International Association
for Cryptologic Research

Tweakable block cipher (TBC), a stronger notion than standard block ciphers, has wide-scale applications in symmetric-key schemes. At a high level, it provides flexibility in design and (possibly) better security bounds. In multi-keyed applications, a TBC with short tweak values can be used to replace multiple keys. However, the existing TBC construction frameworks, including TWEAKEY and XEX, are designed for general purpose tweak sizes. Specifically, they are not optimized for short tweaks, which might render them inefficient for certain resource constrained applications. So a dedicated paradigm to construct short-tweak TBCs (tBC) is highly desirable. In this paper, we present a dedicated framework, called the Elastic-Tweak framework (ET in short), to convert any reasonably secure SPN block cipher into a secure tBC. We apply the ET framework on GIFT and AES to construct efficient tBCs, named TweGIFT and TweAES. We present hardware and software results to show that the performance overheads for these tBCs are minimal. We perform comprehensive security analysis and observe that TweGIFT and TweAES provide sufficient security without any increase in the number of block cipher rounds when compared to GIFT and AES. We also show some concrete applications of ET-based tBCs, which are better than their block cipher counterparts in terms of key size, state size, number of block cipher calls, and short message processing. Some notable applications include, Twe-FCBC (reduces the key size of FCBC and gives better security than CMAC), Twe-LightMAC Plus (better rate than LightMAC Plus), Twe-SUNDAE, Twe-CLOC, and Twe-SILC (reduces the number of block cipher calls and simplifies the design of SUNDAE, CLOC and SILC).

In Side Channel Analysis, masking is known to be a reliable and robust counter-measure. Recently, several papers have focused on the application of the Deep Learning (DL) theory to improve the efficiency of side channel attacks against implementations protected with this approach. Even if these seminal works have demonstrated the practical interest of DL in the side-channel context, they did not argue on their theoretical soundness nor quantify their efficiency, especially with respect to the optimality bounds published so far in the literature. This paper aims at addressing this question of optimality, in particular when masking is applied. We argue that minimizing the Negative Log Likelihood during the training of Deep Learning models is actually asymptotically equivalent to maximizing a lower bound of the mutual information between the observations and the target secret chunk, or equivalently to minimizing an upper bound on underlying side-channel efficiency. Also, we argue that training a Deep Neural Networks consists in finding the parameters that maximize the Perceived Information introduced by Renauld et al. at EUROCRYPT 2011. These theoretical results allowed us to formally study the impact of masking counter-measures against Deep Learning based Side Channel attacks. In particular, and as expected, we verified, both on simulations and on experimental traces, that Boolean masking is sound against such a class of Side Channel attacks.

Ensuring secure deduplication of encrypted data is a very active topic of research because deduplication is effective at reducing storage costs. Schemes supporting deduplication of encrypted data that are not vulnerable to content guessing attacks (such as Message Locked Encryption) have been proposed recently [Bellare et al. 2013, Li et al. 2015]. However in all these schemes, there is a key derivation phase that solely depends on a short hash of the data and not the data itself. Therefore, a file specofic key can be obtained by anyone possessing the hash. Since hash values are usually not meant to be secret, a desired solution will be a more robust oblivious key generation protocol where file hashes need not be kept private. Motivated by this use-case, we propose a new primitive for oblivious pseudorandom function (OPRF) on committed vector inputs in the universal composable (UC) framework. We formalize this functionality as $\mathcal{F}_\mathsf{OOPRF}$, where $\mathsf{OOPRF}$ stands for Ownership-based Oblivious PRF. $\mathcal{F}_\mathsf{OOPRF}$ produces a unique random key on input a vector digest provided the client proves knowledge of a (parametrisable) number of random positions of the input vector. To construct an efficient $\mathsf{OOPRF}$ protocol, we carefully combine a hiding vector commitment scheme, a variant of the PRF scheme of Dodis- Yampolskiy [Dodis et al. 2005] and a homomorphic encryption scheme glued together with concrete, efficient instantiations of proofs of knowledge. To the best of our knowledge, our work shows for the first time how these primitives can be combined in a secure, efficient and useful way. We also propose a new vector commitment scheme with constant sized public parameters but $(\log n)$ size witnesses where n is the length of the committed vector. This can be of independent interest.

