a relatively fast refreshing procedure that allows to homomorphically evaluate arbitrary NAND boolean circuits. Unfortunately, the refreshing procedure needs to be executed after every single NAND computation, and each refreshing operates on a single encrypted bit, greatly decreasing the overall throughput of the scheme. We give a new refreshing procedure that simultaneously refreshes $n$ FHEW ciphertexts, at a cost comparable to a single-bit FHEW refreshing operation. As a result, the cost of each refreshing is amortized over $n$ encrypted bits, improving the throughput for the homomorphic evaluation of boolean circuits roughly by a factor $n$.

Side Channel Attacks (SCA) and Fault Injection Attacks (FIA) allow an opponent to have partial access to the internal behavior of the hardware. Since the end of the nineties, many works have shown that this type of attacks constitute a serious threat to cryptosystems implemented in embedded devices. In the state of the art, there exist several countermeasures to protect symmetric encryption (especially AES-128). Most of them protect only against one of these two attacks (SCA or FIA). A method called ODSM has been proposed to withstand SCA and FIA , but its implementation in the whole algorithm is a big open problem when no particular hardware protection is possible. In the present paper, we propose a practical masking scheme specifying ODSM which makes it possible to protect the symmetric encryption against these two attacks.

We construct a two-message oblivious transfer (OT) protocol without setup that guarantees statistical privacy for the sender even against malicious receivers. Receiver privacy is game based and relies on the hardness of learning with errors (LWE). This flavor of OT has been a central building block for minimizing the round complexity of witness indistinguishable and zero knowledge proof systems and multi-party computation protocols, as well as for achieving circuit privacy for homomorphic encryption in the malicious setting. Prior to this work, all candidates in the literature from standard assumptions relied on number theoretic assumptions and were thus insecure in the post-quantum setting. This work provides the first (presumed) post-quantum secure candidate and thus allows to instantiate the aforementioned applications in a post-quantum secure manner.

Technically, we rely on the transference principle: Either a lattice or its dual must have short vectors. Short vectors, in turn, can be translated to information loss in encryption. Thus encrypting one message with respect to the lattice and one with respect to its dual guarantees that at least one of them will be statistically hidden.

Trapdoor functions (TDFs) are a fundamental primitive in cryptography. Yet, the current set of assumptions known to imply TDFs is surprisingly limited, when compared to public-key encryption. We present a new general approach for constructing TDFs. Specifically, we give a generic construction of TDFs from any Hash Encryption (Doettling and Garg [CRYPTO '17]) satisfying a novel property which we call recyclability. By showing how to adapt current Computational Diffie-Hellman (CDH) based constructions of hash encryption to yield recyclability, we obtain the first construction of TDFs with security proved under the CDH assumption. While TDFs from the Decisional Diffie-Hellman (DDH) assumption were previously known, the possibility of basing them on CDH had remained open for more than 30 years.

We present a key recovery attack against Y. Wang's Random Linear Code Encryption (RLCE) scheme recently submitted to the NIST call for post-quantum cryptography. This attack recovers the secret key for all the short key parameters proposed by the author.

Determining the security of AES is a central problem in cryptanalysis, but progress in this area had been slow and only a handful of cryptanalytic techniques led to significant advancements. At Eurocrypt 2017 Grassi et al. presented a novel type of distinguisher for AES-like structures, but so far all the published attacks which were based on this distinguisher were inferior to previously known attacks in their complexity. In this paper we combine the technique of Grassi et al. with several other techniques to obtain the best known key recovery attack on 5-round AES in the single-key model, reducing its overall complexity from about $2^{32}$ to about $2^{22.5}$. Extending our techniques to 7-round AES, we obtain the best known attacks on AES-192 which use practical amounts of data and memory, breaking the record for such attacks which was obtained 18 years ago by the classical Square attack.

This paper highlights a particular construction of a correct KEM without failures and without ciphertext expansion from any correct deterministic PKE, and presents a simple tight proof of ROM IND-CCA2 security for the KEM assuming merely OW-CPA security for the PKE. Compared to previous proofs, this proof is simpler, and is also factored into smaller pieces that can be audited independently. In particular, this paper introduces the notion of ``IND-Hash'' security and shows that this allows a new separation between checking encryptions and randomizing decapsulations. The KEM is easy to implement in constant time, given a constant-time implementation of the PKE.

