International Association
for Cryptologic Research

The Department of Computer Science at University College London (UCL) invites applications for three faculty positions at all levels in the area of Information Security. We seek world-class talent; candidates must have an outstanding research track record. Appointments will be made at the rank of Lecturer, Associate Professor, or Professor, depending on seniority.

The closing date for applications is 10 January 2019.

We seek applicants with expertise and experience that complements or builds on our current strengths, including but not limited to, the areas of cybercrime, human factors in security, systems and network security, verification and embedded systems security, and software security.

Since we are an experimental Computer Science department, and UCL is strongly committed to multi-disciplinary research, we are looking for researchers who are interested in collaboration with colleagues in the Faculty of Engineering (e.g., Crime Science) and with other research groups and centres within the Computer Science department, e.g., Systems and Networks, Computational Statistics & Machine Learning (CSML), UCL Interaction Centre (UCLIC). The main purpose of this new role is to support the growth of the Computer Department through conducting research, teaching, outreach and entrepreneurial activities in the area of Information Security as well as the supervision of undergraduate, taught graduate and/or research graduate students.

Closing date for applications: 10 January 2019

Contact: Emiliano De Cristofaro, e.decristofaro (at) ucl.ac.uk

More information: https://tinyurl.com/ucl-infosec-positions-2018

Three industrial funded PhD studentships (3-3.5 years) are available at Department of Computer Science, Surrey Centre for Cyber Security, University of Surrey. These studentships are related to industrial blockchain projects. The ideal PhD candidates (holding MSc. degree of Math, Computer Science, Engineering) should be equipped with (at least be interested in) adequate knowledge of programming (e.g., Python, C++, Java), basic knowledge of applied cryptography(e.g., signature, encryption, zero-knowledge proof)/machine learning/formal method, have good communication skill, teamwork awareness, and be willing to work with industries.

The start date of these PhDs will be in January or April 2019.

About SCCS: SCCS was established by the University of Surrey to consolidate and organise its cyber security activities across the University. SCCS is one of the 17 Academic Centres of Excellence in Cyber Security Research (ACEs-CSR) recognised by the UK National Cyber Security Centre (NCSC) in partnership with the Engineering and Physical Sciences Research Council (EPSRC).

Closing date for applications: 31 March 2019

Contact: Dr. Kaitai Liang

k.liang (at) surrey.ac.uk

The Secure embedded system & hardware security team (https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html) at Université Jean Monnet (Saint-Etienne, France) is seeking one motivated post-doctoral researcher in the area of hardware security.

The post-doctoral researcher will work with researcher of the group on topic of side-channel analysis and/or random numbers generation. The project aims to scale down randomness requirement for side-channel protected implementations.

Candidates should ideally have already completed, or close to completing a Ph.D. degree in electrical engineering, computer sciences, mathematics, or related disciplines, with strong research track record in relevant area.

This is a full-time, 1-year fixed-term position based in Saint-Etienne; starting date is negotiable from March 2019.

Since the laboratory is located in a restricted area, background of the successful candidate need to be checked by authorities, this step can last 3 months, please consider applying well in advance. There are no nationality restrictions for candidates.

Review of application will start immediately until position is filed.

Please send a CV, a list of publications and contact information for two references.

Closing date for applications: 30 September 2019

Contact: Vincent Grosso, vincent.grosso (at) univ-st-etienne.fr

Applications are invited for a PhD student (Research Assistant) position in Applied Cryptography and Network Security. The position is funded through CRISP, the Center for Research in Security and Privacy (https://www.crisp-da.de).

Job Description

The Candidate is expected to perform scientific research in the areas of cryptography and network security. The position is based in Darmstadt and will involve international travel to conduct and present research. We provide an optimal working environment and support the researcher to publish results at leading international conferences and journals.

The position is initially offered for three years but can be extended to a longer duration. The starting date is as soon as possible.

Your Profile

• Completed a Master’s degree (or equivalent) with good grades in computer science, mathematics, electrical engineering, or a closely related field.

