International Association
for Cryptologic Research

The Modular Approach to Cloud Security (MACS) is an NSF Frontier project that is building information systems with meaningful multi-layered security guarantees. It is a multi-institution research project with 13 PIs at four universities: Boston University, MIT, Northeastern, and the University of Connecticut.

The MACS team are looking for excellent postdoctoral fellows in the following areas:

• Cryptography: theoretical and applied
• Database security
• Hardware security
• High performance computing
• Network security
• Security modeling and analysis
• Virtualization and operating system security

Preference will be given to candidates with expertise and interest in multiple areas. Fellows will work closely with multiple PIs on the MACS team and will be affiliated with all four host universities.

Candidates should send their CV, research statement, and list of references to macs-postdoc (at) cs.bu.edu

Closing date for applications: 30 June 2016

Contact: Mayank Varia, MACS director, macs-postdoc (at) cs.bu.edu

More information: http://www.bu.edu/macs

Potential candidates are required to have interests in public-key encryption and its applications to big data environments, like data privacy, performance on encrypted data and so on.

This position is fully supported by The Chinese University Program, which is one of the Chinese Government Scholarship programs. It is a full scholarship to support Chinese universities to enroll outstanding international students for graduate studies in China.

Qualification:

• Very good Master degree in Computer Science or Mathematics.
• Solid background in provable security, e.g., demonstrated by publications.

Closing date for applications: 20 March 2016

Contact: Please send your questions or application (CV, transcripts and certificates, names of references) by e-Mail to: xuerui(at)iie.ac.cn

Referendum on parallel sessions: In the three IACR General Conferences (Eurocrypt, Crypto, Asiacrypt) of 2015 a significant portion of the talks were held in parallel sessions.

Results:

• I wish to continue with parallel sessions: 358
• I wish to return to all sessions being single-track: 71

Change to the Bylaws: The Board proposes to change the bylaws, the main change is to formally rename IACR Workshops to IACR Area Conferences.

Results:

• Yes, I approve the change of the bylaws: 407
• No, I reject the change of the bylaws: 24

Election verification data can be found at https://vote.heliosvoting.org/helios/e/IACR2016-vote

Searchable symmetric encryption (SSE) enables a client to store a database on an untrusted server while supporting keyword search in a secure manner. Despite the rapidly increasing interest in SSE technology, experiments indicate that the performance of the known schemes scales badly to large databases. Somewhat surprisingly, this is not due to their usage of cryptographic tools, but rather due to their poor locality (where locality is defined as the number of {\em non-contiguous} memory locations the server accesses with each query). The only known schemes that do not suffer from poor locality suffer either from an impractical space overhead or from an impractical read efficiency (where read efficiency is defined as the ratio between the number of bits the server reads with each query and the actual size of the answer).

We construct the first SSE schemes that simultaneously enjoy optimal locality, optimal space overhead, and nearly-optimal read efficiency. Specifically, for a database of size $N$, under the modest assumption that no keyword appears in more than $N^{1 - 1/\log\log N}$ documents, we construct a scheme with read efficiency $\tilde{O}(\log \log N)$. This essentially matches the lower bound of Cash and Tessaro (EUROCRYPT '14) showing that any SSE scheme must be sub-optimal in either its locality, its space overhead, or its read efficiency. In addition, even without making any assumptions on the structure of the database, we construct a scheme with read efficiency $\tilde{O}(\log N)$.

Our schemes are obtained via a two-dimensional generalization of the classic balanced allocations (``balls and bins'') problem that we put forward. We construct nearly-optimal two-dimensional balanced allocation schemes, and then combine their algorithmic structure with subtle cryptographic techniques.

The purpose of this paper is to investigate fixed point arithmetic in ring-based Somewhat Homomorphic Encryption (SHE) schemes. We provide three main contributions: Firstly, we investigate the representation of fixed point numbers. We analyse the two representations from Dowlin et al, representing a fixed point number as a large integer (encoded as a scaled polynomial) versus a polynomial-based fractional representation. We show that these two are, in fact, isomorphic by presenting an explicit isomorphism between the two that enables us to map the parameters from one representation to another. Secondly, given a computation and a bound on the fixed point numbers used as inputs and scalars within the computation, we achieve a way of producing lower bounds on the plaintext modulus $p$ and the degree of the ring $d$ needed to support complex homomorphic operations. Finally, we investigate an application in homomorphic image processing. We have an image given in encrypted form and are required to perform the standard image processing pipeline of Fourier Transform--Hadamard Product--Inverse Fourier Transform. In particular we examine applications in which the specific matrices involved in the Hadamard multiplication are also encrypted. We propose a mixed Fourier Transform Algorithm which aims to strike a compromise between the number of homomorphic multiplications and the parameter sizes of the underlying SHE scheme.

