International Association
for Cryptologic Research

An Oblivious PRF (OPRF) is a protocol between a server holding a key to a PRF and a user holding an input. At the end of the interaction, the user learns the output of the OPRF on its input and nothing else. The server learns nothing, including nothing about the user's input or the function's output. OPRFs have found many applications in multiple areas of cryptography. Everspaugh et al. (Usenix 2015) introduced Partially Oblivious PRF (pOPRF) in which the OPRF accepts an additional non-secret input that can be chosen by the server itself, and showed applications in the setting of password hardening protocols. We further investigate pOPRFs showing new constructions, including distributed multi-server schemes, and new applications. We build simple pOPRFs from regular OPRFs, in particular obtaining very efficient DH-based pOPRFs, and provide (n,t)-threshold implementation of such schemes.

We apply these schemes to build Oblivious Key Management Systems (KMS) as a much more secure alternative to traditional wrapping-based KMS. The new system hides keys and object identifiers from the KMS, offers unconditional security for key transport, enables forward security, provides key verifiability, reduces storage, and more. Further, we show how to provide all these features in a distributed threshold implementation that additionally protects the service against server compromise. Finally, we extend the scheme to a threshold Oblivious KMS with updatable encryption so that upon the periodic change of OPRF keys by the server, an efficient update procedure allows a client of the KMS service to non-interactively update all its encrypted data to be decryptable only by the new key. Our techniques improve on the efficiency and security of several recent works on updatable encryption from Crypto and Eurocrypt. We report on an implementation of the above schemes and their performance, showing their practicality and readiness for use in real-world systems. In particular, our pOPRF constructions achieve speeds of over an order of magnitude relative to previous pOPRF schemes.

We show how to build a practical, private data oblivious genome variants search using Intel SGX. More precisely, we consider the problem posed in Track 2 of the iDash Privacy and Security Workshop 2017 competition, which was to search for variants with high $\chi^{2}$ statistic among certain genetic data over two populations. The winning solution of this iDash competition (developed by Carpov and Tortech) is extremely efficient, but not memory oblivious, which potentially made it vulnerable to a whole host of memory- and cache-based side channel attacks on SGX. In this paper, we adapt a framework in which we can exactly quantify this leakage. We provide a memory oblivious implementation with reasonable information leakage at the cost of some efficiency. Our solution is roughly an order of magnitude slower than the non-memory oblivious implementation, but still practical and much more efficient than naive memory-oblivious solutions--it solves the iDash problem in approximately 5 minutes. In order to do this, we develop novel definitions and models for oblivious dictionary merging, which may be of independent theoretical interest.

The distributed discrete logarithm (DDL) problem was introduced by Boyle et al. at CRYPTO 2016. A protocol solving this problem was the main tool used in the share conversion procedure of their homomorphic secret sharing (HSS) scheme which allows non-interactive evaluation of branching programs among two parties over shares of secret inputs.

Let $g$ be a generator of a multiplicative group $\mathbb{G}$. Given a random group element $g^{x}$ and an unknown integer $b \in [-M,M]$ for a small $M$, two parties $A$ and $B$ (that cannot communicate) successfully solve DDL if $A(g^{x}) - B(g^{x+b}) = b$. Otherwise, the parties err. In the DDL protocol of Boyle et al., $A$ and $B$ run in time $T$ and have error probability that is roughly linear in $M/T$. Since it has a significant impact on the HSS scheme's performance, a major open problem raised by Boyle et al. was to reduce the error probability as a function of $T$.

In this paper we devise a new DDL protocol that substantially reduces the error probability to $O(M \cdot T^{-2})$. Our new protocol improves the asymptotic evaluation time complexity of the HSS scheme by Boyle et al. on branching programs of size $S$ from $O(S^2)$ to $O(S^{3/2})$. We further show that our protocol is optimal up to a constant factor for all relevant cryptographic group families, unless one can solve the discrete logarithm problem in a \emph{short} interval of length $R$ in time $o(\sqrt{R})$.

Our DDL protocol is based on a new type of random walk that is composed of several iterations in which the expected step length gradually increases. We believe that this random walk is of independent interest and will find additional applications.

We propose two authenticated key exchange protocols from supersingular isogenies. Our protocols are the first post-quantum one-round Diffie-Hellman type authenticated key exchange ones in the following points: one is secure under the quantum random oracle model and the other resists against maximum exposure where a non-trivial combination of secret keys is revealed. The security of the former and the latter is proven under an isogeny version of the decisional and gap Diffie-Hellman assumption, respectively. We also propose a new approach for invalidating the Galbraith-Vercauteren attack for the gap problem.

