International Association
for Cryptologic Research

With the evidence on comprised cryptographic standards in the context of elliptic curves, the IETF TLS working group has issued a request to the IETF Crypto Forum Research Group (CFRG) to recommend new elliptic curves that do not leave a doubt regarding their rigidity or any backdoors. This initiative has recently published RFC 7748 proposing two elliptic curves, known as Curve25519 and Curve448, for use with the next generation of TLS. This choice of elliptic curves was already picked up by the IETF working group curdle for adoption in further security protocols, such as DNSSEC. Hence it can be expected that these two curves will become predominant in the Internet and will form one basis for future secure communication. Unfortunately, both curves were solely designed and optimized for pure software implementation; their implementation in hardware or their physical protection against side-channel attacks were not considered at any time. However, for Curve25519 it has been shown recently that efficient implementations in hardware along with side-channel protection are possible. In this work we aim to close this gap and demonstrate that fortunately the second curve can be efficiently implemented in hardware as well. More precisely, we demonstrate that the high-security Curve448 can be implemented on a Xilinx XC7Z7020 at moderate costs of just 963 logic and 30 DSP slices and performs a scalar multiplication in 2.5ms.

Event date: 8 August to 9 August 2016

Event date: 18 July to 19 July 2016

Reporting to the Director of Security and Data Sciences, the Engineer is responsible for the following:

• Conduct research on advanced ethical hacking, penetration testing, reverse engineering.
• Conduct assessment on network infrastructure, web and mobile security.
• Assisting in IT security enforcement and enhancement.
• Design secure application testing approaches, integrate quality assurance testings with security functionalities.
• Candidate with strong programming background will also be involved in security tool/signature development.
• Design and implement preventive security controls, application code review and analysis, code scanning and testing tools, web application scanning and penetration tests.
• Manage vendor and service provider on security tools and technologies project engagement and delivery.

Requirements

• Bachelor’s degree or above in Computer Science, Electrical Engineering or other relevant disciplines with a minimum of 5 years of experience in security assessment. Candidates with less experience will also be considered for the Engineer level.
• Experience in financial industry is preferred but not mandatory.
• Demonstrate wide working knowledge of application security.
• Experience in application development life cycle, application testing and code scanning, with exposure in penetration test, finding exploits, vulnerabilities, unauthorized access, or other malicious activities in computer systems.
• Proficient in English, spoken and written.
• High integrity and professional work practice.
• Appreciation of people and cultures of different countries.

Closing date for applications: 15 April 2016

Contact: charlenechoo (at) astri.org

More information: http://www.astri.org/careers/work-at-astri/jobs/senior-engineerengineer-cyber-security-assessment-multiple-openings-6/

Event date: 12 May 2016

The \emph{learning with errors over rings} (Ring-LWE) problem---or more accurately, family of problems---has emerged as a promising foundation for cryptography due to its practical efficiency, conjectured quantum resistance, and provable \emph{worst-case hardness}: breaking certain instantiations of Ring-LWE is at least as hard as quantumly approximating the Shortest Vector Problem on \emph{any} ideal lattice in the ring.

Despite this hardness guarantee, several recent works have shown that certain instantiations of Ring-LWE can be broken by relatively simple attacks. While the affected instantiations are not supported by worst-case hardness theorems (and were not ever proposed for cryptographic purposes), this state of affairs raises natural questions about what other instantiations might be vulnerable, and in particular whether certain classes of rings are inherently unsafe for Ring-LWE.

This work comprehensively reviews the known attacks on Ring-LWE and vulnerable instantiations. We give a new, unified exposition which reveals an elementary geometric reason why the attacks work, and provide rigorous analysis to explain certain phenomena that were previously only exhibited by experiments. In all cases, the insecurity of an instantiation is due to the fact that its error distribution is insufficiently ``well spread'' relative to its ring. In particular, the insecure instantiations use the so-called \emph{non-dual} form of Ring-LWE, together with \emph{spherical} error distributions that are much narrower and of a very different shape than the ones supported by hardness proofs.

On the positive side, we show that any Ring-LWE instantiation which satisfies (or only almost satisfies) the hypotheses of the ``worst-case hardness of search'' theorem is \emph{provably immune} to broad generalizations of the above-described attacks: the running time divided by advantage is at least exponential in the degree of the ring. This holds for the ring of integers in \emph{any} number field, so the rings themselves are not the source of insecurity in the vulnerable instantiations. Moreover, the hypotheses of the worst-case hardness theorem are \emph{nearly minimal} ones which provide these immunity guarantees.

When analyzing the round complexity of multi-party cryptographic protocols, one often overlooks the fact that underlying resources, such as a broadcast channel, can be by themselves expensive to implement. For example, it is well known that it is impossible to implement a broadcast channel by a (deterministic) protocol in a sub-linear (in the number of corrupted parties) number of rounds.

