International Association
for Cryptologic Research

A noisy non-uniformly distributed secret often needs to be transformed into a stable high-entropy key. Biometric systems and physically unclonable functions (PUFs) exemplify the need for this conversion. Secure sketches are a useful tool hereby as they alleviate the noisiness while keeping the corresponding min-entropy loss to a minimum. The novelty of our work is twofold. First, seven secure sketch constructions, all based on a binary $[n,k,d]$ block code, are proven to be largely interchangeable. Despite having different looks and properties, all exhibit the same min-entropy loss, when fed with the same probability distribution. Second, for PUF-induced distributions with practical relevance, we derive new unified bounds on the min-entropy loss, considerably tighter than the more general well-known $(n-k)$ bound. Our bounds allow for an efficient evaluation and are hence suitable for reducing the implementation footprint of the sketch. This is beneficial for resource-constrained devices in particular.

Designing a keystream generator which utilizes Linear Feedback

Shift Registers (LFSRs) against correlation, linear attacks is a highly

challenging task. In this paper, a new framework for keystream generators is proposed. It is comprised of a set of Linear Feedback Shift Registers (LFSRs), a Multiplicative Congruential Generator (MCG),

a vector linear function and, a Boolean function which outputs the

keystream. The framework is more generally discussed against

correlation attacks, linear attacks and distinguishing (linear) attacks. It is shown that such attacks which are applicable to LFSR based keystream generators are not possible on the proposed framework.

GOST-R is a Russian Standard Cryptographic Hash function which was first introduced in 1994 by Russian Federal for information processing, information security and digital signature. In 2012, it was updated to GOST-R 34.11-2012 and replaced older one for all its applications from January 2013. GOST-R is based on modified Merkle-Damg\\aa rd construction. Here, we present a modified version of GOST-R (MGR-hash). The modified design is based on wide pipe construction which is also a modified Merkle-Damg\\aa rd construction. MGR is much more secure as well as three times faster than GOST-R. AES like block cipher has been used in designing the compression function of MGR because AES is one of the most efficient and secure block cipher and it has been evaluated for more than 12 years. We will also analyze the MGR hash function with respect to its security and efficiency.

Leakage-resilient cryptography builds systems that withstand partial adversary knowledge of secret state. Ideally, leakage-resilient systems withstand current and future attacks; restoring confidence in the security of implemented cryptographic systems. Understanding the relation between classes of leakage functions is an important aspect.

In this work, we consider the memory leakage model, where the leakage class contains functions over the system\'s entire secret state. Standard classes include functions with bounded output length, functions that retain (pseudo)~entropy in the secret, and functions that leave the secret computationally unpredictable.

Standaert, Pereira, and Yu (Crypto, 2013) introduced a new class of leakage functions they call simulatable leakage. A leakage function is simulatable if a simulator can produce indistinguishable leakage without access to the true secret state. We extend their notion to general applications and consider two versions. For weak simulatability: the simulated leakage must be indistinguishable from the true leakage in the presence of public information. For strong simulatability, this requirement must also hold when the distinguisher has access to the true secret state. We show the following:

* Weakly simulatable functions retain computational unpredictability.

* Strongly simulatability functions retain pseudoentropy.

* There are bounded length functions that are not weakly simulatable.

* There are weakly simulatable functions that remove pseudoentropy.

* There are leakage functions that retain computational unpredictability are not weakly simulatable.

The notion of group signatures was introduced to allow group members to sign anonymously on behalf of a group. A group manager allows a user to join a group, and another will be able to open a signature to revoke its anonymity. Several schemes have already been proposed to fulfil these properties, however very few of them are proven in the standard model. Of those proven in the standard model, most schemes rely on a so called q-assumption. The underlying idea of a q-assumptions is that to prove the security of the scheme, we are given a challenge long enough to allow the simulator to answer queries. Another common solution is to rely on interactive hypothesis. We provide one of the first schemes proven in the standard model, requiring a constant-size non-interactive hypothesis. We then compare its efficiency to existing schemes, and show that this trade-off is acceptable as most schemes with better efficiency rely on either an interactive or a q-hypothesis. The exception to this is the recent independent of our work Libert, Peters and Yung (CRYPTO 2015), who presented an efficient group signature scheme in the standard model relying on standard assumptions.

The discrete logarithm over finite fields of small characteristic

can be solved much more efficiently than previously thought.