Location-based services are now quite popular. The variety of applications and their numerous users show it clearly. However, these applications rely on the persons' honesty to use their real location. If they are motivated to lie about their position, they can do so. A location-proof system allows a prover to obtain proofs from nearby witnesses, for being at a given location at a given time. Such a proof can be used to convince a verifier later on. Yet, provers and witnesses may want to keep their location and their identity private. In this paper, a solution is presented in which a malicious adversary, acting as a prover, cannot cheat on his position and remain undetected. It relies on multi-party computations and group-signature schemes to protect the private information of both the prover and the witnesses against any semi-honest participant.

Oblivious transfer is an important tool against malicious cloud server providers. Halevi-Kalai OT, which is based on smooth projective hash(SPH), is a famous and the most efficient framework for $1$-out-of-$2$ oblivious transfer ($\mbox{OT}^{2}_{1}$) against malicious adversaries in plain model. A natural question however, which so far has not been answered, is whether its security level can be improved, i.e., whether it can be made fully-simulatable.

In this paper, we press a new SPH variant, which enables a positive answer to above question. In more details, it even makes fully-simulatable $\mbox{OT}^{n}_{t}$ ($n,t\in \mathbb{N}$ and $n>t$) possible. We instantiate this new SPH variant under not only the decisional Diffie-Hellman assumption, the decisional $N$-th residuosity assumption and the decisional quadratic residuosity assumption as currently existing SPH constructions, but also the learning with errors (LWE) problem. Before this paper, there is a folklore that it is technically difficult to instantiate SPH under the lattice assumption (e.g., LWE). Considering quantum adversaries in the future, lattice-based SPH makes important sense.

We propose a new method for reducing complexity of the pairing comparisons based on polynomials. Thought the construction introduces uncertainty into (usually deterministic) checks, it is easily quantifiable and in most cases extremely small. The application to CL-LRSW signature verification under n messages and group order q allows to reduce the number of computed pairings from 4n down to just 4, while the introduced uncertainty is just (2n-1)/q.

A fast correlation attack (FCA) is a well-known cryptanalysis technique for LFSR-based stream ciphers. The correlation between the initial state of an LFSR and corresponding key stream is exploited, and the goal is to recover the initial state of the LFSR. In this paper, we revisit the FCA from a new point of view based on a finite field, and it brings a new property for the FCA when there are multiple linear approximations. Moreover, we propose a novel algorithm based on the new property, which enables us to reduce both time and data complexities. We finally apply this technique to the Grain family, which is a well-analyzed class of stream ciphers. There are three stream ciphers, Grain-128a, Grain-128, and Grain-v1 in the Grain family, and Grain-v1 is in the eSTREAM portfolio and Grain-128a is standardized by ISO/IEC. As a result, we break them all, and especially for Grain-128a, the cryptanalysis on its full version is reported for the first time.

Order-preserving encryption emerged as a key ingredient underlying the security of practical database management systems. Boldyreva et al. (EUROCRYPT '09) initiated the study of its security by introducing two natural notions of security. They proved that their first notion, a ``best-possible'' relaxation of semantic security allowing ciphertexts to reveal the ordering of their corresponding plaintexts, is not realizable. Later on Boldyreva et al. (CRYPTO '11) proved that any scheme satisfying their second notion, indistinguishability from a random order-preserving function, leaks about half of the bits of a random plaintext.

This unsettling state of affairs was recently changed by Chenette et al. (FSE '16), who rigorously relaxed the above ``best-possible'' notion and constructed a scheme satisfying it based on any pseudorandom function. In addition to revealing the ordering of any two encrypted plaintexts, ciphertexts in their scheme reveal only the position of the most significant bit on which the plaintexts differ. A significant drawback of their scheme, however, is its substantial ciphertext expansion: Encrypting plaintexts of length $m$ bits results in ciphertexts of length $m \cdot \ell$ bits, where $\ell$ determines the level of security (e.g., $\ell = 80$ in practice).

