International Association
for Cryptologic Research

Applications are invited for a PhD position in the field of cryptography at the Department of Information and Communication Technologies at Universitat Pompeu Fabra in Barcelona, Spain, to be co-supervised by Dr. Vanesa Daza and Dr. Carla Ràfols. The successful applicant will do research in theoretical cryptography, more specifically in the design of secure cryptographic protocols. He/she will be funded by the Spanish Government through the FPI program (Formación de Personal Investigador). The starting date will be around Oct. 2016.

The candidate should hold or be about to receive a master\'s degree by Oct. 2016 in computer science, mathematics or a related area.

Applications should start with a a short motivation letter, include a full CV, a copy of grade transcript(s) of completed studies and one name of reference.

To apply or request further information, please contact cryptophdapplications (at) upf.edu. Review of applications will start immediately until the position is filled.

Closing date for applications: 15 June 2016

Contact: cryptophdapplications (at) upf.edu

At EUROCRYPT 2015, Todo proposed the division property. Since then, many researches about the division property had occurred in succession. Inspired by the bit-based division property on SIMON introduced by Todo and Morri at FSE 2016, we give a further understanding of bit-based division property and come up with a new method to reconsider the \textbf{Substitution} rule given by Todo. By integrating the method of division property with the concrete boolean function expressions of S-box, this new idea can help us trace the propagation of division property at the bit level and escape the tedious and direct application of the original propagation rules. Benefit from this fact, this method can be applied to find integral distinguishers for some bit-oriented block ciphers other than SIMON. Since this method replaces the \textbf{Substitution} rules with a subtle propagation table, we call it table-aided bit-based division property. In order to verify our new method, we apply it to find integral distinguishers for CipherFour. The experimental results indicate that the table-aided bit-based division property is indeed a valid and efficient tool to search for integral distinguishers for some bit-oriented block ciphers. To handle the huge memory complexity of utilizing this new method, we apply early reduce technique, which was proposed by Zhang and Wu at INDOCRYPT 2015. With the help early reduce technique, a 8-round higher-order integral distinguisher for RECTANGLE can be constructed, which attains one more round than the previous one proposed by the designers. For PRESENT, we can find new 5-round and 6-round integral distinguishers. As to SPONGENT-88, a new 14-round zero-sum distinguisher with data complexity $2^{80}$ can be found by combining our new method with previous techniques. The table-aided bit-based division property can also be applied to find integral distinguishers for some word-oriented block ciphers, like TWINE and LBlock. Although we do not find any new integral distinguishers for these two ciphers, we believe that considering the S-box at the bit level is of great importance even for a word-oriented block cipher.

Recently we proposed a method for a random split of Staircase-Generator codes (St-Gen codes) to counter the weaknesses found in the previous constructions of public key schemes using St-Gen codes. The initial proposal for the random split addressed only the encryption scheme, and we left the problem of how to apply the random splitting on the signature scheme open. In this work we solve that open problem and describe a digital signature scheme based on random split of St-Gen codes.

Indistinguishability obfuscation is a central primitive in cryptography. Security of existing multilinear maps constructions on which current obfuscation candidates are based is poorly understood. In a few words, multilinear maps allow for checking if an arbitrary bounded degree polynomial on hidden values evaluates to zero or not. All known attacks on multilinear maps depend on the information revealed on computations that result in encodings of zero. This includes the recent annihilation attacks of Miles, Sahai and Zhandry [EPRINT 2016/147] on obfuscation candidates as a special case.

Building on a modification of the Garg, Gentry and Halevi [EUROCRYPT 2013] multilinear maps (GGH for short), we present a new obfuscation candidate that is resilient to these vulnerabilities. Specifically, in our construction the results of all computations yielding a zero provably hide all the secret system parameters. This is the first obfuscation candidate that weakens the security needed from the zero-test.

Formally, we prove security of our construction in a weakening of the idealized graded encoding model that accounts for all known vulnerabilities on GGH maps.

Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k1, . . . , kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Enc_ki (kj ) of keys under other keys. The adversary’s task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity leveraging” loses a factor exponential in n, which makes the proof practically meaningless. We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of kj under ki. If restricted to graphs of depth l, Panjwani gave a reduction that loses only a factor exponential in l (not n). To date, this is the only non-trivial result known for GSD. In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n^(3 log n+5). Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwani’s on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the “nested hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for proving the adaptive security of constrained PRFs.

Design secure Authenticated Key Exchange (AKE) protocol without NAXOS approach is remaining as an open problem. NAXOS approach \cite{4} is used to hide the secret ephemeral key from an adversary even if the adversary in somehow may obtain the ephemeral secret key. Using NAXOS approach will cause two main drawbacks, (i) leaking of the static secret key which will be used in computing the exponent of the ephemeral public key. (ii) maximize of using random oracle when applying to the exponent of the ephemeral public key and session key derivation. In this paper, we present another AKE-secure without NAXOS approach based on decision linear assumption in the random oracle model. We fasten our security using games sequences tool which gives tight security for our protocol.