This algorithmic breakthrough is based

on heuristic polynomial time algorithms to

compute the factor base discrete logarithm.

In this paper, we concentrate on the Kummer extension

$ \\F_{q^{2(q-1)}}. $ We design a new heuristic algorithm with

an improved bit complexity $ \\tilde{O}(q^{1+ \\theta} ) $ (or algebraic complexity

$\\tilde{O}(q^{\\theta} )$) to compute the discrete logarithms of elements in

a factor base of cardinality $q^2$, where $ \\theta < 2.373 $ is

the matrix multiplication exponent.

We reduce the correctness of the algorithm to a conjecture

concerning the determinant of a simple $ (q+1)-$dimensional lattice,

rather than to elusive smoothness assumptions.

We verify the conjecture numerically for all $ q $\'s such that

$ \\log_2(q^{2(q-1)}) \\leq 5000 $, and provide theoretical

supporting evidences.

In a selective opening (SO) attack an adversary breaks into a subset of honestly created ciphertexts and tries to learn information on the plaintexts of some untouched (but potentially related) ciphertexts. Contrary to intuition, standard security notions do not always imply security against this type of adversary, making SO security an important standalone goal. In this paper we study {\\em receiver security}, where the attacker is allowed to obtain the decryption keys corresponding to some of the ciphertexts.

First we study the relation between two existing security definitions, one based on simulation and the other based on indistinguishability, and show that the former is strictly stronger. We continue with feasibility results for both notions which we show can be achieved from (variants of) non-committing encryption schemes. In particular, we show that indistinguishability-based SO security can be achieved from a tweaked variant of non-committing encryption which, in turn, can be instantiated from a variety of basic, well-established, assumptions. We conclude our study by showing that SO security is however strictly weaker than all variants of non-committing encryption that we consider, leaving potentially more efficient constructions as an interesting open problem.

Iterated Even-Mansour scheme (IEM) is a generalization of the basic 1-round proposal (ASIACRYPT \'91). The scheme can use one key, two keys, or completely independent keys.

Most of the published security proofs for IEM against relate-key and chosen-key attacks focus on the case where all the round-keys are derived from a single master key. Whereas results beyond this barrier are relevant to the cryptographic problem whether a secure blockcipher with key-size twice the block-size can be built by mixing two \\emph{relatively independent} keys into IEM and iterating sufficiently many rounds, and this strategy actually has been used in designing blockciphers for a long-time.

This work makes the first step towards breaking this barrier and considers IEM with Interleaved Double \\emph{independent} round-keys:

$$\\text{IDEM}_r((k_1,k_2),m)=k_i\\oplus (P_r(\\ldots k_1\\oplus P_2(k_2\\oplus P_1(k_1\\oplus m))\\ldots)),$$

where $i=2$ when $r$ is odd, and $i=1$ when $r$ is even. As results, this work proves that 15 rounds can achieve (full) indifferentiability from an ideal cipher with $O({q^{8}}/{2^n})$ security bound. This work also proves that 7 rounds is sufficient and necessary to achieve sequential-indifferentiability (a notion introduced at TCC 2012) with $O({q^{6}}/{2^n})$ security bound, so that $\\text{IDEM}_{7}$ is already correlation intractable and secure against any attack that exploits evasive relations between its input-output pairs.

We invite applications for a postdoctoral researcher position in Cybersecurity in the Department of Computer and Information Science. This position requires a Ph.D. in Computer Science or a closely related area with a specialization in cybersecurity. Those with expertise in network security, software security, cyber-physical systems, computer forensics, wireless security, biometrics-based security, e-Systems Security, and related areas of cybersecurity are encouraged to apply. This postdoctoral researcher will conduct high-quality research in cybersecurity and teach courses for MS program in Cybersecurity. The selected candidate can apply and compete for a tenure track position that will be available next year.

