International Association
for Cryptologic Research

IEEE 802.15.4 is a wireless standard used by a variety of higher-level protocols, including many used in the Internet of Things (IoT). A number of system on a chip (SoC) devices that combine a radio transceiver with a microcontroller are available for use in IEEE 802.15.4 networks. IEEE 802.15.4 supports the use of AES-CCM* for encryption and authentication of messages, and a SoC normally includes an AES accelerator for this purpose. This work measures the leakage characteristics of the AES accelerator on the Atmel ATMega128RFA1, and then demonstrates how this allows recovery of the encryption key from nodes running an IEEE 802.15.4 stack. While this work demonstrates the attack on a specific SoC, the results are also applicable to similar wireless nodes and to protocols built on top of IEEE 802.15.4.

In this paper we analyze the security of the compression function of SHA-1 against collision attacks, or equivalently free-start collisions on the hash function. While a lot of work has been dedicated to the analysis of SHA-1 in the past decade, this is the first time that free-start collisions have been considered for this function.

We exploit the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years. This results in particular in better differential paths than the ones used for hash function collisions so far.

Overall, our attack requires about $2^{50}$ evaluations of the compression function in order to compute a one-block free-start collision for a 76-step reduced version, which is so far the highest number of steps reached for a collision on the SHA-1 compression function. We have developed an efficient GPU framework for the highly branching code typical of a cryptanalytic collision attack and used it in an optimized implementation of our attack on recent GTX-970 GPUs.

We report that a single cheap US$350 GTX-970 is sufficient to find the collision in less than 5 days. This showcases how recent mainstream GPUs seem to be a good platform for expensive and even highly-branching cryptanalysis computations. Finally, our work should be taken as a reminder that cryptanalysis on SHA-1 continues to improve. This is yet another proof that the industry should quickly move away from using this function.

We give generic constructions of several fundamental cryptographic primitives based on a new encryption primitive that combines circular security for bit encryption with the so-called reproducibility property (Bellare et al. PKC 2003). At the heart of our constructions is a novel technique which gives a way of de-randomizing reproducible public-key bit-encryption schemes and also a way of reducing one-wayness conditions of a constructed trapdoor-function family (TDF) to circular security of the base scheme. The main primitives that we build from our encryption primitive include k-wise one-way TDFs (Rosen and Segev TCC 2009), CCA2-secure encryption and deterministic encryption. Our results demonstrate a new set of applications of circularly- secure encryption beyond fully-homomorphic encryption and symbolic soundness. Finally, we show the plausibility of our assumptions by showing that the DDH-based circularly-secure scheme of Boneh et al. (Crypto 2008) and the subgroup indistinguishability based scheme of Brakerski and Goldwasser are both reproducible.

\\textit{Khudra} is a block cipher proposed in the SPACE\'2014 conference, whose main design goal is to achieve suitability for the increasingly popular Field Programmable Gate Array (FPGA) implementation. It is an 18-round lightweight cipher based on recursive Feistel structure, with a 64-bit block size and 80-bit key size. In this paper, we compute the minimum number of active $F$-functions in differential characteristics in the related-key setting, and give a more accurate measurement of the resistance of \\textit{Khudra} against related-key differential cryptanalysis. We construct a related-key boomerang quartet with probability $2^{-48}$ for the 14-round \\textit{Khudra}, which is better than the highest probability related-key boomerang quartet of the 14-round \\textit{Khudra} of probability at most $2^{-72}$ claimed by the designers. Then we propose a related-key rectangle attack on the 16-round \\textit{Khudra} without whitening key by constructing a related-key rectangle distinguisher for 12-round \\textit{Khudra} with a probability of $2^{-23.82}$. The attack has time complexity of $2^{78.68}$ memory accesses and data complexity of $2^{57.82}$ chosen plaintexts, and requires only four related keys. This is the best known attack on the round-reduced \\textit{Khudra}.

Applications are invited for a PhD position in the field of cryptography at the Universitat Pompeu Fabra in Barcelona, Spain.

The applicant will join the research group in Wireless Communications and will be co-supervised by Dr. Vanesa Daza and Dr. Carla Ràfols. The topic of research will be interactions between multiparty computation and zero-knowledge proofs.

The candidate should have completed his/her master´s degree by Oct. 2015 in computer science, mathematics or a related area.

