International Association
for Cryptologic Research

LowMC is a block cipher family that is optimized for practical instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs. It was designed in 2015 by Albrecht et al., and has recently become a substantial building block in several novel post-quantum cryptosystems. A large portion of LowMC instances use a relatively recent design strategy (initiated by G\`{e}rard et al. at CHES 2013) of applying the non-linear layer to only a part of the state in each round, where the shortage of non-linear operations is partially compensated by heavy linear algebra. Since the high linear algebra complexity has been a bottleneck in several applications, one of the open questions raised by the designers was to reduce it, without introducing additional non-linear operations (or compromising security).

In this paper, we consider LowMC instances with block size $n$, partial non-linear layers of size $s \leq n$ and $r$ encryption rounds. We show that when $s < n$, each LowMC instance belongs to a large class of equivalent instances. We then select a \emph{representative instance} from this class for which encryption (and decryption) can be implemented much more efficiently than for an arbitrary instance. This yields a new encryption algorithm that is equivalent to the standard one, but reduces the evaluation time and storage of the linear layers from $r \cdot n^2$ bits to about $r \cdot n^2 - (r-1)(n-s)^2$, which is a substantial improvement for small $s$ and a reasonable choice of $r$. For standard LowMC parameters, our new encryption algorithm achieves a reduction by a factor between 2 and 4, while for more extreme parameter choices (suggested by the designers) the reduction is by a factor of more than 140. Furthermore, our new encryption algorithm is applicable to all SP-networks with partial non-linear layers.

An additional unique feature of LowMC is that the linear layers of its instances are sampled at random. In the second part of the paper, we show how to reduce the sampling time and randomness complexities (i.e., the number of random bits used) by directly sampling representative instances. Finally, we formalize the notion of linear equivalence of block ciphers with partial non-linear layers and prove that the memory complexity of our encryption algorithm and the randomness complexity of our sampling algorithm are optimal.

We give a simple construction of indistinguishability obfuscation for Turing machines where the time to obfuscate grows only with the description size of the machine and otherwise, independent of the running time and the space used. While this result is already known [Koppula, Lewko, and Waters, STOC 2015], our construction and its analysis are conceptually much simpler. In particular, the main technical component in the proof of our construction is a simple combinatorial pebbling argument [Garg and Srinivasan, EUROCRYPT 2018]. Our construction makes use of indistinguishability obfuscation for circuits and laconic oblivious transfer.

We formulate and study the security of cryptographic hash functions in the backdoored random-oracle (BRO) model, whereby a big brother designs a "good" hash function, but can also see arbitrary functions of its table via backdoor capabilities. This model captures intentional (and unintentional) weaknesses due to the existence of collision-finding or inversion algorithms, but goes well beyond them by allowing, for example, to search for structured preimages. The latter can easily break constructions that are secure under random inversions.

BROs make the task of bootstrapping cryptographic hardness somewhat challenging. Indeed, with only a single arbitrarily backdoored function no hardness can be bootstrapped as any construction can be inverted. However, when two (or more) independent hash functions are available, hardness emerges even with unrestricted and adaptive access to all backdoor oracles. At the core of our results lie new reductions from cryptographic problems to the communication complexities of various two-party tasks. Along the way we establish a communication complexity lower bound for set-intersection for cryptographically relevant ranges of parameters and distributions and where set-disjointness can be easy.

Almost perfect nonlinear (APN) functions over fields of characteristic 2 play an important role in cryptography, coding theory and, more generally, information theory as well as mathematics. Building new APN families is a challenge which has not been successfully addressed for more than seven years now. The most general known equivalence relation preserving APN property in characteristic 2 is CCZ-equivalence. Extended to general characteristic, it also preserves planarity. In the case of quadratic planar functions, it is a particular case of isotopic equivalence. We apply the idea of isotopic equivalence to transform APN functions in characteristic 2 into other functions, some of which can be APN. We deduce new quadratic APN functions and a new quadratic APN family.

We present and analyze the performance of DRANKULA, a McEliece-like cryptosystem implementation using \textit{rank metric} instead of Hamming distance. Namely, we use the scheme proposed by Loidreau in PQCrypto 2017 using Gabidulin codes. We propose a set of carefully selected parameters and we address several non-trivial issues when porting this scheme into real-world systems as, for example, the generation of errors of a given rank. We provide the pseudo-code of the core algorithms of the cryptosystem. In addition, we also show code optimization when special instructions like Carry-less multiplications are available. Moreover, we argue how to have a practical and side-channel resistant version of the cryptosystem. We integrated the scheme in Open Quantum Safe and benchmarked it against the other schemes implemented there. Our results show that DRANKULA can be a practical alternative to other well-known quantum-safe schemes.

