International Association for Cryptologic Research

IACR News

24 June 2016

Patrick Longa
ePrint Report
We present a high-speed, high-security implementation of the recently proposed elliptic curve FourQ (ASIACRYPT 2015) for 32-bit ARM processors with NEON support. Exploiting the versatile and compact arithmetic of this curve, we design a vectorized implementation that achieves high-performance across a large variety of ARM architectures. Our software is fully protected against timing and cache attacks, and showcases the impressive speed of FourQ when compared with other curve-based alternatives. For example, one single variable-base scalar multiplication is computed in about 235,000 Cortex-A8 cycles or 132,000 Cortex-A15 cycles which, compared to the fastest genus 2 Kummer and Curve25519 implementations on the same platforms, offers speedups between 1.3x-1.7x and between 2.1x-2.4x, respectively. In comparison with the NIST standard curve K-283, we achieve speedups above 4x and 5.5x.
David Wong
ePrint Report
Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's B-Safe product, a modified Dual-EC in Juniper's operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions not using nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor in an already secure, safe and easy to audit implementation has so far rarely been researched (in the public). We present two ways of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor: a composite modulus with a hidden subgroup (CMHS) and a composite modulus with a smooth order (CMSO). We then explain how we were able to subtly implement and exploit it in a local copy of an open source library using the TLS protocol.

22 June 2016

Darmstadt, Germany, 18 July - 22 July 2016
Event Calendar
Event date: 18 July to 22 July 2016
Taipei Area, Taiwan, 19 December - 20 December 2016
Event Calendar
Event date: 19 December to 20 December 2016
Submission deadline: 15 August 2016
Notification: 22 September 2016
University of Luxembourg
Job Posting
The research will be conducted under the supervision of Prof P Y A Ryan, head of the APSIA (Applied Security and Information Assurance) research group, http://wwwde.uni.lu/snt/research/apsia.

APSIA specializes in the mathematical foundations of information assurance: the mathematical modelling and analysis of information flows, the design and analysis of cryptographic primitives and protocols (both classical and quantum), secure verifiable voting systems, and anonymous marking systems and game-theoretic analysis of non-interference and coercion-resistance. The group has expertise in both the symbolic (formal methods) and the computational (“provable security”) styles of analysis and is investigating the links and synergies between them. The group has also established itself as a leading centre for the socio-technical aspects of security.

The topic lies both in Authenticated Key Exchange (AKE) and Quantum Key Distribution (QKD). Currently, complexity-theoretic definitions of security for AKEs are abundant but their relations are poorly understood, and the advent of QKD, in which both complexity-theoretic and quantum mechanisms are intertwined, is further complicating matters. The research challenge is twofold: 1) to aid in finding fundamental definitions of security for AKE and 2) to develop a rigorous framework for reasoning about the composition of classical and quantum mechanisms, and in particular to examine to what extent definitions for AKE can be adapted to the QKD case.

Closing date for applications: 12 July 2016

Contact: Dr Jean Lancrenon, jean.lancrenon (at) uni.lu or Prof Dr Peter Y A Ryan peter.ryan (at) uni.lu

More information: http://emea3.mrted.ly/13lls

Graz University of Technology
Job Posting
The postdoc and PhD position will be funded by the ERC project SOPHIA, which starts September 1st, 2016. The project focuses on securing software execution on IoT devices not only against network attacks, but also against physical side-channel and fault attacks. The project combines research on system security architectures (hardware and software), side-channel/fault attacks, cryptography, fault tolerant design as well as formal methods. For the open positions we are in particular looking for postdocs with experience and PhD students with interest in at least one of the following fields:

  • Side-channel and fault attacks
  • Operating system security
  • Software isolation techniques
  • Control-flow integrity
  • Memory security
  • Software testing
  • Formal methods
  • Code analysis and compilers

In case you are interested in joining our team, please send your application by email to Stefan Mangard.

Applications should include a curriculum vitae, a statement of motivation, a transcript of records as well as names and email addresses of two persons that can provide references. Please send all attachments as PDFs. We are looking forward to your application.

The open positions are available in the Secure Systems Group, which is a team of about 10 researchers. In total, Graz University of Technology employs about 60 researchers in the area of information security. More information on our research topics and our team can be found at http://www.iaik.tugraz.at/sesys.

