International Association
for Cryptologic Research

Boolean functions play an important role in many symmetric cryptosystems and are crucial for their security. It is important to design boolean functions with reliable cryptographic properties such as balancedness and nonlinearity. Most of these properties are based on specific structures such as M\"{o}bius transform and Algebraic Normal Form. In this paper, we introduce the notion of Dirichlet product and use it to study the arithmetical properties of boolean functions. We show that, with the Dirichlet product, the set of boolean functions is an Abelian monoid with interesting algebraic structure. In addition, we apply the Dirichlet product to the sub-family of coincident functions and exhibit many properties satisfied by such functions.

To the best of our knowledge, we present the first hardware implementation of isogeny-based cryptography available in the literature. Particularly, we present the first implementation of the supersingular isogeny Diffie-Hellman (SIDH) key exchange, which features quantum-resistance. We optimize this design for speed by creating a high throughput multiplier unit, taking advantage of parallelization of arithmetic in tower field, and minimizing pipeline stalls with optimal scheduling. Consequently, our results are also faster than software libraries running SIDH even on Intel Haswell processors. For our implementation at 85-bit quantum security and 128-bit classical security, we generate ephemeral public keys in 1.655 million cycles for Alice and 1.490 million cycles for Bob. We generate the shared secret in an additional 1.510 million cycles for Alice and 1.312 million cycles for Bob. On a Virtex-7, these results are approximately 1.5 times faster than the fastest known software implementations for 512-bit SIDH. Our results and observations show that the isogeny-based schemes can be implemented with high efficiency on reconfigurable hardware.

Although several methods for estimating the resistance of a random Boolean function against (fast) algebraic attacks were proposed, these methods are usually infeasible in practice for relative large input variables $n$ (for instance $n\geq 30)$ due to increased computational complexity. An efficient estimation the resistance of Boolean function (with relative large input variables $n$) against (fast) algebraic attacks appears to be a rather difficult task. In this paper, the concept of partial linear relations decomposition is introduced, which decomposes any given nonlinear Boolean function into many linear (affine) subfunctions by using the disjoint sets of input variables. Based on this result, a general probabilistic decomposition algorithm for nonlinear Boolean functions is presented which gives a new framework for estimating the resistance of Boolean function against (fast) algebraic attacks. It is shown that our new probabilistic method gives very tight estimates (lower and upper bound) and it only requires about $O(n^22^n)$ operations for a random Boolean function with $n$ variables, thus having much less time complexity than previously known algorithms.

We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash ({\em i.e.}, round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the {\em standard model} based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called ``padding-based'' encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a ``fooling" condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently {\em lossy} as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is $t$-wise independent for $t$ roughly proportional to the allowed message length. We clarify that this result requires the hash function to be keyed, and for its key to be included in the public-key of RSA-OAEP. We also show that RSA satisfies condition (2) under the $\Phi$-Hiding Assumption of Cachin \emph{et al.}~(Eurocrypt 1999). This is the first {\em positive} result about the instantiability of RSA-OAEP. In particular, it increases confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP's predecessor in PKCS \#1 v1.5 was shown to be vulnerable to such attacks by Coron {\em et al}.~(Eurocrypt 2000).

Nearly all verifiable e-voting schemes require trusted tallying authorities to guarantee voter privacy. An exception is the DRE-i system which removes this requirement by pre-computing all encrypted ballots before the election using related random factors that will later cancel out and allow the public to verify the tally after the election. While the removal of tallying authorities significantly simplifies election management, the pre-computation of ballots necessitates secure ballot storage, as leakage of precomputed ballots endangers voter privacy. In this paper, we address this problem and propose DRE-ip (DRE-i with enhanced privacy). Adopting a different design strategy, DRE-ip is able to encrypt ballots in real time in such a way that the election tally can be publicly verified without decrypting the cast ballots. As a result, DRE-ip achieves end-to-end verifiability without tallying authorities, similar to DRE-i, but with a significantly stronger guarantee on voter privacy. In the event that the voting machine is fully compromised, the assurance on tallying integrity remains intact and the information leakage is limited to the minimum: only the partial tally at the time of compromise is leaked.

In this paper, we investigate the efficiency of implementing a post-quantum key-exchange protocol over isogenies (PQCrypto 2011) on ARM-powered embedded platforms. We propose to employ new primes to speed up constant-time finite field arithmetic and perform isogenies quickly. Montgomery multiplication and reduction are employed to produce a speedup of 3 over the GNU Multiprecision Library. For curve arithmetic, a uniform differential addition scheme for double point multiplication and constant-time arithmetic were used to protect the private keys from side-channel analysis attacks. We analyze the recent projective isogeny formulas presented recently and conclude that affine isogeny formulas are much faster in ARM devices. We provide fast affine SIDH libraries over 512, 768, and 1024-bit primes. We provide timing results for emerging embedded ARM platforms using the ARMv7A architecture for 85-, 128-, and 170-bit quantum security levels. Our assembly-optimized arithmetic cuts the computation time for the protocol by 50% in comparison to our portable C implementation and performs approximately 3 times faster than the only other ARMv7 results found in the literature. The goal of this paper is to show that isogeny-based cryptosystems can be implemented further and be used as an alternative to classical cryptosystems on embedded devices.