• Solid background in information security, cryptography, discrete mathematics, and algorithms.

• Fluent in English, both verbal and written, and good communication skills.

• Motivated to conduct research work and ability to work independently.

• Proficiency in computer programming, computer networks, Latex, and system administration are considered beneficial but not necessary.

How To Apply

Please submit your application in English consisting of a motivation letter stating why you are interested and qualify for the position, your current curriculum vitae including two references, and copies of relevant certificates and detailed transcripts with grades. Please send your application in a single PDF file to Jean Paul Degabriele (jeanpaul [dot] degabriele [at] crisp-da [dot] de) with the subject line “PhD Application”. Review of applications will start immediately and continue until the position is filled.

Closing date for applications:

Applications are invited for a one-year, full-time doctoral student position starting at the earliest on 01.02.2019 in an Academy of Finland project at the CWC-NS research unit. A trial period of 6 months is applied in the position.

The student selected for the task will be working on the design of secure and/or privacy-preserving protocols and architectures for 5G and beyond 5G networks. The main application area will be network Software Defined Networking (SDN), Network Function Virtualization (NFV) and Network Slicing based 5G and Industrial IoT networks where applications are typically latency-sensitive and produce high amounts of data requiring fast processing and refining. During the studies, the student should be applying (a combination of) various advanced cryptographic technologies, such as light weight authentication mechanisms, encryption algorithms, machine learning and novel technologies such as blockchain, secure transaction methods and smart contracts to design secure communication solutions that achieve a good balance between security, user privacy and usability. The work will include real-world prototyping with relevant technologies. Good knowledge in applied mathematics and experience in software implementations highly required.

The position is supervised by Adj. Prof. Madhusanka Liyanage (technical supervision) and. Assoc. Prof. Mika Ylianttila (responsible supervisor).

Closing date for applications: 31 December 2018

Contact: Contact: Adj. Prof. Madhusanka Liyanage, madhusanka.liyanage(at)oulu.fi;

More information: https://rekry.saima.fi/certiahome/open_job_view.html?did=5600&jc=1&id=00006567&lang=en

This PhD project will investigate implementation aspects of lattice-based cryptography on hardware and software platforms.

Required skills and experience:

Honours undergraduate degree and/or postgraduate degree with Distinction (or an international equivalent) in Electrical/Electronics Engineering or Computer Science or Mathematical Engineering or closely related discipline.

Familiar with cryptography, low-level programming or hardware architecture design using VHDL/Verilog.

More information: https://www.findaphd.com/phds/project/implementation-of-lattice-based-cryptography/?p104419

Closing date for applications: 14 January 2019

Contact: Sujoy Sinha Roy (s.sinharoy (AT) cs.bham.ac.uk)

The TCC steering committee is holding a straw poll regarding some TCC policy issues (see below). You can participate in this straw poll by visiting the form at:

• https://docs.google.com/forms/d/e/1FAIpQLSdG4W8Yy-x8o1g1R3TKLyW49d3nlRizV2AJYjVkJSTmgmU5AA/viewform

The deadline for participating in this straw poll is December 21, 2018.

Event date: 8 July 2019
Submission deadline: 1 March 2019
Notification: 10 April 2019

