International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage.

26 August 2015

Geumsook Ryu, Kwangsu Lee, Seunghwan Park, Dong Hoon Lee
ePrint Report
Hierarchical identity-based encryption (HIBE) is an extension of identity-based encryption (IBE) where the identity of a user is organized as a hierarchical structure and a user can delegate private key generation to another user. Providing a revocation mechanism for HIBE is highly necessary to keep a system secure. Revocable HIBE (RHIBE) is an HIBE scheme that can revoke a user's private key if his credential has expired or been revealed. In this paper, we first propose an unbounded HIBE scheme where the maximum hierarchy depth is not limited and prove its selective security under a q-type assumption. Next, we propose an efficient unbounded RHIBE scheme by combining our unbounded HIBE scheme and a binary tree structure, and then we prove its selective security. By presenting the unbounded RHIBE scheme, we solve the open problem of Seo and Emura in CT-RSA 2015.

Ralph Ankele, Stefan Koelbl, Christian Rechberger
ePrint Report
RC4 suffered from a range of plaintext-recovery attacks using statistical biases, which use substantial, albeit close-to-practical, amounts of known keystream in applications such as TLS or WEP/WPA. Spritz was recently proposed at the rump session of CRYPTO 2014 as a slower redesign of RC4 by Rivest and Schuldt, aiming at reducing the statistical biases that lead to these attacks on RC4.

Even more devastating than those plaintext-recovery attacks from large amounts of keystream would be state- or key-recovery attacks from small amounts of known keystream. For RC4, there is unsubstantiated evidence that they may exist; the situation for Spritz, however, is not clear, as resistance against such attacks was not a design goal.

In this paper, we provide the first cryptanalytic results on Spritz and introduce three different state recovery algorithms. Our first algorithm recovers an internal state, requiring only a short segment of keystream, with an approximated complexity of $2^{1400}$, which is much faster than exhaustive search through all possible states, but is still far away from a practical attack. Furthermore, we introduce a second algorithm that uses a pattern in the keystream to reduce the number of guessed values in our state recovery algorithm. Our third algorithm uses a probabilistic approach by considering the permutation table as a probability distribution.

All in all, rather than showing a weakness, our analysis supports the conjecture that compared to RC4, Spritz may also provide higher resistance against potentially devastating state-recovery attacks.


24 August 2015

Ding Wang, Ping Wang
ePrint Report
While much has changed in Internet security over the past decades, textual passwords remain the dominant method to secure user web accounts, and they are proliferating in nearly every new web service. Nearly every web service, whether new or old, now enforces some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from the US and 30 from mainland China. We observe that no two sites enforce the same password creation policy, that there is little rationale behind their choices of policies when changing them, and that Chinese sites generally enforce more lenient policies than their English counterparts.

We proceed to investigate the effectiveness of these 50 policies in resisting the primary threat to password accounts (i.e. online guessing) by testing each policy against two types of weak passwords which represent two types of online guessing. Our results show that among the total of 800 test instances, 541 are accepted: 218 come from trawling online guessing attempts and 323 come from targeted online guessing attempts. This implies that, currently, the policies enforced in leading sites largely fail to serve their purposes, and are especially vulnerable to targeted online guessing attacks.

Anja Becker, Thijs Laarhoven
ePrint Report
Combining the efficient cross-polytope locality-sensitive hash family of Terasawa and Tanaka with the heuristic lattice sieve algorithm of Micciancio and Voulgaris, we show how to obtain heuristic and practical speedups for solving the shortest vector problem (SVP) on both arbitrary and ideal lattices. In both cases, the asymptotic time complexity for solving SVP in dimension n is 2^(0.298n).

For any lattice, hashes can be computed in polynomial time, which makes our CPSieve algorithm much more practical than the SphereSieve of Laarhoven and De Weger, while the better asymptotic complexities imply that this algorithm will outperform the GaussSieve of Micciancio and Voulgaris and the HashSieve of Laarhoven in moderate dimensions as well. We performed tests to show this improvement in practice.

For ideal lattices, by observing that the hash of a shifted vector is a shift of the hash value of the original vector and constructing rerandomization matrices which preserve this property, we obtain not only a linear decrease in the space complexity, but also a linear speedup of the overall algorithm. We demonstrate the practicability of our cross-polytope ideal lattice sieve IdealCPSieve by applying the algorithm to cyclotomic ideal lattices from the ideal SVP challenge and to lattices which appear in the cryptanalysis of NTRU.

