International Association
for Cryptologic Research

We introduce the problem of private signaling. In this problem, a sender posts a message to a certain location of a public bulletin board, and then computes a signal that allows only the intended recipient (and no one else) to learn that it is the recipient of the posted message. Besides privacy, this problem has the following crucial efficiency requirements. First, the sender and recipient do not participate in any out-of-band communication, and second, the overhead of the recipient should be asymptotically better than scanning the entire board.

Existing techniques, such as the server-aided fuzzy message detection (Beck et al., CCS’21), could be employed to solve the private signaling problem. However, this solution requires that the computational effort of the recipient grows with the amount of privacy desired, providing no saving over scanning the entire board if the maximum privacy is required.

In this work, we present a server-aided solution to the private signaling problem that guar- antees full privacy for all recipients, while requiring only constant amount of work for both the recipient and the sender. We provide the following contributions. First, we provide a formal definition of private signaling in the Universal Composability (UC) framework and show that it generalizes several real-world settings where recipient anonymity is desired. Second, we present two protocols that UC-realize our definition: one using a single server equipped with a trusted execution environment, and one based on two servers that employs garbled circuits. Third, we provide an open-source implementation of both of our protocols and evaluate their performance and show that they are practical.

A full funded (at UK/EU-home rate) PhD studentship is available at UWE Bristol. The studentship is themed around fuzzing and the candidate should have an interest in Software Security and AI. UWE is an accredited (by the UK's National Cyber Security Centre (NCSC)) Centre of Excellence in Cyber Security Education. You will be joining the Cyber Security team (http://www.cems.uwe.ac.uk/~pa-legg/uwecyber/) part of the Computer Science Research Centre (https://www.uwe.ac.uk/research/centres-and-groups/csrc). The student will be supervised by Dr Panagiotis Andriotis, and Prof Jun Hong. The deadline for applications is 1st July 2021. When applying, please use the Application Reference: 2021-OCT-FET03 For any queries, contact Dr Panagiotis Andriotis (Panagiotis.Andriotis@uwe.ac.uk)

Closing date for applications:

Contact: Dr Panagiotis Andriotis (Panagiotis.Andriotis@uwe.ac.uk)

More information: https://www.uwe.ac.uk/research/postgraduate-research-study/how-to-apply/studentship-opportunities/fet-phd-studentships#section-5

In the project SEC4FACTORY financed by the Swedish Foundation for Strategic Research, we are developing the future security solutions for interconnected factories or what is often referred to Industry 4.0 systems. The project objectives are to investigate how cloud based resources can be used to control and supervise production system while at the same time offering a high level of information security, availability and performance. We are in particular looking into how one can use digital twins to improve security in production systems. Especially, we welcome candidates interested in the combination of AI and security for these applications The project is developing a large demonstrator showing how the new security mechanisms work in practice. We are now looking for a new post-doc that can join the project and give significant contributions to the research.

Closing date for applications:

Contact: Christian Gehrmann

More information: https://lu.varbi.com/en/what:job/jobID:411795/

The College of Science and Engineering (CSE) in Hamad Bin Khalifa University (HBKU) is seeking to recruit a full-time Post-Doctoral Research Fellow (PDRF) to work in the area of Physical Layer Security (PLS). The position is available for 2-3 years (minimum), renewable every year based on performance.

Post description
The PDRF will work with a member of the CSE faculty on topics related to PLS. In particular, the PDRF will join international academic and industry teams as part of 3 externally funded projects focusing on PLS in IOT, Satellite Communication and Underwater Communication (with collective fund of 1.5M USD). The PDRF will have the opportunity to work with other faculty and postdocs within CSE on related areas within or outside the scope of the projects above, but still in PLS.

Duration
Initially, the post is for 12 months, then based on satisfactory performance, the contract can be renewed for several years. Although the resource will work on externally funded projects, this is an internally funded position and is not bound to a fixed-term external fund.

Qualifications
Candidates are expected to have a PhD in relevant disciplines with excellent research track record and to have published on reputable venues.