In this work we prove a lower bound on the ciphertext expansion of any order-preserving encryption scheme satisfying the ``limited-leakage'' notion of Chenette et al. with respect to non-uniform polynomial-time adversaries, matching the ciphertext expansion of their scheme up to lower-order terms. This improves a recent result of Cash and Zhang (ePrint '17), who proved such a lower bound for schemes satisfying this notion with respect to computationally-unbounded adversaries (capturing, for example, schemes whose security can be proved in the random-oracle model without relying on cryptographic assumptions). Our lower bound applies, in particular, to schemes whose security is proved in the standard model.

In Eurocrypt 2018, Luykx and Preneel described hash-key-recovery and forgery attacks against polynomial hash based Wegman-Carter-Shoup (WCS) authenticators. Their attacks require $2^{n/2}$ message-tag pairs and recover hash-key with probability about $1.34 \times 2^{-n}$ where $n$ is the bit-size of the hash-key. Bernstein in Eurocrypt 2005 had provided an upper bound (known as Bernstein bound) of the maximum forgery advantages. The bound says that all adversaries making $O(2^{n/2})$ queries of WCS can have maximum forgery advantage $O(2^{-n})$. So, Luykx and Preneel essentially analyze WCS in a range of query complexities where WCS is known to be perfectly secure. Here we revisit the bound and found that WCS remains secure against all adversaries making $q \ll \sqrt{n} \times 2^{n/2}$ queries. So it would be meaningful to analyze adversaries with beyond birthday bound complexities.

In this paper, we show that the Bernstein bound is tight by describing two attacks (one in the ``chosen-plaintext model" and other in the ``known-plaintext model") which recover the hash-key (hence forges) with probability at least $\frac{1}{2}$ based on $\sqrt{n} \times 2^{n/2}$ message-tag pairs. We also extend the forgery adversary to the Galois Counter Mode (or GCM). More precisely, we recover the hash-key of GCM with probability at least $\frac{1}{2}$ based on only $\sqrt{\frac{n}{\ell}} \times 2^{n/2}$ encryption queries, where $\ell$ is the number of blocks present in encryption queries.

Abertay University, in Dundee, Scotland, is a modern university with a global outlook, rooted in its local and national communities. In 2013 we marked the 125th anniversary of our foundation as an institution dedicated to supporting science, industry and the professions with a distinctive interdisciplinary and multi-disciplinary approach to teaching, research and knowledge exchange.

The University now seeks to appoint two Lecturers in Computing and Cybersecurity within the Division of Cybersecurity, part of the School of Design and Informatics.

The School of Design and Informatics is the home of Abertay’s undergraduate and postgraduate degree programmes in games, digital arts, cybersecurity and applied computer science. Abertay was the first university to offer degrees in Computer Games Technology and Ethical Hacking, and the School continues to be recognised as an international leader in its fields. The School has long-established professional links with Dundee’s thriving computer games community and the UK\'s cybersecurity community.

The Division of Cybersecurity is Abertay\'s centre for teaching and research in applied computing and cybersecurity, with particular interests in ethical hacking, digital forensics, IoT and secure software development. Reporting to the Head of Division, you will provide high-quality, research-informed teaching across all of our degree programmes, with a particular focus on specialist content within our Ethical Hacking and Computing degrees, and conduct internationally-recognised research that contributes to Abertay\'s strategic interests within the cybersecurity industries and wider digital sector.

The Lecturer in Computing and Cybersecurity will demonstrate relevant knowledge and practical ability in one or more of the following areas:, IoT, secure software development, Big Data for cybersecurity or AI for cybersecurity, ethical hacking or network security.

If you believe you have the skills and experience for this exciting and challenging role, please submit your application through our online recruitment system.

Closing date for applications: 29 June 2018

More information: https://www.jobs.ac.uk/job/BKB796/lecturer-in-computing-and-cybersecurity/

We are looking for Research Fellow (Post-Doc), to join our group. The applicants should have background and be interested in working on different aspects of lattice-based cryptography, in particular on:

• security proofs for lattice-based schemes,
• building and implementing lattice-based constructions,
• fully homomorphic encryption

The research will take place in the Embedded Security and Cryptography (EMSEC) team, within the IRISA computer science institute located in Rennes, France.

We are looking for candidates with a PhD in cryptography and with publications in cryptographic conferences.

To apply please send your detailed CV (with publication list), a motivation letter, and contact informations of at least two people who can provide reference letters.

