International Association
for Cryptologic Research

The International Max Planck Research School for Computer Science (IMPRS-CS) is a graduate program jointly run by the Max Planck Institute for Informatics, the Max Planck Institute for Software Systems and Saarland University.

The IMPRS-CS offers a PhD program upon successful completion of which students receive a Doctoral Degree in Computer Science from Saarland University. The program is open to students who hold or are about to receive a research-oriented Master\'s degree in Computer Science (or an equivalent degree). Successful candidates will typically have ranked at or near the top of their classes, have already engaged in research and published their results, and be highly proficient in written and spoken English.

Admitted students receive a support contract that covers all living expenses and tuition fees. They enjoy a research-oriented education with close supervision by world-renowned scientists in a competitive, yet collaborative, environment rich in interaction with other students, post-docs, and scientists.

Applications are accepted all year round; the current round closes on July 31st, 2016.

Further information, including instructions on how to apply, can be found here: http://www.imprs-cs.de

Closing date for applications: 31 July 2016

Contact: Jennifer Gerling, IMPRS-CS Coordinator

E-Mail: imprs (at) mpi-inf.mpg.de

Phone: +49 681 9325 1800

This is an excellent opportunity to join a Cyber Security practice experiencing rapid growth in the United Arab Emirates.

They are currently seeking experienced Crypto Experts with the following knowledge to join their team:

- Proficient in AES algorithm design.

- Expert in block and stream cipher, key management, hybrid approach, hashing.

- Knowledge in substitution, permutation, confusion & diffusion mechanism.

- Cryptanalysis: Differential, Linear, Side channel attack, Plain & Cipher text etc,.

- Knowledge in crypto events, such as, Caesar competition.

- History of different symmetric key algorithms.

- Mathematics degree is preferred.

- Should be ready to start design algorithm as soon as join.

On offer is an attractive TAX FREE expatriate package, the opportunity to learn from some of the most highly qualified in the business and genuine career opportunities.

Contact: Hilary (at) talentboutique.ae

Closing date for applications: 19 August 2016

Logic locking is a technique that has been proposed to protect outsourced IC designs from piracy and counterfeiting by untrusted foundries. It can hide the functionality of an IC by inserting key-controlled logic gates into the original design. The locked IC preserves the correct functionality only when a correct key is provided. Recently, the security of logic locking is threatened by a new type of attack called satisfiability checking (SAT) based attack, which can decipher the correct key of most logic locking techniques within a few hours [11] even for reasonably large number of keys. This type of attack iteratively solves SAT formulas which progressively eliminate the incorrect keys till the circuit unlocked. In this paper, we present a specially designed circuit block (referred to as Anti-SAT block) to thwart the SAT attack. We show that the number of SAT attack iterations to reveal the correct key in a circuit comprising an Anti-SAT block is an exponential function of the key-size thereby making the SAT attack computationally infeasible. This is a substantial result because a) we illustrate how to construct the functionality of the Anti- SAT block and b) using a mathematically rigorous approach to prove that if chosen correctly, the Anti-SAT block makes SAT attack computationally infeasible (exponential in key-size). Moreover, through our experiments, we illustrate the effectiveness of our approach to securing modern chips fabricated in untrusted foundries.

The Learning with Rounding (LWR) problem was first introduced by Banerjee, Peikert, and Rosen (Eurocrypt 2012) as a \emph{derandomized} form of the standard Learning with Errors (LWE) problem. The original motivation of LWR was as a building block for constructing efficient, low-depth pseudorandom functions on lattices. It has since been used to construct reusable computational extractors, lossy trapdoor functions, and deterministic encryption.

In this work we show two (incomparable) dimension-preserving reductions from LWE to LWR in the case of a \emph{polynomial-size modulus}. Prior works either required a superpolynomial modulus $q$, or lost at least a factor $\log(q)$ in the dimension of the reduction. A direct consequence of our improved reductions is an improvement in parameters (i.e. security and efficiency) for each of the known applications of poly-modulus LWR.

Our results directly generalize to the ring setting. Indeed, our formal analysis is performed over ``module lattices,'' as defined by Langlois and Stehl\'{e} (DCC 2015), which generalize both the general lattice setting of LWE and the ideal lattice setting of RLWE as the single notion M-LWE. We hope that taking this broader perspective will lead to further insights of independent interest.

All known candidate indistinguishibility obfuscation (iO) schemes rely on candidate multilinear maps. Until recently, the strongest proofs of security available for iO candidates were in a generic model that only allows "honest" use of the multilinear map. Most notably, in this model the zero-test procedure only reveals whether an encoded element is 0, and nothing more.

