International Association
for Cryptologic Research

A recent NFS attack against pairings made it necessary to increase the key sizes of the most popular families of pairings : BN, BLS12, KSS16, KSS18 and BLS24. The attack applies to other families of pairings but not to all. In this paper we compute the key sizes required for more than 150 families of pairings to verify if there are any other families which are better than BN. The security estimation is not straightforward because it is not a mathematical formula, but rather one has to instantiate the Kim-Barbulescu attack by proposing polynomials and parameters.

After estimating the practical security of an extensive list of families, we compute the complexity of the optimal Ate pairing at 128 and 192 bits of security. For some of the families the optimal Ate has never been studied before. We show that a number of families of embedding degree 9, 14 and 15 are very competitive with $BN$, $BLS12$ and $KSS16$ at 128 bits of security. We identify a set of candidates for 192 bits and 256 bits of security.

This paper introduces new p^rq-based one-way functions and companion signature schemes. The new signature schemes are interesting because they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat-Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli n_i = p_i 2q_i and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the ni's match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. The case of 8th-power residue symbols is fully detailed along with an efficient implementation thereof. Given of their very unique design the proposed signature schemes seem to be overlooked missing species in the corpus of known signature algorithms

Motivated by the application of delegating computation, we revisit the design of filter permutators as a general approach to build stream ciphers that can be efficiently evaluated in a fully homomorphic manner. We first introduce improved filter permutators that allow better security analyses, instances and implementations than the previously proposed FLIP family of stream ciphers. We also put forward the similarities between these improved constructions and a popular PRG design by Goldreich. Then, we exhibit the relevant cryptographic parameters of two families of Boolean functions, direct sums of monomials and XOR-MAJ functions, which give candidates to instantiate the improved filter permutator paradigm. We develop new Boolean functions techniques to study them, and refine Goldreich's PRG locality bound for this purpose. We give an asymptotic analysis of the noise level of improved filter permutators instances using both kind of functions, and recommend them as good candidates for evaluation with a third-generation FHE scheme. Finally, we propose a methodology to evaluate the performance of such symmetric cipher designs in a FHE setting, which primarily focuses on the noise level of the symmetric ciphertexts (hence on the amount of operations on these ciphertextsthat can be homomorphically evaluated). Evaluations performed with HElib show that instances of improved filter permutators using direct sums of monomials as filter outperform all existing ciphers in the literature based on this criteria. We also discuss the (limited) overheads of these instances in terms of latency and throughput.

We show that a future adversary with access to a quantum computer, historic network traffic protected by WireGuard, and knowledge of a WireGuard user's long-term static public key can likely decrypt many of the WireGuard user's historic messages. We propose a simple, efficient alteration to the WireGuard protocol that mitigates this vulnerability, with negligible additional computational and memory costs. Our changes add zero additional bytes of data to the wire format of the WireGuard protocol. Our alteration provides transitional post-quantum security for any WireGuard user who does not publish their long-term static public key -- it should be exchanged out-of-band.

In this paper we give an efficient and compact reformulation of NIST collision estimate test given in SP-800 90B. We correct an error in the formulation of the test and show that the test statistic can be computed in a much easier way. We also propose a revised algorithm for the test based on our findings.

Along with blockchain technology, smart contracts have found intense interest in lots of practical applications. A smart contract is a mechanism involving digital assets and some parties, where the parties deposit assets into the contract and the contract redistributes the assets among the parties based on provisions of the smart contract and inputs of the parties. Recently, several smart contract systems are constructed that use zk-SNARKs to provide privacy-preserving payments and interconnections in the contracts (e.g. Hawk [IEEE S&P, 2016] and Gyges [ACM CCS, 2016]). Efficiency of such systems severely are dominated by efficiency of the underlying UC-secure zk-SNARK that is achieved using COCO framework [Kosba et al., 2015] applied on a non-UC-secure zk-SNARK. In this paper, we show that recent progresses on zk-SNARKs, allow one to simplify the structure and also improve the efficiency of both systems with a UC-secure zk-SNARK that has simpler construction and better efficiency in comparison with the currently used ones. More precisely, with minimal changes, we present a variation of Groth and Maller's zk-SNARK from Crypto 2017, and show that it achieves UC-security and has better efficiency than the ones that currently are used in Hawk and Gyges. We believe, new variation can be of independent interest.

