International Association
for Cryptologic Research

Modular reduction is the basic building block of many public-key cryptosystems. BCH codes require repeated polynomial reductions modulo the same constant polynomial. This is conceptually very similar to the implementation of public-key cryptography where repeated modular reduction in $\\mathbb{Z}_n$ or $\\mathbb{Z}_p$ are required for some fixed $n$ or $p$. It is hence natural to try and transfer the modular reduction expertise developed by cryptographers during the past decades to obtain new BCH speed-up strategies.

Error correction codes (ECCs) are deployed in digital communication systems to enforce transmission accuracy. BCH codes are a particularly popular ECC family. This paper generalizes Barrett\'s modular reduction to polynomials to speed-up BCH ECCs. A BCH$(15,7,2)$ encoder was implemented in Verilog and synthesized. Results show substantial improvements when compared to traditional polynomial reduction implementations. We present two BCH code implementations (regular and pipelined) using Barrett polynomial reduction. These implementations, are respectively 4.3 and 6.7 faster than an improved BCH LFSR design.

The regular Barrett design consumes around 53$\\%$ less power than the BCH LFSR design, while the faster pipelined version consumes 2.3 times more power than the BCH LFSR design.

Secure computation in the presence of tamper-proof hardware tokens is proven under the assumption that the holder of the token is only given black-box access to the functionality of the token. Starting with the work of Goldreich and Ostrovsky [GoldreichO96], a long series of works studied tamper-proof hardware for realizing two-party functionalities in a variety of settings.

In this work we focus our attention on two important complexity measures of token-based secure computation: round complexity and hardness assumptions and present the following results in the two-party setting:

(1) A round optimal generic secure protocol in the plain model assuming one-way functions, where the tokens are created by a single party.

(2) A round optimal generic UC secure protocol assuming one-way functions.

Our constructions only make black-box use of the underlying primitives and are proven in the real/ideal paradigm with security in the presence of static malicious adversaries.

Project Description

It is not known how to design cryptographic algorithms that remain secure if the attacker has also access to the intermediate results. Therefore, the current research concentrates on implementation techniques that ensure that the intermediate results of the cryptographic algorithm are statistically independent of the secret key.

A new method to construct provably secure against side-channel attacks implementations (called Threshold Implementation) has been proposed by researchers from COSIC. The approach is based on secret sharing and multi-party computation methods. Proof-of-concept implementations have been proposed already for several ciphers including Present and AES.

We can prove security against attacks that are based on correlating a secret variable to the expected values of the power consumption or any other side-channel of a device.

Research

Currently, we are investigating how we can achieve security against more advanced attacks. The research combines mathematical methods and insights with statistical methods and circuit design techniques. We are also interested to learn how our approach will be affected by the use of future technologies, which can further scale down cost and power while allowing more signal processing complexity.

The student will research issues related to one or more of the following work-packages:

1. Extending the mathematical framework of the Threshold Implementation approach,

2. Assessing real-life effects that occur in modern CMOS technologies, when countermeasures are applied,

3. Determining the overhead introduced by our protection measures and to evaluate its cost and effectiveness by doing experiments in an emerging technology.

The ARM Internet of Things Business Unit are looking for someone to join their security team, responsible for development of the mbed TLS library (formerly named PolarSSL). As an open source project, the mbed TLS library provides support for the TLS/SSL protocol and necessary cryptographic primitives to embedded devices, servers and the emerging field of Internet of Things.

The ideal candidate will have a strong interest in security and cryptography as well as the emerging field of IoT devices. You will have the opportunity to help us deliver a vital part of future IoT devices, helping to ensure they will stay robust and secure.

The role offers unique challenges working in a new business space where you can help shape the future of IoT and the security of these emerging technologies.

From January 4 to January 7
Location: Tel Aviv, Israel
More Information: http://crypto.biu.ac.il/6th-biu-winter-school

The School of Informatics, Computing, and Cyber Systems (SICCS) at Northern Arizona University invites applications from exceptional candidates for multiple tenured and tenure-track positions at all levels. These faculty positions will support a multi-year hiring initiative with a focus on the application of computing to key areas of national need. These positions are research-centric with a long-term institutional commitment to ensuring low teaching loads.