The seminal works of Rabin and Ben-Or from the early 80's demonstrated that limitations as the above can be overcome by using randomization and allowing parties to terminate at different rounds, igniting the study of protocols over point-to-point channels with probabilistic termination and expected {\em constant} round complexity. However, absent a rigorous simulation-based definition, the suggested protocols are proven secure in a property-based manner or via {\em ad hoc} simulation-based frameworks, therefore guaranteeing limited, if any, composability.

In this work, we put forth the first simulation-based treatment of multi-party cryptographic protocols with probabilistic termination. We define secure multi-party computation (MPC) with probabilistic termination in the UC framework, and prove a universal composition theorem for probabilistic-termination protocols. Our theorem allows to compile a protocol using deterministic-termination hybrids into a protocol that uses expected-constant-round protocols for emulating these hybrids, preserving the expected round complexity of the calling protocol.

We showcase our definitions and compiler by providing for the first time simulation-based (therefore composable) protocols and security proofs for the following primitives relying on point-to-point channels: (1) Expected-constant-round perfect Byzantine agreement, (2) expected-constant-round perfect parallel broadcast, and (3) perfectly secure MPC with round complexity independent of the number of parties.

Event date: 16 December to 20 December 2016
Submission deadline: 29 July 2016
Notification: 15 September 2016

Event date: 17 January to 21 January 2017
Submission deadline: 1 August 2016
Notification: 30 September 2017

While impossible differential cryptanalysis is a well-known and popular cryptanalytic method, errors in the analysis are often discovered and many papers in the literature present flaws. Wishing to solve that, Boura \textit{et al.} presented at ASIACRYPT'14 a generic vision of impossible differential attacks with the aim of simplifying and helping the construction and verification of this type of cryptanalysis. In particular, they gave generic complexity analysis formulas for mounting such attacks and develop new ideas for optimizing them. In this paper we carefully study this generic formula and show impossible differential attacks for which the real time complexity is much higher than estimated by it. In particular, we show that the impossible differential attack against 25-round TWINE-128, presented at FSE'15 by Biryukov \textit{et al.}, actually has a complexity higher than the natural bound of exhaustive search.

By using a recently introduced framework for non-perfect secret sharing, several known results on perfect secret sharing are generalized. Specifically, we discuss about ideal secret sharing schemes, constructions of efficient linear secret sharing schemes, and the search for lower bounds on the length of the shares. Similarly to perfect secret sharing, matroids and polymatroids are very useful to analyze these questions.

Ciphertext Policy Attribute Based Encryption (CP - ABE) is a public key primitive in which a user is only able to decrypt a ciphertext if the attributes associated with secret key and the access policy connected with ciphertext matches. CP-ABE provides both confidentiality and access control to the data stored in public cloud. Anonymous CP-ABE is an adaptation of ABE where in addition to data confidentiality and access control, receiver anonymity is also provided. Recently, Koo et al. (2013) proposed a scheme in the area of anonymous CP-ABE. We found security flaws in Koo et al.’s scheme. Their scheme does not support anonymity of the intended receiver, which was the main security claim in [8]. In this paper, we show how one can identify the receiver in Koo et al.’s scheme.

Recently, a new framework, called secure server-designation public key encryption with keyword search (SPEKS), was introduced to improve the security of dPEKS (which suffers from the on-line keyword guessing attack) by defining a new security model ‘original ciphertext indistinguishability’. In this paper, we note that off-line keyword guessing attack can be launched by a malicious server to find the keyword used for generating the trapdoor, which was not considered in the related work. SPEKS can suffer from this kind of attack. Moreover, the security model defined for TD-IND in SPEKS is incomplete. Owing to the shown weaknesses, the existing security models are enhanced for trapdoor indistinguishability by defining two new security models. Finally, we propose a new framework.

Many online services adopt a password-based user authentication system because of its usability. However, several problems have been pointed out on it, and one of the well-known problems is that a user forgets his/her password and cannot login the services. To solve this problem, most online services support a mechanism with which a user can reset a password. In this paper, we consider a provable security treatment for a password reset protocol. We formalize a model and security definitions, propose a generic construction based on a pseudorandom function and public key encryption. In addition, we implement a prototype of our protocol to evaluate its efficiency.