LoRaWAN is an IoT protocol deployed worldwide. Whereas the first version 1.0 has been shown to be weak against several types of attacks, the new version 1.1 has been recently released, and aims, in particular, at providing corrections to the previous release. It introduces also a third entity, turning the original 2-party protocol into a 3-party protocol. In this paper, we provide the first security analysis of LoRaWAN 1.1 in its 3-party setting using a provable approach, and show that it suffers from several flaws. Based on the 3(S)ACCE model of Bhargavan et al., we then propose an extended framework that we use to analyse the security of LoRaWAN-like 3-party protocols, and describe a generic 3-party protocol provably secure in this extended model. We use this provable security approach to propose a slightly modified version of LoRaWAN 1.1. We show how to concretely instantiate this alternative, and formally prove its security in our extended model.

Post-quantum cryptography is an important and growing area of research due to the threat of quantum computers, as recognised by the National Institute of Standards and Technology (NIST) recent call for standardisation. Lattice-based signatures have been shown in the past to be susceptible to side-channel attacks. Falcon is a lattice-based signature candidate submitted to NIST, which has good performance but lacks in research with respect to implementation attacks and resistance. This research proposes the first fault attack analysis on Falcon and finds its lattice trapdoor sampler is as vulnerable to fault attacks as the GPV sampler used in alternative signature schemes. We simulate the post-processing component of this fault attack and achieve a 100% success rate at retrieving the private-key. This research then proposes an evaluation of countermeasures to prevent this fault attack and timing attacks on Falcon. We provide cost evaluations on the overheads of the proposed countermeasures which shows that Falcon has only up to 30% deterioration in performance of its key generation, and only 5% in its signing, compared to without countermeasures.

In the context of the excellence research project “Dependable Internet of Things in Adverse Environments” of Graz University of Technology, we offer nine new PhD positions. One of the core topics of the research of this project is information security.

Graz University of technology offers a very active research environment with more than 70 researchers on all aspects of information security.

Candidates for a PhD in information security should have experience/interest in at least one of the following fields:

* Side Channels

* Operating system security

* Software isolation techniques

* Applied Cryptography

* Formal methods

* Code analysis and compilers

For details on the position and the application process see: https://www.tugraz.at/projekte/dependablethings/jobs/

Closing date for applications: 9 June 2019

Contact: Stefan Mangard, Email: Stefan.Mangard (at) iaik.tugraz.at

More information: https://www.tugraz.at/projekte/dependablethings/jobs/

IOHK is looking for a talented, specialized cryptographic engineer to join our growing in-house cryptography team. You’ll be responsible for cryptographic implementations and their use.

You will have a good understanding of cryptography (e.g. mathematics, information theory, primitives, implementations) and the ability to deliver working implementation related to these domains. The ideal candidate should understand and follow best engineering processes and practices and should demonstrate a working knowledge of a functional programming language (preference is for Haskell), and system languages (preferably Rust or C).

Skills & Requirements:

Skills and Knowledge – - A solid understanding of cryptography: basic theory & use. System programming experience. Ability to translate specifications (e.g. cryptography research papers, RFCs) into working code. Know when and how to use basic cryptographic primitives. Can reason about complex & abstract problems

Responsibilities - Read & review cryptographic research papers and implement them as a prototype. Improve existing implementations of common cryptographic primitives and/or interface/translate them to a different programming language. Transform prototypes into production level projects. Interact and coordinate with research, engineering and product management teams

Completion of a relevant degree such as Computer Science, Software Engineering, Mathematics or a related technical discipline.

Desired competencies - We are particularly interested in at least one of them having the following profile: Familiarity and/or experience with privacy enhancing cryptographic technologies, e.g., zero-knowledge proofs and/or SNARKs, multi-party computation, and differential privacy. Functional programming experience (Preferably Scala or Haskell)

When you apply… Please include an up-to-date resume. We also strongly encourage you to include a cover letter explaining why you’re interested in working at IOHK.