Exceptional candidates or coordinated group applications for highly desirable cluster hires in all SICCS areas are encouraged to apply. Specific areas of interest include:

• Cybersecurity, including trustworthy systems, data provenance, attack awareness, next generation defensive measures, mobile and cloud security, and usable security.
• Heterogeneous and reconfigurable systems, including software engineering methodologies, self-* systems and frameworks, machine learning and inference, and distributed and decentralized systems.
• Cyber-physical systems, including large-scale wireless and sensor networks, decentralized architectures, and ubiquitous computing.
• Big Data and data science, including data mining and machine learning, high-performance and cloud computing, natural language processing, and data visualization.

Minimum qualifications include a PhD or equivalent degree in an area of interest by August 22, 2016. See details at nau.edu/Human-Resources/Careers/Faculty-and-Administrator-Openings under Job ID 602174 (direct link: https://goo.gl/r3mxR6)

We are looking for an excellent, motivated, self-driven doctoral student to work in the area of information security and cryptography. The position is for five years at the Department of Computer Science and Engineering.

The PhD student will join Katerina Mitrokotsa’s group and will be funded by a project funded by the Swedish research council focusing on security and privacy issues in resource constrained devices.

The PhD student is expected to have a MSc degree or equivalent, and strong background in mathematics and/or theoretical computer science, with some background in cryptography.

Successful candidates will help to design and evaluate cryptographically reliable and privacy-preserving authentication protocols.

The position is fully funded for five years.

For any inquiries or to apply for the positions, submit a full research curriculum-vitae (cv), names of two references, and a research statement to Prof. Katerina Mitrokotsa (aikmitr (at) chalmers.se).

The call for expressions of interest will remain open until a suitable candidate is appointed

The Cryptology & Information Security (C&IS) lab at KAIST in Korea is looking for a highly motivated Post-Doc in the area of Post Quantum Cryptography (PQC) and its implementation. The position has an initial contract of a single year, but there are possibilities for extensions upon successful performance.

Conditions

- The candidates are expected to perform valuable research in the area of PQC

- Knowledge of PQC is recommended to apply this job.

- It is recommended to have experience in building cryptography primitives based on the hardness of quantum-resistant problems.

- The applicants should be fluent in written and spoken English for communications, but they don’t need to be fluent in Korean.

Please send your inquiries and CV to Kwangjo Kim (kkj (at) kaist.ac.kr)

hi everybody What do you think about my report : https://eprint.iacr.org/2014/946.pdf Kind Regards Samir From: 2015-08-09 07:20:08 (UTC)

We formalize the standard application of identity-based encryption (IBE), namely non-interactive secure communication, as realizing an ideal system which we call delivery controlled channel (DCC). This system allows users to be registered (by a central authority) for an identity and to send messages securely to other users only known by their identity.

Quite surprisingly, we show that existing security definitions for IBE are not sufficient to realize DCC. In fact, it is impossible to do so in the standard model. We show, however, how to adjust any IBE scheme that satisfies the standard security definition IND-ID-CPA to achieve this goal in the random oracle model.

We also show that the impossibility result can be avoided in the standard model by considering a weaker ideal system that requires all users to be registered in an initial phase before any messages are sent. To achieve this, a weaker security notion, which we introduce and call IND-ID1-CPA, is actually sufficient. This justifies our new security definition and might open the door for more efficient schemes. We further investigate which ideal systems can be realized with schemes satisfying the standard notion and variants of selective security.

As a contribution of independent interest, we show how to model features of an ideal system that are potentially available to dishonest parties but not guaranteed, and which such features arise when using IBE.

An Oblivious RAM (ORAM), introduced by Goldreich and Ostrovsky (JACM 1996), is a (probabilistic) RAM that hides its access pattern, i.e. for every input the observed locations accessed are similarly distributed. Great progress has been made in recent years in minimizing the overhead of ORAM constructions, with the goal of obtaining the smallest overhead possible.

We revisit the lower bound on the overhead required to obliviously simulate programs, due to Goldreich and Ostrovsky. While the lower bound is fairly general, including the offline case, when the simulator is given the reads and writes ahead of time, it does assume that the simulator behaves in a \"balls and bins\" fashion. That is, the simulator must act by shuffling data items around, and is not allowed to have sophisticated encoding of the data.

We prove that for the offline case, showing a lower bound without the above restriction is related to the size of the circuits for sorting. Our proof is constructive, and uses a bit-slicing approach which manipulates the bit representations of data in the simulation. This implies that without obtaining yet unknown superlinear lower bounds on the size of such circuits, we cannot hope to get lower bounds on offline (unrestricted) ORAMs.