The duration of the position is 2 years, it has flexible starting date (ideally between September and December). Review of applications will start immediately until the position is filled.

Closing date for applications: 31 August 2018

Contact: Adeline Roux-Langlois, adeline.roux-langlois (at) irisa.fr and Pierre-Alain Fouque, pierre-alain.fouque (at) irisa.fr

A position is available for a Post-Doctoral Researcher in the Decentralized and Distributed Systems (DEDIS) lab at EPFL led by Prof. Bryan Ford. The DEDIS lab focuses on building secure, scalable, and privacy-preserving decentralized systems, with a strong emphasis on building and deploying fully functional and usable systems. DEDIS is currently developing next-generation blockchain or distributed ledger technology, already available as an open-source prototype and in use by industry partners and within EPFL’s campus-wide infrastructure. DEDIS is the only academic research lab globally to have both built a next-generation blockchain system from the ground up and regularly published its design elements in top-tier peer-reviewed security/privacy conferences such as IEEE S&P ‘16, ‘17, ‘18 and USENIX Security ‘16, ‘17.

The Post-Doctoral Researcher will work closely with Prof. Ford, PhD and undergraduate students, senior researchers, and software engineers within the DEDIS lab, along with multiple external research and development partners from industry and academia. Some participation in teaching activities is also expected. Research activities will include notably the design, implementation, and experimental validation of state-of-the-art decentralized systems, including playing a core role in the ongoing design and development of DEDIS’s next-generation blockchain architecture and software infrastructure.

Closing date for applications: 31 July 2018

Contact: dedis (at) epfl.ch

More information: https://recruiting.epfl.ch/Vacancies/568/Description/2

The Applied Crypto group of the University of Luxembourg is offering multiple Ph.D. student and post-doc positions in cryptography, funded by the H2020 ERC programme. Possible topics of interests are fully homomorphic encryption, multilinear maps, public-key cryptanalysis, and blockchain applications.

The Ph.D. students and post-docs will be members of the Security and Trust (SnT) research center from the university of Luxembourg (>200 researchers in all aspects of IT security). We offer a competitive salary (about 34,000 euro/year gross for Ph.D, and 60,000 euro/year gros for post-doc). The duration of the position is 3 years (+ 1 year extension) for Ph.D., and 2.5 years for post-doc.

Profile:

• For Ph.D. position: MSc degree or equivalent in Computer Science or in Mathematics.

• For post-doc position: a PhD in cryptography, with publications in competitive cryptographic conferences

Candidates should submit the following documents:

• Motivation letter indicating your research interests.
• Curriculum vitae (including your contact address, work experience, publications)
• For Ph.D. position: transcripts of B.Sc. and M.Sc. grades
• For post-doc position: a short description of your PhD work (max 1 page).
• Contact information for 3 referees

Closing date for applications: 15 July 2018

Contact: Jean-Sebastien Coron - jean-sebastien.coron at uni dot lu

More information: http://www.crypto-uni.lu/vacancies.html

We initiate the study of incorporating remotely unhackable hardware modules, such as air-gap switches and data diodes, into the field of multi-party computation. As a result, we are able to construct protocols with very strong composable security guarantees that cannot be achieved with adaptive security.

Our application of hardware modules is motivated by the fact that modules with very limited functionality can be implemented securely as fixed-function circuits and (formally) verified for correctness. They can therefore not be hacked remotely.

In comparison to the hardware tokens proposed by Katz at EUROCRYPT `07, our hardware modules are based on substantially weaker assumptions. Our hardware modules may be physically tampered. Hence, they cannot be passed to another (possibly malicious) party but only used and trusted by their owner. In particular, our remotely unhackable hardware modules do not constitute a setup for Universal Composability (UC).

Based on architectures with very few and very simple hardware modules, we are able to construct protocols that provide security against remote hacking if the hack occurs after a protocol party received its (first) input. More specifically, an adversary can neither learn nor change the inputs and outputs of a remotely hacked party in our constructions unless he has control over that party before it has received its (first) input (or controls all parties). In our constructions we assume erasing parties. However, we also show that this assumption can be substantially weakened.

Since the advantages provided by unhackable hardware modules cannot be adequately captured in existing composable security frameworks, we have conceived a new security framework based on the UC framework. We call our framework Fortified UC.