Closing date for applications: 1 July 2019

Contact: David Rountree

david.rountree (at) iohk.io

More information: https://iohk.io/careers/#op-286193-specialized-cryptography-engineer-

Event date: 10 June to 14 June 2019

Cryptography, Security & Privacy Research Group at Koç University has multiple openings at every level. Accepted applicants will receive competitive scholarships including tuition waiver, housing, monthly stipend, computer, travel support, etc.

• For applying online, and questions about the application-process for M.Sc. and Ph.D. positions, visit

  https://gsse.ku.edu.tr/en/admissions/application-requirements/

  All applications must be completed online. Deadline is 7 June 2019.

• For postdoctoral researcher positions, contact Assoc. Prof. Alptekin Küpçü directly, including full CV, sample publications, a research proposal, and 2-3 reference letters sent directly by the referees.

  http://home.ku.edu.tr/~akupcu

  Dates are flexible.

Applications with missing documents will not be considered.

Closing date for applications: 15 September 2019

Contact: gsse (at) ku.edu.tr

More information: https://crypto.ku.edu.tr/work-with-us/

The Institute of Applied Mathematics (IAM), Middle East Technical University (METU) offers academic positions in Cryptography. To this aim, we invite all scholars who are interested in full-time faculty positions starting from Assistant Professor level based on the academic profile of the applicant. We encourage you to send us your information if you have a solid research history with a strong publication record in all areas of cryptography.

Members of the institute are expected to pursue a vigorous research program, attract external research funding, and contribute strongly to the institute\'s teaching program at graduate level. Interested candidates are invited to submit an application online with following documents:

- Curriculum Vitae;

- Research Statement;

- Teaching Statement;

- Name and address of three references.

Closing date for applications: 15 June 2019

More information: https://iam.metu.edu.tr/open-faculty-positions

We are looking for post-doctoral researchers in symmetric crypto, mainly to evaluate the security of lightweight ciphers recently submitted to the NIST but topics are open.

The position is for 1 year, renewable twice.

Requirements:

- PhD degree in computer sciences or mathematics

- good programming skill

- publications in top IACR conferences

Closing date for applications:

Contact: Patrick Derbez: patrick.derbez (at) irisa.fr

SIX academic posts in the Department of Computer Science, University of Surrey

Salary: 32,236 to 95,462 GBP, depending on Qualifications, Experience and Role applied for.

The Department of Computer Science wishes to appoint up to SIX posts to support its ambitious strategic growth in student numbers, strengthening of its research directions and collaborations with industry. We are looking to attract talented individuals who will inspire, lead, and make a significance impact in research and on the student experience. There is an opportunity for posts to be aligned in new research areas to increase diverse research activity within the Department.

The Department has an international reputation for research and teaching. Research in the department is currently focused on two main areas - Nature Inspired Computing and Engineering (NICE), and Secure Systems, with expertise in security by design, cryptography, authentication, verification, distributed ledger technologies, trusted systems, IoT security, program analysis and cloud security. Surrey is recognised by NCSC as an ACE-CSR: Academic Centre of Excellence in Cyber Security Research.

The teaching posts offer an opportunity to contribute to teaching on undergraduate and postgraduate programmes. The Department is launching a new MSc in Data Science which includes a year in industry. The Department is also building a new 200 seater computer science teaching lab to support student growth and this offers exciting opportunities to innovate in teaching and pedagogical approaches to teaching.

The academic posts aim to strengthen the research of our existing research, especially at the interface between security and machine learning and in data science. We are also looking to diversify our research directions, for example in the areas of software engineering and programming language principles. There is an opportunity for posts to be aligned together to drive forward new research directions.

Closing date for applications: 9 June 2019

Contact: Dr Helen Treharne (h.treharne (at) surrey.ac.uk),

Head of Department

Professor Steve Schneider (s.schneider (at) surrey.ac.uk)

Director, Surrey Centre for Cyber Security

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=024919

Modern secure messaging protocols such as Signal can offer strong security guarantees, in particular Post-Compromise Security (PCS). The core PCS mechanism in these protocols is inherently pairwise, which causes bad scaling behaviour and makes PCS inefficient for large groups. To address this, two recently proposed designs for secure group messaging, ART and MLS Draft-04, use group keys derived from tree structures to efficiently enable PCS mechanisms in large groups.

