International Association
for Cryptologic Research

Applications are invited for a fixed-term post-doctoral researcher position (Security in Cyber Physical Systems) at University College Cork, Ireland. The position is within the the Security Group in the Department of Computer Science in conjunction with the recently established CONNECT Research Centre. The researcher will be part of the IRC/Chist-ERA programme funded project DYPOSIT: Dynamic Policies for Shared Cyber-Physical Infrastructures Under Attack. This project is being undertaken in collaboration with the Lancaster University, UK and Katholieke Universiteit Leuven, Belgium.

DYPOSIT will investigate the problem of large, shared cyber physical systems under attack. The project will consider the challenge of dynamically formulating and adapting security controls, rapidly and on-demand, in the face of unfolding attacks on a shared cyber physical system fabric integrating multiple applications run by a variety of stakeholders. The Post-Doctoral Researcher will primarily contribute to the development and implementation of a distributed security model for cyber physical systems in which trade-offs between threats, controls and other constraints, can be reasoned about in managing security policy deployment.

From November 1 to November 3
Location: Beijing, China
More Information: http://tcc2016b.sklois.cn/

Authentication and authenticated encryption with associated data (AEAD) are applied in cryptographic protocols to provide message integrity. The definitions in the literature and the constructions used in practice all protect against forgeries, but offer varying levels of protection against replays, reordering, and drops. As a result of the lack of a systematic hierarchy of authentication and AEAD security notions, gaps have arisen in the literature, specifically in the provable security analysis of the Transport Layer Security (TLS) protocol. We present a hierarchy of authentication and AEAD security notions, interpolating between the lowest level of protection (against forgeries) and the highest level (against forgeries, replays, reordering, and drops). We show generically how to construct higher level schemes from a basic scheme and appropriate use of sequence numbers, and apply that to close the gap in the analysis of TLS record layer encryption.

Many techniques for secure or private execution depend on executing programs in a data-oblivious way, where the same instructions execute independent of the private inputs which are kept in encrypted form

throughout the computation. Designers of such computations today must either put substantial effort into constructing a circuit representation of their algorithm, or use a high-level language and lose the opportunity to make important optimizations or experiment with protocol variations. We show how extensibility can be

improved by judiciously exposing the nature of data-oblivious computation. We introduce a new language that allows application developers to program secure computations without being experts in cryptography, while enabling programmers to create abstractions such as oblivious RAM and width-limited integers, or even new protocols without needing to modify the

compiler. This paper explains the key language features that safely enable such extensibility and describes the simple implementation approach we use to ensure security properties are preserved.

Leakage resilient codes (LRCs) are probabilistic encoding schemes that guarantee message hiding even under some bounded leakage on the codeword.

We introduce the notion of \\emph{fully} leakage resilient codes (FLRCs), where the adversary can leak some $\\lambda_0$ bits from the encoding process, i.e., the message and

the randomness involved during the encoding process. In addition the adversary can as usual leak from the codeword.

We give a simulation-based definition requiring that the adversary\'s leakage from the encoding process and the codework can be simulated given just $\\lambda_0$ bits of leakage from the message. For $\\lambda_0 = 0$ our new simulation-based notion is equivalent to the usual game-based definition. A FLRC would be interesting in its own right and would be useful in building other leakage-resilient primitives in a composable manner.

We give a fairly general impossibility result for FLRCs in the popular split-state model, where the codeword is broken into independent parts and where the leakage occurs independently on the parts. We show that if the leakage is allowed to be any poly-time function of the secret and if collision-resistant hash functions exist,

then there is no FLRC for the split-state model. The result holds only when the message length can be linear in the security parameter. However,

we can extend the impossibility result to FLRCs for constant-length messages under assumptions related to differing-input obfuscation. These results show that it is highly unlikely that we can build FLRCs for the split-state model when the leakage can be any poly-time function of the secret state.

We then give two feasibility results for weaker models.

First, we show that for $\\NC^0$-bounded leakage from the randomness and arbitrary poly-time leakage from the parts of the codeword the inner-product construction proposed by Dav\\\'{i} \\etal (SCN\'10) and successively improved by Dziembowski and Faust (ASIACRYPT\'11) is a FLRC for the split-state model. Second, we provide a compiler from any LRC to a FLRC in the common reference string model for any fixed leakage family of small cardinality. In particular, this compiler applies to the split-state model but also to many other models.