Closing date for applications: 31 August 2016

Contact: Stefan Mangard

More information: http://www.iaik.tugraz.at/content/research/sesys/jobs/

University of Twente, The Netherlands
Job Posting
The University of Twente is seeking applications from excellent candidates in Computer Science, with a convincing research and education track record in Systems Security, broadly conceived, in any one or more of the following areas:

- Operating systems security and/or hardware security;

- Distributed systems security and/or cloud computing security;

- Mobile systems security and/or web security.

We offer a challenging full-time position in an inspiring multidisciplinary and international environment. The successful candidate will be employed for the duration of 3 years as an Assistant Professor at the chair of Services, Cyber Security, and Safety (SCS). The salary, depending on your experience and qualifications, will range from € 3.400,-- to € 4.654,-- gross per month. In addition, the University of Twente offers attractive employment conditions (for example 8% holiday allowance and 8,3% end-of-year bonus), excellent support for research and facilities for professional and personal development.

Applications should include a letter of motivation (including a short research and education statement), a detailed curriculum vitae, a list of publications and three references (including at least one international reference).

Closing date for applications: 5 August 2016

Contact: Questions regarding this position can be addressed to Prof. Dr. Roel Wieringa, chairman of Services, Cyber Security and Safety (r.j.wieringa (at) utwente.nl, +31 (0)53 489 4189), or to Dr. Andreas Peter, in the same group (a.peter (at) utwente.nl, +31 (0)53 489 2918).

More information: https://www.utwente.nl/en/organization/careers/vacancies/!/vacature/662159


21 June 2016

Utrecht, The Netherlands, 28 June 2016
Event Calendar
Event date: 28 June 2016
Drexel University Cybersecurity Institute
Job Posting
The Drexel University Cybersecurity Institute invites applications for a postdoctoral scholar or research staff scientist with expertise in cybersecurity.

The individual will be an integral part of the highly interdisciplinary team of more than fifteen tenure and tenure-track faculty across the Drexel University campus actively engaged in cybersecurity research. S/he will have the opportunity to work with leading scholars in areas such as i) malware detection, classification, and mitigation, ii) anomaly detection, iii) active user authentication, iv) wireless channel and wireless network security, v) media forensics and anti-forensics, vi) privacy, anonymity, and stylometry, vii) hardware and electronic security, viii) social networking threat analysis, and others. The successful candidate will have a publication record in cybersecurity and related fields, and a demonstrated ability to lead the submission of interdisciplinary cybersecurity research proposals to government funding agencies, such as the National Science Foundation (NSF) or the various agencies of the Department of Defense (DoD).

Recent Ph.D. in Electrical and Computer Engineering or Computer Science or other closely related discipline. Strong background in any research area of cyber security. Experience in proposal authoring and capture of new business and research opportunities.

The researcher will conduct high quality research in cybersecurity, prepare and submit related grant proposals, and have the opportunity to teach in related areas.

Enter requisition # 7507 at DrexelJobs.com

Closing date for applications: 1 December 2016

Contact: Steven Weber, Ph.D.

