International Association
for Cryptologic Research

So far, the topic of merged mining has mainly been considered in a security context, covering issues such as mining power centralization or crosschain attack scenarios. In this work we show that key information for determining blockchain metrics such as the fork rate can be recovered through data extracted from merge mined cryptocurrencies. Specifically, we reconstruct a long-ranging view of forks and stale blocks in Bitcoin from its merge mined child chains, and compare our results to previous findings that were derived from live measurements. Thereby, we show that live monitoring alone is not sufficient to capture a large majority of these events, as we are able to identify a non-negligible portion of stale blocks that were previously unaccounted for. Their authenticity is ensured by cryptographic evidence regarding both, their position in the respective blockchain, as well as the Proof-of-Work difficulty.

Furthermore, by applying this new technique to Litecoin and its child cryptocur rencies, we are able to provide the first extensive view and lower bound on the stale block and fork rate in the Litecoin network. Finally, we outline that a recovery of other important metrics and blockchain characteristics through merged mining may also be possible.

This paper proposes two closely related asymmetric key (or a public key) schemes for key exchange whose security is based on the notion of ideal secrecy. In the first scheme, the private key consists of two singular matrices, a polar code matrix and a random permutation matrix all over the binary field. The sender transmits addition of two messages over a public channel using the public key of the receiver. The receiver can decrypt individual messages using the private key. An adversary, without the knowledge of the private key, can only compute multiple equiprobable solutions in a space of sufficiently large size related to the dimension of the kernel of the singular matrices. This achieves security in the sense of ideal secrecy. The next scheme extends over general matrices. The two schemes are cryptanalyzed against various attacks.

We present Ouroboros Crypsinous, the first privacy-preserving proof-of-stake (PoS) blockchain protocol. To model its security we give a thorough treatment of private ledgers in the universal composition (UC) setting that might be of independent interest. To prove our protocol secure against adaptive attacks, which are particularly critical in the PoS setting, we introduce a new coin evolution technique that relies on a SNARKs mechanism and key-private forward secure encryption. The latter primitive---and the associated construction---can be of independent interest. We stress that existing approaches to private blockchains, such as the proof-of-work-based Zerocash are analyzed only against static corruptions.

Cloud storage enables its users to store confidential information as encrypted files in the cloud. A cloud user (say Alice) can share her encrypted files with another user (say Bob) by availing proxy re-encryption services of the cloud. Proxy Re-Encryption (PRE) is a cryptographic primitive that allows transformation of ciphertexts from Alice to Bob via a semi-trusted proxy, who should not learn anything about the shared message. Typically, the re-encryption rights are enabled only for a bounded, fixed time and malicious parties may want to decrypt or learn messages encrypted for Alice, even beyond that time. The basic security notion of PRE assumes the proxy (cloud) is semi-trusted, which is seemingly insufficient in practical applications. The proxy may want to collude with Bob to obtain the private keys of Alice for later use. Such an attack is called collusion attack, allowing colluders to illegally access all encrypted information of Alice in the cloud. Hence, achieving collusion resistance is indispensable to real-world scenarios. Realizing collusion-resistant PRE has been an interesting problem in the ID-based setting. To this end, several attempts have been made to construct a collusion-resistant IB-PRE scheme and we discuss their properties and weaknesses in this paper. We also present a new collusion-resistant IB-PRE scheme that meets the adaptive CCA security under the decisional bilinear Diffie-Hellman hardness assumption and its variant in the random oracle model.

The Coefficients H Technique (also called H-technique), by Patarin, is a tool to obtain upper bound on the distinguishing advantage. The tool is known for providing quite simpler and tight bound proofs as compared to some other well-known tools such as Game-playing technique and Random Systems methodology. In this paper, we aim to provide a brief survey on the H-technique. The survey is in three parts: First, we redevelop the necessary nomenclatures and tools required to study the security of symmetric key designs. Second, we give a full description of the H-technique and show that it can provide optimal bounds on the distinguishing advantage. Third, we give simpler proofs for some popular symmetric key designs, across different paradigms, using the H-technique.

Indistinguishability obfuscation constructions based on matrix branching programs generally proceed in two steps: first apply Kilian's randomization of the matrix product computation, and then encode the matrices using a multilinear map scheme. In this paper we observe that by applying Kilian's randomization after encoding, the complexity of the best attacks is significantly increased for CLT13. This implies that much smaller parameters can be used, which improves the efficiency of the constructions by several orders of magnitude.