Today, recommender systems are playing an indispensable role in our daily life. However, nothing is for free -- such systems have also upset the society with severe privacy concerns. In this paper, we first revisit the concept of computing recommendations based on inputs from both a user\'s friends and a set of randomly chosen strangers. We propose two security models to formalize information leakages in recommender systems. We then clarify two protocols by Tang and Wang at ESORICS 2015, analyse their security in our security models, and investigate their performances according newly-constructed Twitter datasets and MovieLens 100k dataset. Our experiments show that the single prediction protocol is efficient and can be considered practical in reality. We finally propose a new decentralized single prediction protocol and compare it to the centralized (clarified) protocol.

There is a vacancy for a PhD position at the Department of Informatics, University of Bergen, Norway (www.uib.no/en/ii) within cryptology. The position is for a fixed term period of 3 years and funded by the project “Modern Methods and Tools for Theoretical and Applied Cryptology” (CryptoWorld) awarded by the Research Council of Norway.

About the project/work tasks

Analyze, design and implement symmetric cryptographic lightweight primitives. Establish new methods of algebraic cryptanalysis and implement them efficiently. Advance the theoretical understanding of the use of Nonlinear Feedback Shift Registers (NLFSRs) for the needs of symmetric key cryptography.

The research training

The PhD candidate should have a strong background in computer science or/and mathematics with relevance to cryptography and must participate in an approved educational program for a PhD degree within a period of 3 years.

In this note, we show how to transform a large class of erroneous cryptographic schemes into perfectly correct ones. The transformation works for schemes that are correct on every input with probability noticeably larger than half, and are secure under parallel repetition. We assume the existence of one-way functions and of functions with deterministic (uniform) time complexity $2^{O(n)}$ and non-deterministic circuit complexity $2^{\\Omega(n)}$. The transformation complements previous results showing that public-key encryption and indistinguishability obfuscation that err on a noticeable fraction of inputs can be turned into ones that are often correct {\\em for all inputs}.

The technique relies on the idea of ``reverse randomization\'\' [Naor, Crypto 1989] and on Nisan-Wigderson style derandomization, which was previously used in cryptography to obtain non-interactive witness-indistinguishable proofs and commitment schemes [Barak, Ong and Vadhan, Crypto 2003].

Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms

to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

In security proofs of lattice based cryptography, bounding the closeness of two probability distributions is an important procedure. To measure the closeness, the R\\\'enyi divergence has been used instead of the classical statistical distance. Recent results have shown that the R\\\'enyi divergence offers security reductions with better parameters,

e.g. smaller deviations for discrete Gaussian distributions. However, since previous analyses used a fixed order R\\\'enyi divergence, i.e., order two, they lost tightness of reductions. To overcome the deficiency, we adaptively optimize the orders based on the advantages of the adversary for several lattice-based schemes. The optimizations enable us to prove the security with both improved efficiency and tighter reductions. Indeed, our analysis offers security reductions with smaller parameters than the statistical distance based analysis and the reductions are tighter than those of previous R\\\'enyi divergence based analyses. As applications, we show tighter security reductions for sampling discrete Gaussian distributions with smaller precomputed tables for Bimodal Lattice Signature Scheme (BLISS), and the variants of learning with errors (LWE) problem and the small integer solution (SIS) problem called k-LWE and k-SIS, respectively.

Recently, Monz, et al. [arXiv:1507.08852] have reported the demonstration of factoring 15 using a scalable Shor algorithm with an ion-trap quantum computer. We remark that the report is flawed because there are three flaws in the proposed circuit diagram of Shor algorithm. We also remark that the principles behind the demonstration have not been explained properly, including its correctness and complexity.

This work describes the design and implementation of \\lol, a

general-purpose software library for lattice cryptography, written in

the functional and strongly typed language Haskell. In comparison

with several prior implementations of lattice-based cryptographic

schemes, \\lol has several novel and distinguishing features,

which include:

* \\emph{Generality and modularity:} \\lol defines simple but

general interfaces for the lattice cryptography ``toolbox,\'\'

allowing for a wide variety of cryptographic schemes to be expressed

very naturally and concisely. For example, we implement an advanced

fully homomorphic encryption (FHE) scheme in as few as 2--5 lines of

code per feature, via code that very closely matches the scheme\'s

mathematical definition.

* \\emph{Parallelism:} \\lol automatically exploits multi-core

parallelism, achieving nearly linear speedups per core. It also

allows for the use of other parallel ``backends\'\' (e.g., based on

GPUs or other specialized hardware), with no changes to application

code.

* \\emph{Theory affinity:} \\lol is designed from the ground-up

around the specialized ring representations, fast algorithms, and

worst-case hardness proofs that have been developed for the Ring-LWE

problem and its cryptographic applications. In particular, \\lol

implements fast algorithms for sampling from

\\emph{theory-recommended} error distributions over \\emph{arbitrary}

cyclotomic rings, and provides tools for maintaining tight control

of error growth in cryptographic schemes.

