International Association
for Cryptologic Research

SQUARE is an iterated block cipher proposed by Daemen et.al. in FSE1997. Inspired by Bogdanov et.al.’s recent works [12], we first present an improved biclique attack, i.e. stat-based independent biclique attack on full rounds SQUARE in this paper. We construct a one round stat-based independent biclique for the initial round, and utilize matching with precomputation techniques to recover the whole key from the remaining rounds. The computing complexity of our attack is about $2^(126.17)$ encryptions and required data can be reduced to a single plaintext-ciphertext pair. To be the best of our knowledge, our attack has an optimal computing complexity and data complexity of biclique attack on full rounds SQUARE.

Differential and linear cryptanalysis are the general purpose tools to analyze various cryptographic primitives. Both techniques have in common that they rely on the existence of good differential or linear characteristics. The difficulty of finding such characteristics depends on the primitive. For instance, AES is designed to be resistant against differential and linear attacks and therefore, provides upper bounds on the probability of possible linear characteristics. On the other hand, we have primitives like SHA-1, SHA-2, and Keccak, where finding good and useful characteristics is an open problem. This becomes particularly interesting when considering, for example, competitions like CAESAR. In such competitions, many cryptographic primitives are waiting for analysis. Without suitable automatic tools, this is a virtually infeasible job. In recent years, various tools have been introduced to search for characteristics. The majority of these only deal with differential characteristics. In this work, we present a heuristic search tool which is capable of finding linear characteristics even for primitives with a relatively large state, and without a strongly aligned structure. As a proof of concept, we apply the presented tool on the underlying permutations of the first round CAESAR candidates Ascon, Icepole, Keyak, Minalpher and Proest.

In this work we describe a message packing and unpacking method for homomorphic ciphertexts. Messages are packed into the coefficients of plaintext polynomials. We propose an unpacking procedure which allows to obtain a ciphertext for each packed message. The packing and unpacking of ciphertexts represents a solution for reducing the transmission bottleneck in cloud based applications, in particular when sending homomorphic calculations results. The results we obtain (packing ratio, unpacking time) are compared to existing packing methods based on trans-ciphering.

We investigate a method for finding small integer solutions of a univariate modular equation, that was introduced by Coppersmith and extended by May. We will refer this method as the Coppersmith technique.

This paper provides a way to analyze a general limitations of the lattice construction for the Coppersmith technique. Our analysis upper bounds the possible range of $U$ that is asymptotically equal to the bound given by the original result of Coppersmith and May. This means that they have already given the best lattice construction. In addition, we investigate the optimality for the bivariate equation to solve the small inverse problem, which was inspired by Kunihiro's argument. In particular, we show the optimality for the Boneh-Durfee's equation used for RSA cryptoanalysis,

To show our results, we establish framework for the technique by following the relation of Howgrave-Graham, and then concretely define the conditions in which the technique succeed and fails. We then provide a way to analyze the range of $U$ that satisfies these conditions. Technically, we show that the original result of Coppersmith achieves the optimal bound for $U$ when constructing a lattice in the standard way. We then provide evidence which indicates that constructing a non-standard lattice is generally difficult.

GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and it is becoming increasingly popular. Until 2010 researchers unanimously agreed that: “despite considerable cryptanalytic efforts spent in the past 20 years, GOST is still not broken”, and in 2010 it was submitted to ISO 18033 to become a worldwide industrial encryption standard. In 2011 it was suddenly discovered that GOST can be broken and it is insecure on more than one account. There is a substantial variety of recent innovative attacks on GOST. We have reflection attacks, attacks with double, triple and even quadruple reflections, a large variety of self-similarity and black-box reduction attacks, some of which do not use any reflections whatsoever and few other. The final key recovery step in various attacks is in many cases a software algebraic attack or/and a Meet-In-The-Middle attack. In differential attacks key bits are guessed and confirmed by the differential properties and there have already been quite a few papers about advanced differential attacks on GOST. There is also several even more advanced “combination” attacks which combine the complexity reduction approach based on high-level self-similarity of with various advanced differential properties with 2,3 or 4 points. In this paper we consider some recent differential attacks on GOST and show how to further improve them. We present a single-key attack against full 32-round 256-bit GOST with time complexity of 2^179 which is substantially faster than any previous single key attack on GOST.