A framework is introduced for efficiently computing with encrypted data. We assume a semi-honest security model with two computing parties. Two different coding techniques are used with additively homomorphic encryption, such that many values can be put into one large encryption, and additions and multiplications can be performed on all values simultaneously. For more complicated operations such as comparisons and equality tests, bit-wise secret sharing is proposed as an additional technique that has a low computational and communication complexity, and which allows for precomputing. The framework is shown to significantly improve the computational complexity of state-of-the-art solutions on generic operations such as secure comparisons and secure set intersection.

The Noise protocol framework is a suite of channel establishment protocols, of which each individual protocol ensures various security properties of the transmitted messages, but keeps specification, implementation, and configuration relatively simple. Implementations of the Noise protocols are themselves, due to the employed primitives, very performant. Thus, despite its relative youth, Noise is already used by large-scale deployed applications such as WhatsApp and Slack. Though the specification describes and claims the security properties of the protocol patterns very precisely, there has been no computational proof yet. We close this gap.

Noise uses only a limited number of cryptographic primitives which makes it an ideal candidate for reduction-based security proofs. Due to its patterns' characteristics as channel establishment protocols, and the usage of established keys within the handshake, the authenticated and confidential channel establishment (ACCE) model (Jager et al. CRYPTO 2012) seems perfectly fit for an analysis of Noise. However, the ACCE model strictly divides protocols into two non-overlapping phases: the pre-accept phase (i.e., the channel establishment) and post-accept phase (i.e., the channel). Using the example of Noise, we show that this separation originates from the historic background of the TLS 1.2 proof, rather than it depicting the natural core of a channel establishment protocol. Similarly to TLS 1.3, Noise allows the transmission of encrypted messages as soon as a key is established (for instance, before any authentication between parties has taken place).

By proposing a generalization of the original ACCE model, we catch security properties of these earlier messages precisely. As our generalized model is aimed to capture security of multiple different channel establishment protocols, we then add flexibility to the security definition, comparable to the multi-stage key exchange model (Fischlin and Günther CCS 2014). We furthermore provide a broad discussion on the relations among and dimensions of the considered security properties as this plays a crucial role when defining security flexibly. Based on this, we observe that each message sent during the channel establishment can add new security properties, while inheriting those established in previous stages.

We give full security proofs for eight of the 15 basic Noise patterns to illustrate the flexibility and validity of this approach.

Nazarbayev University is seeking highly-qualified faculty at the assistant and associate professor ranks to join its rapidly growing Mathematics Department in the School of Science and Technology. All areas of mathematics will be considered but preference will be given to applied mathematics and statistics (broadly interpreted).

Successful candidates should hold a PhD in mathematics, statistics or in a related field and have excellent English-language communication skills and experience with Western higher education. Applicants for associate professor positions should have considerable experience in supervising students at the graduate level, possess strong teaching skills and experience, and a demonstrated rank-appropriate research accomplishment and service. Applicants for assistant professor level should demonstrate a potential for excellence in teaching, research, and service.

Position responsibilities include: teaching undergraduate and graduate level of courses (2-2 teaching load), supervision of graduate students, curricular and program development, ongoing engagement in professional and research activities, general program guidance and leadership, and other activities related to the intellectual and cultural environment of the university.

Nazarbayev University offers an attractive benefits package, including:

competitive compensation;

free housing based on family size and rank;

relocation allowance;

no-cost medical insurance, with global coverage;

educational allowance for children

air tickets to home country, twice per year

Closing date for applications: 31 May 2019

Contact: Applicants should send a detailed CV, teaching and research statements, and list of publications to sst.cv (at) nu.edu.kz

More information: http://sst.nu.edu.kz

The crypto group at NTNU is looking for outstanding candidates for a postdoc position working on topics related to public-key cryptography (including encryption, signature and NIZK schemes). The successful candidate will work with Jiaxin Pan who will start an Associate Professor position at the Department of Mathematical Sciences in fall 2019. Currently, topics of interest include (but not limited to):

- Tight security,

- Structure-preserving cryptography, and

- Lattice-based cryptography.