As part of a joint project between the University of South Florida (USF, based in Tampa) and Florida Atlantic University (FAU, based in Boca Raton), we expect to hire two postdocs for 2 years each. The starting date is negotiable (immediate start is possible).

The areas of interest are

• Lattice based cryptography.
• Isogeny-based cryptography.
• Cryptocurrencies.
• Classical and quantum cryptanalysis.

The person recruited at USF will report to Dr. Jean-Francois Biasse. They will work on fundamental aspects of the aforementioned topics and be hired by the Mathematics department. The annual salary will be $47,659

The person recruited at FAU will report to Dr Reza Azarderakhsh. They will work on efficient implementations related to the topics of interests, with an emphasis on hardware solutions. They will be hired by the Department of Computer and Electrical Engineering and Computer Science. The annual salary will be $50,000.

If you are interested in either position, please send a CV and a 1 page research statement to usf.fau.crypto.postdoc (at) gmail.com.

Review of applications will start immediately and will continue until both positions are filled.

Closing date for applications: 31 December 2018

This document presents Xoodoo, a 48-byte cryptographic permutation that allows very efficient symmetric crypto on a wide range of platforms and a suite of cryptographic functions built on top of it. The central function in this suite is Xoofff, obtained by instantiating Farfalle with Xoodoo. Xoofff is what we call a deck function and can readily be used for MAC computation, stream encryption and key derivation. The suite includes two session authenticated encryption (SAE) modes: Xoofff-SANE and Xoofff-SANSE. Both are built on top of Xoofff and differ in their robustness with respect to nonce misuse. The final members of the suite are a tweakable wide block cipher Xoofff-WBC and authenticated encryption mode Xoofff-WBC-AE, obtained by instantiating the Farfalle-WBC and Farfalle-WBC-AE constructions with Xoofff. This paper is a specification and security claim reference for the Xoodoo suite. It is a standing document: over time, we may extend the Xoodoo suite, e.g., with a hash function or a dedicated lightweight MAC function and we will update it accordingly.

Event date: 10 October 2018

We are seeking an experienced and enthusiastic academic to augment our capabilities, capacity, and connections to industry in the rapidly evolving domain of cybersecurity. This opportunity is strongly motivated by the increasing need for cybersecurity in a world where our reliance on, and threats to, digital systems and data are escalating in tandem with a surging demand for graduates skilled in cybersecurity tools and techniques.

This critical position will sit within the School\'s Information Security Discipline whose research and teaching addresses a range of interdisciplinary topics in information security management, cryptography, network security and digital forensics. QUT is also one of the founding members of the newly-established Cyber Security Cooperative Research Centre. This position will involve conducting high quality research in emerging areas of cybersecurity; teaching undergraduate and postgraduate classes in cybersecurity principles and practices; and supervising higher-degree research students. The research will be conducted in one or more areas of cybersecurity principles and practices such as:

• Critical infrastructure design

• Computer security certification

• Identity management

• Digital forensics

• Network security

• Ransomware recovery

• Security auditing

• Information security management

• Trusted computing bases

• Malware analysis

• Intrusion detection

• Security-by-design

• Social engineering

• Applied cryptography

• Cloud security

• Supply chain security

Closing date for applications: 22 September 2018

More information: https://qut.nga.net.au/?jati=D9C23EA3-394E-7D62-5EDD-A474F0AE7BD7

Overview

Algorand is the next generation blockchain platform and digital currency. Possessing a thorough and thoughtfully constructed decentralized economy where all transactions are safe, fast and uncensored while scalable to billions of users, Algorand will help unleash the economic potential of people across the globe as we democratize access to financial instruments.

The Team

The Algorand team combines technological luminaries and proven business leaders. Algorand is founded by Silvio Micali, MIT Ford Professor of Engineering and recipient of the Turing Award in Computer Science.

Our office is located in the heart of downtown Boston. All positions are in this location, though remote work is possible for exceptional candidates.

The Role

This is a senior level role where you will have the opportunity to influence the design and implementation of Algorand’s core cryptographic protocols and schemes. You’ll be working closely with senior cryptographers at the company to engineer new schemes and constructions, implement and deploy them at scale. This involves open source development, contribution to cutting-edge research, and industry standards.

Cryptography engineers are expected to have deep domain knowledge, be familiar with the nuances of implementing public-key cryptography, side-channel attacks, padding oracles, constant-time implementations.