The School of Computing at the University of Utah seeks applications for multiple tenure-track faculty positions at the rank of Assistant Professor, beginning Fall 2016. Exceptional candidates at higher ranks will also be considered. Applications in all areas of computer science are encouraged, but the School is particularly interested (for one of the positions) in candidates with experience in security, and particularly in cryptography and applications.

The University of Utah is a Carnegie Research I Institution, and the School of Computing is an exciting, growing school with a 50-year history of excellence in computer science education, innovation, and research. The University of Utah is located in Salt Lake City, the hub of a large metropolitan area with excellent cultural and recreational opportunities. Additional information about the school and our current faculty can be found at http://www.cs.utah.edu.

Candidates may apply through the following URL: http://utah.peopleadmin.com/postings/45876

Review of applications will begin after November 15 and will continue until the positions are filled.

Closing date for applications: 30 January 2016

Contact: Suresh Venkatasubramanian, Associate Professor (suresh (at) cs.utah.edu)

More information: http://www.cs.utah.edu/people/faculty-hiring/#SoC

The security of HMAC is proven under the assumption that its compression function is a dual PRF, meaning a PRF when keyed by either of its two inputs. But, not only do we not know whether particular compression functions really are dual PRFs, we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption for HMAC. For this purpose we introduce and construct symmetric PRFs, which may be of independent interest.

We introduce a homomorphic batching technique that can be used to pack multiple ciphertext messages into one ciphertext for parallel processing. One is able to use the method to batch or unbatch messages homomorphically to further improve the flexibility of encrypted domain evaluations. In particular, we show various approaches to implement Number Theoretic Transform (NTT) homomorphically in FFT speed. Also, we present the limitations that we encounter in application of these methods. We implement homomorphic batching in various settings and present concrete performance figures. Finally, we present an implementation of a homomorphic NTT method which we process each element in an independent ciphertext. The advantage of this method is we are able to batch independent homomorphic NTT evaluations and achieve better amortized time.

The recent notion of encryption switching protocol (ESP) allows two players to obliviously switch between two encryption schemes. Instantiated from multiplicatively homomorphic encryption and additively homomorphic encryption, ESPs provide a generic solution to two-party computation and lead to particularly efficient protocols for arithmetic circuits in terms of interaction and communication. In this paper, we further investigate their applications and show how ESPs can be used as an alternative to fully-homomorphic encryption (FHE) to outsource computation on sensitive data to cloud providers. Our interactive solution relies on two non-colluding servers which obliviously perform the operations on encrypted data, and eventually send back the outcome in an encrypted form to the appropriate players. Our solution makes use of a nice combination of the Paillier encryption scheme and the Damgard-Jurik variant with multiple trapdoors, which notably allows cross-user evaluations on encrypted data.

Homomorphic encryption has progressed rapidly in both efficiency and versatility since its emergence in 2009. Meanwhile, a multitude of pressing privacy needs --- ranging from cloud computing to healthcare management to the handling of shared databases such as those containing genomics data --- call for immediate solutions that apply fully homomorpic encryption (FHE) and somewhat homomorphic encryption (SHE) technologies. Further progress towards these ends requires new ideas for the efficient implementation of algebraic operations on word-based (as opposed to bit-wise) encrypted data. While the arithmetic operations that are essential for cloud computing have known boolean representations, most of them require access to each bit individually, such as comparison and we lack solutions on a word domain. In this work, we tackle this challenging problem of finding ways to solve algebraic problems -including comparison and homomorphic division- in word-based encryption via an SHE scheme. We present concrete performance figures for all proposed primitives.

With the rapid progress in fully homomorpic encryption (FHE) and somewhat homomorphic encryption (SHE) schemes, we are wit- nessing renewed efforts to revisit privacy preserving protocols. Several works have already appeared in the literature that provide solutions to these problems by employing FHE or SHE techniques. These applications range from cloud computing to computation over confidential patient data to several machine learning problems such as classifying privatized data. One application where privacy is a major concern is web search – a task carried out on a daily basis by billions of users around the world. In this work, we focus on a more surmountable yet essential version of the search problem, i.e. autocomplete. By utilizing a SHE scheme we propose concrete solutions to a homomorphic autocomplete problem. To investigate the real-life viability, we tackle a number of problems in the way towards a practical implementation such as communication and computational efficiency.

In this paper we study authenticated encryption algorithms inspired by the OCB mode (Offset Codebook). These algorithms use secret offsets (masks derived from a whitening key) to turn a block cipher into a tweakable block cipher, following the XE or XEX construction.