However, this model is inadequate: there have been several attacks on multilinear maps that exploit extra information revealed by the zero-test procedure. In particular, the authors [Crypto’16] recently gave a polynomial-time attack on several iO candidates when instantiated with the multilinear maps of Garg, Gentry, and Halevi [Eurocrypt’13], and also proposed a new "weak multilinear map model" that captures all known polynomial-time attacks on GGH13.

Subsequent to those attacks, Garg, Mukherjee, and Srinivasan [ePrint’16] gave a beautiful new candidate iO construction, using a new variant of the GGH13 multilinear map candidate, and proved its security in the weak multilinear map model assuming an explicit PRF in NC^1.

In this work, we give a simpler candidate iO construction, which can be seen as a small modification or generalization of the original iO candidate of Garg, Gentry, Halevi, Raykova, Sahai, and Waters [FOCS’13], and we prove its security in the weak multilinear map model. Our work has a number of benefits over that of GMS16.

• Our construction and analysis are simpler. In particular, the proof of our security theorem is 4 pages, versus 15 pages in GMS16.

• We do not require any change to the original GGH13 multilinear map candidate.

• We prove the security of our candidate under a more general assumption. One way that our assumption can be true is if there exists a PRF in NC^1.

• GMS16 required an explicit PRF in NC^1 to be "hard-wired" into their obfuscation candidate. In contrast, our scheme does not require any such hard-wiring. In fact, roughly speaking, our obfuscation candidate will depend only on the minimal size of such a PRF, and not on any other details of the PRF.

We present the Bash family of hashing algorithms based on the sponge paradigm. A core element of this family is the Bash-f sponge function which refers to the LRX (Logical-Rotation-Xor) class of symmetric cryptography schemes. We describe the components of Bash-f: a nonlinear mapping, linear diffusion mappings, a permutation of words of a hash state. For each component, we establish reasonable quality criteria as detailed as possible to make the choice of the component maximally objective and transparent.

Application Programming Interfaces (APIs) to cryptographic tokens like smartcards and Hardware Security Modules (HSMs) provide users with commands to manage and use cryptographic keys stored on trusted hardware. Their design is mainly guided by industrial standards without clear security promises.

In this paper we propose cryptographic models for the security of such APIs. The key feature of our approach is that it enables modular analysis. Specifically, we show that a secure cryptographic API can be obtained by combining a secure API for key-management together with secure implementations of, for instance, encryption or message authentication. Our models are the first to provide such compositional guarantees while considering realistic adversaries that can adaptively corrupt keys stored on tokens. We also provide a proof of concept instantiation (from a deterministic authenticated-encryption scheme) of the key-management portion of cryptographic API.

Under the Decisional Diffie-Hellman (DDH) assumption, we present a 2-out-of-2 secret sharing scheme that supports a compact evaluation of branching programs on the shares. More concretely, there is an evaluation algorithm $\Eval$ with a single bit of output, such that if an input $w\in\{0,1\}^n$ is shared into $(w^0,w^1)$, then for any deterministic branching program $P$ of size $S$ we have that $\Eval(P,w^0)\oplus \Eval(P,w^1)=P(w)$ except with at most $\delta$ failure probability. The running time of the sharing algorithm is polynomial in $n$ and the security parameter $\lambda$, and that of $\Eval$ is polynomial in $S,\lambda$, and $1/\delta$. This applies as a special case to boolean formulas of size $S$ or boolean circuits of depth $\log S$. We also present a public-key variant that enables homomorphic computation on inputs contributed by multiple clients. The above result implies the following DDH-based applications:

- A secure 2-party computation protocol for evaluating any branching program of size $S$, where the communication complexity is linear in the input size and only the running time grows with $S$.

- A secure 2-party computation protocol for evaluating any layered boolean circuit of size $S$ and $m$ outputs with communication complexity $O(S/\log S)+m\cdot\poly(\lambda)$.

-A 2-party {\em function secret sharing} scheme, as defined by Boyle et al. (Eurocrypt 2015), for general branching programs (with inverse polynomial error probability).

- A 1-round 2-server {\em private information retrieval} scheme supporting general searches expressed by branching programs.

Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we study the possibility of implementing an infrastructure for MPC. We propose an infrastructure based on oblivious transfer (OT), which would consist of OT channels between some pairs of parties in the network. We devise information-theoretically secure protocols that allow additional pairs of parties to establish secure OT correlations using the help of other parties in the network in the presence of a dishonest majority. Our main technical contribution is an upper bound that matches a lower bound of Harnik, Ishai, and Kushilevitz (Crypto 2007), who studied the number of OT channels necessary and sufficient for MPC. In particular, we characterize which n-party OT graphs G allow t-secure computation of OT correlations between all pairs of parties, showing that this is possible if and only if the complement of G does not contain the complete bipartite graph K_{n-t,n-t} as a subgraph.