The term "Internet of Things (IoT)" expresses a huge network of smart and connected objects which can interact with other devices without our interposition. Radio frequency identification (RFID) is a great technology and an interesting candidate to provide communications for IoT networks, but numerous security and privacy issues need to be considered. In this paper, we analyze the security and the privacy of a new RFID authentication protocol proposed by Shi et al. in 2014. We prove that although Shi et al. have tried to present a secure and untraceable authentication protocol, their protocol still suffers from several security and privacy weaknesses which make it vulnerable to various security and privacy attacks. We present our privacy analysis based on a well-known formal privacy model which is presented by Ouafi and Phan in 2008. Moreover, to stop such attacks on the protocol and increase the performance of Shi et al.’s scheme, we present some modifications and propound an improved version of the protocol. Finally, the security and the privacy of the proposed protocol were analyzed against various attacks.

Event date: 24 October 2016
Submission deadline: 22 July 2016
Notification: 2 September 2016

Coding and Cryptography Research Group at Nanyang Technological University is currently looking for two postdoctoral fellows to work on the design, the analysis, and the implementation of Homomorphic Encryption and lattice-based/coded-based cryptography.

Applicants should have a Ph.D. in a relevant subject or equivalent, have a strong publication record and interest of the areas. The position is initially for 10 months to one year. Review of applications will begin immediately until the positions have been filled. Applicants should send the CV to Prof Wang Huaxiong directly.

Closing date for applications: 29 July 2016

Contact: Prof Wang Huaxiong

hxwang (at) ntu.edu.sg

We introduce the concept of canary numbers, to be used in health tests for true random number generators. Health tests are essential components of true random number generators because they are used to detect defects and failures of the entropy source. These tests need to be lightweight, low-latency and highly reliable. The proposed solution uses canary numbers which are an extra output of the entropy source of lower quality. This enables an early-warning attack detection before the output of the generator is compromised. We illustrate the idea with 2 case studies of true random number generators implemented on a Xilinx Spartan-6 FPGA.

Evaluating the practical security of Ring-LWE based cryptography has attracted lots of efforts recently. Indeed, some differences from the standard LWE problem enable new attacks. In this paper we discuss the security of Ring-LWE as found in Fully Homomorphic Encryption (FHE) schemes. These schemes require parameters of very special shapes, that an attacker might use to its advantage. First we present the specificities of this case and recall state-of-the-art attacks, then we derive a new special-purpose attack. Our experiments show that this attack has unexpected performance and confirm that we need to study the security of special parameters sets carefully.

Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function. However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent generators. They usually offer different security levels since they involve filtering functions of the form F(x^k) where k is coprime to (2^n-1) and n denotes the LFSR length. It is proved here that this monomial equivalence does not affect the resistance of the generator against algebraic attacks, while it usually impacts the resistance to correlation attacks. Most importantly, a more efficient attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies based on a search within a multiplicative subgroup of F_{2^n}^*. Moreover, if the LFSR length n is not a prime, a fast correlation involving a shorter LFSR can be performed.

Multivariate Public Key Cryptography (MPKC) is one of the main candidates for secure communication in a post-quantum era. Recently, Yasuda and Sakurai proposed in [24] a new multivariate encryption scheme called SRP, which offers effcient decryption, a small blow up factor between plaintext and ciphertext and resists all known attacks against multivariate schemes. However, similar to other MPKC schemes, the key sizes of SRP are quite large. In this paper we propose a technique to reduce the key size of the SRP scheme, which enables us to reduce the size of the public key by up to 54%. Furthermore, we can use the additional structure in the public key polynomials to speed up the encryption process of the scheme by up to 50%. We show by experiments that our modifications do not weaken the security of the scheme.

This paper accelerates FPGA computations of discrete logarithms on elliptic curves over binary fields. As an illustration, this paper reports successful completion of an attack against the SECG standard curve {\tt sect113r2}, a binary elliptic curve that was not removed from the standard until 2010 and was not disabled in OpenSSL until June 2015. This is a new size record for ECDL computations, using a prime order very slightly larger than the previous record holder. More importantly, this paper uses FPGAs much more efficiently, saving a factor close to $3/2$ in the size of each high-speed ECDL core and allowing 3 cores to be squeezed into a low-cost Spartan-6 FPGA. The paper also covers much larger curves over 127-bit fields.

Event date: 11 December to 14 December 2016
Submission deadline: 25 July 2016
Notification: 12 September 2016

Applications are invited for a Research Associate or Senior Research Associate position in the Cryptography group within the Department of Computer Science at the University of Bristol. The group has significant funding and we are usually looking to recruit research staff in the following areas:

• Practical aspects of Multi-Party Computation and other areas related to computing on encrypted data.

• Theoretical aspects of Multi-Party Computation.

• Areas related to the evaluation of the security of cryptographic implementations.

• Designing and implementing cryptography that is resilient against real world attacks.