In this work we highlight a previously unexplored difference between the pairwise and group-key based approaches. We show that without additional mechanisms, both ART and MLS Draft-04 offer significantly lower PCS guarantees than those offered by groups based on pairwise PCS channels. In particular, for MLS Draft-04, it seems that the protocol does not yet meet the informal PCS security guarantees described in the draft.

We explore the causes of this problem and lay out the design space to identify solutions. Optimizing security and minimizing overhead leads us to a promising solution based on (i) global updates and (ii) post-compromise secure signatures. While rotating signatures had been discussed before as options for both MLS and ART, our work indicates that combining specific update patterns for all groups with a post-compromise secure signature scheme, may be strictly necessary to achieve any reasonable PCS guarantee.

Using modular addition as a source of nonlinearity is frequently used in many symmetric-key structures such as ARX and Lai--Massey schemes. At FSE'16, Fu \etal proposed a Mixed Integer Linear Programming (MILP)-based method to handle the propagation of differential trails through modular additions assuming that the two inputs to the modular addition and the consecutive rounds are independent. However, this assumption does not necessarily hold. In this paper, we study the propagation of the XOR difference through the modular addition at the bit level and show the effect of the carry bit. Then, we propose a more accurate MILP model to describe the differential propagation through the modular addition taking into account the dependency between the consecutive modular additions. The proposed MILP model is utilized to launch a differential attack against Bel-T-256, which is a member of the Bel-T block cipher family that has been adopted recently as a national standard of the Republic of Belarus. In particular, we employ the concept of partial Differential Distribution Table to model the 8-bit S-Box of Bel-T using a MILP approach in order to automate finding a differential characteristic of the cipher. Then, we present a $4\frac{1}{7}$-round (out of 8) differential attack which utilizes a $3$-round differential characteristic that holds with probability $2^{-111}$. The data, time and memory complexities of the attack are $2^{114}$ chosen plaintexts, $ 2^{237.14} $ $4\frac{1}{7}$-round encryptions, and $2^{224}$ 128-bit blocks, respectively.

Two standard security properties of a non-interactive zero-knowledge (NIZK) scheme are soundness and zero-knowledge. But while standard NIZK systems can only provide one of those properties against unbounded adversaries, dual-mode NIZK systems allow to choose dynamically and adaptively which of these properties holds unconditionally. The only known dual-mode NIZK systems are Groth-Sahai proofs (which have proved extremely useful in a variety of applications), and the concurrent and independent FHE-based NIZK constructions of Canetti et al. and Peikert et al. However, all these constructions rely on specific algebraic settings.

Here, we provide a generic construction of dual-mode NIZK systems for all of NP. The public parameters of our scheme can be set up in one of two indistinguishable ways. One way provides unconditional soundness, while the other provides unconditional zero-knowledge. Our scheme relies on subexponentially secure indistinguishability obfuscation and subexponentially secure one-way functions, but otherwise only on comparatively mild and generic computational assumptions. These generic assumptions can be instantiated under any one of the DDH, k-LIN, DCR, or QR assumptions.

As an application, we reduce the required assumptions necessary for several recent obfuscation-based constructions of multilinear maps. Combined with previous work, our scheme can be used to construct multilinear maps from obfuscation and a group in which the strong Diffie-Hellman assumption holds. We also believe that our work adds to the understanding of the construction of NIZK systems, as it provides a conceptually new way to achieve dual-mode properties.

This paper presents the results of a new approach to the cryptanalysis of SIMON-$32/64$, a cipher published by NSA in 2013. Our cryptanalysis essentially considers combinatorial properties. These properties allow us to recover a secret key from two plaintext/ciphertext pairs, in a time ranging from a few hours to a few days, with rather limited computing resources. The efficiency of our cryptanalysis technique compared to all known cryptanalyses (including key exhaustive search) is a justification for not revealing the cryptanalysis techniques used. We have adopted a zero-knowledge-inspired method of proof which was initiated in \cite{filiol_e0}.

Multivariate public key signature scheme has a good performance on speed and signature size. But most of them have a huge public key size. In this paper, we propose a new method to reduce the public key size of unbalance oil and vinegar (UOV) signature scheme. We can reduce the public key size of UOV scheme to about 4KB for 128 bits security level. This method can be used to reduce the public key sizes of other multivariate public key cryptosystems.