Practical anonymous credential systems are generally built around sigma-protocol ZK proofs. This requires that credentials be based on specially formed signatures. Here we ask whether we can instead use a standard (say, RSA, or (EC)DSA) signature that includes formatting and hashing messages, as a credential, and still provide privacy. Existing techniques do not provide efficient solutions for proving knowledge of such a signature: On the one hand, ZK proofs based on garbled circuits (Jawurek et al. 2013) give efficient proofs for checking formatting of messages and evaluating hash functions. On the other hand they are expensive for checking algebraic relations such as RSA or discrete-log, which can be done efficiently with sigma protocols.

We design new constructions obtaining the best of both worlds: combining the efficiency of the garbled circuit approach for non-algebraic statements and that of sigma protocols for algebraic ones. We then discuss how to use these as building-blocks to construct privacy-preserving credential systems based on standard RSA and (EC)DSA signatures.

Other applications of our techniques include anonymous credentials with more complex policies, the ability to efficiently switch between commitments (and signatures) in different groups, and secure two-party computation on committed/signed inputs.

Physical Unclonable Function (PUF) is hardware analog of a one-way function which can address hardware security issues such as device authentication, generating secret keys, producing seeds for Random Number Generators, etc. Traditional silicon PUFs are based on delay (Ring Oscillator PUFs and Arbiter PUFs) or memory structures (like SRAM). In this paper, we propose a novel idea of a very fast, lightweight and robust analog PUF that exploits the susceptibility of Threshold Voltage (${V_{th}}$) of MOSFETs to process variations. We call this the Threshold Voltage PUF (TV-PUF). Extensive implementations and simulations shows improvement in quality metrics like uniformity of the PUF, intra-die distances (reliability metric of the PUF) and inter-die distances (uniqueness metric of the PUF) for 64-bit key generation. For 1 GHz clock input for sense amplifier, our design consumes 0.18$\mu$W/bit power with 50 \% uniqueness and 51\% reliability. It is also shown that TV-PUF characteristics are independent on the technology node.

Complex cryptographic protocols are often designed from simple cryptographic primitives, such as signature schemes, encryption schemes, verifiable random functions, and zero-knowledge proofs, by bridging between them with commitments to some of their inputs and outputs. Unfortunately, the known universally composable (UC) functionalities for commitments and the cryptographic primitives mentioned above do not allow such constructions of higher-level protocols as hybrid protocols. Therefore, protocol designers typically resort to primitives with property-based definitions, often resulting in complex monolithic security proofs that are prone to mistakes and hard to verify.

We address this gap by presenting a UC functionality for non-interactive commitments that enables modular constructions of complex protocols within the UC framework. We also show how the new functionality can be used to construct hybrid protocols that combine different UC functionalities and use commitments to ensure that the same inputs are provided to different functionalities.

We further provide UC functionalities for attribute tokens and revocation that can be used as building blocks together with our UC commitments. As an example of building a complex system from these new UC building blocks, we provide a construction (a hybrid protocol) of anonymous attribute tokens with revocation. Unlike existing accumulator-based schemes, our scheme allows one to accumulate several revocation lists into a single commitment value and to hide the revocation status of a user from other users and verifiers.

{\em Fine-grained cryptographic primitives} are ones that are secure against adversaries with a-priori bounded polynomial resources (time, space or parallel-time), where the honest algorithms use less resources than the adversaries they are designed to fool. Such primitives were previously studied in the context of time-bounded adversaries (Merkle, CACM 1978), space-bounded adversaries (Cachin and Maurer, CRYPTO 1997) and parallel-time-bounded adversaries (H\aa stad, IPL 1987). Our goal is to show unconditional security of these constructions when possible, or base security on widely believed separation of worst-case complexity classes. We show: \begin{enumerate} \item NC$^1$-cryptography: Under the assumption that $\ncOne \neq \pL$, we construct one-way functions, pseudo-random generators (with sub-linear stretch), collision-resistant hash functions and most importantly, {\em public-key encryption schemes}, all computable in $\ncOne$ and secure against all $\ncOne$ circuits. Our results rely heavily on the notion of randomized encodings pioneered by Applebaum, Ishai and Kushilevitz, and crucially, make {\em non-black-box} use of randomized encodings for logspace classes.