Homomorphic encryption methods provide a way to outsource computations to the cloud while protecting the confidentiality of the data. In order to deal with the large and growing data sets that are being processed nowadays, good encryption performance is an important step for practicality of homomorphic encryption methods.

In this article, we study the encryption performance of the Paillier cryptosystem, a partially homomorphic cryptosystem that allows to perform sums on encrypted data without having to decrypt first. With a combination of both new and known methods, we increase the encryption performance by orders of magnitude compared to a na\\\"ive implementation. The new methods reduce the bottleneck of noise calculation by using pre-computed noise to generate new noise in a much faster way than by using standard methods.

Secure multiparty computation can be done with a deck of playing cards. For example, den Boer (EUROCRYPT \'89) devised his

famous \"five-card trick\", which is a secure two-party AND protocol using five cards. However, the output of the protocol is revealed in the process and it is therefore not suitable for general circuits with

hidden intermediate results. To overcome this limitation, protocols in committed format, i.e., with concealed output, have been introduced, among them the six-card AND protocol of (Mizuki and Sone, FAW 2009). In their paper, the authors ask whether six cards are minimal for committed format AND protocols.

We give a comprehensive answer to this problem: there is a four-card AND protocol with a runtime that is finite in expectation (i.e., a Las Vegas protocol), but no protocol with finite runtime. Moreover, we show that five cards are sufficient for finite runtime. In other words, improving on (Mizuki, Kumamoto and Sone, ASIACRYPT 2012) \"The Five-Card Trick can be done with four cards\", our results can be stated as \"The Five-Card Trick can be done in committed format\" and furthermore it \"can be done with four cards in Las Vegas committed format\".

By devising a Las Vegas protocol for any $k$-ary boolean function using $2k$ cards, we address the open question posed by

(Nishida et al., TAMC 2015) on whether $2k+6$ cards are necessary for computing any $k$-ary boolean function. For this we use the shuffle abstraction as introduced in the computational model of card-based protocols in (Mizuki and Shizuya, Int.~J.~Inf.~Secur., 2014). We augment this result by a discussion on implementing such general shuffle operations.

In this note we provide a more-or-less unified framework to talk about the functionality and security of graded encoding schemes, describe some variations of recent schemes, and discuss their security. In particular we describe schemes that combine elements from both the GGH13 scheme of Garg, Gentry and Halevi (EUROCRYPT 2013) and the GGH15 scheme of Gentry, Gorbunov and Halevi (TCC 2015). On one hand, we show how to use techniques from GGH13 in the GGH15 construction to enable encoding of arbitrary plaintext elements (as opposed to only small ones) and to introduce \"levels/subsets\" (e.g., as needed to implement straddling sets). On the other hand, we show how to modify the GGH13 scheme to support graph-induced constraints (either instead of, or in addition to, the levels from GGH13).

Turning to security, we describe zeroizing attacks on the GGH15 scheme, similar to those described by Cheon et al. (EUROCRYPT 2015) and Coron et al. (CRYPTO 2015) on the CLT13 and GGH13 constructions. As far as we know, however, these attacks to not break the GGH15 multi-partite key-agreement protocol. We also describe a new multi-partite key-agreement protocol using the GGH13 scheme, which also seems to resist known attacks. That protocol suggests a relatively simple hardness assumption for the GGH13 scheme, that we put forward as a target for cryptanalysis.

Since its introduction, pseudorandom functions (PRFs) have become one of the main building blocks of cryptographic protocols. In this work, we revisit two recent extensions of standard PRFs, namely multilinear and aggregate PRFs, and provide several new results for these primitives. In the case of aggregate PRFs, one of our main results is a proof of security for the Naor-Reingold PRF with respect to read-once boolean aggregate queries under the standard Decision Diffie-Hellman problem, which was an open problem. In the case of multilinear PRFs, one of our main contributions is the construction of new multilinear PRFs achieving indistinguishability from random symmetric and skew-symmetric multilinear functions, which was also left as an open problem. In order to achieve these results, our main technical tool is a simple and natural generalization of the recent linear independent polynomial framework for PRFs proposed by Abdalla, Benhamouda, and Passelègue in Crypto 2015, that can handle larger classes of PRF constructions. In addition to simplifying and unifying proofs for multilinear and aggregate PRFs, our new framework also yields new constructions which are secure under weaker assumptions, such as the decisional $k$-linear assumption.