How to apply: Send a detailed CV, research statement, teaching statement, and a list of info of 3-5 references with e-mail addresses in a single pdf file to sajalbhatia (at) gmail.com. Include job-code “POSTDOC-Cybersecurity” in subject line. Review of applications will begin immediately and continue until the position is filled

The Department of Computer and Information Science is currently in the process of expanding its undergraduate and graduate programs in order to serve students entering the growing fields of computer science, information science, and interdisciplinary areas. The faculty of the Department of Computer and Information Science represent a wide range of academic backgrounds, research and professional interests. Serving undergraduate majors in computer science, information science, and interdisciplinary programs in Fordham College at Rose Hill (Bronx), Fordham College at Lincoln Center (Manhattan), and the School of Professional and Continuing Education (all 3 campuses), the department also offers an MS program in Computer Science in the Graduate School of Arts and Sciences and an MS in Cybersecurity in the School of Professional and Continuing Studies. An MS program in Data Analytics is in its final p

We are looking for an excellent, motivated, self-driven doctoral student to work in the area of information security and cryptography. The position is for five years at the Department of Computer Science and Engineering.

The PhD student will join Katerina Mitrokotsa’s group and will be funded by a project funded by the Swedish research council focusing on security and privacy issues in resource constrained devices.

The PhD student is expected to have a MSc degree or equivalent, and strong background in mathematics and/or theoretical computer science, with some background in cryptography.

Successful candidates will help to design and evaluate cryptographically reliable and privacy-preserving authentication protocols.

The position is fully funded for five years.

For any inquiries or to apply for the positions, submit a full research curriculum-vitae (cv), names of two references, and a research statement to Prof. Katerina Mitrokotsa (aikmitr (at) chalmers.se).

The call for expressions of interest will remain open until a suitable candidate is appointed.

Huawei Technologies, Paris, are offering fully funded PhD (CIFRE) positions.

The ideal candidate(s) will have an advanced degree (MEng, MSc, or equivalent) in Mathematics or Computer Science and have an interest in applying their expertise to the development of disruptive security technologies. We are particularly interested in candidates that want to advance state-of-the-art research in accountability, authentication, encryption, privacy, and verifiability.

Huawei is a leading information and communications technology solutions provider, whose business spans telecommunication infrastructure, consumer electronics, and business IT solutions. We are seeking highly motivated and talented individuals to work on the theoretical underpinnings of challenging security problems in areas such as communications, the internet of things, cloud computing, and big data.

Potential applications are encouraged to contact Ben Smyth, Lead Security Researcher, (ben.smyth (at) huawei.com) or Elizabeth Quaglia, Senior Security Researcher, (elizabeth.quaglia (at) huawei.com) to discuss opportunities further.

Successful candidate(s) will receive a competitive salary and will be affiliated with one of our prestigious academic partners.

To apply, please send your CV and a covering letter explaining your expertise and research interests. You will also need to include two referees (at least one of them from academia).

Applications should be submitted by email to both hegaoning (at) huawei.com and sonia.rodriguez (at) huawei.com by 25 September 2015.

In this paper we consider a two party key-exchange protocol

proposed by Grigoriev and Shpilrain

which uses tropical matrix algebra as a platform.

Our analysis shows that the scheme is not secure.

The cryptography and privacy group of the IBM Research - Zurich laboratory in Switzerland is looking for a highly motivated Ph.D. student, Post-Doc, or Software Engineer in the area of cryptography and security. The Ph.D. position has an initial contract of 3 years, whereas the other two positions begin with an 18 month contract. There are possibilities for extensions upon successful performance.

The main task of the candidate will be to perform scientific research and proof-of-concept implementations in the area of Lattice-Based Cryptography. Building primitives and protocols based on the hardness of lattice problems is one of the most promising avenues for achieving quantum-resistance of public key cryptographic constructions. This research therefore has real potential for wide-ranging practical use.

The ideal candidate should already be a proficient programmer and have excellent familiarity with basic internet security protocols (TLS, IKE, etc.). It is also preferable that the applicant has experience (or strong interest) in scientific computing, as part of the research will involve coming up with and implementing specialized algorithms for linear algebra and number theory operations. Knowledge of lattice-based cryptography and of the “provable security” paradigm for constructing protocols is not required, but the candidate should be a motivated learner of these topics.

For administrative reasons, the applicant should be a citizen of one of the EU-25 nations (Romania, Bulgaria, Iceland, Liechtenstein, and Norway also OK) and be fluent in written and spoken English. Knowledge of German is not required.