Remuneration
HBKU offers an attractive compensation package that includes a tax-free salary and benefits (up to 85,000 USD per annum + benefits)

Deadline
Applications will be reviewed on a rolling basis until the position is filled. However, successful applicant should expect around 3-4 months hiring process.

Apply and further information
For further information and to apply, please send your CV, research statement and cover letter to Dr. Saif Al-Kuwari smalkuwari@hbku.edu.qa. The personal statement should include information about the candidate’s qualification and relevant research experience (highlighting research directly related to PLS in IOT, Satellite, Underwater communication).

Closing date for applications:

Contact: Dr. Saif Al-Kuwari, smalkuwari@hbku.edu.qa

More information: https://www.hbku.edu.qa

We introduce a new technique for indexing joins in encrypted SQL databases called partially precomputed joins which achieves lower leakage and bandwidth than those used in prior constructions. These techniques are incorporated into state-of-the-art structured encryption schemes for SQL data, yielding a hybrid indexing scheme with both partially and fully precomputed join indexes. We then introduce the idea of leakage-aware query planning by giving a heuristic that helps the client decide, at query time, which index to use so as to minimize leakage and stay below a given bandwidth budget. We conclude by simulating our constructions on real datasets, showing that our heuristic is accurate and that partially-precomputed joins perform well in practice.

This paper extends the two-candidate's protocol of Spadafora et al. to the multi-candidate case, making it applicable to elections where each voter expresses $P$ preferences among $M$ possible choices. The generalized protocol still achieves coercion and vote-selling resistance while being transparent, fully verifiable and receipt-based. The protocol relies on a generic blockchain with standard properties, and we prove the security of the construction under the standard Decisional Diffie Hellman assumption.

The threat of quantum computers has sparked the development of a new kind of cryptography to resist their attacks. Isogenies between elliptic curves are one of the tools used for such cryptosystems. They are championed by SIKE (Supersingular isogeny key encapsulation), an "alternate candidate" of the third round of the NIST Post-Quantum Cryptography Standardization Process. While all candidates are believed to be mathematically secure, their implementations may be vulnerable to hardware attacks. In this work we investigate for the first time whether Ti's 2017 theoretical fault injection attack is exploitable in practice. We also examine suitable countermeasures. We manage to recover the secret thanks to electromagnetic fault injection on an ARM Cortex A53 using a correct and an altered public key generation. Moreover we propose a suitable countermeasure to detect faults that has a low overhead as it takes advantage of a redundancy already present in SIKE implementations.

This paper presents a side-channel analysis (SCA) on key encapsulation mechanism (KEM) based on Fujisaki–Okamoto (FO) transformation. FO transformation has been widely used for realizing actively secure KEMs from passively secure public key encryption (PKE), as it is employed in most of NIST post-quantum cryptography (PQC) candidates for KEM. The proposed attack exploits side-channel leakage from target implementation during execution of psuedorandom function (PRF) in re-encryption of KEM decapsulation as a plaintext-checking oracle that tells whether the PKE decryption result is equivalent to the reference plaintext. Due to the generality and practicality of the plaintext-checking oracle, the proposed attack can attain a full key recovery of various KEMs where an active attack on the underlying PKE is known. This paper demonstrates that the proposed attack can perform a full key recovery on most NIST PQC third-round candidates for KEM, namely, Kyber, Saber, FrodoKEM, NTRU Prime, NTRU, HQC, BIKE, and SIKE. For BIKE, the proposed attack achieves a partial key recovery. The applicability to Classic McEliece is unclear because no active attack on Classic McEliece using a plaintext-checking oracle is known. This paper also presents a side-channel distinguisher design based on deep learning (DL) for mounting the proposed attack on practical implementation, which requires no profiling device. This paper validates the attack feasibility through experimental attacks on various PRF implementations (herein, a SHAKE software, an AES software, a masked AES software, and a masked AES hardware). As a result, we confirm the practicality as the proposed attack is successful for all implementation used in the experiment, including masked hardware based on threshold implementation.

