International Association
for Cryptologic Research

In a $t$-out-of-$n$ robust secret sharing scheme, a secret message is shared among $n$ parties who can reconstruct the message by combining their shares. An adversary can adaptively corrupt up to $t$ of the parties, get their shares, and modify them arbitrarily. The scheme should satisfy privacy, meaning that the adversary cannot learn anything about the shared message, and robustness, meaning that the adversary cannot cause the reconstruction procedure to output an incorrect message. Such schemes are only possible in the case of an honest majority, and here we focus on unconditional security in the maximal corruption setting where $n = 2t+1$.

In this scenario, to share an $m$-bit message with a reconstruction failure probability of at most $2^{-k}$, a known lower-bound shows that the share size must be at least $m + k$ bits. On the other hand, all prior constructions have share size that scales linearly with the number of parties $n$, and the prior state-of-the-art scheme due to Cevallos et al. (EUROCRYPT \'12) achieves $m + \\widetilde{O}(k + n)$.

In this work, we construct the first robust secret sharing scheme in the maximal corruption setting with $n=2t+1$, that avoids the linear dependence between share size and the number of parties $n$. In particular, we get a share size of only $m + \\widetilde{O}(k)$ bits. Our scheme is computationally efficient and relies on approximation algorithms for the minimum graph bisection problem.

PAGES+ is a family of block ciphers based on block ciphers Speck [2]

and PAGES [9]. The block length was increased vom 128 bit to 512 bit

and additional rounds were introduced to make the cipher more resistent

against attacks. The number of rounds are 64, 96, and 128. The key size

are 1024 bit, 1536 bit, and 2048 bit, respectively. The size of variables, as

with PAGES, is 128 bit. Thus the variables can be stored in registers of the

microprocessors of two leading suppliers. As with Speck, PAGES+ utilizes

instructions with a low latency, such as addition modulo 2 128 , subtraction

modulo 2 128 , XOR, and circular shifts (rotation). All these instructions are

usually carried out within a few cycles. Hence despite the number of rounds

is considerable, PAGES+ has a high software throughput. For a processor

with a frequency of 2.5 GHz, the software throughput with the optimized

version of the reference implementation is 30 megabyte per second with a

key length of 2048 bit and a number of rounds of 128. In hardware or the

implementation on a FPGA a considerable performance is expected, yet

with a limited expense.

PAGES- is a family of block ciphers based on block ciphers Speck [2]

and PAGES [9]. The block length was increased vom 128 bit to 256 bit

and additional rounds were introduced to make the cipher more resistent

against attacks. The number of rounds are 32, 48, 64, 96, and 128. The key

size are 256 bit, 384 bit, 512 bit, 768 bit, and 1024 bit, respectively. The

size of variables, as with Speck, is 64 bit. As with Speck, PAGES- utilizes

instructions with a low latency, such as addition modulo 2 64 , subtraction

modulo 2 64 , XOR, and circular shifts (rotation). All these instructions are

usually carried out within one cycle. Hence despite the number of rounds

is considerable, PAGES- has a high software throughput. For a processor

with a frequency of 2.5 GHz, the software throughput with the optimized

version of the reference implementation is 80 megabyte per second with a

key length of 1024 bit and a number of rounds of 128.

PAGES- is a family of block ciphers based on block ciphers Speck [2]

and PAGES [9]. The block length was increased vom 128 bit to 512 bit and

additional rounds were introduced to make the cipher more resistent against

attacks. The number of rounds are 32, 48, 64, 96, and 128. The key size are

512 bit, 768 bit, 1024 bit, 1536 bit, and 2048 bit respectively. The size of

variables, as with Speck, is 64 bit. For a processor with a frequency of 2.5

GHz, the software throughput with the optimized version of the reference

implementation is 65 megabyte per second with a key length of 2048 bit and

a number of rounds of 128.

This paper, examining the hardness of the search LWE problem, is a refined continuation of previous works including (Lindner-Peikert 2011, Liu-Nguyen 2013, Aono et al. 2013) using lattice reduction and lattice vector enumeration. We adopt the attack to the LWE using discrete Gaussian distribution, and propose a new bounding method named band pruning in lattice enumeration. We update the security estimations for several parameter sets proposed in the literature. Finally, using the data gained in our experiments, we derive an explicit formula linking the LWE\'s parameters with the bit security.