Since 2012, it is publicly known that the bitstream encryption feature of modern Xilinx FPGAs can be broken by side-channel analysis. Presented at CT-RSA 2012, using graphics processing units (GPUs) the authors demonstrated power analysis attacks mounted on side-channel evaluation boards optimized for power measurements. In this work, we extend such attacks by moving to the EM side channel to examine their practical relevance in real-world scenarios. Furthermore, by following a certain measurement procedure we reduce the search space of each part of the attack from 2^{32} to 2^8, which allows mounting the attacks on ordinary workstations. Several Xilinx FPGAs from different families - including the 7 series devices - are susceptible to the attacks presented here.

In this short note we report on invariant subspaces in Simpira in the case of four registers. In particular, we show that the whole input space (respectively output space) can be partitioned into invariant cosets of dimension $56$ over $\F_{2^8}^{64}$. These invariant subspaces are found by exploiting the \emph{non-invariant} subspace properties of AES together with the particular choice of Feistel configuration. Though we give the invariant subspaces for $b=4$ in this paper, we remark that there are invariant subspaces in several of the Simpira instances; these can be determined with only minor adjustments to the analysis in this paper.

Function secret sharing(FSS) was introduced by Boyle et al. in Eurocrypt 2015, which allowed a dealer to split a secret function f into n separate pieces such that each piece enables the server who owns it to generate a secret share of the evaluation of f(x). However, when just only one collusive server returns a wrong result, reconstructing the secret will fail. Therefore, we are required to nd an applicable approach to check the correctness of result returned by the untrusted server. To solve this issue, we rstly introduce a primitive called Public Veriable Function Secret Sharing (PVFSS), and dene three new important properties: public delegation, public verication and high eciency. Then we ini- tiate a systematic study of PVFSS and construct a PVFSS scheme for point function. Not only captures our scheme these three properties, but also allows the client to verify the outcome in time constant i.e., in indeed substantially less time than performing the computation locally. We conducted a performance analysis, which manifested that our scheme can be applied into practice such as cloud/outsource computing.

In order to remember long passwords, it is not uncommon users are recommended to create a sentence which then is assembled to form a long password, a passphrase. However, theoretically a language is very limited and predictable, why a linguistically correct passphrase according to Shannon's definition of information theory should be relatively easy to crack compared to bruteforce. This work focuses on cracking linguistically correct passphrases, partly to determine to what extent it is advisable to base a password policy on such phrases for protection of data, and partly because today, widely available effective methods to crack passwords based on phrases are missing. Within this work, phrases were generated for further processing by available cracking applications, and the language of the phrases were modeled using a Markov process. In this process, phrases were built up by using the number of observed instances of subsequent characters or words in a source text, known as n-grams, to determine the possible/probable next character/word in the phrases. The work shows that by creating models of language, linguistically correct passphrases can be broken in a practical way compared to an exhaustive search. In the tests, passphrases consisting of up to 20 characters were broken.

The program of FSE 2016 is now available online. FSE will be held 20-23 March in Bochum, Germany.

A cryptographic contract and enforcement technology would guarantee release of a data decryption key to an authorized party if and only if predetermined contract requirements are satisfied. Threshold secret sharing can be used to eliminate the need for access to the hidden key under normal circumstances. It can also eliminate the liability and burden normally carried by device manufacturers or service providers when they store the decryption keys of their customers. Blockchain technology provides a mechanism for a public audit trail of the creation and release of the hidden key. The use of peer-to-peer mix-net network overlay technology can be added to insure that the blockchain audit trail documents the release of the key even if an all-powerful entity forces actors to act under duress.

Simpira is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity 2^82.62 for the recommended full 15 rounds (truncated 256-bit hash value), and complexity 2^110.16 for 16 rounds (full 512-bit hash value). These attacks violate the designers' security claims that there are no structural distinguishers below 2^128.

In PKC 1999, Fujisaki and Okamoto showed how to convert any public key encryption (PKE) scheme secure against chosen plaintext attacks (CPA) to a PKE scheme which is secure against chosen ciphertext attacks (CCA) in the random oracle model. Surprisingly, the resulting CCA secure scheme has almost the same efficiency as the underlying CPA secure scheme. Moreover, in J. Cryptology 2013, they proposed the more efficient conversion by using the hybrid encryption framework. In this work, we clarify whether these two constructions are also secure in the sense of key dependent message security against chosen ciphertext attacks (KDM-CCA security), under exactly the same assumptions on the building blocks as those used by Fujisaki and Okamoto. Specifically, we show two results: Firstly, we show that the construction proposed in PKC 1999 does not satisfy KDM-CCA security generally. Secondly, on the other hand, we show that the construction proposed in J. Cryptology 2013 satisfies KDM-CCA security.