\medskip \item AC$^0$-cryptography: We construct (unconditionally secure) pseudo-random generators with arbitrary polynomial stretch, weak pseudo-random functions, secret-key encryption and perhaps most interestingly, {\em collision-resistant hash functions}, computable in $\ACZ$ and secure against all $\ACZ$ circuits. Previously, one-way permutations and pseudo-random generators (with linear stretch) computable in $\ACZ$ and secure against $\ACZ$ circuits were known from the works of H\aa stad and Braverman. \end{enumerate}

Tracking bits through block ciphers and optimizing attacks at hand is one of the tedious task symmetric cryptanalysts have to deal with. It would be nice if a program will automatically handle them at least for well-known attack techniques, so that cryptanalysts will only focus on finding new attacks. However, current automatic tools cannot be used as is, either because they are tailored for specific ciphers or because they only recover a specific part of the attacks and cryptographers are still needed to finalize the analysis.

In this paper we describe a generic algorithm exhausting the best meet-in-the-middle and impossible differential attacks on a very large class of block ciphers from byte to bit-oriented, SPN, Feistel and Lai-Massey block ciphers. Contrary to previous tools that target to find the best differential / linear paths in the cipher and leave the cryptanalysts to find the attack using these paths, we automatically find the best attacks by considering the cipher and the key schedule algorithms. The building blocks of our algorithm led to two algorithms designed to find the best simple meet-in-the-middle attacks and the best impossible truncated differential attacks respectively. We recover and improve many attacks on AES, mCRYPTON, SIMON, IDEA, KTANTAN, PRINCE and ZORRO. We show that this tool can be used by designers to improve their analysis.

Event date: 14 November to 18 November 2016
Submission deadline: 15 July 2016

The Department of Mathematical Sciences at Florida Atlantic University invites applications for a tenure-track position at the assistant professor level, starting in January 2017. FAU is home to The Center for Cryptology and Information Security, which is dedicated to original, cutting-edge research in cryptology and information security and to education and training of research students and information technology professionals. FAU is recognized as a National Center of Academic Excellence in Information Assurance/Cyber Defense Research (CAE-R) for academic years 2014-2019.

Research areas of particular interest for this position include, but are not limited to, mathematical foundations of public key cryptography, post-quantum cryptography, computational algebra, and algorithmic number theory.

Applicants must possess a Ph.D. in Mathematics or a closely related field. Candidates in all areas of cryptology and information security will be considered.

For additional information, please contact us by email to mathsearch (at) fau.edu. This position is open until filled and may close without prior notice. Priority consideration will be given to applications received by August 13, 2016. To be considered for the position, all applicants must apply and complete the Faculty, Administrative, Managerial & Professional Position Application form available online through the Office of Human Resources at: https://jobs.fau.edu. Please submit a cover letter, vita, copy of your transcript, research statement and a teaching statement through this website.

In addition, please arrange to have three letters of recommendation sent by first class mail to: Chair of the Search Committee, Department of Mathematical Sciences, Florida Atlantic University, 777 Glades Rd., Boca Raton, FL 33431 or by email to mathsearch (at) fau.edu.

A background check will be required for the candidate selected for this position.

Florida Atlantic University is an Equal Opportunity/Affirmative Action Institution. Individuals with disabilities, requiring accommodation, please call 561-297-3057, 711.

Closing date for applications: 13 August 2016

Contact: Search Committee Chair, Department of Mathematical Sciences, 777 Glades RD, Boca Raton, FL 33431

Email: mathsearch (at) fau.edu

Phone: (561) 297-3340

Fax: (561) 297-2436

More information: https://jobs.fau.edu

We are looking for research scientists with expertise on cyber-physical security. The candidates should have PhD in infocomm security with track record of strong R&D capability (at least 2 publications at top security conferences - http://icsd.i2r.a-star.edu.sg/staff/jianying/conference-ranking-history.html, in the past 3 years), be able to perform deep system-level investigations of security mechanisms, be a good team player and have the potential to be a team leader, and also have good presentation and communication skills. The candidates are expected to work closely with industry partners, create valuable intellectual properties, and produce project deliverables in time.

Interested candidates please send CV to Jianying Zhou. Fresh PhD is welcome to apply. Review of applications will begin immediately and will continue until the positions are filled. Only short-listed candidates will be contacted for interview.

Closing date for applications: 31 July 2016

Contact: Dr. Jianying Zhou, Dept Head, Infocomm Security, Institute for Infocomm Research. Email: jyzhou@i2r.a-star.edu.sg

More information: http://icsd.i2r.a-star.edu.sg/

Event date: 19 October 2016
Submission deadline: 3 July 2016
Notification: 3 August 2016

Event date: 5 September to 7 September 2016

The Gran Sasso Science Institute, a recently established international PhD School and a Center for Advanced Studies in L\'Aquila (ITALY), offers 10 fully funded PhD positions in Computer Science (CS) in the area of Distributed Systems and Computing including Cryptography and Security.

For more info, see http://www.gssi.infn.it/phd/

Closing date for applications: 1 September 2016

Contact: Giuseppe Persiano (giuper (at) gmail.com) or any member of the Institute