The classic work of Gorbunov, Vaikuntanathan and Wee (CRYPTO 2012) and follow-ups provided constructions of bounded collusion Functional Encryption (FE) for circuits from mild assumptions. In this work, we improve the state of affairs for bounded collusion FE in several ways:

1. $New$ $Security$ $Notion$. We introduce the notion of $dynamic$ bounded collusion FE, where the declaration of collusion bound is delayed to the time of encryption. This enables the encryptor to dynamically choose the collusion bound for different ciphertexts depending on their individual level of sensitivity. Hence, the ciphertext size grows linearly with its own collusion bound and the public key size is independent of collusion bound. In contrast, all prior constructions have public key and ciphertext size that grow at least linearly with a fixed bound $Q$.

2. $CPFE$ $for$ $circuits$ $with$ $Dynamic$ $Bounded$ $Collusion$. We provide the first CPFE schemes for circuits enjoying dynamic bounded collusion security. By assuming identity based encryption (IBE), we construct CPFE for circuits of $unbounded$ size satisfying $non-adaptive$ simulation based security. By strengthening the underlying assumption to IBE with receiver selective opening security, we obtain CPFE for circuits of $bounded$ size, output length and depth enjoying $adaptive$ simulation based security. Moreover, we show that IBE is a necessary assumption for these primitives.

Moreover, by relying on the Learning With Errors (LWE) assumption, we obtain the first $succinct$ CPFE for circuits, i.e. supporting circuits with unbounded size, but fixed output length and depth. This scheme achieves $adaptive$ simulation based security.

3. $KPFE$ $for$ $circuits$ $with$ $dynamic$ $bounded$ $collusion$. We provide the first KPFE for circuits of unbounded size, but bounded depth and output length satisfying dynamic bounded collusion security. Our construction relies on LWE and achieves $adaptive$ simulation based security. This improves the security of succinct KPFE by Goldwasser et al. [GKPVZ13b].

4. $KP$ $and$ $CP$ $FE$ $for$ $TM/NL$ $with$ $dynamic$ $bounded$ $collusion$. We provide the first KPFE and CPFE constructions of bounded collusion functional encryption for Turing machines in the public key setting from LWE. Our constructions achieve non-adaptive simulation based security. Both the input and the machine in our construction can be of $unbounded$ polynomial length but the ciphertext size grows with the upper bound on the running time of the Turing machine on the given input. Given RAM access to the ciphertext, the scheme enjoys input specific decryption time.

We provide a variant of the above scheme that satisfies $adaptive$ security, but at the cost of supporting a smaller class of computation, namely Nondeterministic Logarithmic-space (NL). Since NL contains Nondeterministic Finite Automata (NFA), this result subsumes $all$ prior work of bounded collusion FE for uniform models from standard assumptions [AMY19,AS17].

Functional Encryption is a powerful notion of encryption in which each decryption key is associated with a function $f$ such that decryption recovers the function evaluation $f(m)$. Informally, security states that a user with access to function keys $\mathsf{sk}_{f_1}, \mathsf{sk}_{f_2}, \ldots$ (and so on) can only learn $f_1(m), f_2(m), \ldots$ (and so on) but nothing more about the message. The system is said to be $q$-bounded collusion resistant if the security holds as long as an adversary gets access to at most $q = q(\lambda)$ function keys. A major drawback of such \emph{statically} bounded collusion systems is that the collusion bound $q$ must be declared at setup time and is fixed for the entire lifetime of the system.

We initiate the study of \emph{dynamically} bounded collusion resistant functional encryption systems which provide more flexibility in terms of selecting the collusion bound, while reaping the benefits of statically bounded collusion FE systems (such as quantum resistance, simulation security, and general assumptions). Briefly, the virtues of a dynamically bounded scheme can be summarized as:

(i) [Fine-grained individualized selection.] It lets each encryptor select the collusion bound by weighing the trade-off between performance overhead and the amount of collusion resilience.

(ii) [Evolving encryption strategies.] Since the system is no longer tied to a single collusion bound, thus it allows to dynamically adjust the desired collusion resilience based on any number of evolving factors such as the age of the system, or a number of active users, etc.

