International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

02 July 2015

Nizamud Din, Arif Iqbal Umar, Abdul Waheed, Noor Ul Amin
ePrint Report
Secure multicast communication has a growing number of applications. Forward secrecy is of prime importance and ensures message confidentiality even if the long-term private key is compromised. We present an efficient construction of multi message multi receiver signcryption with forward secrecy on elliptic curves. It provides confidentiality, integrity, authenticity, non-repudiation, public verifiability, unforgeability and forward secrecy of multi message multicast. It is efficient in computation cost and communication overhead and suitable for resource constrained IP-based secure multi message multicast systems.

Ruhul Amin, G.P. Biswas
ePrint Report
Session key agreement protocols using smart cards are extremely popular in client-server environments for secure communication. Remote user authentication protocols play a crucial role in our daily life, such as e-banking, bill-pay, online games, e-recharge, wireless sensor networks, medical systems, ubiquitous devices etc. Recently, Djellali et al. proposed a session key agreement protocol using smart cards for ubiquitous devices. The main focus of this paper is to analyze security pitfalls of smart card and password based user authentication schemes. We have carefully reviewed Djellali et al.'s scheme and found that the same scheme suffers from several security weaknesses such as off-line password guessing attack and privileged insider attack. Moreover, we demonstrate that Djellali et al.'s scheme does not provide proper security protection on the secret key of the server and presents an inefficient password change phase.

Duc-Phong Le, Chik How Tan, Michael Tunstall
ePrint Report
In this paper, we present novel randomized techniques to enhance Montgomery powering ladder. The proposed techniques increase the resistance against side-channel attacks and especially recently published correlation collision attacks in the horizontal setting. The first of these operates by randomly changing state such that the difference between registers varies, unpredictably, between two states. The second algorithm takes a random walk, albeit tightly bounded, along the possible addition chains required to compute an exponentiation. We also generalize the Montgomery powering ladder and present randomized (both left-to-right and right-to-left) $m$-ary exponentiation algorithms.
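The Montgomery powering ladder that the abstract builds on, as an added example (this is not code from the paper): a Python implementation of the plain ladder with a check of the register invariant $R_1 = R_0 \cdot g$ that holds after every step, plus a standard left-to-right $m$-ary (fixed-window) exponentiation. The fixed relationship between the two registers is the kind of regularity a horizontal correlation collision attack exploits; the paper's randomized variants, which are not reproduced here, are designed to vary it. The group (integers modulo a prime $p$) and all parameters are choices made for this example.

```python
from typing import List, Optional, Tuple


def montgomery_ladder(g: int, e: int, p: int,
                      trace: Optional[List[Tuple[int, int]]] = None) -> int:
    """Return g**e mod p using the Montgomery powering ladder.

    Every iteration performs exactly one multiply and one square whichever
    bit is processed, and the registers keep the invariant R1 == R0 * g (mod p).
    If `trace` is given, the (R0, R1) pair after each step is appended to it.
    """
    r0, r1 = 1, g % p
    for i in range(e.bit_length() - 1, -1, -1):   # most significant bit first
        if (e >> i) & 1:
            r0 = (r0 * r1) % p        # R0 <- R0 * R1
            r1 = (r1 * r1) % p        # R1 <- R1^2
        else:
            r1 = (r0 * r1) % p        # R1 <- R0 * R1
            r0 = (r0 * r0) % p        # R0 <- R0^2
        if trace is not None:
            trace.append((r0, r1))
    return r0


def ladder_invariant_holds(g: int, e: int, p: int) -> bool:
    """True if R1 == R0 * g held after every ladder step for this exponent."""
    trace: List[Tuple[int, int]] = []
    montgomery_ladder(g, e, p, trace)
    return all(r1 == (r0 * g) % p for r0, r1 in trace)


def m_ary_exp(g: int, e: int, p: int, w: int = 2) -> int:
    """Left-to-right 2**w-ary exponentiation with a precomputed table g^0..g^(m-1)."""
    m = 1 << w
    table = [1] * m
    for i in range(1, m):
        table[i] = (table[i - 1] * g) % p
    digits = []                        # base-m digits of e, least significant first
    while e:
        digits.append(e & (m - 1))
        e >>= w
    acc = 1
    for d in reversed(digits):
        for _ in range(w):             # w squarings per digit
            acc = (acc * acc) % p
        acc = (acc * table[d]) % p     # one table multiply, even when d == 0
    return acc


if __name__ == "__main__":
    g, e, p = 5, 0b1011001, 10007      # constructed toy parameters
    steps: List[Tuple[int, int]] = []
    print(montgomery_ladder(g, e, p, steps) == pow(g, e, p), ladder_invariant_holds(g, e, p))
    print(m_ary_exp(g, e, p, w=3) == pow(g, e, p))
```

The `ladder_invariant_holds` check is the point of the example: the quotient of the two registers never changes, which is exactly what a horizontal collision attack correlates on across iterations.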

Pieter Maene, Ingrid Verbauwhede
ePrint Report
Security mechanisms to protect our systems and data from malicious adversaries have become essential. Strong encryption algorithms are an important building block of these solutions. However, each application has its own requirements and it is not always possible to find a cipher that meets them all. This work compares unrolled combinatorial hardware implementations of six lightweight block ciphers, along with an AES implementation as a baseline. Up until now, the majority of such ciphers were designed for area-constrained environments where speed is often not crucial, but recently the need for single-cycle, low-latency block ciphers with limited area requirements has arisen to build security architectures for embedded systems. Our comparison shows that some designers are already on this track, but a lot of work still remains to be done.

Jean-Pierre Flori, Jérôme Plût, Jean-René Reinhard, Martin Ekerå
ePrint Report
Generating and standardizing elliptic curves to use them in a cryptographic context is a hard task. In this note, we don't make an explicit proposal for an elliptic curve, but we deal with the following issues.

Security: We give a list of criteria that should be satisfied by a secure elliptic curve. Although a few of these criteria are incompatible, we detail what we think are the best choices for optimal security.

Transparency: We sketch a way to generate a curve in a fully transparent way so that it can be trusted and not suspected to belong to a (not publicly known to be) vulnerable class. In particular, since the computational cost of verifying the output of such a process may be quite high, we sketch out the format of a certificate that eases the computations. We think that this format might deserve being standardized.

Léo Ducas, Thomas Prest
ePrint Report
Gaussian sampling over lattices is a cornerstone of lattice-based cryptography as it allows to build numerous cryptographic primitives. There are two main algorithms performing this task. The first one is due to Klein (SODA 2000) and Gentry, Peikert and Vaikuntanathan (STOC 2008), and outputs vectors of good quality but runs rather slowly, in quadratic time. The second one is due to Peikert (CRYPTO 2010) and outputs vectors of slightly worse quality, but can be made to run in quasilinear time in the ring setting.

We present a Gaussian sampler optimized for lattices over the ring of integers of a cyclotomic number field. At a high level it works as Klein's sampler but uses an efficient variant of Peikert's sampler as a subroutine. The result is a new sampler that samples vectors with a quality close to Klein's sampler and achieves the same quasilinear complexity as Peikert's sampler. In practice, we get close to the best of both worlds.

Shane Kepley, David Russo, Rainer Steinwandt
ePrint Report
At FSE '93, Anderson presented a modern byte-oriented rotor machine that is suitable for fast software implementation. Building on a combination of chosen ciphertexts and chosen plaintexts, we show that in a setting with multiple recipients the recovery of an (equivalent) secret key can be feasible within minutes in a standard computer algebra system.


01 July 2015

University of Surrey
Job Posting
The Department of Computer Science at the University of Surrey invites applications for two permanent posts of Lecturer (Assistant Professor) in Secure Systems.

The Department of Computer Science embodies the ethos of “applying theory into practice” across its research and teaching activities and is currently ranked 8th in the Guardian League table. Its research activities are focused into two research groups: Secure Systems, and Nature Inspired Computing and Engineering (NICE). These appointments are to enhance the activities of the Secure Systems group. Surrey is recognised as an Academic Centre of Excellence for Cyber Security Research by GCHQ. This is an exciting opportunity in a department that is growing its reputation for delivering quality interdisciplinary and applied research based on strong fundamental principles.

The candidates for the Lectureships will conduct research in areas such as security analysis of systems, cyber-physical and embedded systems security, data privacy or mobile security. We are seeking individuals who can contribute to fundamental research and turn it into practice. An ability to produce high quality outputs is also required.

We are looking for individuals who can inspire students through their curiosity for leading-edge aspects of technology. In particular, the teaching duties of the role include: delivering high quality teaching to all levels of students, supervising undergraduate project students and postgraduate dissertations, and contributing to the teaching of security and other practical areas of Computer Science, such as networking and software engineering.

These are full-time and permanent positions. We would expect appointed candidates to start from September 2015 or as soon as possible thereafter.

Cambridge, UK, December 7 - December 9
Event Calendar
Submission: 1 September 2015
Notification: 2 November 2015
From December 7 to December 9
Location: Cambridge, UK
More Information: http://www.cl.cam.ac.uk/events/passwords2015
Utrecht, Netherlands, July 17
Event Calendar
Submission: 3 July 2015
From July 17 to July 17
Location: Utrecht, Netherlands
More Information: http://chae.cr.yp.to/workshop.html
Giulia Traverso, Denise Demirel, Johannes Buchmann
ePrint Report
Homomorphic signature schemes are an important primitive for many applications and since their introduction numerous solutions have been presented. Thus, in this work we provide the first exhaustive, complete, and up-to-date survey about the state of the art of homomorphic signature schemes. First, the general framework where homomorphic signatures are defined is described and it is shown how the currently available types of homomorphic signatures, namely the linearly homomorphic signature schemes, the homomorphic schemes supporting polynomial functions, the fully homomorphic signature schemes, and the homomorphic aggregate signature schemes, can be derived from such a framework. In addition, this work also presents a description of each of the schemes presented so far together with the properties it provides. Furthermore, three use cases, electronic voting, smart grids, and electronic health records, where homomorphic signature schemes can be employed are described. For each of these applications the requirements that a homomorphic signature scheme should fulfill are defined and the suitable schemes already available are listed. This also highlights the shortcomings of current solutions. Thus, this work concludes with several ideas for future research in the direction of homomorphic signature schemes.


30 June 2015

Adam Everspaugh, Rahul Chatterjee, Samuel Scott, Ari Juels, Thomas Ristenpart
ePrint Report
Conventional cryptographic services such as hardware-security modules and software-based key-management systems offer the ability to apply a pseudorandom function (PRF) such as HMAC to inputs of a client's choosing. These services are used, for example, to harden stored password hashes against offline brute-force attacks.

We propose a modern PRF service called PYTHIA designed to offer a level of flexibility, security, and ease-of-deployability lacking in prior approaches. The keystone of PYTHIA is a new cryptographic primitive called a verifiable partially-oblivious PRF that reveals a portion of an input message to the service but hides the rest. We give a construction that additionally supports efficient bulk rotation of previously obtained PRF values to new keys. Performance measurements show that our construction, which relies on bilinear pairings and zero-knowledge proofs, is highly practical. We also give accompanying formal definitions and proofs of security.

We implement PYTHIA as a multi-tenant, scalable PRF service that can scale up to hundreds of millions of distinct client applications on commodity systems. In our prototype implementation, query latencies are 15 ms in local-area settings and throughput is within a factor of two of a standard HTTPS server. We further report on implementations of two applications using PYTHIA, showing how to bring its security benefits to a new enterprise password storage system and a new brainwallet system for Bitcoin.

Clémentine Gritti, Willy Susilo, Thomas Plantard, Rongmao Chen
ePrint Report
An efficient Dynamic Provable Data Possession scheme with Public Verifiability and Data Privacy was recently published in ACISP'15. It appears that three attacks menace this scheme. The first one enables the server to store only one block of a file $m$ and still pass the data integrity verification on any number of file blocks. The second attack permits the server to keep the old version of a file block $m_{i}$ and the corresponding verification metadata $T_{m_{i}}$ after the client asked to modify them by sending the new version of these elements, and still pass the data integrity verification. The last attack allows the Third Party Auditor (TPA) to distinguish files when processing the data integrity checking.

In this paper, we propose several solutions to overcome all the aforementioned issues. For the first two attacks, we give two new constructions of the scheme, one using index-hash tables and the other based on Merkle hash trees. We compare the efficiency of these two new systems with the previous one. For the third attack, we suggest a weaker security model for data privacy without modifying the current scheme and a new construction to enhance the security and to achieve the strongest data privacy notion.
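To make the first two attacks concrete, here is an added example (a generic Merkle-hash-tree commitment, not the paper's construction or its index-hash-table variant) showing why the leaf must commit to the block's index and version, not just its content. The file blocks, version numbers and the challenge flow are constructed for this example; the "client" keeps only the root, the "server" answers challenges with a block and an inclusion proof.

```python
import hashlib
from typing import Dict, List, Tuple


def _sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(index: int, version: int, block: bytes) -> bytes:
    # The leaf commits to position and version as well as content, so a block
    # replayed at another index, or rolled back to an older version, yields a
    # different leaf and therefore a different root.
    return _sha(b"\x00" + index.to_bytes(8, "big") + version.to_bytes(8, "big") + block)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha(b"\x01" + left + right)      # domain-separated from leaves


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """levels[0] holds the (padded) leaves, levels[-1] the single root."""
    if not leaves:
        raise ValueError("empty file")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])              # pad an odd level by repeating its last node
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says whether our node is the right child."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index >>= 1
    return path


def verify_block(root: bytes, index: int, version: int, block: bytes,
                 path: List[Tuple[bytes, bool]]) -> bool:
    """Auditor side: recompute the root from the claimed block and its proof."""
    h = leaf_hash(index, version, block)
    for sibling, is_right in path:
        h = node_hash(sibling, h) if is_right else node_hash(h, sibling)
    return h == root


def run_scenarios() -> Dict[str, bool]:
    blocks = [b"block-%d" % i for i in range(5)]        # constructed sample file
    levels = build_levels([leaf_hash(i, 0, b) for i, b in enumerate(blocks)])
    root_v0 = levels[-1][0]                              # what the client stores
    out: Dict[str, bool] = {}
    # Honest server answers a challenge on block 3.
    out["honest"] = verify_block(root_v0, 3, 0, blocks[3], inclusion_proof(levels, 3))
    # Attack 1: server kept only block 0 and replays it for index 3.
    out["single_block_replay"] = verify_block(root_v0, 3, 0, blocks[0], inclusion_proof(levels, 3))
    # Client updates block 2 (version 1) and recomputes the root it stores.
    new_blocks = list(blocks)
    new_blocks[2] = b"block-2-updated"
    new_levels = build_levels([leaf_hash(i, 1 if i == 2 else 0, b)
                               for i, b in enumerate(new_blocks)])
    root_v1 = new_levels[-1][0]
    # Attack 2: server kept the old block 2 and its old proof.
    out["stale_block_new_root"] = verify_block(root_v1, 2, 0, blocks[2], inclusion_proof(levels, 2))
    # Same stale answer still verifies against the OLD root: the client must
    # replace its stored root at update time, or attack 2 goes through.
    out["stale_block_old_root"] = verify_block(root_v0, 2, 0, blocks[2], inclusion_proof(levels, 2))
    out["updated_block_new_root"] = verify_block(root_v1, 2, 1, new_blocks[2],
                                                 inclusion_proof(new_levels, 2))
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The `stale_block_old_root` case is the practitioner's caveat: the tree only helps against the rollback attack if the verifier's copy of the root is itself updated (and authenticated) whenever a block changes.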

Alex Biryukov, Dmitry Khovratovich
ePrint Report
We demonstrate the first attacks on the SPN ciphers with 6, 7, 8, and 9 secret components. In particular, we show a decomposition attack on the SASASASAS scheme when the S-box size $m$ and the block length $n$ satisfy the condition $m^2 \leq n$ (for example, 8-bit S-box and 128-bit block).

Andrea Miele, Arjen K. Lenstra
ePrint Report
We show how any pair of authenticated users can on-the-fly agree on an elliptic curve group that is unique to their communication session, unpredictable to outside observers, and secure against known attacks. Our proposal is suitable for deployment on constrained devices such as smartphones, allowing them to efficiently generate ephemeral parameters that are unique to any single cryptographic application such as symmetric key agreement. For such applications it thus offers an alternative to long term usage of standardized or otherwise pre-generated elliptic curve parameters, obtaining security against cryptographic attacks aimed at other users, and eliminating the need to trust elliptic curves generated by third parties.

David Bernhard, Marc Fischlin, Bogdan Warinschi
ePrint Report
We formalise the notion of adaptive proofs of knowledge in the random oracle model, where the extractor has to recover witnesses for multiple, possibly adaptively chosen statements and proofs. We also discuss extensions to simulation soundness, as typically required for the "encrypt-then-prove" construction of strongly secure encryption from IND-CPA schemes.

Utilizing our model we show three results: (1) Simulation-sound adaptive proofs exist. (2) The "encrypt-then-prove" construction with a simulation-sound adaptive proof yields CCA security. This appears to be a "folklore" result, but one which has never been proven in the random oracle model. As a corollary, we obtain a new class of CCA-secure encryption schemes. (3) We show that the Fiat-Shamir transformed Schnorr protocol is _not_ adaptively secure and discuss the implications of this limitation.

Our result not only separates adaptive proofs from proofs of knowledge, but also gives a strong hint why Signed ElGamal, as the most prominent encrypt-then-prove example, has not been proven CCA-secure without making further assumptions.

David Bernhard, Marc Fischlin, Bogdan Warinschi
ePrint Report
The well-known Signed ElGamal scheme consists of ElGamal encryption with a non-interactive Schnorr proof of knowledge. While this scheme should be intuitively secure against chosen-ciphertext attacks in the random oracle model, its security has not yet been proven nor disproven so far, without relying on further non-standard assumptions like the generic group model. Currently, the best known positive result is that Signed ElGamal is non-malleable under chosen-plaintext attacks.

In this paper we provide evidence that Signed ElGamal may not be CCA secure in the random oracle model. That is, building on previous work of Shoup and Gennaro (Eurocrypt'98), Seurin and Treger (CT-RSA 2013), and Bernhard et al. (PKC 2015), we exclude a large class of potential reductions that could be used to establish CCA security of the scheme.
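The encrypt-then-prove construction discussed in the two Bernhard, Fischlin and Warinschi abstracts above, as an added example (not code from either paper): Signed ElGamal in Python, i.e. an ElGamal ciphertext $(R, C) = (g^r, m \cdot h^r)$ together with a Fiat-Shamir Schnorr proof of knowledge of $r$ whose hash challenge covers the whole ciphertext, and a decryptor that rejects before touching the secret key when the proof fails. The group is a freshly generated toy safe-prime group, the hash is SHA-256, and the message encoding and parameter sizes are choices made for the example; whether this rejection step gives provable CCA security in the random oracle model is exactly the question the abstracts leave open, so the example demonstrates the construction, not a proof.

```python
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (witnesses drawn from the caller's rng)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int, seed: int):
    """Toy group for the example: p = 2q + 1 with p, q prime, g of order q.
    Real deployments use a standardized group instead of searching here."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            g = pow(rng.randrange(2, p - 1), 2, p)   # a square has order q (or 1)
            if g != 1:
                return p, q, g


def _challenge(p: int, q: int, *elems: int) -> int:
    """Fiat-Shamir challenge: fixed-width encoding of every group element."""
    width = (p.bit_length() + 7) // 8
    data = b"".join(x.to_bytes(width, "big") for x in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(p: int, q: int, g: int, rng: random.Random):
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def encrypt(p: int, q: int, g: int, h: int, m: int, rng: random.Random):
    """ElGamal (R, C) plus a Schnorr proof (c, s) of knowledge of r = log_g R."""
    r = rng.randrange(1, q)
    R, C = pow(g, r, p), m * pow(h, r, p) % p
    a = rng.randrange(1, q)
    A = pow(g, a, p)                              # prover's commitment
    c = _challenge(p, q, g, h, R, C, A)           # challenge binds R AND C
    s = (a + c * r) % q
    return R, C, c, s


def verify(p: int, q: int, g: int, h: int, ct) -> bool:
    R, C, c, s = ct
    for v in (R, C):                              # subgroup membership check
        if not (0 < v < p and pow(v, q, p) == 1):
            return False
    if not (0 <= c < q and 0 <= s < q):
        return False
    A = pow(g, s, p) * pow(R, q - c, p) % p       # recover commitment g^s * R^-c
    return _challenge(p, q, g, h, R, C, A) == c


def decrypt(p: int, q: int, g: int, h: int, x: int, ct) -> int:
    """Reject-before-decrypt: an invalid proof never reaches the secret key."""
    if not verify(p, q, g, h, ct):
        raise ValueError("proof failed: ciphertext rejected")
    R, C, _, _ = ct
    return C * pow(R, q - x, p) % p               # R^(q-x) == R^-x since R has order q


def demo(seed: int = 2015):
    p, q, g = safe_prime_group(64, seed)
    rng = random.Random(seed + 1)
    x, h = keygen(p, q, g, rng)
    m = pow(rng.randrange(2, p - 1), 2, p)        # message encoded as a subgroup element
    ct = encrypt(p, q, g, h, m, rng)
    R, C, c, s = ct
    mauled = (R, C * h % p, c, s)                 # plain ElGamal would decrypt this to m*h
    return {
        "valid": verify(p, q, g, h, ct),
        "roundtrip": decrypt(p, q, g, h, x, ct) == m,
        "mauled_rejected": not verify(p, q, g, h, mauled),
    }


if __name__ == "__main__":
    print(demo())
```

The `mauled` ciphertext is still a well-formed ElGamal pair in the right subgroup; it is only the proof's hash over $(R, C)$ that rejects it, which is the non-malleability the second abstract refers to as the best known positive result.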

Roman Oliynykov, Ivan Gorbenko, Oleksandr Kazymyrov, Victor Ruzhentsev, Oleksandr Kuznetsov, Yurii Gorbenko, Oleksan
ePrint Report
The Kalyna block cipher was selected during the Ukrainian National Public Cryptographic Competition (2007-2010) and a slight modification of it was approved as the new encryption standard of Ukraine in 2015. The main requirements for Kalyna were both a high security level and high performance of software implementations on general-purpose 64-bit CPUs. The cipher has an SPN-based (Rijndael-like) structure with increased MDS matrix size, a new set of four different S-boxes, pre- and post-whitening using addition modulo 2^{64} and a new construction of the key schedule. Kalyna supports block sizes and key lengths of 128, 256 and 512 bits (the key length can be either equal to or double the block size). At the time of publication of this paper, no cryptanalytic attacks more effective than exhaustive search are known. In this paper we present the adapted English translation of the specification of Kalyna as it is given in the national standard of Ukraine.

Stephan Kleber, Florian Unterstein, Matthias Matousek, Frank Kargl, Frank Slomka, Matthias Hiller
ePrint Report
A persistent problem with program execution, despite numerous mitigation attempts, is its inherent vulnerability to the injection of malicious code. Equally unsolved is the susceptibility of firmware to reverse engineering, which undermines the manufacturer's code confidentiality. We propose an approach that solves both kinds of security problems employing instruction-level code encryption combined with the use of a physical unclonable function (PUF). Our novel Secure Execution PUF-based Processor (SEPP) architecture is designed to minimize the attack surface, as well as performance impact, and requires no significant changes to the development process. This is possible based on a tight integration of a PUF directly into the processor's instruction pipeline. Furthermore, cloud scenarios and distributed embedded systems alike inherently depend on remote execution; our approach supports this, as the secure execution environment need not be locally available at the developer's site. We implemented an FPGA-based prototype based on the OpenRISC Reference Platform. To assess our results, we performed a security analysis of the processor and evaluated the performance impact of the encryption. We show that the attack surface is significantly reduced compared to previous approaches while the performance penalty is at a reasonable factor of about 1.5.

Benjamin Dowling, Douglas Stebila
ePrint Report
Real-world cryptographic protocols such as the widely used Transport Layer Security (TLS) protocol support many different combinations of cryptographic algorithms (called ciphersuites) and simultaneously support different versions. Recent advances in provable security have shown that most modern TLS ciphersuites are secure authenticated and confidential channel establishment (ACCE) protocols, but these analyses generally focus on single ciphersuites in isolation. In this paper we extend the ACCE model to cover protocols with many different sub-protocols, capturing both multiple ciphersuites and multiple versions, and define a security notion for secure negotiation of the optimal sub-protocol. We give a generic theorem that shows how secure negotiation follows, with some additional conditions, from the authentication property of secure ACCE protocols. Using this framework, we analyse the security of ciphersuite negotiation and three variants of version negotiation in TLS, including a recently proposed mechanism for detecting fallback attacks.
