International Association
for Cryptologic Research

Designing public key cryptosystems that resist attacks by quantum computers is an important area of current cryptographic research and standardization. To retain confidentiality of today's communications against future quantum computers, applications and protocols must begin exploring the use of quantum-resistant key exchange and encryption. In this paper, we explore post-quantum cryptography in general and key exchange specifically. We review two protocols for quantum-resistant key exchange based on lattice problems: BCNS15, based on the ring learning with errors problem, and Frodo, based on the learning with errors problem. We discuss their security and performance characteristics, both on their own and in the context of the Transport Layer Security (TLS) protocol. We introduce the Open Quantum Safe project, an open-source software project for prototyping quantum-resistant cryptography, which includes liboqs, a C library of quantum-resistant algorithms, and our integrations of liboqs into popular open-source applications and protocols, including the widely used OpenSSL library.

This paper presents highly efficient designs of double authentication preventing signatures (DAPS). In a DAPS, signing two messages with the same first part and differing second parts reveals the signing key. In the context of PKIs we suggest that CAs who use DAPS to create certificates have a court-convincing argument to deny big-brother requests to create rogue certificates, thus deterring certificate subversion. We give two general methods for obtaining DAPS. Both start from trapdoor identification schemes. We instantiate our transforms to obtain numerous specific DAPS that, in addition to being efficient, are proven with tight security reductions to standard assumptions. We implement our DAPS schemes to show that they are not only several orders of magnitude more efficient than prior DAPS but competitive with in-use signature schemes that lack the double authentication preventing property.

User convenience and strong security are often at odds, and most security applications need to find some sort of balance between these two (often opposing) goals. The Resource Public Key Infrastructure (RPKI) [8], a security infrastructure built on top of interdomain routing, is not exempt from this issue. The RPKI uses the maxLength attribute to reduce the amount of information that must be explicitly recorded in its cryptographic objects. MaxLength also allows operators to easily reconfigure their networks with- out modifying their RPKI objects. However, we argue that the maxLength attribute strikes the wrong balance between security and user convenience. In particular, we argue that maxLength is commonly configured in a manner that either obviates the security benefis provided by the RPKI or causes legitimate routes to appear invalid, without providing performance improvements. Therefore, we argue that the maxLength attribute should be eliminated from the RPKI.

In 2010, Resch and Plank proposed a computationally secure secret sharing scheme, called the AONT-RS scheme. We present a generalisation of their scheme and discuss two ways in which information is leaked if the scheme is used to distribute small ciphertexts. We then discuss how to prevent such leakage and provide a proof of computational privacy in the random oracle model. Next, we extend the scheme to be robust, ensuring the distributed data is recoverable even if a bounded number of players submit incorrect shares. We prove the robust AONT-RS scheme achieves computational privacy and recoverability in the random oracle model. Finally, we compare the security, share size and complexity of the robust AONT-RS scheme with a refined version of Krawczyk's robust scheme by Bellare and Rogaway.

Signal is a new security protocol that provides end-to-end encryption for instant messaging. It has recently been adopted by WhatsApp, Facebook Messenger and Google Allo among many others; the first two of these have at least 1 billion active users. Signal includes several uncommon security properties (such as ``future secrecy'' or ``post-compromise security''), enabled by a novel technique called ratcheting in which session keys are updated with every message sent. Despite its importance and novelty, there has been little to no academic analysis of the Signal protocol.

We conduct the first security analysis of Signal's Key Agreement and Double Ratchet as a multi-stage key exchange protocol. We extract from the implementation a formal description of the abstract protocol, define a security model which can capture the ``ratcheting'' key update structure, and prove the security of Signal's core in our model. Our presentation and results can serve as a starting point for other analyses of this widely adopted protocol.

Anonymous credential systems enable users to authenticate themselves in a privacy-preserving manner. At the conference ESORICS 2016, Kaaniche and Laurent presented an anonymous certification scheme based on a new attribute based signature. In this note, we provide several attacks on their scheme.

Ph.D. student in the H2020 SODA (Scalable Oblivious Data Analytics) project.

The SODA project aims at enabling practical privacy-preserving analytics on Big Data. Our focus is on making the performance of multi-party computation techniques for privacy-preserving shared Big Data processing practical for real-world use cases, moving beyond the traditional privacy-utility trade-off. One of the central themes is combining privacy-preserving processing with rigorous bounds on the privacy leakage of aggregated data analytics results. A range of Big Data processing challenges needs to be addressed in this context. The successful Post-Doc candidate will be appointed with the Data Mining group and Ph.D. student with the Coding and Crypto group.

Requirements:

• solid background in Mathematics and/or Computer Science with specialization in cryptography (demonstrated by a relevant MSc)

• strong interest in cryptographic protocols and secure multi-party computation;

• experience with secure multiparty computation is a plus;

• experience with development of efficient data mining techniques is a plus.

Accepting applications until position is filled.

Closing date for applications: 18 November 2016

Contact: Berry Schoenmakers

TU Eindhoven

Department Mathematics and Computer Science

e-mail: berry (at) win.tue.nl

More information: http://jobs.tue.nl/en/vacancy/phd-student-in-the-h2020-soda-project-scalable-oblivious-data-analytics-284211.html

Post-Doc in the H2020 SODA (Scalable Oblivious Data Analytics) project.