In this paper, we extend the tower number field sieve~(TNFS) proposed by

Barbulescu, Gaudry, and Kleinjung in Asaicrypt 2015.

Our generalization based on the JLSV algorithm (by Joux, Lercier, Smart, and Vercautern, Crypto 2006) shows that one can solve the discrete logarithm over

the field $\\F_Q := \\F_{p^n}$ in time complexity,

L_Q( 1/3, (64/9)^{1/3} ), for p = L_Q( \\ell_p) with some \\ell_p > 1/3.

This should be compared that the previous NFS algorithms only assures

this bound either when $\\ell_p > 2/3$ (the JLSV algorithm) or

when $p$ is of special form when $1/3 < \\ell_p < 2/3$

(by Joux and Pierrot, Pairing 2013).

Even more, when we apply some variants (such as the multiple number field sieve

or the special number field sieve) to our algorithm, then we show that the above

complexity is further improved.

One of the crucial factors for enabling fast and secure computations in the Zettabyte era is the use of incremental cryptographic primitives. For files ranging from several megabytes up to hundreds of gigabytes, incremental cryptographic primitives offer speedup factors measured in multiple orders of magnitude. In this paper we define two incremental hash functions iSHAKE128 and iSHAKE256 based on the recent NIST proposal for SHA-3 Extendable-Output Functions SHAKE128 and SHAKE256. We give two practical implementation aspects of a newly introduced hash functions and compare them with already known tree based hash scheme. We show the trends of efficiency gains as the amount of data increases in comparisons between our proposed hash functions and the standard tree based incremental schemes. Our proposals have the security levels against collision attacks of 128 and 256 bits.

Due to the numerous security and privacy risks, applications deployed in wireless networks require strong cryptographic protection. Reducing the energy cost of cryptographic algorithms and protocols that run on wireless embedded devices, is a crucial requirement when developing security and privacy solutions for wireless networks. The goal of this work is to give an insight to the global energy cost of secure wireless communications. We will compare the energy cost of different wireless standards and a wide range of cryptographic primitives. To illustrate these numbers, we will evaluate the energy consumption of several authentication schemes for RFID. The results show that both computation and communication cost are important factors in the energy budget, and clearly connected to the security and privacy properties of the wireless applications.

Graz University of Technology (TU Graz) has recently established an Excellence Research Center entitled “Dependable Internet of Things in Adverse Environments”, for further information see http://dependablethings.tugraz.at. The mission of this long-term center is to foster a highly interdisciplinary research team spanning the computer science and electrical engineering faculties to lay the scientific foundations for an Internet of Things that is highly reliable, safe, and secure in order to enable critical applications that require guaranteed performance even in adverse environments. The center is seeking to fill 10 PhD positions with excellent candidates, who will work closely together in four subprojects that focus on the following topics:

• Dependable Wireless Communication and Localization
• Dependable Embedded Computing
• Dependable Composition of Smart Things
• Dependable Networked Control

One of the open PhD positions is dedicated to cryptography and security in the Internet of Things. A main focus in this context is in particular on security against all kinds of side-channel attacks.

For more details on the project and on the application procedure, please follow the link provided below.

Transaction processing speed is one of the major considerations

in cryptocurrencies that are based on proof of work (POW) such as Bitcoin. At an intuitive level it is widely understood that processing speed is at odds with the security aspects of the underlying POW based consensus mechanism of such protocols, nevertheless the tradeoff between the two properties is still not well understood.

In this work, motivated by recent work \\cite{GKL15}

in the formal analysis of the Bitcoin backbone protocol,

we investigate the tradeoff between provable security and transaction processing speed viewing the latter as a function of the block generation rate.

%

We introduce a new formal property of blockchain protocols,

called {\\em chain growth}, and we show it is fundamental

for arguing the security of a robust transaction ledger.

%

We strengthen the results of \\cite{GKL15} showing for the

first time that reasonable security bounds hold even for the faster (than Bitcoin\'s) block

generation rates that have been adopted by several major ``alt-coins\'\' (including Litecoin, Dogecoin etc.).

%

We then provide a first formal security proof of the GHOST rule for blockchain protocols. The GHOST rule was put forth in \\cite{SZ13} as a mechanism to improve transaction processing speed and a variant of the rule is adopted by Ethereum.