OCB has a security proof up to 2^n/2 queries, and a matching forgery attack was described by Ferguson, where the main step of the attack recovers the whitening key. In this work we study recent authenticated encryption algorithms inspired by OCB, such as Marble, AEZ, and COPA. While Ferguson’s attack is not applicable to those algorithms, we show that it is still possible to recover the secret mask with birthday complexity. Recovering the secret mask easily leads to a forgery attack, but it also leads to more devastating attacks, with a key-recovery attack against Marble and AEZ v2 and v3 with birthday complexity.

For Marble, this clearly violates the security claims of full n-bit security. For AEZ, this matches the security proof, but we believe it is nonetheless a quite undesirable property that collision attacks allow to recover the master key, and more robust designs would be desirable.

Our attack against AEZ is generic and independent of the internal permutation (in particular, it still works with the full AES), but the key-recovery is specific to the key derivation used in AEZ v2 and v3. Against Marble, the forgery attack is generic, but the key-recovery exploits the structure of the E permutation (4 AES rounds). In particular, we introduce a novel cryptanalytic method to attack 3 AES rounds followed by 3 inverse AES rounds, which can be of independent interest.

Fully homomorphic encryption (FHE) has been dubbed the holy grail of cryptography, an elusive goal which could solve the IT world's problems of security and trust. Research in the area exploded after 2009 when Craig Gentry showed that FHE can be realised in principle. Since that time considerable progress has been made in finding more practical and more efficient solutions. Whilst research quickly developed, terminology and concepts became diverse and confusing so that today it can be difficult to understand what the achievements of different works actually are. The purpose of this paper is to address three fundamental questions: What is FHE? What can FHE be used for? What is the state of FHE today? As well as surveying the field, we clarify different terminology in use and prove connections between different FHE notions.

Formally bounding side-channel leakage is important to bridge the gap between the theory and practice in cryptography. However, bounding side-channel leakages is difficult because leakage in a crypto-system could be from several sources. Moreover the amount of leakage from a source may vary depending on the implementation of the cipher and the form of attack. To formally analyze the security of a crypto-system against a form of attack, it is therefore essential to consider each source of leakage independently. This paper considers data prefetching, which is used in most modern day cache memories to reduce the miss penalty. To the best of our knowledge, we show for the first time that micro-architectural features like prefetching is a major source of leakage in profiled cache-timing attacks. We further quantify the leakage due to important data prefetching algorithms, namely sequential and arbitrary-stride prefetching. The analytical results, with supported experimentation, brings out interesting facts like the effect of placement of tables in memory and the cipher’s implementation on the leakage in profiled cache-timing attacks.

With the growing popularity of remote storage, the ability to outsource a large private database yet be able to search on this encrypted data is critical. Searchable symmetric encryption (SSE) is a practical method of encrypting data so that natural operations such as searching can be performed on this data. It can be viewed as an efficient private-key alternative to powerful tools such as fully homomorphic encryption, oblivious RAM, or secure multiparty computation. The main drawbacks of existing SSE schemes are the limited types of search available to them and their leakage. In this paper, we present a construction of a private outsourced database in the two-server model (e.g. two cloud services) which can be thought of as an SSE scheme on a B-tree that allows for a wide variety of search features such as range queries, substring queries, and more. Our solution can hide all leakage due to access patterns (``metadata'') between queries and features a tunable parameter that provides a smooth tradeoff between privacy and efficiency. This allows us to implement a solution that supports databases which are terabytes in size and contain millions of records with only a 5x slowdown compared to MySQL when the query result size is around 10% of the database, though the fixed costs dominate smaller queries resulting in over 100x relative slowdown (under 1 second actual).

In addition, our solution also provides a mechanism for allowing data owners to set filters that prevent prohibited queries from returning any results, without revealing the filtering terms. Finally, we also present the benchmarks of our prototype implementation. This is the full version of the extended abstract to appear at CT-RSA 2016.

In this paper, we present an invariant subspace attack against block cipher Midori64 which has recently been proposed by Banik et al. at Asiacrypt 2015 to achieve low energy consumption. We show that when each nibble of the key has the value 0 or 1 and each nibble of the plaintext has the value 8 or 9, each nibble of the ciphertext also has the value 8 or 9 with probability one regardless of the number of rounds applied. This fact indicates that Midori64 has a class of $2^{32}$ weak keys that can be distinguished with a single query. It also indicates that the number of keys generated uniformly at random for Midori64 must not exceed $2^{96}$, i.e., the pseudorandom-permutation security of Midori64 is only up to 96 bits instead of 128 bits. Interestingly, given the information that the key is from the $2^{32}$ weak key subspace, key recovery can be performed within time complexity $2^{16}$ and data complexity $2^1$. We have confirmed the correctness of the analysis by implementing the attack. At the current stage, our attacks do not apply to Midori128.