Responsibilities

You will join a small, extremely capable, and enthusiastic Boston-based team. Your ideas and your innovation will help shape the new blockchain and cryptocurrency ecosystem of tomorrow. The current suite of projects are implemented in primarily Go and C++.

The core product will be open sourced. Significant open source contribution experience will be considered very favorably.

Closing date for applications: 1 July 2019

Contact: Sergey Gorbunov, sergey (at) algorand.com

More information: https://www.algorand.com/careers/

The Faculty of Engineering, Computer and Mathematical Sciences at the University of Adelaide strives to develop a culture of high performance, collaboration and respect that attracts and nurtures exceptional talent to deliver excellence. We invite applications from suitably qualified women to join us as Associate Professor/Senior Lecturer in Cyber Security in our School of Computer Science to drive research with profound impact and to participate in our vibrant learning environment.

In the most recent Academic Ranking of World Universities (Computer Science & Engineering) the School of Computer Science was ranked 43rd world-wide. We can provide you with an excellent research and industry environment in cybersecurity in which to thrive. This continuing position is a great opportunity for you to set new research directions and contribute to teaching curriculum development.

A variety of flexible working arrangements are available for the successful candidate.

Closing date for applications: 9 September 2018

More information: http://careers.adelaide.edu.au/cw/en/job/499007/senior-lecturer-associate-professor-in-cyber-security-school-of-computer

The ISG is seeking to recruit a post-doctoral research assistant to work in the area of cryptography. The position is available now and will run until the end of 2021.

The PDRA will work alongside Martin Albrecht and other cryptographic researchers at Royal Holloway on topics in lattice-based cryptography. This post is part of the EU H2020 PROMETHEUS project (http://prometheuscrypt.gforge.inria.fr) for building privacy preserving systems from advanced lattice primitives. Our research focus within this project is on cryptanalysis and implementations, but applicants with a strong background in other areas such as protocol/primitive design are also encouraged to apply.

Applicants should have already completed, or be close to completing, a PhD in a relevant discipline. Applicants should have an outstanding research track record in cryptography. Applicants should be able to demonstrate scientific creativity, research independence, and the ability to communicate their ideas effectively in written and verbal form.

In return we offer a highly competitive rewards and benefits package including generous annual leave and training and development opportunities. This is a full time fixed term post is based in Egham, Surrey where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

To view further details of this post and to apply please visit https://jobs.royalholloway.ac.uk. For queries on the application process the Human Resources Department can be contacted by email at: recruitment (at) rhul.ac.uk.

Please quote the reference: 0818-334

Closing date for applications: 17 September 2018

Contact: Martin Albrecht, martin.albrecht _at_ royalholloway.ac.uk

More information: https://jobs.royalholloway.ac.uk/vacancy.aspx?ref=0818-334

The 2018 TCC Test-of-Time Award goes to Dan Boneh, Eu-Jin Goh and Kobbi Nissim, for their TCC 2005 paper "Evaluating 2-DNF Formulas on Ciphertexts".

The award committee recognizes this paper "for introducing compact two-operation homomorphic encryption and developing new bilinear map techniques that led to major improvements in the design of cryptographic schemes."

The TCC Test of Time Award recognizes outstanding papers, published in TCC at least eight years ago, making a significant contribution to the theory of cryptography, preferably with influence also in other area of cryptography, theory, and beyond. The inaugural TCC Test of Time Award was given in TCC 2015 for papers published no later than TCC 2007.

The Noise Protocol Framework, introduced recently, allows for the design and construction of secure channel protocols by describing them through a simple, restricted language from which complex key derivation and local state transitions are automatically inferred. Noise "Handshake Patterns" can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding and other advanced features. Since the framework's release, Noise-based protocols have been adopted by WhatsApp, WireGuard and other high-profile applications.

We present Noise Explorer, an online engine for designing, reasoning about and formally verifying arbitrary Noise Handshake Patterns. Based on our formal treatment of the Noise Protocol Framework, Noise Explorer can validate any Noise Handshake Pattern and then translate it into a model ready for automated verification. We use Noise Explorer to analyze 50 Noise Handshake Patterns. We confirm the stated security goals for 12 fundamental patterns and provide precise properties for the rest. We also analyze unsafe Noise patterns and discover potential attacks. All of this work is consolidated into a usable online tool that presents a compendium of results and can parse formal verification results to generate detailed-but-pedagogical reports regarding the exact security guarantees of each message of a Noise Handshake Pattern with respect to each party, under an active attacker and including malicious principals. Noise Explorer evolves alongside the standard Noise Protocol Framework, having already contributed new security goal verification results and stronger definitions for pattern validation and security parameters.