As an application, we describe the first concrete implementation of non-interactive Diffie-Hellman key exchange secure against existing attacks. Key exchange was originally the most straightforward application of multilinear maps; however it was quickly broken for the three known families of multilinear maps (GGH13, CLT13 and GGH15). Here we describe the first implementation of key exchange based on CLT13 that is resistant against the Cheon et al. attack. For N=4 users and a medium (62 bits) level of security, our implementation requires 8 GB of public parameters, and a few minutes for the derivation of a shared key. Without Kilian's randomization of encodings our construction would be completely unpractical, as it would require more than 100 TB of public parameters.

Direct Anonymous Attestation (DAA) is an anonymous signature scheme, which is designed to allow the Trusted Platform Module (TPM), a small chip embedded in a host computer, to attest to the state of the host system, while preserving the privacy of the user. DAA provides two signature modes: fully anonymous signatures and pseudonymous signatures. To generate a DAA signature, the calculations are divided between the TPM and the host. One goal for designing new DAA schemes is to reduce the signing burden on the TPM as much as possible, since the TPM has only limited resources when compared to the host and the computational overhead of the TPM dominates the whole signing performance. In an optimal DAA scheme, the signing workload on the TPM will be no more than that required for a normal signature. DAA has developed about fifteen years, but no scheme has achieved this optimal signing efficiency for both signature modes. In this paper, we propose the first DAA scheme which achieves this optimal TPM signing efficiency for both signature modes. In particular, the TPM takes only a single exponentiation in a prime-order group when generating a DAA signature. Additionally, this single exponentiation can be precomputed, which enables our scheme to achieve fast online signing time. Our DAA scheme is provably secure under the DDH, DBDH and q-SDH assumptions in the Universally Composable (UC) security model. Our scheme can be implemented using the existing TPM 2.0 commands, and thus is compatible with the TPM 2.0 specification. There are three important use cases for DAA: quoting platform configuration register values, certifying a key and signing a message. We have implemented and benchmarked the commands needed for these use cases on an Infineon TPM 2.0 chip. Based on these benchmark results, our scheme is about twice as fast as the existing DAA schemes supported by TPM 2.0 in terms of signing efficiency. In addition, our DAA scheme supports selective attribute disclosure, which can satisfy more application requirements. We also extend our DAA scheme to support signature-based revocation and to guarantee privacy against subverted TPMs. The two extended DAA schemes keep the TPM signing efficiency optimal for both signature modes, and outperform existing related schemes in terms of signing performance.

This paper introduces Freestyle, a randomized, and variable round version of the ChaCha cipher. Freestyle demonstrates the concept of hash based halting condition, where a decryption attempt with an incorrect key is likely to take longer time to halt. This makes it resistant to key-guessing attacks i.e. brute-force and dictionary based attacks. Freestyle uses a novel approach for ciphertext randomization by using random number of rounds for each block of message, where the exact number of rounds are unknown to the receiver in advance. Due to its inherent random behavior, Freestyle provides the possibility of generating up to $2^{256}$ different ciphertexts for a given key, nonce, and message; thus resisting key and nonce reuse attacks. This also makes cryptanalysis through known-plaintext, chosen-plaintext, and chosen-ciphertext attacks difficult in practice. Freestyle is highly customizable, which makes it suitable for both low-powered devices as well as security-critical applications. It is ideal for: (i) applications that favor ciphertext randomization and resistance to key-guessing and key reuse attacks; and (ii) situations where ciphertext is in full control of an adversary for carrying out an offline key-guessing attack.

To deal with message streams, which is required by many symmetric cryptographic functionalities (MAC, AE, HASH), we propose a lightweight round function called Thin Sponge. We give a framework to construct all these functionalities (MAC, AE, and HASH) using the same Thin Sponge round function. Besides the common security assumptions behind traditional symmetric algorithms, the security of our schemes depends on the hardness of problems to find collisions of some states. We give a class of constructions of Thin Sponge, which is improvement of the round function of Trivium and ACORN. We give simple criteria for determining parameters. According to these criteria, we give an example, which achieves all functionalities in a single round function and hence can be realized by the same hardware. Our algorithm is also efficient in software.

A landmark security property of smart contracts is liquidity: in a non-liquid contract, it may happen that some funds remain frozen. The relevance of this issue is witnessed by a recent liquidity attack to the Ethereum Parity Wallet, which has frozen 160M USD within the contract, making this sum unredeemable by any user. We address the problem of verifying liquidity of Bitcoin contracts. Focussing on itML, a contracts DSL with a computationally sound compiler to Bitcoin, we study various notions of liquidity. Our main result is that liquidity of BitML contracts is decidable, in all the proposed variants. To prove this, we first transform the infinite-state semantics of BitML into a finite-state one, which focusses on the behaviour of any given set of contracts, abstracting the moves of the context. With respect to the chosen contracts, this abstraction in sound and complete. Our decision procedure for liquidity is then based on model-checking the finite space of states of the abstraction. The computational soundness of the BitML compiler allows to lift this result from the symbolic to the computational level: if our decision procedure establishes that a contract is liquid, then it will be such also under a computational adversary, and vice versa.