We introduce a novel approach for designing symmetric ciphers to resist fault injection. The approach is fairly generic and applies to round functions of block ciphers, cryptographic permutations and stream ciphers. We showcase our method with a new permutation called FRIT and perform fault analysis on a simulated hardware and actual software implementation. We present performance results for software and hardware implementations with and without the fault detection mechanism. On a Cortex-M4 platform the overhead of the countermeasure in cycles is 83%. The penalty on resources for hardware implementations depends on the hardware and can be as low as 56%.

A $k$-out-of-$n$ ring signature is a kind of anonymous signature that can be performed by any member in a group. This signature allows the creation of valid signatures if and only if actual signers more than or equal to $k$ sign the message among $n$ possible signers. In this paper, we present a new $k$-out-of-$n$ ring signature. Our signature has a remarkable property: When the signature is updated from $k$-out-of-$n$ to $(k+\alpha)$-out-of-$n$, the previous signers do not need to sign a message again. Our scheme can ``reuse'' the old signature, whereas the previous schemes revoke it and create a signature from scratch. We call this property ``{{flexibility}}'' and formalize it rigorously. Our signature scheme has a multiple ring structure, each ring of which is based on $1$-out-of-$n$ ring signature. The structure of our scheme is completely different from that of conventional schemes, such as a secret-sharing type. The signers' keys are mostly independent of each user, thanks to a part of keys which use a special hash function. We give the results of provable security for our scheme.

Threshold cryptography provides a mechanism for protecting secret keys by sharing them among multiple parties, who then jointly perform cryptographic operations. An attacker who corrupts upto a threshold number of parties cannot recover the secrets or violate security. Prior works in this space have mostly focused on definitions and constructions for public-key cryptography and digital signatures, and thus do not capture the security concerns and efficiency challenges of symmetric-key based applications which commonly use long-term (unprotected) master keys to protect data at rest, authenticate clients on enterprise networks, and secure data and payments on IoT devices.

We put forth the first formal treatment for distributed symmetric-key encryption, proposing new notions of correctness, privacy and authenticity in presence of malicious attackers. We provide strong and intuitive game-based definitions that are easy to understand and yield efficient constructions.

We propose a generic construction of threshold authenticated encryption based on any distributed pseudorandom function (DPRF). When instantiated with the two different DPRF constructions proposed by Naor, Pinkas and Reingold (Eurocrypt 1999) and our enhanced versions, we obtain several efficient constructions meeting different security definitions. We implement these variants and provide extensive performance comparisons. Our most efficient instantiation uses only symmetric-key primitives and achieves a throughput of upto 1 million encryptions/decryptions per seconds, or alternatively a sub-millisecond latency with upto 18 participating parties.

Reduced-round AES has been a popular underlying primitive to design new cryptographic schemes and thus its security including distinguishing properties deserves more attention. At Crypto'16, a key-dependent integral distinguisher on 5-round AES was put forward, which opened up a new direction to take more insights into the distinguishing properties of AES. After that, two key-dependent impossible differential (ID) distinguishers on 5-round AES were proposed at FSE'16 and CT-RSA'18, respectively. It is strange that the current key-dependent integral distinguisher requires significantly higher complexities than the key-dependent ID distinguishers, even though they are constructed with the same property of MixColumns ($2^{128} \gg 2^{98.2}$). Proposers of the 5-round key-dependent distinguishers claimed that the corresponding integral and ID distinguishers can only work under chosen-ciphertext and chosen-plaintext settings, respectively, which is very different from the situations of traditional key-independent distinguishers.

In this paper, we first construct a novel key-dependent integral distinguisher on 5-round AES with $2^{96}$ chosen plaintexts, which is much better than the previous key-dependent integral distinguisher that requires the full codebook proposed at Crypto'16. Secondly, we show that both distinguishers are valid under either chosen-plaintext setting or chosen-ciphertext setting, which is different from the claims of previous cryptanalysis. However, under different settings, complexities of key-dependent integral distinguishers are very different while those of the key-dependent ID distinguishers are almost the same. We analyze the reasons for it.