The starting date will be around Oct. 2015 and the student will receive a PhD stipend from the Universitat Pompeu Fabra (http://www.upf.edu/dtic_doctorate/_pdf/dtic_upf_phd_calll_2015_16.pdf)

Applications should start with a a short motivation letter, include a full CV, a copy of grade transcript(s) of completed studies and (when possible) one name of reference.

To apply or request further information, please send an email to

cryptoPhDapplications (at) upf.edu. The review of applications will start on June 15th and continue until the position is filled.

Submission: 17 December 2015
Notification: 23 January 2016
From April 13 to April 15
Location: Fes, Morocco
More Information: http://africacrypt2016.aui.ma/index.html

Digital signature is a fundamental primitive with numerous applications. Following the development of pairing-based cryptography, several taking advantage of this setting have been proposed. Among them, the Camenisch-Lysyanskaya (CL) signature scheme is one of the most flexible and has been used as a building block for many other protocols. Unfortunately, this scheme suffers from a linear size in the number of messages to be signed which limits its use in many situations.

In this paper, we propose a new signature scheme with the same features as CL-signatures but without the linear-size drawback: our signature consists of only two elements, whatever the message length, and our algorithms are more efficient. This construction takes advantage of using type 3 pairings, that are already widely used for security and efficiency reasons.

We prove the security of our scheme without random oracles but in the generic group model. Finally, we show that protocols using CL-signatures can easily be instantiated with ours, leading to much more efficient constructions.

We propose new generic key recovery attacks on Feistel-type block ciphers. The

proposed attack is based on the all subkeys recovery approach presented in SAC 2012, which

determines all subkeys instead of the master key. This enables us to construct a key recovery

attack without taking into account a key scheduling function. With our advanced techniques,

we apply several key recovery attacks to Feistel-type block ciphers. For instance, we show

8-, 9- and 11-round key recovery attacks on n-bit Feistel ciphers with 2n-bit key employing

random keyed F-functions, random F-functions, and SP-type F-functions, respectively.

Moreover, thanks to the meet-in-the-middle approach, our attack leads to low-data complexity.

To demonstrate the usefulness of our approach, we show a key recovery attack on the

8-round reduced CAST-128, which is the best attack with respect to the number of attacked

rounds. Since our approach derives the lower bounds on the numbers of rounds to be secure

under the single secret key setting, it can be considered that we unveil the limitation of

designing an efficient block cipher by a Feistel scheme such as a low-latency cipher.

Profiled side-channel attacks are understood to be powerful when applicable: in the best case when an adversary can comprehensively characterise the leakage, the resulting model leads to attacks requiring a minimal number of leakage traces for success. Such `complete\' leakage models are designed to capture the scale, location and shape of the profiling traces, so that any deviation between these and the attack traces potentially produces a mismatch which renders the model unfit for purpose. This severely limits the applicability of profiled attacks in practice and so poses an interesting research challenge: how can we design profiled distinguishers that can tolerate (some) differences between profiling and attack traces?

This submission is the first to tackle the problem head on: we propose distinguishers (utilising unsupervised machine learning methods, but also a `down-to-earth\' method combining mean traces and PCA) and evaluate their behaviour across an extensive set of distortions that we apply to representative trace data. Our results show that the profiled distinguishers are effective and robust to distortions to a surprising extent.

Securely sharing the same secret key among multiple parties

is the main concern in symmetric cryptography that is the workhorse

of modern cryptography due to its simplicity and fast speed. Typically asymmetric cryptography is used to set up a shared secret between parties, after which the switch to symmetric cryptography can be made. In this paper, we introduce a novel key exchange protocol based on physical hardware implementation to establish a shared secret between parties rather than relying on mathematical implementation of asymmetric cryptography. In particular, the key exchange is dependent on a new security concept named as virtual proof of reality or simply virtual proof (VP) that enables proof of a physical statement over untrusted digital communication channels between two parties (a prover and a verifier) residing in two separate local systems. We firstly exploit the VP to secure key exchange and further prove it by using experimental data. The key transferred in this protocol is only seen by the prover and hidden from not only the adversary but also the verifier. While only the verifier can successfully discover it.

The Computer Science department at the University of Auckland seeks 2 Ph.D. Students to join the cloud security team led by Dr. Giovanni Russello.