Candidates should be able to show their strong expertise in cryptography in form of publications at major crypto or security conferences. The position is for 2 years and the department may offer a twelve months extension for teaching. Knowledge of the Norwegian language is not mandatory for this position. The working language in the group is English. All students and people in the city (Trondheim) speak very good English.

More information is given in the following link and one can only apply this position through the same link: https://www.jobbnorge.no/en/available-jobs/job/169418/postdoctoral-fellowships-in-public-key-cryptography.

If you would like to have further information or any questions, please feel free to contact Jiaxin Pan.

Closing date for applications: 16 May 2019

Contact: Jiaxin Pan (jiaxin.pan at ntnu.no)

The crypto group at NTNU is looking for outstanding candidates for two PhD positions (one on public-key cryptography and one on cryptographic voting systems).

The successful candidate in public-key cryptography will work with Jiaxin Pan who will start an Associate Professor position at the Department of Mathematical Sciences in fall 2019. Currently, topics of interest include (but not limited to):

- Tight security,

- Structure-preserving cryptography, and

- Lattice-based cryptography.

The successful candidate in cryptographic voting systems will work with Professor Kristian Gjøsteen at the Department of Mathematical Sciences. Topics of interest include (but not limited to):

- User confidence in cryptographic voting systems,

- Security proofs for such systems, and

- Long-term security, including post-quantum security.

The applicants should have a master’s degree in mathematics, or a master’s degree in computer science, communications technology or related areas, with a strong mathematical component. A background including experience with cryptography or computational complexity is desirable. Candidates completing their master degree in 2019 are encouraged to apply.

Norway needs candidates that can be security cleared. The PhD work itself does not require a security clearance, but candidates that can be security cleared may be preferred.

The positions are for 3 years. The Department may offer a twelve month extension as a teaching assistant. The candidates for the position must be fluent in English, both oral and written.

More information is given in the following links and one can only apply these positions through the corresponding links:

* https://www.jobbnorge.no/en/available-jobs/job/169454/doctoral-fellowship-in-public-key-cryptography

* https://www.jobbnorge.no/en/available-jobs/job/169452/phd-fellowship-in-cryptographic-voting

Closing date for applications: 16 May 2019

Contact: Jiaxin Pan (jiaxin.pan at ntnu.no) or Kristian Gjøsteen (kristian.gjosteen at ntnu.no)

We search for a talented Ph.D. student who is interested in the topic of privacy-preserving machine learning. Our ideal candidate has a M.Sc. degree with excellent grades from a well-renowned university and a background in machine learning and privacy-enhancing technologies. Knowledge in FPGA programming is a plus.

Ulm University is a young research university with a focus on natural sciences, medicine and technology. Located in an economically strong region, the University with its more than 10,000 students offers a dynamic work environment with attractive networking and development prospects. The Institute of Distributed Systems is a leading research group in areas like automotive security and privacy engineering.

Closing date for applications: 30 June 2019

Contact: Interested candidates should send their application to vs-jobs (at) uni-ulm.de.

More information: https://www.uni-ulm.de/in/vs/

*As a Cryptanalyst, you will:

- Analyze, evaluate and target any weaknesses security systems which range from single crypto-primitives to entire protocols, from classical ciphers to the newest lightweight or post-quantum schemes.

- Develop mathematical and statistical models to analyze and solve security data problems.

- Be involved in the analysis of developed cryptosystems within DarkMatter products.

- Collaborate with skillful software, hardware, and telecommunication engineers.

- Work closely with the secure communications team and other teams in the organization.

- Work with latest software and test your code on state-of-the-art High-Performance Devices.

- Conduct research in theoretical and practical cryptanalysis.

- Attend personalized in-house trainings with top cryptographers and international conferences and workshops.

*To bring your dream to life, you’ll need:

- PhD degree in Cryptography, Applied Cryptography, Information Theory and Mathematics, Computer Science or any relevant Engineering degree.