Director

Drexel Cybersecurity Institute

More information: https://www.drexeljobs.com

Jesper Buus Nielsen, Samuel Ranellucci
ePrint Report
We consider the situation where a large number $n$ of players want to securely compute a large function $f$ with security against an adaptive, malicious adversary which might corrupt $t < cn$ of the parties for some given $c \in [0,1)$. In other words, only some arbitrarily small constant fraction of the parties are assumed to be honest. For any fixed $c$, we consider the asymptotic complexity as $n$ and the size of $f$ grows. We are in particular interested in the computational overhead, defined as the total computational complexity of all parties divided by the size of $f$. We show that it is possible to achieve poly-logarithmic computational overhead for all $c < 1$. Prior to our result it was only known how to get poly-logarithmic overhead for $c < \frac{1}{2}$. We therefore significantly extend the area where we can do secure multiparty computation with poly-logarithmic overhead. Since we allow that more than half the parties are corrupted, we can only get security with abort, i.e., the adversary might make the protocol abort before all parties learn their outputs. We can, however, for all $c$ make a protocol for which there exists $d > 0$ such that if at most $d n$ parties are actually corrupted in a given execution, then the protocol will not abort. Our result is solely of theoretical interest.
Pierre-Alain Fouque, Pierre Karpman, Paul Kirchner, Brice Minaud
ePrint Report
In recent years there have been several attempts to build white-box block ciphers whose implementation aims to be incompressible. This includes the weak white-box ASASA construction by Bouillaguet, Biryukov and Khovratovich from Asiacrypt 2014, and the recent space-hard construction by Bogdanov and Isobe at CCS 2016. In this article we propose the first constructions aiming at the same goal while offering provable security guarantees. Moreover we propose concrete instantiations of our constructions, which prove to be quite efficient and competitive with prior work. Thus provable security comes with a surprisingly low overhead.
Pawel Swierczynski, Georg T. Becker, Amir Moradi, Christof Paar
ePrint Report
This contribution is concerned with the question whether an adversary can automatically manipulate an unknown FPGA bitstream realizing a cryptographic primitive such that the underlying secret key is revealed. In general, if an attacker has full knowledge about the bitstream structure and can make changes to the target FPGA design, she can alter the bitstream leading to key recovery. However, this requires challenging reverse-engineering steps including that of the proprietary bitstream format. We argue that this is a major reason why bitstream fault injection attacks have been largely neglected in the past. In this paper, we show that malicious bitstream modifications are i) much easier to conduct than commonly assumed and ii) surprisingly powerful. We introduce a novel class of bitstream fault injection (BiFI) attacks which does not require any reverse-engineering to undermine cryptographic cores. Our attacks can be automatically mounted without any detailed knowledge about either the bitstream format or the design of the crypto primitive which is being attacked. Bitstream encryption features do not necessarily prevent our attack if the integrity of the encrypted bitstream is not carefully checked. We have successfully verified the feasibility of our attacks in practice by considering several publicly available AES designs. As target platforms, we have conducted our experiments on Spartan-6 and Virtex-5 Xilinx FPGAs.
Asli Bay, Oguzhan Ersoy, Ferhat Karakoç
ePrint Report
In this paper, we provide a security analysis of ELmD: a block cipher based Encrypt-Linear-mix-Decrypt authentication mode. As one of the second-round CAESAR candidates, it is claimed to provide misuse resistance against forgeries and security against block-wise adaptive adversaries, as well as 128-bit security against key recovery attacks. We scrutinize ELmD in such a way that we provide universal forgery attacks as well as key recovery attacks. First, based on the collision attacks on similar structures such as Marble, AEZ, and COPA, we present universal forgery attacks. Second, by exploiting the structure of ELmD, we acquire the ability to query the block cipher used in ELmD. Finally, for one of the proposed versions of ELmD, we mount key recovery attacks reducing the effective key strength by more than 60 bits.
Qiang Tang, Balazs Pejo
ePrint Report
In the cloud computing era, in order to avoid computational burdens, many organizations tend to outsource their computations to third-party cloud servers. In order to protect service quality, the integrity of computation results needs to be guaranteed. In this paper, we develop a game theoretic framework which helps the outsourcer to minimize its cost while ensuring the integrity of the outsourced computation. We then apply the proposed framework to two collaborative filtering algorithms and demonstrate the equilibriums together with the corresponding minimal costs. Finally, we show that, by including the intermediate results in the final output, further cost reduction can be achieved.
Shoichi Hirose, Atsushi Yabumoto
ePrint Report
We discuss a tweak for the domain extension called Merkle-Damgård with Permutation (MDP), which was presented at ASIACRYPT 2007. We first show that MDP may produce multiple independent pseudorandom functions (PRFs) using a single secret key and multiple permutations if the underlying compression function is a PRF against related-key attacks with respect to the permutations. Using this result, we then construct a hash-function-based MAC function, which we call FMAC, using a compression function as its underlying primitive. We also present a scheme to extend FMAC so as to take as input a vector of strings.
Wenbin Zhang, Chik How Tan
ePrint Report
At PQCrypto'14 Porras, Baena and Ding proposed a new interesting construction to overcome the security weakness of the HFE encryption scheme, and called their new encryption scheme ZHFE. They provided experimental evidence for the security of ZHFE, and proposed the parameter set $(q,n,D)= (7,55,105)$ with claimed security level $2^{80}$ estimated by experiment. However there is an important gap in the state-of-the-art cryptanalysis of ZHFE, i.e., a sound theoretical estimation for the security level of ZHFE is missing. In this paper we fill in this gap by computing upper bounds for the Q-Rank and for the degree of regularity of ZHFE in terms of $\log_q D$, and thus providing such a theoretical estimation. For instance the security level of ZHFE(7,55,105) can now be estimated theoretically as at least $2^{96}$. Moreover for the inefficient key generation of ZHFE, we also provide a solution to improve it significantly, making almost no computation needed.
Saikrishna Badrinarayanan, Dakshita Khurana, Rafail Ostrovsky, Ivan Visconti
ePrint Report
Brzuska et al. (Crypto 2011) proved that unconditional UC-secure computation is possible if parties have access to honestly generated physically unclonable functions (PUFs). Dachman-Soled et al. (Crypto 2014) then showed how to obtain unconditional UC secure computation based on malicious PUFs, assuming such PUFs are stateless. They also showed that unconditional oblivious transfer is impossible against an adversary that creates malicious stateful PUFs.