Symbolic methods have been used extensively for proving security of cryptographic protocols in the Dolev-Yao model, and more recently for proving security of cryptographic primitives and constructions in the computational model. However, existing methods for proving security of cryptographic constructions in the computational model often require significant expertise and interaction, or are fairly limited in scope and expressivity.

This paper introduces a symbolic approach for proving security of cryptographic constructions based on the Learning With Errors assumption (Regev, STOC 2005). Such constructions are instances of lattice-based cryptography and are extremely important due to their potential role in post-quantum cryptography. Following (Barthe, Gr\'egoire and Schmidt, CCS 2015), our approach combines a computational logic and deducibility problems---a standard tool for representing the adversary's knowledge, the Dolev-Yao model. The computational logic is used to capture (indistinguishability-based) security notions and drive the security proofs whereas deducibility problems are used as side-conditions to control that rules of the logic are applied correctly. We then use \AutoLWE, an implementation of the logic, to deliver very short or even automatic proofs of several emblematic constructions, including CPA-PKE (Gentry et al., STOC 2008), (Hierarchical) Identity-Based Encryption (Agrawal et al. Eurocrypt 2010), Inner Product Encryption (Agrawal et al. Asiacrypt 2011), CCA-PKE (Micciancio et al., Eurocrypt 2012). The main technical novelty beyond AutoLWE is a set of (semi-)decision procedures for deducibility problems, using extensions of Gr\"obner basis computations for subalgebras in the (non-)commutative setting (instead of ideals in the commutative setting). Our procedures cover the theory of matrices, which is required for lattice-based assumption, as well as the theory of non-commutative rings, fields, and Diffie-Hellman exponentiation, in its standard, bilinear and multilinear forms. Additionally, AutoLWE supports oracle-relative assumptions, which are used specifically to apply (advanced forms of) the Leftover Hash Lemma, an information-theoretical tool widely used in lattice-based proofs.

Post-quantum cryptosystems involve basically the families of algorithms based on lattices, error correcting codes, multivariate quadratic systems (MQ), and schemes based on symmetric cryptography primitives in general, as well as on hash functions. The project in which the candidate will be inserted aims to specify, develop and analyze secure and hardware-friendly post-quantum cryptographic schemes for providing a variety of security services, including encryption, authentication and digital signatures.

The focus will be on performance improvements, possibly in terms of processing time and energy requirements, but especially in terms of key, signatures and ciphertext sizes. The security analysis of these schemes should consider both cryptanalytic attacks and implementation-related threats, such as side-channel attacks. The performance evaluation of the schemes will be both theoretical (considering computational complexity, underlying parallelism opportunities) and experimental (using software prototypes and hardware implementations).

The main requirements for the application are: (1) to have a solid background in cryptography, preferably (but not necessarily) with post-quantum primitives; (2) to have good design/programming skills, preferably (but not necessarily) in programming languages such as C and/or hardware description languages such as VHDL, and (3) to be enrolled (or to be willing to enroll) at the Graduate Program in Electrical Engineering, Escola Politécnica, Universidade de São Paulo, São Paulo campus (http://ppgee.poli.usp.br/en/), with a full time dedication.

This opportunity is open for candidates of any nationality.

Closing date for applications: 27 August 2018

Contact: Prof. Marcos A. Simplicio Jr -- msimplicio (at) larc.usp.br

Are You Interested in Cryptography And/Or Blockchain Technology?

Post-Doc Positions.

Professor Ivan Visconti is the scientific coordinator for University of Salerno of the project Privacy-Enhancing Cryptography in Distributed Ledgers (PRIViLEDGE) and is involved in several other research activities related to Cybersecurity, Cryptography and Blockchain Technology. Expressions of interest for post-doc positions in the field of privacy-preserving cryptography and distributed ledger technology, to be supervised by professor Ivan Visconti are welcome. Candidates are expected to have a solid publication record (e.g., IACR conferences, CCS, IEEE S&P,....). The positions are available immediately. The net salary can be even higher than the average net salary of an associate professor in Italy. There is also some travel budget to attend conferences, project meetings and research visits. In case you are interested, please send your CV and 2 names for letters of reference to Ivan Visconti (ivan DOT visconti AT gmail DOT com).

PhD Positions.

There are up to 14 PhD positions at the computer engineering department of University of Salerno (Italy). The deadline for applications is September 19, 2018, and the master degree must be obtained by November 6, 2018.