Let $\Omega$ be a finite set of operation symbols. We initiate the study of (weakly) pseudo-free families of computational $\Omega$-algebras in arbitrary varieties of $\Omega$-algebras. Most of our results concern (weak) pseudo-freeness in the variety $\mathfrak O$ of all $\Omega$-algebras. A family $(H_d)_{d\in D}$ of computational $\Omega$-algebras (where $D\subseteq\{0,1\}^*$) is called polynomially bounded (resp., having exponential size) if there exists a polynomial $\eta$ such that for all $d\in D$, the length of any representation of every $h\in H_d$ is at most $\eta(\lvert d\rvert)$ (resp., $\lvert H_d\rvert\le2^{\eta(\lvert d\rvert)}$). First, we prove the following trichotomy: (i) if $\Omega$ consists of nullary operation symbols only, then there exists a polynomially bounded pseudo-free family in $\mathfrak O$; (ii) if $\Omega=\Omega_0\cup\{\omega\}$, where $\Omega_0$ consists of nullary operation symbols and the arity of $\omega$ is $1$, then there exist an exponential-size pseudo-free family and a polynomially bounded weakly pseudo-free family (both in $\mathfrak O$); (iii) in all other cases, the existence of polynomially bounded weakly pseudo-free families in $\mathfrak O$ implies the existence of collision-resistant families of hash functions. Second, assuming the existence of collision-resistant families of hash functions, we construct a polynomially bounded weakly pseudo-free family and an exponential-size pseudo-free family of computational $m$-ary groupoids (both in $\mathfrak O$), where $m\ge1$. In particular, for arbitrary $m\ge2$, polynomially bounded weakly pseudo-free families of computational $m$-ary groupoids in $\mathfrak O$ exist if and only if collision-resistant families of hash functions exist. Moreover, we present some simple constructions of cryptographic primitives from pseudo-free families satisfying certain additional conditions. These constructions demonstrate the potential of pseudo-free families.

Public-key cryptography applications often require structuring decryption rights according to some hierarchy. This is typically addressed with re-encryption procedures or relying on trusted parties, in order to avoid secret-key transfers and leakages. Using a novel approach, Goubin and Vial-Prado (2016) take advantage of the Multikey FHE-NTRU encryption scheme to establish decryption rights at key-generation time, thus preventing leakage of all secrets involved (even by powerful key-holders). Their algorithms are intended for two parties, and can be composed to form chains of users with inherited decryption rights. In this article, we provide new protocols for generating Excalibur keys under any DAG-like hierarchy, and present formal proofs of security against semi-honest adversaries. Our protocols are compatible with the homomorphic properties of FHE-NTRU, and the base case of our security proofs may be regarded as a more formal, simulation-based proof of said work.

In Identity-based cryptography, in order to generalize one receiver encryption to multi-receiver encryption, wildcards were introduced: WIBE enables wildcard in receivers' pattern and Wicked-IBE allows one to generate a key for identities with wildcard. However, the use of wildcard makes the construction of WIBE, Wicked-IBE more complicated and significantly less efficient than the underlying IBE. The main reason is that the conventional identity's binary alphabet is extended to a ternary alphabet $\{0,1,*\}$ and the wildcard $*$ is always treated in a convoluted way in encryption or in key generation. In this paper, we show that when dealing with multi-receiver setting, wildcard is not necessary. We introduce a new downgradable property for IBE scheme and show that any IBE with this property, called DIBE, can be efficiently transformed into WIBE or Wicked-IBE.

While WIBE and Wicked-IBE have been used to construct Broadcast encryption, we go a step further by employing DIBE to construct Attribute-based Encryption of which the access policy is expressed as a boolean formula in the disjunctive normal form.

Mobile communications are used by more than two thirds of the world population who expect security and privacy guarantees. The 3rd Generation Partnership Project (3GPP) responsible for the worldwide standardization of mobile communication has designed and mandated the use of the AKA protocol to protect the subscribers' mobile services. Even though privacy was a requirement, numerous subscriber location attacks have been demonstrated against AKA, some of which have been fixed or mitigated in the enhanced AKA protocol designed for 5G.

In this paper, we reveal a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do. Our attack exploits a new logical vulnerability we uncovered that would require dedicated fixes. We demonstrate the practical feasibility of our attack using low cost and widely available setups. Finally we conduct a security analysis of the vulnerability and discuss countermeasures to remedy our attack.

We analyze the size vs. security trade-offs that are available when selecting parameters for perfectly correct key encapsulation mechanisms based on NTRU.

At CRYPTO’98, Bleichenbacher published his seminal paper which described a padding oracle attack against RSA implementations that follow the PKCS #1 v1.5 standard.