Recent advances in block-cipher theory deliver security analyses in

models where one or more underlying components (e.g., a function or

a permutation) are {\\em ideal} (i.e., randomly chosen). This paper

addresses the question of finding {\\em new} constructions achieving

the highest possible security level under minimal assumptions in

such ideal models.

We present a new block-cipher construction, derived from the

Swap-or-Not construction by Hoang et al. (CRYPTO \'12). With $n$-bit

block length, our construction is a secure pseudorandom permutation

(PRP) against attackers making $2^{n - O(\\log n)}$ block-cipher

queries, and $2^{n - O(1)}$ queries to the underlying component

(which has itself domain size roughly $n$). This security level is

nearly optimal. So far, only key-alternating ciphers have been known

to achieve comparable security levels using $O(n)$ independent

random permutations. In contrast, here we only assume that a {\\em

single} {\\em function} or {\\em permutation} is available, while

achieving similar efficiency.

Our second contribution is a generic method to enhance a block

cipher, initially only secure as a PRP, to achieve related-key

security with comparable quantitative security.

A somewhere statistically binding (SSB) hash, introduced by Hubacek and Wichs (ITCS \'15), can be used to hash a long string $x$ to a short digest $y = H_{\\hk}(x)$ using a public hashing-key $\\hk$. Furthermore, there is a way to set up the hash key $\\hk$ to make it statistically binding on some arbitrary hidden position $i$, meaning that: (1) the digest $y$ completely determines the $i$\'th bit (or symbol) of $x$ so that all pre-images of $y$ have the same value in the $i$\'th position, (2) it is computationally infeasible to distinguish the position $i$ on which $\\hk$ is statistically binding from any other position $i\'$. Lastly, the hash should have a local opening property analogous to Merkle-Tree hashing, meaning that given $x$ and $y = H_{\\hk}(x)$ it should be possible to create a short proof $\\pi$ that certifies the value of the $i$\'th bit (or symbol) of $x$ without having to provide the entire input $x$. A similar primitive called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC \'15) further supports dynamic updates of the hashed value. These tools, which are interesting in their own right, also serve as one of the main technical components in several recent works building advanced applications from indistinguishability obfuscation (iO).

The prior constructions of SSB hashing and positional accumulators required fully homomorphic encryption (FHE) and iO respectively. In this work, we give new constructions of these tools based on well studied number-theoretic assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction from lossy/injective functions.

We revisit the question, originally posed by Yao (1982), of whether encryption security may be characterized using computational information. Yao provided an affirmative answer, using a compression-based notion of computational information to give a characterization equivalent to the standard computational notion of semantic security. We give two other equivalent characterizations. The first uses a computational formulation of Kelly\'s (1957) model for \"gambling with inside information\", leading to an encryption notion which is similar to Yao\'s but where encrypted data is used by an adversary to place bets maximizing the rate of growth of total wealth over a sequence of independent, identically distributed events. The difficulty of this gambling task is closely related to Vadhan and Zheng\'s (2011) notion of KL-hardness, which in certain cases is equivalent to a conditional form of the pseudoentropy introduced by Hastad et. al. (1999). Using techniques introduced to prove this equivalence, we are also able to give a characterization of encryption security in terms of conditional pseudoentropy. Finally, we reconsider the gambling model with respect to \"risk neutral\" adversaries in an attempt to understand whether assumptions about the rationality of adversaries may impact the level of security achieved by an encryption scheme.

From September 27 to September 29
Location: Singapore, Singapore
More Information: http://www1.spms.ntu.edu.sg/~diac2015/

About three decades ago it was realized that implementing private channels between parties which can be adaptively corrupted requires an encryption scheme that is secure against selective opening attacks. Whether standard (IND-CPA) security implies security against selective opening attacks has been a major open question since. The only known reduction from selective opening to IND-CPA security loses an exponential factor. A polynomial reduction is only known for the very special case where the distribution considered in the selective opening security experiment is a product distribution, i.e., the messages are samples independent from each other.

In this paper we give a reduction whose loss is quantified via the dependence graph (where message dependencies correspond to edges) of the underlying message distribution. In particular, for some concrete distributions including Markov distributions, our reduction is polynomial.