(iii) [Ease and simplicity of updatability.] None of the system parameters have to be updated when adjusting the collusion bound. That is, the same key $\mathsf{sk}_f$ can be used to decrypt ciphertexts for collusion bound $q = 2$ as well as $q = 2^\lambda$.

We construct such a dynamically bounded functional encryption scheme for the class of all polynomial-size circuits under the general assumption of Identity-Based Encryption.

This is team SmartPools’ submission for the first Ergo Hackathon. It suggests that Ergo lacks the decentralization, and focus on regular people that it was designed for, and presents a potential solution for these problems in laying the framework for crowdfunded smart contract pools compatible with non-outsourceabilty. It should allow for pool formation with a greater level of decentralization than previously possible by including metrics for diminishing returns on over-contributing hash power to pools with data gathered from Ergo Oracles. This work is informal and preliminary. Further research is required to formalize this work and attempt to provide functional proof for its arguments; readers are highly encouraged to read the included references, and their references, for greater clarity.

Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-based digital signatures base their security on one-way functions that in practice are instantiated by hash functions. Hash-based signatures are widely studied and are part of NIST's post-quantum standardization effort.

In this paper we present a multi-target attack that we call Intermediate Secret-Guessing attack on two hash-based signatures: XMSS^MT (Draft SP 800-208 that was considered by NIST for standardization), and K2SN-MSS (AsiaCCS 2019). The attack allows an adversary to forge a signature on an arbitrary message. We describe the intuition behind the attack and give details of its application on the attacked schemes together with corresponding theoretical analysis. The attack implies that the effective security levels of XMSS (a special case of XMSS^MT), XMSS^MT, and K2SN-MSS are 10, 39 and 12 bits lower than their designed security levels given access to $2^{20}$, $2^{60}$, and $2^{20}$ signatures, respectively.

We implement the attack for each scheme, and give our results for reduced security parameters that validate our theoretical analysis. We also show that the attack can be avoided by modifying the application of a pseudorandom function for key generation. Our work shows the subtleties of replacing randomness with pseudo-randomness in the key generation of hash-based signatures, and the need for careful analysis of such designs.

We show in this note that bounded KEM IND-CCA security (IND-qCCA) is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext holds an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in the Fujisaki-Okamoto transform. Such KEMs could be used in the recently proposed KEMTLS protocol [ACM CCS 2020] that requires IND-1CCA ephemeral key-exchange mechanisms. We also highlight and briefly discuss several use cases of IND-1CCA KEMs in TLS and ratcheting primitives.

Starting with the work of Rivest et al. in 1996, timed assumptions have found many applications in cryptography, building e.g. the foundation of the blockchain technology. They also have been used in the context of classical MPC, e.g. to enable fairness. We follow this line of research to obtain composable generic MPC in the plain model. This approach comes with a major advantage regarding environmental friendliness, a property coined by Canetti et al. (FOCS 2013). Informally, this means that our constructions do not “hurt” game-based security properties of protocols that hold against polynomial-time adversaries when executed alone. As an additional property, they can be plugged into any UC-secure protocol without loss of security. Towards proving the security of our constructions, we introduce a variant of the UC security notion that captures timed cryptographic assumptions. Combining standard timed commitments and standard polynomial-time hardness assumptions, we construct a composable commitment scheme in the plain model. As this construction is constant-round and black-box, we obtain the first fully environmentally friendly composable constant-round black-box generic MPC protocol in the plain model from standard (timed) assumptions.

Modern cryptography fundamentally relies on the assumption that the adversary trying to break the scheme is computationally bounded. This assumption lets us construct cryptographic protocols and primitives that are known to be impossible otherwise. In this work we explore the effect of bounding the adversary's power in other information theoretic proof-systems and show how to use this assumption to bypass impossibility results.