- Extensive experience in theoretical and practical cryptanalysis

Valuable publications in the field of cryptanalysis

- Extensive experience in performing side-channel attacks.

- Deep understanding of various hardware security vulnerabilities and threats.

Closing date for applications: 29 July 2019

Contact: Mehdi Messaoudi

Talent Acquisition Specialist

mehdi.messaoudi (at) darkmatter.ae

More information: https://boards.greenhouse.io/darkmatter/jobs/1090184

As a Post-Quantum Crypto Researcher, you will:

- Design, implement and deploy quantum-safe cryptographic algorithms covering both but not limited to: key exchange algorithms and digital signature schemes.

- Conduct research and development in lattice-based, code-based or hash-based cryptosystems.

- Perform security assessments of either crypto-primitives or cryptosystems at the theoretical and implementation level.

- Work closely with the secure communications team and other teams in the organization to design end-to-end secure communication protocols using state-of-the art and customized cryptographic algorithms and primitives.

- Be involved in the integration of developed cryptosystems within DarkMatter products.

To bring your dream to life, you’ll need:

- PhD degree in Cryptography, Applied Cryptography, Information Theory and Mathematics or Computer Science.

- Extensive experience developing in various programming languages.

Closing date for applications: 29 August 2019

Contact: Mehdi Messaoudi

Talent Acquisition Specialist

mehdi.messaoudi (at) darkmatter.ae

More information: https://boards.greenhouse.io/darkmatter/jobs/1030431

Cosmian is a young and ambitious software publisher started by three seasoned entrepreneurs, backed by a leading Venture Capital Fund and which has established strong ties with academic research (Paris-based Ecole Normale Superieure, in particular).

Our ambition is to solve the Private Data paradox: how to provide data intelligence to a rapidly rising data economy without compromising privacy.

Job Description

Your main responsibility will be to lead our cryptographic research and development. Cosmian implements the latest research in fully-homomorphic encryption, functional encryption and secure MPC, to provide better protection of privacy.

Your daily mission will include

- managing the collaborations with the academic and research worlds, working with some of the best world cryptographers including the crypto team from École Normale Supérieure Paris,

- understand how their latest research can be leveraged,

- design new implementation algorithms with Cosmian Rust/C++ developers,

- lead certification and/or patenting where appropriate,

- and more generally get our work known and recognized by a larger cryptography community.

The job is full-time and located in Paris, France. Remote work may be envisaged with specific requirements. The package includes stock options.

Required skills/qualifications

You must have a strong background in maths and in cryptography (Master and/or PhD) and must demonstrate

the ability to communicate complex ideas to a less maths-savvy audience.

A working command of French is not mandatory.

Closing date for applications: 1 October 2019

Contact: Bruno GRIEDER, bruno.grieder (at) cosmian.com, +33 6 33 27 46 85

or

Raphaël AUPHAN, raphael.auphan (at) cosmian.com

More information: https://cosmian.com/chief_scientist/

Pompeu Fabra University and Nokia Bell Labs announce 4 Marie Sk?odowska­-Curie European PhD Positions for the ITN BAnDIT H2020 project. PhD students will be supervised by researchers from UPF and Bell Labs (effectively spending 50% of the time at each institution), and collaborating with both Rovira i Virgili University and Caelum Labs for secondments.

We are looking for highly motivated young researchers with a Master degree (or equivalent) in Computer Science, Engineering, Mathematics, Economics or related disciplines, willing to study and do research at the leading edge of blockchain technologies.

PhD students will be appointed for 36 months. All the fellowships provide a highly competitive remuneration package, complemented by mobility and family allowances (for eligible candidates).

The evaluation committee will assess candidates on a continuous basis until the positions are filled. First evaluation will be at the end of May , and afterwards regularly at the end of every month until all candidates are selected. Once evaluated will be contacted, and if pre-selected interviews will be arranged either via telco or by inviting you to one of the partners. Selected ESRs will be published on the website.