  • In this work, we go beyond this seemingly tight result, by allowing any adversary to create stateful PUFs with a priori bounded state. This relaxes the restriction on the power of the adversary, offering improved security guarantees. This is also motivated by practical scenarios, where the size of a physical object may be used to compute an upper bound on the size of its memory.
  • As a second contribution, we introduce a new model where any adversary is allowed to generate a malicious PUF that may encapsulate other (honestly generated) PUFs within it, such that the outer PUF has oracle access to all the inner PUFs. This is again motivated by practical scenarios, and in fact, similar adversaries have been studied in the tamper-proof hardware-token model (e.g., Chandran et al. (Eurocrypt 2008)), but no such notion has ever been considered with respect to PUFs. All previous constructions of UC secure protocols suffer from explicit attacks in this stronger model.

In a direct improvement over all previous results, we construct UC protocols with unconditional security in both these models.
Florian Tramer, Fan Zhang, Huang Lin, Jean-Pierre Hubaux, Ari Juels, Elaine Shi
ePrint Report
Trusted hardware systems, such as Intel's new SGX instruction set architecture extension, aim to provide strong confidentiality and integrity assurances for applications. Recent work, however, raises serious concerns about the vulnerability of such systems to side-channel attacks.

We propose, formalize, and explore a cryptographic primitive called a Sealed-Glass Proof (SGP) that captures computation possible in an isolated execution environment with unbounded leakage, and thus in the face of arbitrarily powerful side-channel attacks. A SGP specifically models the capabilities of trusted hardware that can attest to correct execution of a piece of code, but whose execution is transparent, meaning that an application's secrets and state are visible to other processes on the same host.

Despite this strong threat model, we show that a SGP can support a range of practical applications. Our key observation is that a SGP permits safe verifiable computing in zero-knowledge, as information leakage results only in the prover learning her own secrets. Among other applications, we describe the implementation of an end-to-end bug bounty (or zero-day solicitation) platform that couples a SGX-based SGP with a smart contract. This platform enables a marketplace that achieves fair exchange, protects against unfair bounty withdrawals, and resists denial-of-service attacks by dishonest sellers. We also consider a slight relaxation of the SGP model that permits black-box modules instantiating minimal, side-channel resistant primitives, yielding a still broader range of applications. Our work shows how trusted hardware systems such as SGX can support trustworthy applications even in the presence of side channels.
Weiran Liu, Jianwei Liu, Qianhong Wu, Bo Qin, David Naccache, Houda Ferradi
ePrint Report
With the advances of cloud computing, data sharing becomes easier for large-scale enterprises. When deploying privacy and security schemes in data sharing systems, fuzzy-entity data sharing, entity management, and efficiency must be taken into account, especially when the system is asked to share data with a large number of users in a tree-like structure. (Hierarchical) Identity-Based Encryption is a promising candidate to ensure fuzzy-entity data sharing functionalities while meeting the security requirement, but encounters efficiency difficulty in multi-user settings. This paper proposes a new primitive called Hierarchical Identity-Based Broadcast Encryption (HIBBE) to support multi-user data sharing mechanisms. Similar to HIBE, HIBBE organizes users in a tree-like structure and users can delegate their decryption capability to their subordinates. Unlike HIBE, which merely allows a single decryption path, HIBBE enables encryption to any subset of the users so that only the intended users (and their supervisors) can decrypt. We define Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2) for HIBBE, which captures the most powerful attacks in the real world. We achieve this goal in the standard model in two steps. We first construct an efficient HIBBE Scheme (HIBBES) against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA) in which the attacker is not allowed to query the decryption oracle. Then we convert it into an IND-CIVS-CCA2 scheme at only a marginal cost, i.e., merely adding one on-the-fly dummy user at the first depth of the hierarchy in the basic scheme without requiring any other cryptographic primitives. Our CCA2-secure scheme natively allows a public ciphertext validity test, which is a useful property when a CCA2-secure HIBBES is used to design advanced protocols and auditing mechanisms for HIBBE-based data sharing.
Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor
ePrint Report
Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding tens of millions dollars worth of virtual coins.

In this paper, we investigate the security of running Ethereum smart contracts in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among 19,366 existing Ethereum contracts, Oyente flags 8,519 of them as vulnerable. We discuss the severity of attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.