Jens Groth
ePrint Report
We construct both randomizable and strongly existentially unforgeable structure-preserving signatures for messages consisting of many group elements. To sign a message consisting of N=mn group elements we have a verification key size of m group elements and signatures contain n+2 elements. Verification of a signature requires evaluating n+1 pairing product equations.

We also investigate the case of fully structure-preserving signatures, where it is required that the secret signing key consists of group elements only. We show that a variant of our signature scheme allowing the signer to pick part of the verification key at the time of signing is still secure. This gives us both randomizable and strongly existentially unforgeable fully structure-preserving signatures. In the fully structure-preserving scheme the verification key is a single group element, signatures contain m+n+1 group elements and verification requires evaluating n+1 pairing product equations.

ID Quantique
Job Posting

ID Quantique is seeking to recruit one Marie Sklodowska-Curie Research Fellow in Cryptography to start in September 2015. Candidates should be eligible under the Marie Curie Individual Fellowship criteria.

Experience & Background

  • Minimum 3 years of experience in an R&D department and R&D activities.
  • Minimum 3 years of experience in an international, multicultural business environment.
  • Proven ability to communicate with stakeholders including senior management, technical experts and academic researchers.

Qualifications

  • Advanced university degree in Applied Cryptography.
  • Strong programming skills in C/C++.
  • Fluent in English. French and/or German are strong assets.

Personal skills

  • Strong analysis and synthesis capabilities.
  • Sense of service and customer relations.
  • Dynamic, with strong interpersonal and communication skills.
  • Strong team player, yet able to take initiative and work autonomously.
  • Capability to work on several tasks in parallel with multiple interfaces.

Benefits

  • Exposure to international high-profile markets such as banking and governments
  • Exposure to highly innovative technology
  • Work in an agile and motivated team

Ruhr University Bochum
Job Posting
The symmetric cryptography group at the Horst Görtz Institute for IT-Security (HGI) at Ruhr-University Bochum has openings for Ph.D. students. We are looking for candidates with an outstanding Master/Diplom degree in the fields of computer science, electrical engineering, mathematics or related areas.

Our research focuses on the design and analysis of symmetric primitives.

- Start: earliest possible

- Duration: 36 months

- Competitive salary (TV-L 13)

- Application: Send your documents to gregor (dot) leander (at) rub (dot) de

- Required documents: CV, certificates (Bachelor, Master/Diplom, Ph.D.), transcripts, motivation for applying (1 page), names of at least two people who can provide reference letters (email addresses are sufficient)

- Deadline: September 15

Founded in 2001, the Horst-Görtz Institute at Ruhr-University Bochum is a world-leading interdisciplinary research center dedicated to research and education covering all aspects of IT security, with an excellent record of research in cryptography. The Horst-Görtz Institute has 15 professors and over 80 PhD students. It hosts the only German Research Training Group for Doctoral students in Cryptology.


22 August 2015

Palo Alto, USA, January 6 - January 8
Event Calendar
From January 6 to January 8
Location: Palo Alto, USA
More Information: http://www.realworldcrypto.com/rwc2016

21 August 2015

Junqing Gong, Jie Chen, Xiaolei Dong, Zhenfu Cao, Shaohua Tang
ePrint Report
The notion of extended nested dual system groups (ENDSG) was recently proposed by Hofheinz et al. [PKC 2015] for constructing almost-tight identity-based encryption (IBE) in the multi-instance, multi-ciphertext setting. However, only the composite-order instantiation was provided, and more efficient prime-order instantiations are absent. This paper fills the gap by presenting two constructions.

- We revisit the notion of ENDSG and realize it using asymmetric prime-order bilinear groups based on Chen and Wee's prime-order instantiation of nested dual system groups [CRYPTO 2013]. This yields the first almost-tight IBE in the prime-order setting achieving weak adaptive security in the multi-instance, multi-ciphertext scenario under the $d$-linear assumption (in the asymmetric setting). We further extend the ENDSG to capture stronger security notions, including $B$-weak adaptive security and full adaptive security, and show that our prime-order instantiation is $B$-weak adaptively secure without any additional assumption and fully adaptively secure under the $d$-linear assumption.

- We also try to provide a better solution by fine-tuning ENDSG again and realizing it following the work of Chen, Gay, and Wee [EUROCRYPT 2015]. This leads to an almost-tight fully adaptively secure IBE in the same setting with better performance than our first IBE scheme, but it requires a non-standard assumption, the $d$-linear assumption with auxiliary input. However, we note that the $2$-linear assumption with auxiliary input is implied by the external decisional linear assumption. Alternatively, we can realize the second instantiation using symmetric bilinear pairings, in which case the security relies on the standard decisional linear assumption.