• Design and implementation of tools, including compilation techniques, that help improve security of cryptographic implementations.

This is a “rolling advert” with a nominal close date only. Applications are welcome at any time and the timing of the selection process will be dependent on the applications received.

Closing date for applications: 31 December 2016

Contact: Nigel Smart (nigel (at) cs.bris.ac.uk)

More information: http://www.bris.ac.uk/jobs/find/list.html?keywords=cryptography

The Instituto de Telecomunicações (IT) is a research centre of public interest, and a partnership of 9 institutions with research and development in the field of Telecommunications. IT is actively involved in fundamental and applied research both at the national and international levels. IT is an internationally recognized centre of excellence in developing ICT foreground, and committed to foster higher education and training by hosting and tutoring graduate and postgraduate students.

You will join an established research group within the Wireless Communications department, and the opportunity to conduct research at the highest international level. The group has extensive expertise in wireless communication systems, and security. The group has also been involved in EU Framework Programmes 5 / 6 / 7 and H2020 projects and has wide collaboration with other research institutes, universities and industry.

We are seeking to recruit a Postdoctoral Researcher to work on a research project funded by the EU H2020 program. You will be required to have experience in network and system security. The role will involve research and development on network and mobile system security, and engaging in interdisciplinary research through collaboration with other team members. The role of the applicant will also involve developing new project proposals, and some international travel.

Candidates must have a PhD awarded (or at least PhD thesis submitted) in either Computer Science, Mathematics, Electronic Engineering, or a related area with proficiency in a programming language such as C/C++, Java, or Python. The candidate should be able to carry out exploratory research, possessing strong analytical skills with experience on practical experimentation, to be proactive and to engage with other researchers.

The ideal candidate would require advanced proficiency in either:

- Intrusion Detection Systems

- Mobile Operating Systems Security

- Security for IoT-based Applications

Closing date for applications: 1 May 2016

Contact: To apply for this position, please contact Claudia Barbosa at cbarbosa (at) av.it.pt, and include the following documents:

Covering letter

CV (including the names and contact details of two referees who may be contacted prior to interview)

A copy of your best three scientific works on this area

Circuit privacy is an important property for many applications of fully homomorphic encryption. Prior approaches for achieving circuit privacy rely on superpolynomial noise flooding or on bootstrapping. In this work, we present a conceptually different approach to circuit privacy based on a novel characterization of the noise distribution. In particular, we show that a variant of the GSW FHE for branching programs already achieves circuit privacy; this immediately yields a circuit-private FHE for NC$^1$ circuits under the standard LWE assumption with polynomial modulus-to-noise ratio. Our analysis relies on a variant of the discrete Gaussian leftover hash lemma which states that $e^t \mathbf{G}^{-1}(v)+small$ $noise$ does not depend on $v$. We believe that this result is of independent interest.

One of the most attractive problems for post-quantum secure cryptographic schemes is the LWE problem. Beside combinatorial and algebraic attacks, LWE can be solved by a lattice-based Bounded Distance Decoding (BDD) approach. We provide the first parallel implementation of an enumeration-based BDD algorithm that employs the Lindner-Peikert and Linear Length pruning strategies. We ran our algorithm on a large variety of LWE parameters, from which we derive the following interesting results. First, our parallel enumeration achieves almost perfect speed-up, which allows us to provide for the first time practical cryptanalytic results on standard LWE parameters of meaningful size. Second, we conclude that lattice-based attacks perform better than recent advanced BKW-type algorithms even for small noise, while requiring way less samples. Third, we experimentally show weaknesses for a binary matrix LWE proposal of Galbraith.

Recently, the password-authenticated key exchange protocol J-PAKE of Hao and Ryan (Workshop on Security Protocols 2008) was formally proven secure in the algebraic adversary model by Abdalla et al.(IEEE S&P 2015). In this paper, we propose and examine two variants of J-PAKE - which we call RO-J-PAKE and CRS-J-PAKE - that each makes the use of two less zero-knowledge proofs than the original protocol. We show that they are provably secure following a similar strategy to that of Abdalla et al. We also study their efficiency as compared to J-PAKE's, also taking into account how the groups are chosen. Namely, we treat the cases of subgroups of the finite fields and elliptic curves. Our work reveals that, for subgroups of finite fields, CRS-J-PAKE is indeed more efficient than J-PAKE, while RO-J-PAKE is much less efficient. On the other hand, when instantiated with elliptic curves, both RO-J-PAKE and CRS-J-PAKE are more efficient than J-PAKE, with CRS-J-PAKE being the best of the three. We illustrate this experimentally, making use of recent research by Brier et al. (CRYPTO 2010). Regardless of implementation, we note that RO-J-PAKE enjoys a looser security reduction than both J-PAKE and CRS-J-PAKE. CRS-J-PAKE has the tightest security proof, but relies on an additional trust assumption at setup time. We believe our results can be useful to anyone interested in implementing J-PAKE, as perhaps either of these two new protocols may also be options, depending on the deployment context.