Closing date for applications:

Contact: bandit (at) upf.edu

More information: https://www.upf.edu/web/bandit

Event date: 15 July to 19 July 2019

Event date: 21 August to 24 August 2019
Submission deadline: 31 May 2019
Notification: 30 June 2019

Event date: 3 December to 7 December 2019
Submission deadline: 30 June 2019
Notification: 1 August 2019

In CT-RSA 2019, Bauer et al. have analyzed the case when the public key is reused for the NewHope key encapsulation mechanism (KEM), a second-round candidate in the NIST Post-quantum Standard process. They proposed an elegant method to recover coefficients ranging from -6 to 4 in the secret key. We repeat their experiment but there are two fundamental problems. First, even for coefficients in [-6,4] we cannot recover at least 262 of them in each secret key with 1024 coefficients. Second, for the coefficient outside [-6,4], they suggested an exhaustive search. But for each secret key on average there are 10 coefficients that need to be exhaustively searched, and each of them has 6 possibilities. This makes Bauer et al.'s method highly inefficient. We propose an improved method, which with 99.22% probability can recover all the elements ranging from -6 to 4 in the secret key. Then, inspired by Ding et al.'s key mismatch attack, we propose an efficient strategy which with a probability of 96.88% succeeds in recovering all the coefficients in the secret key. Experiments show that our proposed method is very efficient, which completes the attack in about 137.56 ms using the NewHope parameters.

We introduce and study the notion of keyless fuzzy search (KlFS) which allows to mask a publicly available database in such a way that any third party can retrieve content if and only if it possesses some data that is “close to” the encrypted data – no cryptographic keys are involved. We devise a formal security model that asks a scheme not to leak any information about the data and the queries except for some well-defined leakage function if attackers cannot guess the right query to make. In particular, our definition implies that recovering high entropy data protected with a KlFS scheme is costly. We propose two KlFS schemes: both use locality-sensitive hashes (LSH), cryptographic hashes and symmetric encryption as building blocks. The first scheme is generic and works for abstract plaintext domains. The second scheme is specifically suited for databases of images. To demonstrate the feasibility of our KlFS for images, we implemented and evaluated a prototype system that supports image search by object similarity on a masked database.

Secure channel establishment protocols such as TLS are some of the most important cryptographic protocols, enabling the encryption of Internet traffic. Reducing the latency (the number of interactions between parties) in such protocols has become an important design goal to improve user experience. The most important protocols addressing this goal are TLS 1.3 over TCP Fast Open (TFO), Google’s QUIC over UDP, and QUIC[TLS] (a new design for QUIC that uses TLS 1.3 key exchange) over UDP. There have been a number of formal security analyses for TLS 1.3 and QUIC, but their security, when layered with their underlying transport protocols, cannot be easily compared. Our work is the first to thoroughly compare the security and availability properties of these protocols. Towards this goal, we develop novel security models that permit “layered” security analysis. In addition to the standard goals of server authentication and data privacy and integrity, we consider the goals of IP spoofing prevention, key exchange packet integrity, secure channel header integrity, and reset authentication, which capture a range of practical threats not usually taken into account by existing security models that focus mainly on the crypto cores of the protocols. Equipped with our new models we provide a detailed comparison of the above three protocols. We hope that our results will help protocol designers in their future protocol analyses and practitioners to better understand the advantages and limitations of novel secure channel establishment protocols.

It was recently proved that twisted Reed--Solomon codes represent a family of codes which contain a large amount of MDS codes, non-equivalent to Reed--Solomon codes. As a consequence, they were proposed as an alternative to Goppa codes for the McEliece cryptosystem, resulting to a potential reduction of key sizes. In this paper, an efficient key-recovery attack is given on this variant of the McEliece cryptosystem. The algorithm is based on the recovery of the structure of subfield subcodes of twisted Reed--Solomon codes, and it always succeeds. Its correctness is proved, and it is shown that the attack breaks the system for all practical parameters in $O(n^4)$ field operations. A practical implementation is also provided and retrieves a valid private key from the public key within just a few minutes, for parameters claiming a security level of $128$ bits. We also discuss a potential repair of the scheme and an application of the attack to GPT cryptosystems using twisted Gabidulin codes.