Gérald Gavin
ePrint Report
We present a general framework for developing and analyzing homomorphic cryptosystems whose security relies on the difficulty of solving systems of nonlinear equations over Z/nZ, n being an RSA modulus. In this framework, many homomorphic cryptosystems can be conceptualized. Based on symmetry considerations, we propose a general assumption that ensures the security of these schemes.

To highlight this, we present an additive homomorphic private-key cryptosystem and we prove its security. Finally, we propose two motivating perspectives of this work. We first propose an FHE based on the previous scheme by defining a simple multiplicative operator.

Secondly, we propose ways to remove the factoring assumption in order to get pure multivariate schemes.

Akshayaram Srinivasan, C. Pandu Rangan
ePrint Report
A re-encryption program (or circuit) converts a ciphertext encrypted under Alice's public key pk_1 to a ciphertext of the same message encrypted under Bob's public key pk_2. Hohenberger et al. (TCC 2007) constructed a pairing-based obfuscator for a family of circuits implementing the re-encryption functionality under a new notion of obfuscation called average-case secure obfuscation. Chandran et al. (PKC 2014) proposed a lattice-based construction for the same.

The construction given by Hohenberger et al. could only support encryptions of messages from a polynomial space and the decryption algorithm would have to perform a polynomial number of pairing operations in the worst case. The construction given by Chandran et al. satisfies only a relaxed notion of correctness.

In this work, we propose a simple and efficient obfuscator for the re-encryption functionality which not only supports encryption of messages from an exponential space but also involves only a constant number of group operations. Moreover, our construction satisfies the strongest notion of correctness given by Hada (Eurocrypt 2010). We also strengthen the black-box security model for the encryption/re-encryption system proposed by Hohenberger et al. and prove the average-case virtual black-box property of our obfuscator as well as the security of our encryption/re-encryption system (in the strengthened model) under the DDH assumption. All our proofs are in the standard model.


20 August 2015

Bochum, Germany, October 8
Event Calendar
From October 8 to October 8
Location: Bochum, Germany
More Information: http://cryptool.hgi.rub.de/index.html
Xi'an, China, May 31 - June 3
Event Calendar
Submission: 20 November 2015
Notification: 1 February 2016
From May 31 to June 3
Location: Xi'an, China
More Information: http://meeting.xidian.edu.cn/conference/AsiaCCS2016/index.html
London, United Kingdom, June 19 - June 22
Event Calendar
Submission: 27 January 2016
Notification: 25 March 2016
From June 19 to June 22
Location: London, United Kingdom
More Information: http://acns2016.sccs.surrey.ac.uk/
Bristol, United Kingdom, November 10 - November 11
Event Calendar
From November 10 to November 11
Location: Bristol, United Kingdom
More Information: https://www.cs.bris.ac.uk/~nigel/ECRYPT-MPC/
Amsterdam, Netherlands, March 28 - March 31
PKC
From March 28 to March 31
Location: Amsterdam, Netherlands
More Information: http://www.iacr.org/meetings/pkc/
Santa Barbara, USA, August 16 - August 19
CHES
From August 16 to August 19
Location: Santa Barbara, USA
More Information: http://www.iacr.org/meetings/ches/
Hong Kong, China, December 3 - December 7
Asiacrypt
From December 3 to December 7
Location: Hong Kong, China
More Information: http://www.iacr.org/meetings/asiacrypt/
Paris, France, May 15 - May 18
Eurocrypt
From May 15 to May 18
Location: Paris, France
More Information: http://www.iacr.org/meetings/eurocrypt/

18 August 2015

Valery Korzhik, Guillermo Morales-Luna, Sergei Tikhonov, Victor Yakovlev
ePrint Report
A cryptosystem for wireless communications, recently proposed by T. Dean and A. Goldsmith, is considered. That system can be regarded as a second revolution in cryptography because the confidentiality of the messages transmitted over a wireless massive MIMO-based channel is provided by the difference in the spatial locations of legal and illegal users, and it does not require any secret key distribution. However, our investigation shows that there is a chance of eavesdropping on the ciphertexts by using a suboptimal algorithm. Therefore we investigate some additional conditions for channel matrices and additive noises in order to provide the desired security. A combination of wiretap channel coding with a MIMO-based cryptosystem is also considered.