* \\emph{Advanced features:} \\lol exposes the rich \\emph{hierarchy}

of cyclotomic rings to cryptographic applications. We use this to

give the first-ever implementation of a set of FHE operations

collectively known as ``ring switching,\'\' and also describe a more

efficient variant that we call ``ring tunneling.\'\'

Finally, we document a variety of perspectives, objects, and

algorithms related to practical and theoretically sound usage of

Ring-LWE in cyclotomic rings, which we believe will serve as a useful

reference for future implementations.

In the past few years, lightweight cryptography has become a popular research discipline with a number of ciphers and hash functions proposed. The designers\' focus has been predominantly to minimize the hardware area, while other goals such as low latency have been addressed rather recently only. However, the optimization goal of low energy for block cipher design has not been explicitly addressed so far. At the same time, it is a crucial measure of goodness for an algorithm. Indeed, a cipher optimized with respect to energy has wide applications, especially in constrained environments running on a tight power/energy budget such as medical implants.

This paper presents the block cipher Midori that is optimized with respect to the energy consumed by the circuit per bit in encryption or decryption operation. We deliberate on the design choices that lead to low energy consumption in an electrical circuit, and try to optimize each component of the circuit as well as its entire architecture for energy. An added motivation is to make both encryption and decryption functionalities available by small tweak in the circuit that would not incur significant area or energy

overheads.

We propose two energy-efficient block ciphers Midori128 and Midori64 with block sizes equal to 128 and 64 bits respectively. These ciphers have the added property that a circuit that provides both the functionalities of encryption and decryption can be designed with very little overhead in terms of area and energy. We compare our results with other ciphers with similar characteristics: it was found that the energy consumptions of Midori64 and Midori128 are by far better when compared ciphers like PRINCE and NOEKEON.

The efficiency of fully homomorphic encryption is a big question at present. To improve efficiency of fully homomorphic encryption, we use the technique of packed ciphertexts to construct a multi-bit fully homomorphic encryption based on Learning with Errors problem. Our scheme has a short public key. Since our fully homomorphic encryption scheme builds on the basic encryption scheme that choose Learning with Errors samples from Gaussian distribution and add Gaussian error to it, which result in that the number of Learning with Errors samples decrease from 2nlogq to n+1. We prove that our fully homomorphic encryption scheme is feasible and its security relies on the hardness of Learning with Errors problem. In addition we adapt the optimization for the process of key switching from GHS13 and formal this new process of key switching for multi-bit fully homomorphic encryption. At last, we analyze the concert parameters and compare these parameters between our scheme and GHS13 scheme. The data show that our scheme has public key smaller by a factor of about logq than it in GHS13 scheme.

Password-Authenticated Key Exchange allows users to generate a strong cryptographic key based

on a shared \\human-memorable\" password without requiring a public-key infrastructure. It is one of the most

widely used and fundamental cryptographic primitives. Unfortunately, mass password theft from organizations

is continually in the news and, even if passwords are salted and hashed, brute force breaking of password

hashing is usually very successful in practice.

In this paper, we propose two ecient protocols where the password database is somehow shared among two

servers (or more), and authentication requires a distributed computation involving the client and the servers.

In this scenario, even if a server compromise is doable, the secret exposure is not valuable to the adversary since

it reveals only a share of the password database and does not permit to brute force guess a password without

further interactions with the parties for each guess. Our protocols rely on smooth projective hash functions and

are proven secure under classical assumption in the standard model (i.e. do not require idealized assumption,

such as random oracles).

In 2010, van Dijk, Gentry, Halevi, and Vaikuntanathan described the first fully homomorphic encryption over the integers, called DGHV. The scheme is based on a set of $m$ public integers $c_i=pq_i+r_i$, $i=1,\\cdots,m$, where the integers $p$, $q_i$ and $r_i$ are secret. In this paper, we describe two lattice-based attacks on DGHV. The first attack is applicable when $r_1=0$ and the public integers $c_i$ satisfy a linear equation $a_2c_2+\\ldots+a_mc_m=a_1q_1$ for suitably small integers $a_i$, $i=2,\\ldots,m$. The second attack works when the positive integers $q_i$ satisfy a linear equation $a_1q_1+\\ldots+a_mq_m=0$ for suitably small integers $a_i$, $i=1,\\ldots,m$. We further apply our methods for the DGHV recommended parameters as specified in the original work of van Dijk, Gentry, Halevi, and Vaikuntanathan.