Applications are invited for the post of Lecturer in the Information Security Group at Royal Holloway, University of London

Applications are invited from researchers whose interests are related to, or complement, current strengths of the ISG. We are particularly interested in applicants who will be able to help drive forward research related to Internet of Things (IoT) security.

Applicants should have a Ph.D. in a relevant subject or equivalent, be a self-motivated researcher, and have a strong publication record. Applicants should be able to demonstrate an enthusiasm for teaching and communicating with diverse audiences, as well as show an awareness of contemporary issues relating to cyber security.

This is a full time and permanent post, with an intended start date of 1st September, 2016, although an earlier or slightly later start may be possible. This post is based in Egham, Surrey, where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

Closing date for applications: 1 April 2016

Contact: Professor Keith Mayes
Director of the Information Security Group
[contact and further details via the supplied URL]

More information: https://jobs.royalholloway.ac.uk/vacancy.aspx?ref=0216-068

In attribute-based signatures, each signer receives a signing key from the authority, which is associated with the signer's attribute, and using the signing key, the signer can issue a signature on any message under a predicate, if his attribute satisfies the predicate. One of the ultimate goals in this area is to support a wide class of predicates, such as the class of \emph{arbitrary circuits}, with \emph{practical efficiency} from \emph{a simple assumption}, since these three aspects determine the usefulness of the scheme. We present an attribute-based signature scheme which allows us to use an arbitrary circuit as the predicate with practical efficiency from the symmetric external Diffie-Hellman assumption. We achieve this by combining the efficiency of Groth-Sahai proofs, which allow us to prove algebraic equations efficiently, and the expressiveness of Groth-Ostrovsky-Sahai proofs, which allow us to prove any NP relation via circuit satisfiability.

We introduce a debiasing scheme that solves the more-noise-than-entropy problem which can occur in Helper Data Systems when the source is very biased. We perform a condensing step, similar to Index Based Syndrome coding, that reduces the size of the source space in such a way that some source entropy is lost while the noise entropy is greatly reduced. In addition, our method allows for even more entropy extraction by means of a `spamming' technique. Our method outperforms solutions based on the one-pass von Neumann algorithm.

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the Ring Learning With Errors problem (Ring-LWE) has been widely used as a building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction to ideal lattice problems. This reduction assumes a lower bound on the width of the error distribution that is often violated in practice. In this paper we show that caution is needed when doing so, by providing for any $\varepsilon > 0$, a family of number fields $K$ of increasing degree $n$ for which Ring-LWE can be broken easily as soon as the errors required by the reduction are scaled down by $|\Delta_K|^{\varepsilon/n}$ with $\Delta_K$ the discriminant of $K$.

In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve non-dual decision RLWE given 20 samples, with a success rate ranging from 10% to 80%. In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100%. Moreover our attack works for every modulus q instead of the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al. the smallest errors are negligible and simple linear algebra suffices to recover the secret. But enlarging the error paremeters makes the largest errors wrap around, thereby turning the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev.

In this work, we analyze all existing RSA-CRT countermeasures against the Bellcore attack that use binary self-secure exponentiation algorithms. We test their security against a powerful adversary by simulating fault injections in a fault model that includes random, zeroing, and skipping faults at all possible fault locations. We find that most of the countermeasures are vulnerable and do not provide sufficient security against all attacks in this fault model. After investigating how additional measures can be included to counter all possible fault injections, we present three countermeasures which prevent both power analysis and many kinds of fault attacks.

May and Ozerov proposed an algorithm for the nearest-neighbor problem of vectors over the binary field at EUROCRYPT 2015. They applied their algorithm to the decoding problem of random linear codes over the binary field and confirmed the performance improvement. We describe their algorithm generalized to work for vectors over the finite field $\mathbb{F}_{q}$ with arbitrary prime power $q$. We also apply the generalized algorithm to the decoding problem of random linear codes over $\mathbb{F}_{q}$. It is observed by our numerical analysis of asymptotic time complexity that the May-Ozerov nearest-neighbor algorithm may not contribute to the performance improvement of the Stern information set decoding over $\mathbb{F}_{q}$ with $q\geq 3$.