Standardization bodies such as NIST and ETSI are currently seeking quantum resistant alternatives to vulnerable RSA and elliptic curve-based public-key algorithms. In this context, we present Round5, a lattice-based cryptosystem providing a key encapsulation mechanism and a public-key encryption scheme. Round5 is based on the General Learning with Rounding problem, unifying non-ring and ring lattice rounding problems into one. Usage of rounding combined with a tight analysis leads to significantly reduced bandwidth and randomness requirements. Round5's reliance on prime-order cyclotomic rings offers a large design space allowing fine-grained parameter optimization. The use of sparse-ternary secret keys improves performance and significantly reduces decryption failure rates at minimal additional cost. The use of error-correcting codes further improves the latter. Round5 parameters have been carefully optimized for bandwidth, while the design facilitates efficient implementation. As a result, Round5 has leading performance characteristics among all NIST post-quantum candidates, and at the same time attains conservative security levels that fully fit NIST's security categories. Round5's schemes share common building blocks, simplifying (security and operational) analysis and code review. Finally, Round5 proposes various approaches of refreshing the system public parameter $\textbf{A}$, which efficiently prevent precomputation and back-door attacks.

Event date: 6 May to 10 May 2019
Submission deadline: 15 February 2018

Event date: 8 April to 12 April 2019
Submission deadline: 10 September 2018
Notification: 10 November 2018

We are looking for outstanding and highly motivated PhD students to work on topics related to hardware security, including:

• Side-channel analysis attacks

• Fault-injection attacks

• Countermeasures against physical attacks

• Physically unclonable functions

• Symmetric cryptography, design and analysis

• Low-power design

The group offers excellent working environment as a part of Horst Görtz Institut for IT Security (HGI hgi.rub.de/en/home/ ) including more than 200 scientists active in several different aspects of IT security and cryptography.

The candidate should have an M.Sc. degree in IT-security, electrical engineering, computer engineering, computer science, or applied mathematics with excellent grades. Being familiar with cryptography concepts and low-level programming is a must. Knowing a hardware design language, e.g., VHDL/verilog, is a plus.

In order to apply, please send your resume, transcripts, and a list of at least two professional references in a single pdf file to

emsec+apply (at) rub.de

Review of applications starts immediately until the position is filled.

Closing date for applications: 31 December 2018

Contact: Amir Moradi

www.emsec.rub.de/moradi

Who we are?

Promise Protocols is one of the fastest growing FinTech companies in Silicon Valley. Promise delivers cash analytics and cash access to thousands of small businesses, that operate with volatile cash balances. We are a platform company whose aim is to automate the hardest parts of small business financial management. We are sometimes the last company many small business merchants come to when no one else will help their businesses stay alive.

Why work at Promise?

We are a high-energy, innovation-focused team of engineers and technologists who want to make running a small business less painful for owners all over the world. Promise’s environment is highly collaborative, and the ideal candidate will have an eye for detail and be a team player who enjoys working with others to find cutting-edge solutions to tricky problems. Come join us!

What we are looking for in the Senior Software Engineer?

Promise Protocols is looking for a passionate and experienced developer with cryptography experience to help develop, build and deploy a distributed, fault-tolerant P2P payments and exchange platform.

This role is ideal for cryptography scientists or software engineers with deep experience and familiarity with evolving and established cryptographic protocols and their implementation.

What you will be responsible doing?

1. Develop, build and deploy crypto protocols in distributed p2p systems

2. Work with core internal team and external open source community

3. Collaborate with teammates to produce protocol specifications

4. Collaborate and support other teams in developing crypto economic consensus protocol

5. Develop and maintain interfaces for platform API

6. Identify and recommend technologies to solve technical challenges

Closing date for applications:

Contact: Please send a request to jobs (at) promiseprotocols.com

More information: https://aquila-1.workable.com/jobs/772792

The 38th annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019, will be held in Darmstadt, Germany on May 19-23, 2019. It is one of the three flagship conferences of the International Association for Cryptologic Research (IACR) and is devoted to all aspects of cryptology.

The IACR is soliciting for affiliated events to be held in conjunction with Eurocrypt 2019 on Saturday, May 18, and/or Sunday, May 19. Each such event is expected to provide a forum for discussing a specific topic of the broad cryptographic world (theory, practice, implementation, standardizations, industry, etc.). The format of the event (e.g., workshop, tutorial, panel, etc.) is up to the organizers.

Information about proposing an affiliated event can be found at https://eurocrypt.iacr.org/2019/callforaffiliatedevents.html. Proposals are due September 2.

Event date: 14 April to 17 April 2019
Submission deadline: 12 October 2018
Notification: 21 December 2018

This work proposes the first fine-grained configurable cell array specifically tailored for cryptographic implementations. The proposed architecture can be added to future FPGAs as an application-specific configurable building block, or to an ASIC as an embedded FPGA (eFPGA). The goal is to map cryptographic ciphers on combinatorial cells that are more efficient than general purpose lookup tables in terms of silicon area, configuration memory and combinatorial delay. As a first step in this research direction, we focus on block ciphers and we derive the most suitable cell structure for mapping state-of-the-art algorithms. We develop the related automated design flow, exploiting the synthesis capabilities of Synopsys Design Compiler and the routing capabilities of Xilinx ISE. Our solution is the first cryptography-oriented fine-grained architecture that can be configured using common hardware description languages. We evaluate the performance of our solution by mapping a number of well-known block ciphers onto our new cells. The obtained results show that our proposed architecture drastically outperforms commercial FPGAs in terms of silicon area and configuration memory resources, while obtaining a similar throughput.