The Cryptology Group at CWI in Amsterdam has an opening for a PhD position (4 yrs) in the area of ``mathematical aspects of cryptology,`` e.g., the intersection between algebraic coding theory and secure multiparty computation. The successful applicant will also be part of the Mathematical Institute, Leiden University.

Requirements:

You should hold a Master degree (or expect to obtain it soon) in mathematics or computer science (or a comparable subject) with excellent grades, and you should have successfully demonstrated your research abilities, e.g. by completion of an (undergraduate) research project with outstanding results. Furthermore, preferably, you:

• have some background in cryptography;

• enjoy mathematics;

• possess good academic writing and presentation skills;

• are fluent in spoken and written English.

Application:

Your application should include the following information:

• a curriculum vitae;

• a letter of motivation (at most 1 page) explaining why you are interested in this position;

• a list of all university courses taken, including a transcript of grades;

• a report from an undergraduate research project you have done;

• the name and contact details (including email address) of two to three referees who can provide details about your profile (one of whom should be the main supervisor of your Master thesis).

The applications will be reviewed upon receipt and until the position is filled.

Closing date for applications: 1 February 2019

Contact: Please send your application to Ronald Cramer (CWI & Leiden U) and Serge Fehr (CWI & Leiden U), using ``Application CWI PhD Position`` as subject. Email: {cramer,fehr} (at) cwi.nl

We have 1 year Post-doc Position on Constraint Programming for Cryptanalysis of Symmetric Encryption Schemes in LIMOS, Clermont-Ferrand, France

Your Profile:

A PhD in Computer Science, Applied Mathematics, Cryptography or related field.

Competitive research record in symmetric cryptography or in constraint programming.

Commitment, team working and a critical mind.

Fluent written and verbal communication skills in English are essential

Closing date for applications: 1 September 2019

Contact: email your cover letter, your CV, your PhD, reports of the reviewers of your PhD, a selection of your best papers related to the post-doc offer, some recommandation

letters, contact information for 3 referees and any information that might help us to choose you.

More information: http://sancy.univ-bpclermont.fr/~lafourcade/post-doc-LIMOS.pdf

Rambus is seeking for a dynamic, highly motivated, experienced Senior Security Engineer. The ideal candidate will be team oriented, and have a strong knowledge of the HW security including side-channel analysis and fault analysis. In addition, She/he possesses an in-depth knowledge of front end digital design process and related design flows.

Responsibilities

• Design and implement secure cryptographic hardware IP blocks as part of cryptography research’s security IP portfolio.
• Implement fault and side-channel analysis countermeasures and verify resistance to state-of-the-art attack techniques
• Invent, patent and publish new techniques in the fields of DPA countermeasures, fault resistance and efficient hardware designs
• Supports FAEs, customers, and Rambus sales and marketing team in Europe and Asia and work closely with our offices in Sunnyvale, San Francisco, and Bangalore
• Collaborates with different teams to support all technical aspects of the sales cycle
• Represent Rambus CRD at international workshops, conferences and trade shows.
• Author technical collateral and whitepapers on CRD’s cryptographic hardware technologies

Closing date for applications:

More information: https://careers.rambus.com/jobs/smts-ii-security-engineering-rotterdam-netherlands

We are looking for research fellow (post-doc), research associate, research assistant, research assistant, project interns, phd students to join our group.

Candidates for research fellow/associate should have completed (or close to completing) a PhD degree in computer science, mathematics or a related discipline. Research assistants/project interns are expected to have an honours degree or an equivalent qualification.

Research Fellow/Associates are expected to have solid experience in Public Key Cryptography and Provable Security. Research assistants and project interns should have respectable academic record and an interest in the above area. Specific topic of interest:

- Lattice-Based Anonymous Credentials

- Empirical Analysis on Strength of Ideal Lattice

- Ring Signatures & Linkable Ring Signatures

- Different kinds of zero-knowledge proof/argument systems

- Transaction Privacy in Public and Consortium Blockchain

These positions have flexible starting dates. The initial appointment will be for 12 months, with a strong possibility for further appointment.

Closing date for applications: 31 March 2019

Contact: Dr. Man Ho Au (csallen (at) comp.polyu.edu.hk)

More information: http://www.comp.polyu.edu.hk/~csallen

Event date: 5 August to 8 August 2019
Submission deadline: 20 March 2019
Notification: 25 April 2019

Event date: 15 May to 17 May 2019
Submission deadline: 25 January 2019
Notification: 1 March 2019

The discrete logarithm problem in an interval of size $N$ in a group $G$ is: Given $g, h \in G$ and an integer $ N$ to find an integer $0 \le n \le N$, if it exists, such that $h = g^n$. Previously the best low-storage algorithm to solve this problem was the van Oorschot and Wiener version of the Pollard kangaroo method. The heuristic average case running time of this method is $(2 + o(1)) \sqrt{N}$ group operations.