Over the last twenty years researchers and implementors had spent a huge amount of effort in developing and deploying numerous mitigation techniques which were supposed to plug all the possible sources of Bleichenbacher-like leakages. However, as we show in this paper most implementations are still vulnerable to several novel types of attack based on leakage from various microarchitectural side channels: Out of nine popular implementations of TLS that we tested, we were able to break the security of seven implementations with practical proof-of-concept attacks. We demonstrate the feasibility of using those Cache-like ATacks (CATs) to perform a downgrade attack against any TLS connection to a vulnerable server, using a BEAST-like Man in the Browser attack.

The main difficulty we face is how to perform the thousands of oracle queries required before the browser’s imposed timeout (which is 30 seconds for almost all browsers, with the exception of Firefox which can be tricked into extending this period). The attack seems to be inherently sequential (due to its use of adaptive chosen ciphertext queries), but we describe a new way to parallelize Bleichenbacher-like padding attacks by exploiting any available number of TLS servers that share the same public key certificate.

With this improvement, we could demonstrate the feasibility of a downgrade attack which could recover all the 2048 bits of the RSA plaintext (including the premaster secret value, which suffices to establish a secure connection) from five available TLS servers in under 30 seconds. This sequential-to-parallel transformation of such attacks can be of independent interest, speeding up and facilitating other side channel attacks on RSA implementations.

Current estimation techniques for the probability of decryption failures in Ring/Mod-LWE/LWR based schemes assume independence of the failures in individual bits of the transmitted message to calculate the full failure rate of the scheme. In this paper we disprove this assumption both theoretically and practically for schemes based on Ring/Mod-Learning with Errors/Rounding. We provide a method to estimate the decryption failure probability, taking into account the bit failure dependency. We show that the independence assumption is suitable for schemes without error correction, but that it might lead to underestimating the failure probability of algorithms using error correcting codes. In the worst case, for LAC-128, the failure rate is $2^{48}$ times bigger than estimated under the assumption of independence. This higher-than-expected failure rate could lead to more efficient cryptanalysis of the scheme through decryption failure attacks.

We design and implement, PwoP, an efficient and scalable system for intrusion-tolerant and privacy-preserving multi-sensor fusion. PwoP develops and unifies techniques from dependable distributed systems and modern cryptography, and in contrast to prior works, can 1) provably defend against pollution attacks where some malicious sensors lie about their values to sway the final result, and 2) perform within the computation and bandwidth limitations of cyber-physical systems.

PwoP is flexible and extensible, covering a variety of application scenarios. We demonstrate the practicality of our system using Raspberry Pi Zero W, and we show that PwoP is efficient in both failure-free and failure scenarios.

We give the first positive results about instantiability of the widely implemented and standardized RSA-OAEP encryption scheme of Bellare and Rogaway (EUROCRYPT 1994) and variants under chosen-ciphertext attack. Recall that RSA-OAEP adds redundancy and randomness to a message before composing two rounds of an underlying Feistel transform, whose round functions are modeled as random oracles (ROs), with RSA. First, we show that either of the two oracles (while still modeling the other as a RO) can be instantiated in RSA-OAEP under IND-CCA2 using mild standard model assumptions. Ours are the first ``partial instantiation'' results for RSA-OAEP. We obtain them by exploiting (generalizations of) algebraic properties of RSA proven by Barthe, Pointcheval, and Baguelin (CCS 2012). Second, we show that both oracles can be instantiated simultaneously for two variants of RSA-OAEP, called ``$t$-clear'' and ``$s$-clear'' RSA-OAEP. In particular, we are the first show positive results for $s$-clear RSA-OAEP, and our results for it yield the most efficient RSA-based IND-CCA2 secure scheme (under plausible assumptions) in the standard model to date. We obtain it by leveraging a new hierarchy of extractability-style assumptions in the sense of Canetti and Dakdouk (TCC 2010) on the round functions, as well as novel yet plausible ``XOR-type'' assumptions on RSA. Notably, our full instantiation results avoid impossibility results of Shoup (J. Cryptology 2002), Kiltz and Pietrzak (EUROCRYPT 2009), and Bitansky et al.` (STOC 2014).