The Cyber Security Researchers of Waikato (CROW) - the first cyber security lab in NZ - created the NZ Cyber Security Challenge, and leads the Ministry of Business, Innovation and Employment funded STRATUS project (NZD12.2 mil). CROW collaborates with 58 other local and international organisations, including STRATUS end-user partners Interpol and NZ Police.

We are seeking to appoint a full time fixed term Research Fellow to contribute to our research objectives associated with cybercrime, computer security and cloud computing. This position has responsibilities to achieve research objectives associated with the STRATUS industry partners.

A PhD in cyber security, cybercrime, computer science or a related field is essential as is having demonstrated research ability in cyber security and cybercrime. A requirement of this position is the ability to commercialise research prototypes into products/services and the demonstrated ability to publish in high quality academic journals, work collaboratively with others and undertake some teaching if required.

Preference will be given to candidates who have work experience with cybercrime, security, intelligence, or law enforcement agencies including work experience in the cybercrime, security digital forensics, machine learning, applied cryptography, etc.

Salary will be in the range of NZ$74,034 to $89,163 per year, depending on qualifications, skills and experience.

This position is fixed-term until October 2020, and will be opened until filled.

Enquiries of an academic nature should be directed to Associate Professor Ryan Ko – Director, NZ Institute for Security and Crime Science, email: ryan.ko AT waikato.ac.nz

Closing date for applications: 4 January 2019

Contact: Associate Professor Ryan Ko, ryan.ko AT waikato.ac.nz

More information: https://www.waikato.ac.nz/vacancies/current-vacancies

Round5 is a Public Key Encryption and Key Encapsulation Mechanism (KEM) based on General Learning with Rounding (GLWR), a lattice problem. We argue that the ring variant of GLWR is better suited for embedded targets than the more common RLWE (Ring Learning With Errors) due to significantly shorter keys and messages. Round5 incorporates GLWR with error correction, building on design features from NIST Post-Quantum Standardization candidates Round2 and Hila5. The proposal avoids Number Theoretic Transforms (NTT), allowing more flexibility in parameter selection and making it simpler to implement. We discuss implementation techniques of Round5 ring variants and compare them to other NIST PQC candidates on lightweight Cortex M4 platform. We show that Round5 offers not only the shortest key and ciphertext sizes among Lattice-based candidates, but also currently has leading performance and implementation size characteristics.

Blockchain technology like Bitcoin is a rapidly growing field of research which has found a wide array of applications. However, the power consumption of the mining process in the Bitcoin blockchain alone is estimated to be at least as high as the electricity consumption of Ireland which constitutes a serious liability to the widespread adoption of blockchain technology. We propose a novel instantiation of a proof of human-work which is a cryptographic proof that an amount of human work has been exercised, and show its use in the mining process of a blockchain. Next to our instantiation there is only one other instantiation known which relies on indistinguishability obfuscation, a cryptographic primitive whose existence is only conjectured. In contrast, our construction is based on the cryptographic principle of multiparty computation (which we use in a black box manner) and thus is the first known feasible proof of human-work scheme. Our blockchain mining algorithm called uMine, can be regarded as an alternative energy-efficient approach to mining.

Transparency logs allow users to audit a potentially malicious service, paving the way towards a more accountable Internet. For example, Certificate Transparency (CT) enables domain owners to audit Certificate Authorities (CAs) and detect impersonation attacks. Yet to achieve their full potential, trans- parency logs must be efficiently auditable. Specifically, everyone should be able to verify both (non)membership of log entries and that the log remains append-only. Unfortunately, current transparency logs either provide small-sized (non)membership proofs or small-sized append-only proofs, but never both. In fact, one of the proofs always requires bandwidth linear in the size of the log, making it expensive for everyone to audit the log and resulting in a few “opaque” trusted auditors. In this paper, we address this gap with a new primitive called an append-only authenticated dictionary (AAD). Our construction is the first to achieve (poly)logarithmic size for both proof types. Moreover, our experimental evaluation is very encouraging: for reasonable application scenarios, our AAD reduces the total communication bandwidth in transparency schemes by more than 200x, compared to previous approaches.