We present two new low-storage algorithms for the discrete logarithm problem in an interval of size $N$. The first algorithm is based on the Pollard kangaroo method, but uses 4 kangaroos instead of the usual two. We explain why this algorithm has heuristic average case expected running time of $(1.715 + o(1)) \sqrt{N}$ group operations. The second algorithm is based on the Gaudry-Schost algorithm and the ideas of our first algorithm. We explain why this algorithm has heuristic average case expected running time of $(1.661 + o(1)) \sqrt{N}$ group operations. We give experimental results that show that the methods do work close to that predicted by the theoretical analysis.

This is a revised version since the published paper that contains a corrected proof of Theorem 6 (the statement of Theorem 6 is unchanged). We thank Ravi Montenegro for pointing out the errors.

In a seminal work, Katz (Eurocrypt 2007) showed that parties being able to issue tamper-proof hardware can implement universally composable secure computation without a trusted setup. Our contribution to the line of research initiated by Katz is a construction for general, information-theoretically secure, universally composable two-party computation based on a single stateful tamper-proof token. We provide protocols for multiple one-time memories, multiple commitments in both directions, and also bidirectional oblivious transfer. From this, general secure two-party computation (and even one-time programs) can be implemented by known techniques. Moreover, our protocols have asymptotically optimal communication complexity.

The central part of our work is a construction for oblivious affine function evaluation (OAFE), which can be seen as a generalization of the oblivious transfer primitive: Parametrized by a finite field F and a dimension k, the OAFE primitive allows a designated sender to choose an affine function f:F->F^k, such that hidden from the sender a designated receiver can learn f(x) for exactly one input x in F of his choice. All our abovementioned results build upon this primitive and it may also be of particular interest for the construction of garbled arithmetic circuits.

Post-doctoral Research Fellow in Post-Quantum Cryptography, Mathematics Department, University of Auckland.

Two years duration

The aim of this role is to conduct research at an international level on post-quantum cryptography and related mathematics. The successful applicant will be working in collaboration with Professor Steven Galbraith, his students, and other collaborators. The ability to work as part of a team and independently is essential. PhD in Mathematics or a related discipline (eg Computer Science) desired.

The Mathematics department at the University of Auckland was ranked 45th worldwide in the 2018 QS World University Rankings. Professor Galbraith\'s research group contains approx 6 post-grad students working in mathematical crypto.

The minimum salary for a research fellow at the University of Auckland in 2019 is NZD 81963.00.

Closing date for applications: 15 January 2019

Contact: Steven Galbraith

Professor of Pure Mathematics

s.galbraith (at) auckland.ac.nz

More information: https://opportunities.auckland.ac.nz/jobid/20285/1/1

Ada Lovelace Post-Doc Fellowships with the Quantum Software Consortium (QSC).

QSC is a project of University of Amsterdam, Leiden University, Delft University of Technology, Centrum Wiskunde & Informatica (CWI) and Vrije Universiteit Amsterdam, funded by NWO.

We are inviting applications for our program of prestigious 3 year Ada Lovelace postdoctoral Fellowships, which has the explicit aim of hiring talented female researchers.

The consortium is organized around three themes of algorithmic development: for quantum computers, for quantum networks, and for quantum(-safe) cryptography. A fourth hardware theme, the demonstrator, provides a distributed quantum computing network linking the three sites of the consortium and The Hague, to test designs arising from the three software themes. World class hardware for demonstrating quantum algorithms is furthermore available via QuTech, Leiden, and Amsterdam outside this proposal.

The subject matter of a candidate’s proposed research is free, as long as it contributes to the scientific program of the QSC. The first call for Ada Lovelace Fellowships will be open until January 31th 2019. Candidates can be proposed in the following two ways:

(1) proposal by one of the QSC Senior Researchers.

(2) application by the candidate, accompanied by a supporting letter by a QSC Senior Researcher.

In both cases, the proposal should include CV and list of publications, description of proposed research, description of embedding in the QSC (preferred location, collaborators), up to three names of scientists who can be contacted for reference letters

You can submit your application to the QSC office. Email: office (at) quantumsc.nl. Deadline for applications is January 31st 2019. In the current round up to two fellowships can be granted.

Closing date for applications: 31 January 2019

Contact: Ronald Cramer (cramer (at) cwi.nl, cramer (at) math.leidenuniv.nl)

More information: http://quantumsc.nl/Research/Overview/