In the Conditional Disclosure of Secrets (CDS) problem (Gertner et al., J. Comput. Syst. Sci., 2000) Alice and Bob, who hold $n$-bit inputs $x$ and $y$ respectively, wish to release a common secret $z$ to Carol (who knows both $x$ and $y$) if and only if the input $(x,y)$ satisfies some predefined predicate $f$. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some shared randomness, and the goal is to minimize the communication complexity while providing information-theoretic security.

Despite the growing interest in this model, very few lower-bounds are known. In this paper, we relate the CDS complexity of a predicate $f$ to its communication complexity under various communication games. For several basic predicates our results yield tight, or almost tight, lower-bounds of $\Omega(n)$ or $\Omega(n^{1-\epsilon})$, providing an exponential improvement over previous logarithmic lower-bounds.

We also define new communication complexity classes that correspond to different variants of the CDS model and study the relations between them and their complements. Notably, we show that allowing for imperfect correctness can significantly reduce communication -- a seemingly new phenomenon in the context of information-theoretic cryptography. Finally, our results show that proving explicit super-logarithmic lower-bounds for imperfect CDS protocols is a necessary step towards proving explicit lower-bounds against the class AM, or even $\text{AM}\cap \text{co-AM}$ -- a well known open problem in the theory of communication complexity. Thus imperfect CDS forms a new minimal class which is placed just beyond the boundaries of the ``civilized'' part of the communication complexity world for which explicit lower-bounds are known.

The recently proposed Oblivious Cross-Tags (OXT) protocol (CRYPTO 2013) has broken new ground in designing efficient searchable symmetric encryption (SSE) protocol with support for conjunctive keyword search in a single-writer single-reader framework. While the OXT protocol offers high performance by adopting a number of specialised data-structures, it also trades-off security by leaking ‘partial’ database information to the server. Recent attacks have exploited similar partial information leakage to breach database confidentiality. Consequently, it is an open problem to design SSE protocols that plug such leakages while retaining similar efficiency. In this paper, we propose a new SSE protocol, called Hidden Cross-Tags (HXT), that removes ‘Keyword Pair Result Pattern’ (KPRP) leakage for conjunctive keyword search. We avoid this leakage by adopting two additional cryptographic primitives - Hidden Vector Encryption (HVE) and probabilistic (Bloom filter) indexing into the HXT protocol. We propose a ‘lightweight’ HVE scheme that only uses efficient symmetric-key building blocks, and entirely avoids elliptic curve-based operations. At the same time, it affords selective simulation-security against an unbounded number of secret-key queries. Adopting this efficient HVE scheme, the overall practical storage and computational overheads of HXT over OXT are relatively small (no more than 10% for two keywords query, and 21% for six keywords query), while providing a higher level of security.

In a network of $n$ nodes (modelled as a digraph), the goal of a perfectly secret message transmission (PSMT) protocol is to replicate sender's message $m$ at the receiver's end without revealing any information about $m$ to a computationally unbounded adversary that eavesdrops on any $t$ nodes. The adversary may be mobile too -- that is, it may eavesdrop on a different set of $t$ nodes in different rounds. We prove a necessary and sufficient condition on the synchronous network for the existence of $r$-round PSMT protocols, for any given $r > 0$; further, we show that round-optimality is achieved without trading-off the communication complexity; specifically, our protocols have an overall communication complexity of $O(n)$ elements of a finite field to perfectly transmit one field element. Apart from optimality/scalability, two interesting implications of our results are: (a) adversarial mobility does not affect its tolerability: PSMT tolerating a static $t$-adversary is possible if and only if PSMT tolerating mobile $t$-adversary is possible; and (b) mobility does not affect the round optimality: the fastest PSMT protocol tolerating a static $t$-adversary is not faster than the one tolerating a mobile $t$-adversary.