Designing attribute-based systems supporting highly expressive access policies has been one of the principal focus of research in attribute-based cryptography. While attribute-based encryption (ABE) enables fine-grained access control over encrypted data in a multi-user environment, attribute-based signature (ABS) provides a powerful tool for preserving signer anonymity. Attributebased signcryption (ABSC), on the other hand, is a combination of ABE and ABS into a unified cost-effective primitive. In this paper, we start by presenting a key-policy ABE supporting general polynomial-size circuit realizable decryption policies and featuring compactness. More specifically, our ABE construction exhibits short ciphertexts and shorter decryption keys compared to existing similar works. We then proceed to design a key-policy ABSC scheme which enjoys several interesting properties that were never achievable before. It supports arbitrary polynomial-size circuits, thereby handles highly sophisticated control over signing and decryption rights. Besides, it generates short ciphertext as well. Our ABE construction employs multilinear map of level $n + l + 1$, while that used for our ABSC scheme has level $n + n' + l + 1$, where $n$, $n'$, and $l$ represent respectively the input length of decryption policy circuits, input size of signing policy circuits, and depth of both kinds of circuits. Selective security of our constructions are proven in the standard model under the Multilinear Decisional Diffie-Hellman and Multilinear Computational Diffie-Hellman assumptions which are standard complexity assumptions in the multilinear map setting. Our key-policy constructions can be converted to the corresponding ciphertext-policy variants achieving short ciphertext by utilizing the technique of universal circuits.

Event date: 8 September to 9 September 2016
Submission deadline: 1 June 2016
Notification: 1 August 2016

CSE PhD Openings at University of Nebraska Lincoln

Dr. Qiben Yan’s lab in University of Nebraska Lincoln has multiple Ph.D. TA/RA openings starting from Fall 2016. The successful candidates are expected to work on exciting research areas in Cyber Security, including: Internet and web security, mobile/wireless networks and security, spectrum and cognitive radio security, applied cryptography, network monitoring and intrusion detection, botnet and mobile malware defense. Preferred candidates should be self-motivated, responsible, and have the curiosity and determination to explore the path to develop himself/herself into an outstanding security researcher. Candidates with CS, EE or other relevant backgrounds will be considered, and an earned Master degree is a plus. A solid background in either of the following will be a plus: wireless communications & networking, security/cryptography, data mining/machine learning, optimization, game theory/control, or strong system implementation skills. If you are interested, please send your CV/resume, transcripts, GRE and TOEFL scores, and any other information that you believe is helpful for your application in one email to Prof. Yan at yan (at) unl.edu. For more information, please visit http://cse.unl.edu/~qyan.

Closing date for applications: 28 February 2016

Contact: Dr. Qiben Yan

More information: http://cse.unl.edu/~qyan

Applications are invited for a PhD studentship on cybersecurity, in particular, Internet of Things (IoT) security, at the School of Computing Science, Newcastle University, UK. This studentship involves close collaboration with I2R, Singapore, and includes annual return air tickets to Singapore during the 4 years study. Any nationality can apply.

The successful applicant will join a vibrant and growing Secure and Resilient Systems (SRS) research group at the School of computing Science, Newcastle University. So far research works in the group have been largely driven by tackling real-world security problems, with some of the research outcomes adopted by international standards and deployed in large-scale commercial applications.

About us: The School of Computing Science at Newcastle University is recognised as one of the fourteen Academic Centres of Excellence in Cyber Security Research (ACEs-CSR) in the UK. In the latest 2014 Research Excellence Framework (REF) assessment which included all UK universities, Newcastle University CS was ranked the 1st in the UK for its Research Impact.

How to apply: follow the online application link below (Look for project title: Secure IoT Platform for A Smart Nation, School: Computing Science, Ref: NSS16). To help speed up the process, please also send your CV and a brief cover letter to feng.hao (at) ncl.ac.uk.

Closing date for applications: 26 February 2016

Contact: feng.hao (at) ncl.ac.uk

More information: http://www.ncl.ac.uk/sage/study/postgrad/singapore/index.htm