We first consider the question of constructing succinct PCPs. These are PCPs whose length is polynomial only in the length of the original NP witness (in contrast to standard PCPs whose length is proportional to the non-deterministic verification time). Unfortunately, succinct PCPs are known to be impossible to construct under standard complexity assumptions. Assuming the sub-exponential hardness of the learning with errors (LWE) problem, we construct succinct probabilistically checkable arguments or PCAs (Zimand 2001, Kalai and Raz 2009), which are PCPs in which soundness is guaranteed against efficiently generated false proofs. Our PCA construction is for every NP relation that can be verified by a small-depth circuit (e.g., SAT, clique, TSP, etc.) and in contrast to prior work is publicly verifiable and has constant query complexity. Curiously, we also show, as a proof-of-concept, that such publicly-verifiable PCAs can be used to derive hardness of approximation results.

Second, we consider the notion of Instance Compression (Harnik and Naor, 2006). An instance compression scheme lets one compress, for example, a CNF formula $\varphi$ on $m$ variables and $n \gg m$ clauses to a new formula $\varphi'$ with only $poly(m)$ clauses, so that $\varphi$ is satisfiable if and only if $\varphi'$ is satisfiable. Instance compression has been shown to be closely related to succinct PCPs and is similarly highly unlikely to exist. We introduce a computational analog of instance compression in which we require that if $\varphi$ is unsatisfiable then $\varphi'$ is effectively unsatisfiable, in the sense that it is computationally infeasible to find a satisfying assignment for $\varphi'$ (although such an assignment may exist). Assuming the same sub-exponential LWE assumption, we construct such computational instance compression schemes for every bounded-depth NP relation. As an application, this lets one compress $k$ formulas $\phi_1,\dots,\phi_k$ into a single short formula $\phi$ that is effectively satisfiable if and only if at least one of the original formulas was satisfiable.

Event date: 16 December to 18 December 2021
Submission deadline: 26 July 2021
Notification: 6 September 2021

Event date: 2 December to 4 December 2021
Submission deadline: 31 August 2021
Notification: 31 October 2021

Event date: 9 November to 13 November 2021
Submission deadline: 7 July 2021
Notification: 30 August 2021

King Khaled University announces an opportunity to apply for an Assistant Professor and above job in Abha, Kingdom of Saudi Arabia at College of Computer Science. The College of Computer Science has 3 Programs in Information Security namely MSc in Information Security, High Diploma in Cyber Security and Information Security tracks in three BSc programs (Computer Science, Information Systems and Computer Engineering).

Closing date for applications:

Contact: Dr. Sarah Abu Ghazalah sabugazalah@kku.edu.sa

More information: https://cs.kku.edu.sa/en

We are currently seeking to recruit a Post-Doctoral Researcher in security and privacy for e-health and smart wearables. The position is funded by Holistics, a 7.4 million research project supported by the Disruptive Technologies Innovation Fund. Holistics focuses on smart human sensing for health, aging and wellness. The Post-Doctoral Researcher will investigate how to achieve privacy-preserving computation of medical and physiological information collected by wearables and other sensors. In particular, the research will focus on cryptographic protocols and privacy enhancing technologies, in order to provide data and communication security, as well as blockchain technology, to provide traceability and user control.
The researcher is expected to have a PhD, and a track record of publications in the areas of security, privacy or cryptography. Previous experience in e-health and wearable security is welcome, but not required. The Post-Doctoral Researcher will work under the supervision of Dr. Paolo Palmieri, and will collaborate with other members of the team working on security and privacy, including a number of PhD students. Funding is available for 1 year, with an end date of August 2022. Funding for travel and research costs is also available. The start date is flexible, but early availability is an asset.

Deadline for applications: 25-Jun-2021 12:00 (noon) Irish time

Closing date for applications:

Contact: For informal discussion please contact Dr. Paolo Palmieri at p.palmieri@cs.ucc.ie
Applications must be submitted by the deadline on the university HR portal (select Job ID no. 046751): https://ore.ucc.ie/pls/corerecruit/

More information: https://my.corehr.com/pls/uccrecruit/erq_jobspec_version_4.display_form?p_company=5023&p_internal_external=E&p_display_in_irish=N&p_applicant_no=&p_recruitment_id=046751&p_process_type=&p_form_profile_detail=&p_display_apply_ind=Y&p_refresh_search=Y