This research will take place in a new MBIE-funded Cyber Security STRATUS (Security Technologies Returning Accountability, Transparency and User-centric Services to the Cloud) project and will be in collaboration with University of Waikato, UniTech, the Cloud Security Alliance, and several New Zealand-based industrial partners (https://stratus.org.nz). The aim is to research novel yet practical cloud security tools to be adopted by the industry partners.

The research conducted by the University of Auckland’s team will focus on applied cryptography for retrieval and processing of encrypted data in outsourced and untrusted environments. This involves a substantial program of research to develop, implement and apply to industrial case studies.

Applicants are required to have completed (or be close to completing) a Master degree (or equivalent) with outstanding grades in Computer Science, Mathematics, or closely related areas. Additional knowledge in related disciplines such as, e.g., complexity theory or IT security is welcome.

The candidate should be able not only to design but also implement working prototypes of the crypto scheme developed during the research period.

The STRATUS project will provide a stipend of 25,000 NZD p.a. and cover the costs of the tuition fee for 3 years.

Link: http://careers.uniservices.co.nz/research-development-jobs/research-scientist-ph-d-students-computer-science/232874

The Computer Science department at the University of Auckland seeks a Research Fellow/Postdoctoral Researcher to join the cloud security team led by Dr. Giovanni Russello.

This research will take place in a new MBIE-funded Cyber Security STRATUS (Security Technologies Returning Accountability, Transparency and User-centric Services to the Cloud) project and will be in collaboration with University of Waikato, UniTech, the Cloud Security Alliance, and several New Zealand-based industrial partners (https://stratus.org.nz). The aim is to research novel yet practical cloud security tools to be adopted by the industry partners.

The research conducted by the University of Auckland’s team will focus on applied cryptography for retrieval and processing of encrypted data in outsourced and untrusted environments. This involves a substantial program of research to develop, implement and apply to industrial case studies.

This is a full time post for a fixed-term of 2 years. Salary starts at 74000 NZD per annum.

Applicants should have a Ph.D. in computer science in a relevant field (cloud security with emphasis on crypto solutions) a demonstrable research interest in the area of applied crypto with emphasis in homomorphic encryption for encrypted data processing and retrieval focusing on cloud computing, and experience in designing, analysing, and efficiently implement novel crypto algorithms. Previous experience in the area of big data with emphasis on privacy/confidentiality would be advantageous.

Link: http://careers.uniservices.co.nz/research-development-jobs/research-assistant-research-fellow-postdoctoral-researcher-computer-science/232873

Submission: 10 August 2015
Notification: 8 October 2015
From November 1 to November 3
Location: Beijing, China
More Information: http://inscrypt.cn/

In this paper, we present a single round two-party attribute-based authenticated key exchange protocol. Since pairing is a costly operation and the composite order groups must be very large to ensure security, we focus on pairing free protocols in prime order groups. We propose a new protocol that is pairing free, working in prime order group and having tight reduction to Strong Diffie Hellman (SDH) problem under the Attribute-based CK model which is a natural extension of the CK model for the public key setting. Our proposed attribute based authenticated key exchange protocol (ABAKE) also does not depend on any underlying attribute based encryption schemes unlike the previous solutions for ABAKE. Ours is the first scheme that removes this restriction. Thus, the first major advantage is that smaller key sizes are sufficient to achieve comparable security. Our scheme has several other advantages. The major one being the capability to handle active adversaries. Most of the previous Attribute-Based authenticated key exchange protocols can offer security only under passive adversaries. Our protocol recognizes the corruption by an active adversary and aborts the process. In addition to this property, our scheme satisfies other security properties that are not covered by CK model such as forward secrecy, key compromise impersonation attacks and ephemeral key compromise impersonation attacks.

We present a new, decentralized, efficient, and secure digital cryptocurrency, in which the ordinary users themselves keep turns to ensure that the systems works well.