Closing date for applications: 6 November 2018

Contact: Ivan Visconti (ivan DOT visconti AT gmail DOT com)

More information: https://goo.gl/DmFgGM

When designing a new symmetric-key primitive, the designer must show resistance to know attacks. Perhaps most prominent amongst these are linear and differential cryptanalysis. However, it is notoriously difficult to accurately demonstrate e.g. a block cipher's resistance to these attacks, and thus most designer resort to deriving bounds on the linear correlations and differential probabilities of their cipher. On the other side of the spectrum, the cryptanalyst is also interested in accurately assessing the strength of a linear or differential attack.

While several tools have been developed to search for optimal linear and differential trails, e.g. MILP and SAT based methods, only few approaches specifically try to find as many trails of a single approximation or differential as possible. This can result in an overestimate of a ciphers resistance to linear and differential attacks, as was for example the case for PRESENT.

In this work, we present a new algorithm for linear and differential trail search. The algorithm represents the problem of estimating approximations and differentials as the problem of finding many paths through a multistage graph, and we demonstrate that this approach allows is to find a very large number of trails for each approximation or differential. Moreover, we show how the algorithm can be used to efficiently estimate the key dependent correlation distribution of a linear approximation, facilitating advanced linear attacks. We apply the algorithm to 17 different ciphers, and demonstrate new and improved results on several of these.

A new approach to invariant subspaces and nonlinear invariants is developed. This results in both theoretical insights and practical attacks on block ciphers. It is shown that, with minor modifications to some of the round constants, Midori-64 has a nonlinear invariant with $2^{96}$ corresponding weak keys. Furthermore, this invariant corresponds to a linear hull with maximal correlation. By combining the new invariant with integral cryptanalysis, a practical key-recovery attack on 10 rounds of unmodified Midori-64 is obtained. The attack works for $2^{96}$ weak keys and irrespective of the choice of round constants. The data complexity is $1.25 \cdot 2^{21}$ chosen plaintexts and the computational cost is dominated by $2^{56}$ block cipher calls. Finally, it is shown that similar techniques lead to a practical key-recovery attack on MANTIS-4. The full key is recovered using 640 chosen plaintexts and the attack requires about $2^{56}$ block cipher calls.

Protocols for secure multiparty computation (MPC) enable a set of mutually distrusting parties to compute an arbitrary function of their inputs while preserving basic security properties like \emph{privacy} and \emph{correctness}. The study of MPC was initiated in the 1980s where it was shown that any function can be securely computed, thus demonstrating the power of this notion. However, these proofs of feasibility were theoretical in nature and it is only recently that MPC protocols started to become efficient enough for use in practice. Today, we have protocols that can carry out large and complex computations in very reasonable time (and can even be very fast, depending on the computation and the setting). Despite this amazing progress, there is still a major obstacle to the adoption and use of MPC due to the huge expertise needed to design a specific MPC execution. In particular, the function to be computed needs to be represented as an appropriate Boolean or arithmetic circuit, and this requires very specific expertise. In order to overcome this, there has been considerable work on compilation of code to (typically) Boolean circuits. One work in this direction takes a different approach, and this is the SPDZ compiler (not to be confused with the SPDZ protocol) that takes high-level Python code and provides an MPC run-time environment for securely executing that code. The SPDZ compiler can deal with arithmetic and non-arithmetic operations and is extremely powerful. However, until now, the SPDZ compiler could only be used for the specific SPDZ family of protocols, making its general applicability and usefulness very limited.

In this paper, we extend the SPDZ compiler so that it can work with general underlying protocols. Our SPDZ extensions were made in mind to enable the use of SPDZ for arbitrary protocols and to make it easy for others to integrate existing and new protocols. We integrated three different types of protocols, an honest-majority protocol for computing arithmetic circuits over a field (for any number of parties), a three-party honest majority protocol for computing arithmetic circuits over the ring of integers $\Z_{2^n}$, and the multiparty BMR protocol for computing Boolean circuits. We show that a single high-level SPDZ-Python program can be executed using all of these underlying protocols (as well as the original SPDZ protocol), thereby making SPDZ a true general run-time MPC environment.

In order to be able to handle both arithmetic and non-arithmetic operations, the SPDZ compiler relies on conversions from field elements to bits and back. However, these conversions do not apply to ring elements (in particular, they require element division), and we therefore introduce new bit decomposition and recomposition protocols for the ring over integers with replicated secret sharing. These conversions are of independent interest and utilize the structure of $\Z_{2^n}$ (which is much more amenable to bit decomposition than prime-order fields), and are thus much more efficient than all previous methods.

We demonstrate our compiler extensions by running a complex SQL query and a decision tree evaluation over all protocols.