One major need in the context of Privacy Enhancing Technologies (PETs) is to bridge theoretical proposals and practical implementations. In order to foster easy deployment of PETs, the crux is on proposing standard and well-defined programming interfaces. This need is not completely fulfilled in the case of group signatures. Group signatures are key cryptographic primitives to build up privacy respectful protocols and endorsing fair management of anonymity. To the best of our knowledge, currently there exists no abstract and unified programming interface definition for group signatures. In this work we address this matter and propose a programming interface definition enclosing the functionality of current group signatures schemes. Furthermore, for the sake of abstraction and generalization, we have also endowed our interface with the means to include new group signatures schemes. Finally, we have considered three well known group signature schemes to implement an open source library of the interface using C programming language. We have also performed an analysis of the software implementation with respect to different values of the key size and other parameters of the group signatures interface.

The progress in communication and hardware technology increases the computational capabilities of personal devices.

Data is produced massively from ubiquitous devices that cannot be stored locally. Moreover, third party authorities

in order to increase their value in the market with more knowledge, seek to collect

individual data inputs, such that they can make a decision with more relevant information. Aggregators, acting as third

parties, are interested in learning a statistical function as the sum over a census of data. Users are reluctant to

reveal their information in cleartext, since it is treated as personal sensitive information. The paradoxical paradigm

of preserving the privacy of individual data while granting an untrusted third party to learn in cleartext a function

thereof, is partially addressed by the current privacy preserving aggregation protocols.

Current solutions are either focused on a honest-but-curious Aggregator who is trusted to follow the rules of the

protocol or they model a malicious Aggregator with trustworthy users. That limits the security analysis to users who

are trustworthy to not share any secret information with a malicious Aggregator. In this paper we are the first to

propose a protocol with fully malicious users who collude with a malicious Aggregator in order

to forge a message of a trusted user. We introduce the new cryptographic primitive of \\emph{convertible tag}, that

consists of a two-layer authentication tag. Users first tag their data with their secret key and then an untrusted

\\emph{Converter} converts the first layer tags in a second layer. The final tags allow the Aggregator to produce a

proof for the correctness of a computation over users\' data. Security and privacy of the scheme is preserved against

the \\emph{Converter} and the Aggregator, under the notions of \\emph{Aggregator obliviousness} and \\emph{Aggregate

unforgeability} security definitions, augmented with malicious users. Our protocol is provable secure under standard

assumptions in the random oracle model.

In CRYPTO 2003, Halevi and Rogaway proposed CMC, a tweakable enciphering scheme (TES) based on a blockcipher. It requires two blockcipher keys and it is not inverse-free (i.e., the decryption algorithm uses the inverse (decryption) of the underlying blockcipher). We present here a new inverse-free, single-keyed TES. Our construction is a tweakable strong pseudorandom permutation (tsprp), i.e., it is secure against chosen-plaintext-ciphertext adversaries assuming that the underlying blockcipher is a pseudorandom permutation (prp), i.e., secure against chosen-plaintext adversaries. In comparison, sprp assumption of the blockcipher is required for the sprp security of CMC. Our scheme can be viewed as a mixture of type-1 and type-3 Feistel cipher and so we call it FMix or mixed-type Feistel cipher.

Myers and Shelat (FOCS 2009) showed how to convert a chosen ciphertext secure (CCA secure) PKE scheme that can encrypt only $1$-bit plaintexts into a CCA secure scheme that can encrypt arbitrarily long plaintexts (via the notion of key encapsulation mechanism (KEM) and hybrid encryption), and subsequent works improved efficiency and simplicity. In terms of efficiency, the best known construction of a CCA secure KEM from a CCA secure 1-bit PKE scheme, has the public key size $\\Omega(k) \\cdot |pk|$ and the ciphertext size $\\Omega(k^2) \\cdot |c|$, where $k$ is a security parameter, and $|pk|$ and $|c|$ denote the public key size and the ciphertext size of the underlying $1$-bit scheme, respectively.

In this paper, we show a new CCA secure KEM based on a CCA secure $1$-bit PKE scheme which achieves the public key size $2 \\cdot |pk|$ and the ciphertext size $(2k + o(k)) \\cdot |c|$. These sizes are asymptotically optimal in the sense that they are (except for a constant factor) the same as those of the simplest \\lq\\lq bitwise-encrypt\'\' construction (seen as a KEM by encrypting a $k$-bit random session-key) that works for the chosen plaintext attack and non-adaptive chosen ciphertext attack settings. We achieve our main result by developing several new techniques and results on the \\lq\\lq double-layered\'\' construction (which builds a KEM from an inner PKE/KEM and an outer PKE scheme) by Myers and Shelat and on the notion of detectable PKE/KEM by Hohenberger, Lewko, and Waters (EUROCRYPT 2012).