IBM Research - Zurich offers a stimulating international research environment among experts in computer science, physics, and mathematics. The laboratory is located in Rüschlikon, Switzerland, at 10km from the city of Zurich and on the coast of Lake Zurich. A very competitive salary will be offered. <

A major challenge in the study of cryptography is characterizing the necessary and sufficient assumptions required to carry out a given cryptographic task. The focus of this work is the necessity of a broadcast channel for securely computing symmetric functionalities (where all the parties receive the same output) when one third of the parties, or more, might be corrupted. Assuming all parties are connected via a peer-to-peer network, but no broadcast channel (nor a secure setup phase) is available, we prove the following characterization:

* A symmetric $n$-party functionality can be securely computed facing $n/3\\le t

In the last few years, the field of lightweight cryptography

has seen an influx in the number of block ciphers and hash functions

being proposed. One of the metrics that define a good lightweight design is the energy consumed per unit operation of the algorithm. For block ciphers, this operation is the encryption of one plaintext. By studying the energy consumption model of a CMOS gate, we arrive at the conclusion that the total energy consumed during the encryption operation of an r-round unrolled architecture of any block cipher is a quadratic function in r. We then apply our model to 9 well known lightweight block ciphers, and thereby try to predict the optimal value of r at which an r-round unrolled architecture for a cipher is likely to be most energy efficient. We also try to relate our results to some physical design parameters like the signal delay across a round and algorithmic parameters like the number of rounds taken to achieve full diffusion of a difference in the plaintext/key.

A generic way to design lightweight cryptographic primitives is to construct simple rounds using small nonlinear components such as 4x4 S-boxes and use these iteratively (e.g., PRESENT and SPONGENT). In order to efficiently implement the primitive, efficient implementations of its internal components are needed. Multiplicative complexity of a function is the minimum number of AND gates required to implement it by a circuit over the basis (AND, XOR, NOT). It is known that multiplicative complexity is exponential in the number of input bits n. Thus it came as a surprise that circuits for all 65 536 functions on four bits were found which used at most three AND gates. In this paper, we verify this result and extend it to five-variable Boolean functions. We show that the multiplicative complexity of a Boolean function with five variables is at most four.

In a celebrated paper published in 1951, von Neumann presented

a simple procedure allowing to correct the bias of random sources.

This device outputs bits at irregular intervals. However, cryptographic hardware is usually synchronous.

This paper proposes a new building block called Pace Regulator, inserted between the randomness consumer and the von Neumann regulator to streamline the pace of random bits.

In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), access policies associated with the ciphertexts are generally role-based and the attributes satisfying the policies are generally \\emph{shared} by multiple users. If a malicious user, with his attributes shared with multiple other users, created a decryption blackbox for sale, this malicious user could be difficult to identify from the blackbox. Hence in practice, a useful CP-ABE scheme should have some tracing mechanism to identify this `traitor\' from the blackbox.

In this paper, we propose the first CP-ABE scheme which simultaneously achieves (1) fully collusion-resistant blackbox traceability in the standard model, (2) full security in the standard model, and (3) on prime order groups. When compared with the latest fully collusion-resistant blackbox traceable CP-ABE schemes, this new scheme achieves the same efficiency level, enjoying the sub-linear overhead of $O(\\sqrt{N})$, where $N$ is the number of users in the system. This new scheme is highly expressive and can take any monotonic access structures as ciphertext policies.

The iterated Even-Mansour construction defines a block cipher from a tuple of public $n$-bit permutations $(P_1,\\ldots,P_r)$ by alternatively xoring some $n$-bit round key $k_i$, $i=0,\\ldots,r$, and applying permutation $P_i$ to the state. The \\emph{tweakable} Even-Mansour construction generalizes the conventional Even-Mansour construction by replacing the $n$-bit round keys by $n$-bit strings derived from a master key \\emph{and a tweak}, thereby defining a tweakable block cipher. Constructions of this type have been previously analyzed, but they were either secure only up to the birthday bound, or they used a nonlinear mixing function of the key and the tweak (typically, multiplication of the key and the tweak seen as elements of some finite field) which might be costly to implement. In this paper, we tackle the question of whether it is possible to achieve beyond-birthday-bound security for such a construction by using only linear operations for mixing the key and the tweak into the state. We answer positively, describing a 4-round construction with a $2n$-bit master key and an $n$-bit tweak which is provably secure in the Random Permutation Model up to roughly $2^{2n/3}$ adversarial queries.

From September 30 to October 3
Location: Singapore, Singapore
More Information: http://www1.spms.ntu.edu.sg/~ask/2015/