Our security analysis of the ``GHOST backbone\'\' matches our new analysis for Bitcoin in terms of the common prefix property but falls short in terms of chain growth where we provide an attack that substantially

reduces the chain speed compared to Bitcoin. While our results establish the GHOST variant as a provably secure alternative to standard Bitcoin-like transaction ledgers they also highlight potential shortcomings in terms of processing speed compared to Bitcoin.

%

We finally present attacks and simulation results against blockchain protocols (both for Bitcoin and GHOST) that present natural upper barriers for the speed-security tradeoff.

By combining our positive and negative results we map the speed/security domain for blockchain protocols and list open problems for future work.

We explore the risk that network attackers can exploit unauthenticated Network Time Protocol (NTP) traffic to alter the time on client systems. We first discuss how an on-path attacker, that hijacks traffic to an NTP server, can quickly shift time on the server\'s clients. Then, we present a extremely low-rate (single packet) denial-of-service attack that an off-path attacker, located anywhere on the network, can use to disable NTP clock synchronization on a client. Next, we show how an off-path attacker can exploit IPv4 packet fragmentation to dramatically shift time on a client. We discuss the implications on these attacks on other core Internet protocols, quantify their attack surface using Internet measurements, and suggest a few simple countermeasures that can improve the security of NTP.

We propose adaptively secure attribute-based encryption (ABE) schemes for boolean formulas over large universe attributes from the decisional linear (DLIN) assumption, which allow an arbitrary number of attribute reuse in an available formula without the previously employed redundant multiple encoding technique. Based on the key-policy (KP-)ABE scheme, we have an adaptively secure communication-efficient non-interactive verifiable computation (NI-VC) from DLIN. While any previous adaptive NI-VC from a static assumption has multiplicatively dependent communication cost on the input variable multiplicity, we remove the dependency. For achieving the results, we develop a new encoding method for access policy matrix for ABE, by decoupling linear secret sharing (LSS) into its matrix and randomness, and partially randomizing the LSS shares in simulation. The new techniques are of independent interest and we expect it will find another application than ABE.

We survey recent work on the elliptic curve discrete logarithm problem. In particular we review index calculus algorithms using summation polynomials, and claims about their complexity.

Present constructions of indistinguishability obfuscation (iO) create obfuscated programs where the size of the obfuscated program is at least a factor of a security parameter larger than the size of the original program.

In this work, we construct the first iO scheme that achieves only a constant multiplicative overhead (in fact, the constant is 2) in the size of the program. The security of our construction requires the existence of sub-exponentially secure iO for circuits (that has any polynomial multiplicative overhead in the circuit size) and one-way functions.

Number Theoretic Transform (NTT) based polynomial multiplication is the most important operation for Lattice-based cryptography. In this paper, we implement the parallel NTT computation over ARM-NEON architecture. Our contributions include the following optimizations: (1) we vectorized the Iterative Number Theoretic Transform, (2) we propose the 32-bit wise Shifting-Addition-Multiplication-Subtraction-Subtraction (SAMS2) techniques for speeding up the modular coefficient multiplication, (3) we exploit the incomplete arithmetic for representing the coefficient to ensure the constant time modular reduction. For medium-term security level, our optimized NTT implementation requires only 27; 160 clock cycles. Similarly for long-term security level, it takes 62; 160 clock cycles. These results are faster than the state-of-art sequential implementations by 31% and 34% respectively.

Applications are invited to fill one or more research-faculty positions with the Engineering Systems Group of the University of Michigan Transportation Research Institute (UMTRI). Applicants are sought who qualify for the rank of Assistant Research Scientist having recently received a doctoral degree and preferably served one or more years in a post-doctoral position. The successful candidate(s) will conduct applied vehicle cybersecurity and privacy research. The responsibilities of the position include collaborating with faculty, staff, and students on research projects, initiating research projects and programs by soliciting and obtaining funding, interacting with sponsors and external collaborators, writing technical reports, conference papers, and journal articles, and presenting at conferences and technical meetings.