We give a simple heuristic sieving algorithm for the $m$-dimensional

exact shortest vector problem

(SVP) which runs in time $2^{0.3112m +o(m)}$. Unlike previous time-memory

trade-offs, we do not increase the memory, which stays at its bare minimum

$2^{0.2075m +o(m)}$. To achieve this complexity, we borrow a recent tool

from coding theory, known as nearest neighbor search for binary code

words. We simplify its analysis, and show that it can be adapted to solve

this variant of the fixed-radius nearest neighbor search problem:

Given a list of exponentially many unit vectors of $\\mR^m$, and an

angle $\\gamma\\pi$, find all pairs of

vectors whose angle $\\leq\\gamma\\pi$. The complexity is sub-quadratic which leads to the improvement for lattice sieves.

Recently, there has been huge progress in the field of concretely efficient secure computation, even while providing security in the presence of malicious adversaries. This is especially the case in the two-party setting, where constant-round protocols exist that remain fast even over slow networks. However, in the multi-party setting, all concretely efficient fully-secure protocols, such as SPDZ, require many rounds of communication.

In this paper, we present an MPC protocol that is fully-secure in the presence of malicious adversaries and for any number of corrupted parties. Our construction is based on the constant-round BMR protocol of Beaver et al., and is the first fully-secure version of that protocol that makes black-box usage of the underlying primitives, and is therefore concretely efficient.

Our protocol includes an online phase that is extremely fast and mainly consists of each party locally evaluating a garbled circuit. For the offline phase we present both a generic construction (using any underlying MPC protocol), and a highly efficient instantiation based on the SPDZ protocol. Our estimates show the protocol to be considerably more efficient than previous fully-secure multi-party protocols.

We provide a formal treatment of security of digital signatures against *subversion attacks* (SAs).

Our model of subversion generalizes previous work in several directions, and is inspired by the proliferation of software attacks (e.g.,\\ malware and buffer overflow attacks), and by the recent revelations of Edward Snowden about intelligence agencies trying to surreptitiously sabotage cryptographic algorithms.

The main security requirement we put forward demands that a signature scheme should remain unforgeable even in the presence of an attacker applying SAs (within a certain class of allowed attacks) in a fully-adaptive and *continuous* fashion.

Previous notions---e.g.,\\ the notion of security against algorithm-substitution attacks introduced by Bellare et al. (CRYPTO \'14) for symmetric encryption---were non-adaptive and non-continuous.

In this vein, we show both positive and negative results for the goal of constructing subversion-resilient signature schemes.

-Negative results. As our main negative result, we show that a broad class of randomized signature schemes is unavoidably insecure against SAs, even if using just a single bit of randomness.

This improves upon earlier work that was only able to attack schemes with larger randomness space. When designing our new attack we consider undetectability as an explicit adversarial goal, meaning that the end-users (even the ones knowing the signing key) should not be able to detect that the signature scheme was subverted.

-Positive results. We complement the above negative results by showing that signature schemes with *unique* signatures are subversion-resilient against all attacks that meet a basic undetectability requirement. A similar result was shown by Bellare et al. for symmetric encryption, who proved the necessity to rely on *stateful* schemes; in contrast unique signatures are *stateless*, and in fact they are among the fastest and most established digital signatures available.

We finally show that it is possible to devise signature schemes secure against arbitrary tampering with the computation, by making use of an un-tamperable cryptographic reverse firewall (Mironov and Stephens-Davidowitz, EUROCRYPT \'15), i.e., an algorithm that \"sanitizes\" any signature given as input (using only public information). The firewall we design allows to successfully protect so-called re-randomizable signature schemes (which include unique signatures as special case).

As an additional contribution, we extend our model to consider multiple users and show implications and separations among the various notions we introduced.

While our study is mainly theoretical, due to its strong practical motivation, we believe that our results have important implications in practice and might influence the way digital signature schemes are selected or adopted in standards and protocols.

The selfish-mine strategy in Bitcoin allows a miner to gain mining rewards more than her fair share. Prior defenses focus on preventing the attacker from winning a block race of equal-length chains. However, an attacker with more than one third of the computational power can still earn more block rewards even if she loses all equal-length block races. In this work we propose a novel defense mechanism. Our defense requires miners to publish intermediate blocks, or in-blocks for short, blocks that are valid with slightly lower puzzle difficulty, and mine on each others\' in-blocks. When a fork happens, the branch with most total amount of work, rather than the longest chain, will be adopted. Under our scheme, a selfish miner needs to have almost half of the computational power of the network to gain an unfair advantage, thus the selfish-mine strategy is no longer a threat to the system.