In this paper we are proposing an ultra lightweight, a very compact block cipher ‘PICO’. PICO is a substitution and permutation based network, which operates on a 64 bit plain text and supports a key length of 128 bits. It has a VERY compact structure that requires GEs for a 128 bit key length. The PICO cipher uses strong bit permutation layer which only needs wires for implementation this reduces overall gate count. Its unique design helps to generate a large number of active S - boxes in fewer rounds which thwart the linear and differential attacks on the cipher. PICO shows good performance on both the hardware and the software platforms. PICO consumes only 2504 bytes of Flash memory which is less than ultra lightweight cipher PRESENT. PICO has a very strong Substitution layer(S- box) which not only makes the design robust but also introduces a great avalanche effect. PICO has strong and compact key scheduling which is motivated from latest NSA designed cipher SPECK. PICO consumes 28mW of dynamic power which is less than the PRESENT cipher (31mW). In this paper we have presented the security analysis of PICO and its performance as an ultra lightweight compact cipher. PICO resists linear, differential, biclique, zero correlation, meet in the middle and key related attacks.

This work addresses a basic problem of security systems that operate on very sensitive information, such as healthcare data. Specifically, we are interested in the problem of privately handling medical data represented by rational numbers. Considering the complicated computations on encrypted medical data, one of the natural and powerful tools for ensuring privacy of the data is fully homomorphic encryption (FHE). However, because the plaintext domain of known FHE schemes is restricted to a set of quite small integers, it is not easy to obtain efficient algorithms for encrypted rational numbers in terms of space and computation costs. Our observation is that this inefficiency can be alleviated by using a different representation of rational numbers instead of naive expressions. For example, the na\"{i}ve decimal representation considerably restricts the choice of parameters in employing an FHE scheme, particularly the plaintext size.

The starting point of our technique in this work is to encode rational numbers using continued fractions. Because continued fractions enable us to represent rational numbers as a sequence of integers, we can use a plaintext space with a small size while preserving the same quality of precision. However, this encoding technique requires performing very complex arithmetic operations, such as division and modular reduction. Theoretically, FHE allows the evaluation of any function, including modular reduction at encrypted data, but it requires a Boolean circuit of very high degree to be constructed. Hence, we primarily focus on developing an approach to solve this efficiency problem using homomorphic operations with small degrees.

We study the complexity of black-box constructions of pseudorandom functions (PRF) from one-way functions (OWF) that are secure against non-uniform adversaries. We show that if OWF do not exist, then given as an oracle any (inefficient) hard-to-invert function, one can compute a PRF in polynomial time with only k(n) oracle queries, for any k(n) = \omega(1) (e.g. k(n) = log^* n). Combining this with the fact that OWF imply PRF, we show that unconditionally there exists a (pathological) construction of PRF from OWF making at most k(n) queries. This result shows a limitation of a certain class of techniques for proving efficiency lower bounds on the construction of PRF from OWF. Our result builds on the work of Reingold, Trevisan, and Vadhan (TCC ’04), who show that when OWF do not exist there is a pseudorandom generator (PRG) construction that makes only one oracle query to the hard-to-invert function. Our proof combines theirs with the Nisan-Wigderson generator (JCSS ’94), and with a recent technique by Berman and Haitner (TCC ’12).

Working in the same context (i.e. when OWF do not exist), we also construct a poly-time PRG with arbitrary polynomial stretch that makes non-adaptive queries to an (inefficient) one-bit-stretch oracle PRG. This contrasts with the well-known adaptive stretch-increasing construction due to Goldreich and Micali.

Both above constructions simply apply an affine function (parity or its complement) to the query answers. We complement this by showing that if the post-processing is restricted to only taking projections then non-adaptive constructions of PRF, or even linear-stretch PRG, can be ruled out.

We show that two well-known and widely employed public-key encryption schemes -- RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) and Diffie-Hellman Integrated Encryption Scheme (DHIES), instantiated with a one-time pad, -- are secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model. Both schemes are obtained via known generic transformations that transform relatively weak primitives (with security in the sense of one-wayness) to IND-CCA secure encryption schemes. We also show a similar result for the well-known Fujisaki-Okamoto transformation that can generically turn a one-way secure public key encryption system and a one-time pad into a INDCCA-secure public-key encryption system. We prove that selective opening security comes for free in these transformations. Both DHIES and RSA-OAEP are important building blocks in several standards for public key encryption and key exchange protocols. The Fujisaki-Okamoto transformation is very versatile and has successfully been utilised to build efficient lattice-based cryptosystems. The considered schemes are the first practical cryptosystems that meet the strong notion of simulation-based selective opening (SIM-SO-CCA) security.

Event date: 12 December to 15 December 2016
Submission deadline: 15 June 2016
Notification: 15 August 2016

One Ph.D. position is available immediately for exceptional applicants. The research areas include cryptographic engineering, post-quantum cryptography, side-channel attacks, and ECC. Excellent background in VHDL/Verilog, FPGA/ASIC design, and mathematics of cryptology is desired. BS and MS degrees need to be in ECE.

Please contact both Dr. Mehran Mozaffari Kermani (m.mozaffari (at) rit.edu) and Dr. Reza Azarderakhsh (rxaeec (at) rit.edu) and enclose your CV, statement of interest, and transcripts.

Closing date for applications: 31 May 2016