Submission: 15 November 2015
Notification: 15 December 2015
From January 20 to January 20
Location: Prague, Czech Republic
More Information: http://www.cs2.deib.polimi.it/

In CRYPTO 1999, J. An and M. Bellare proposed a Merkle-Damg\\r{a}rd iteration based MAC construction called NI-MAC in order to avoid constant re-keying on multiblock messages in NMAC and to ease the security proof. In CRYPTO 2014, Gazi et al. revisited the proof of

NI-MAC in the view of structure graph introduced by Bellare et al. in

CRYPTO 2005 and gave a tight bound of order $\\frac{lq^{2}}{2^{n}}$, which is an improvement over the trivial bound of order $\\frac{l^{2}q^{2}}{2^{n}}$, for $q$ queries, each of length at most $\\ell$ blocks. But this is again restricted to the birthday security. In order to prove the security of NI-MAC, Gazi et al. (CRYPTO 2014) introduced a variant of NI-MAC, called NI2-MAC and analyzed the advantage of NI2 MAC. Then he showed that the same proof technique will be applied to the security analysis of NI-MAC. In this paper, we lift the birthday bound of NI2-MAC construction to beyond birthday $O(q^2l^4/2^{2n})$ by a small change in the existing construction with one extra invocation of a independent keyed function. Finally, we argue how to lift the security of NI-MAC to beyond birthday using the security proof for NI2-MAC.

Recent advances in encryption schemes have allowed us to go far beyond point to point encryption, the scenario typically envisioned in public key encryption. In particular, Functional Encryption (FE) allows an authority to provide users with keys corresponding to various functions, such that a user with a secret key corresponding to a function $f$, can compute $f(m)$ (and only that) from a cipher-text that encrypts $m$.

While FE is a very powerful primitive, a key downside is the requirement of a central point of trust. FE requires the assumption of a central trusted authority which performs the system setup as well as manages the credentials of every party in the system on an ongoing basis. This is in contrast to public key infrastructure which may have multiple certificate authorities and allows a party to have different (and varying) level of trust in them.

In this work, we address this issue of trust in two ways:

\\begin{itemize}

\\item First, we ask how realistic it is to have a central authority that manages all credentials and is trusted by everyone? For example, one may need to either obtain the permission of an income tax official or the permission of the police department and a court judge in order to be able to obtain specific financial information of a user from encrypted financial data. Towards that end, we introduce a new primitive that we call {\\em Multi-Authority Functional Encryption} (MAFE) as a generalization of both Functional Encryption and Multi-Authority Attribute-Based Encryption (MABE). We show how to obtain MAFE for arbitrary polynomial-time computations based on

subexponentially secure indistinguishability obfuscation and injective one-way functions.

\\item Second, we consider the notion of \\emph{delegatable} functional encryption where any user in the system may independently act as a key generation authority. In delegatable FE, any user may derive a decryption key for a policy which is ``more restrictive\" than its own. Thus, in delegatable functional encryption, keys

can be generated in a hierarchical way, instead of directly by a central authority. In contrast to MAFE, however, in a delegatable FE scheme, the trust still ``flows\'\' outward from the central authority.

\\end{itemize}

Finally, we remark that our techniques are of independent interest: we construct FE in arguably a more natural way where a decryption key for a function $f$ is simply a signature on $f$. Such a direct approach allows us to obtain a construction with interesting properties enabling multiple authorities as well as delegation.

In August 2015 the U.S. National Security Agency (NSA) released a major policy statement on the need for post-quantum

cryptography (PQC). This announcement will be a great stimulus to the development, standardization, and commercialization of new quantum-safe algorithms. However, certain peculiarities in the wording and timing of the statement have puzzled many people and given rise to much speculation concerning the NSA, elliptic curve cryptography (ECC), and quantum-safe cryptography. Our purpose is to attempt to evaluate some of the theories that have been proposed.

The Cryptography Group of Department of Computer Science at Aalto University is looking for a talented doctoral student in cryptographic engineering. The topics of this doctoral position are related to secure and efficient cryptography in wireless sensor networks and devices for the Internet of Things. The exact topic will be decided together with the doctoral student based on his/her background and research interests.

The duration of the project is three years starting from December 2015 or January 2016, and the contract is made for one year at a time. A candidate should have completed a Master (or equivalent) degree in computer science, electrical engineering, mathematics, or other related field. We expect experience at least in some of the following topics: cryptography, side-channel attacks and countermeasures, digital design, embedded systems, and programming (in particular VHDL and/or C). The candidate must be motivated, capable to take initiative, work independently, and be fluent in both written and spoken English.

Applications should include a motivation letter, a full CV with the grade transcript, and contact information for a couple of references (no reference letters). Applications should be sent by email to Kimmo Järvinen.

The applications will be reviewed immediately and the position will be filled when a suitable candidate is found.

From August 15 to August 17
Location: Calgary, Canada
More Information: http://sacconference.org/