How to flexibly change the access policy after the initial data access policy has been set is a critical problem to promote attribute-based encryption (ABE) from a theoretical tool to a practical tool. Since the first ABE scheme emerges, many schemes have been proposed to solve the problem but the problem remains unsolved yet. The reason is that the overheads of changing an old access policy to a new one are larger than that of generating a ciphertext with the new access policy directly. Recently, in IEEE Transactions on Parallel and Distributed Systems (DOI:10.1109/TPDS.2014.2380373), Yang et al. proposed a multi-authority ciphertext-policy (CP) ABE scheme with ciphertext updating function. The authors declared that the access policy of the ciphertext can be dynamically modified with the old ciphertext and the scheme is correct, complete, secure, and efficient. However, after revisiting this paper, we found that the scheme is not correct under the system model defined by the authors. Some necessary algorithms are missing such that users cannot decrypt the updated ciphertexts. Moreover, if new algorithms are added into the system model to ensure that the scheme is correct, complete, and secure, the scheme will be not as efficient as the authors declared. Consequently, the scheme fails to achieve the claimed results.

Extensions of linear cryptanalysis making use of multiple approximations such as multidimensional linear cryptanalysis are an important tool in symmetric-key cryptanalysis, among others being responsible for the best known attacks on ciphers such as Serpent and PRESENT. At CRYPTO 2015, Huang et al. provided a refined analysis of the key-dependent capacity leading to a refined key equivalence hypothesis, however at the cost of additional assumptions. Their analysis was recently extended by Blondeau and Nyberg to also cover an updated wrong key randomization hypothesis, using similar assumptions. As a consequence, the effectiveness of multidimensional linear attacks seems significantly reduced, e.g. to only 24 rounds for PRESENT. It is therefore an important open problem how to take key dependent behaviour for both right and wrong keys into account without introducing other limiting assumptions in the process.

In this paper, we address this issue by proposing multivariate linear cryptanalysis as a new technique for using multiple linear approximations. Based on multivariate statistics and featuring a novel distinguishing technique based on quadratic discriminant analysis, it allows more realistic modelling of key dependence, while not relying on the limiting assumptions of previous work. Furthermore, it comes with a flexible signal/noise decomposition approach to allow for a realistic estimation of correlations. As an application of multivariate linear cryptanalysis, we provide attacks on 26 and 27 rounds (the latter marginally faster than exhaustive search) of PRESENT under much more realistic assumptions than previous work.

Resilient substitution boxes (S-boxes) with high nonlinearity are important cryptographic primitives in the design of certain encryption algorithms. There are several trade-offs between the most important cryptographic parameters and their simultaneous optimization is regarded as a difficult task. In this paper we provide a construction technique to obtain resilient S-boxes with so-called strictly almost optimal (SAO) nonlinearity for a larger number of output bits $m$ than previously known. This is the first time that the nonlinearity bound $2^{n-1}-2^{n/2}$ of resilient $(n,m)$ S-boxes, where $n$ and $m$ denote the number of the input and output bits respectively, has been exceeded for $m>\lfloor\frac{n}{4}\rfloor$. Thus, resilient S-boxes with extremely high nonlinearity and a larger output space compared to other design methods have been obtained.

A private set intersection protocol consists of two parties, a Sender and a Receiver, each with a secret input set. The protocol aims to have the Receiver output an intersection of the two sets while keeping the elements in the sets secret. This thesis thoroughly analyzes four recently published set intersection protocols, where it explains each protocol and checks whether it satisfies its corresponding security definition. The first two protocols [PSZ14, PSSZ15a] use random oblivious transfer where [PSSZ15a] is an optimized version of [PSZ14]. In the optimized protocol a correctness error is identified and prevented at a minor increase in run-time. An attempt to make [PSSZ15a] secure against a malicious adversary is shown, where the resulting protocol is proven secure against a semi-honest Sender and malicious Receiver. The third protocol [DCW13] is based on Bloom filters combined with oblivious transfer, and proposes protocols for two different security levels. The semi-honestly secure protocol satisfies its definition, while their proposal for a maliciously secure protocol is insufficient. This thesis shows two attacks a malicious Sender is capable of, without finding efficient countermeasures. The last protocol [DC16] allows computing four different set operations, where five errors are identified. Each error is explained and a proposal to avoid the issue is shown.

A common technique employed for preventing a side channel analysis is boolean masking. However, the application of this scheme is not so straightforward when it comes to block ciphers based on Addition-Rotation-Xor structure. In order to address this issue, since 2000, scholars have investigated schemes for converting Arithmetic to Boolean (AtoB) masking and Boolean to Arithmetic (BtoA) masking schemes. However, these solutions have certain limitations. The time performance of the AtoB scheme is extremely unsatisfactory because of the high complexity of $\mathcal{O}(k)$ where $k$ is the size of addition bit. At the FSE 2015, an improved algorithm with time complexity $\mathcal{O}(\log k)$ based on the Kogge-Stone carry look-ahead adder was suggested. Despite its efficiency, this algorithm cannot consider for constrained environments. Although the original algorithm naturally extends to low-resource devices, there is no advantage in time performance; we call this variant as the generic variant.

In this study, we suggest an enhanced variant algorithm to apply to constrained devices. Our solution is based on the principle of the Kogge-Stone carry look-ahead adder, and it uses a divide and conquer approach. In addition, we prove the security of our new algorithm against first-order attack. In implementation results, when $k=64$ and the register bit size of a chip is $8$, $16$ or $32$, we obtain $58$\%, $72$\%, or $68$\% improvement, respectively, over the results obtained using the generic variant. When applying those algorithms to first-order SPECK, we also achieve about $40$\% improvement. Moreover, our proposal extends to higher-order countermeasures as previous study.

Event date: 1 August 2016
Submission deadline: 1 August 2016

Event date: 15 September to 16 September 2016

Event date: 3 April to 7 April 2017
Submission deadline: 4 November 2016
Notification: 6 January 2017

Event date: 26 April to 28 April 2017
Submission deadline: 4 August 2016
Notification: 17 October 2016

Registration for Crypto 2016 is now open. Register on or before July 31 to avoid late registration surcharge. The conference will be held in Santa Barbara, August 14-18.

Event date: 4 December to 7 December 2016
Submission deadline: 24 July 2016
Notification: 25 September 2016

We are seeking experienced security engineers for penetration-testing and consulting on digital products in an agile environment.

A successful candidate will work within several multi-disciplinary agile teams to deliver a high-quality product.

Everyone in this team will be responsible for quality, however this role will have a stronger focus on continuously improving and applying security vulnerability and penetration testing in line with continues integration:

https://www.gov.uk/service-manual/operations/penetration-testing.html

You will be required to challenge and propose changes to existing processes where they do not contribute to the rapid delivery of a secure service.

Essential Skills:

• Ability to work closely with development teams to ensure secure coding is baked in to web applications and architecture

• Ability to carry application and infrastructure vulnerability and penetration testing

• Understanding of virtualisation and cloud technologies

• Ability to build automated testing to align with continuous integration

• Understanding of open source technologies, including web development frameworks and infrastructure.

• Security Testing Tools, both manual and automated

• Open Web Application Security Project (OWASP)

Desirable skills

• CREST or CHECK certifications (team leader or team member)

• Certified Ethical Hacker (CEH)

• CISSP or similar familiarity with security architecture

• Worked in Agile environments

• Physical Security

• Social Engineering

• Static program analysis

• Fuzz testing/fuzzing

Key Focus Areas:

• Applying security vulnerability and penetration testing on Digital products developed with Agile methodologies and continuous integration

• Consult with teams to ensure security is built in at all stages of a product\'s lifecycle.

Closing date for applications: 15 July 2016

Contact: Dom Tomkins, Head of Specialist Recruitment recruitment (at) digital.justice.gov.uk

More information: https://www.civilservicejobs.service.gov.uk/csr/index.cgi?SID=c2VhcmNoX3NsaWNlX2N1cnJlbnQ9MSZjc291cmNlPWNzcXNlYXJjaCZ1c2

This is an excellent opportunity to join a Cyber Security practice based in the United Arab Emirates (UAE) who is experiencing enormous growth.

They are currently recruiting some of the world’s top Cyber experts and are seeking candidates for the following roles:

Crypto Developer (Multiple roles) - Must have experience in Elliptic Curve Cryptography (ECC) and ideally some experience in commercial cryptography. PhD Mathematics is preferred.

Please note these are permanent roles which require the successful candidates to be based in the United Arab Emirates. Assistance with relocation will be provided.

On offer is an attractive TAX FREE expatriate package, the opportunity to learn from some of the most highly qualified, well renowned Cyber figures in the business and genuine career opportunities.

To apply for this role please forward a copy of your CV in English to hilary (at) talentboutique.ae.

Closing date for applications: 29 September 2016

Event date: 19 February to 21 February 2017
Submission deadline: 7 October 2016
Notification: 2 December 2016