The SODA project aims at enabling practical privacy-preserving analytics on Big Data. Our focus is on making the performance of multi-party computation techniques for privacy-preserving shared Big Data processing practical for real-world use cases, moving beyond the traditional privacy-utility trade-off. One of the central themes is combining privacy-preserving processing with rigorous bounds on the privacy leakage of aggregated data analytics results. A range of Big Data processing challenges needs to be addressed in this context. The successful Post-Doc candidate will be appointed with the Data Mining group and Ph.D. student with the Coding and Crypto group.

Requirements:

• solid background in Computer Science with specialization in data mining, machine learning or related areas (demonstrated

  by a relevant PhD);

• strong interest in privacy-preserving analytics and secure multi-party computation;

• being enthusiastic about collaboration between data mining and crypto;

• experience with distributed data mining and streaming algorithms is a plus;

• hands on experience with development of efficient data mining techniques in a plus.

Closing date for applications: 11 November 2016

Contact: prof.dr. Mykola Pechenizkiy

TU Eindhoven

Department Mathematics and Computer Science

e-mail: m.pechenizkiy (at) tue.nl

More information: http://jobs.tue.nl/en/vacancy/postdoc-position-h2020-soda-project-scalable-oblivious-data-analytics-283849.html

In this work, we describe a new polynomial-time attack on the multilinear maps of Coron, Lepoint, and Tibouchi (CLT13), when used in candidate iO schemes. More specifically, we show that given the obfuscation of the simple branching program that computes the always zero functionality previously considered by Miles, Sahai and Zhandry (Crypto 2016), one can recover the secret parameters of CLT13 in polynomial time via an extension of the zeroizing attack of Coron et al. (Crypto 2015). Our attack is generalizable to arbitrary oblivious branching programs for arbitrary functionality, and allows (1) to recover the secret parameters of CLT13, and then (2) to recover the randomized branching program entirely. Our analysis thus shows that several of the single-input variants of iO over CLT13 are insecure.

The Resource Public Key Infrastructure (RPKI) binds IP address blocks to owners’ public keys. RPKI enables routers to perform Route Origin Validation (ROV), thus preventing devastating attacks such as IP prefix hijacking. Yet, despite extensive effort, RPKI’s deployment is frustratingly sluggish, leaving the Internet largely insecure. We tackle fundamental questions regarding today’s RPKI’s deployment and security: What is the adoption status of RPKI and ROV? What are the implications for global security of partial adoption? What are the root-causes for slow adoption? How can deployment be pushed forward? We address these questions through a combination of empirical analyses, a survey of over 100 network practitioners, and extensive simulations. Our main contributions include the following.We present the first study measuring ROV enforcement, revealing disappointingly low adoption at the core of the Internet. We show, in contrast, that without almost ubiquitous ROV adoption by large ISPs significant security benefits cannot be attained. We next expose a critical security vulnerability: about a third of RPKI authorizations issued for IP prefixes do not protect the prefix from hijacking attacks. We examine potential reasons for scarce adoption of RPKI and ROV, including human error in issuing RPKI certificates and inter-organization dependencies, and present recommendations for addressing these challenges.

In 2000, Canetti, Goldreich, Goldwasser and Micali (STOC'00) proposed the notion of resettable zero-knowledge, which considers the scenario where a malicious verifier can reset the prover and force it to reuse its random tape. They provided a construction that resists such attacks, and in the following, the notion of resettability was considered in various other scenarios. Starting with resettably-sound zero-knowledge, over general resettable computation with one resettable party, to protocols where all parties are resettable.

Most of these results are only concerned with the feasibility of resettable computation, while efficiency is secondary. There is a considerable gap in the round- and communication-efficiency between actively secure protocols and resettably secure protocols. Following the work of Goyal and Sahai (EUROCRYPT'09), we study the round- and communication-efficiency of resettable two-party computation in the setting where one of the two parties is resettable, and close the gap between the two notions of security:

- We construct a fully simulatable resettable CRS in the plain model that directly yields constant-round resettable zero-knowledge and constant-round resettable two-party computation protocols in the plain model.

- We present a new resettability compiler that follows the approach of Ishai, Prabhakaran and Sahai (CRYPTO'08) and yields constant-rate resettable two-party computation.

Ownership Transfer Protocols for RFID allow transferring the rights over a tag from a current owner to a new owner in a secure and private way. Recently, Kapoor and Piramuthu have proposed two schemes which solve most of the security weaknesses detected in previously published protocols. However, this paper reviews this work and points out that such schemes still present some practical and security issues. We then propose some modifications in these protocols that overcome such problems.

Smart contracts are computer programs that can be correctly executed by a network of mutually distrusting nodes, without the need of an external trusted authority. Since smart contracts handle and transfer assets of considerable value, besides their correct execution it is also crucial that their implementation is secure against attacks which aim at stealing or tampering the assets. We study this problem in Ethereum, the most well-known and used framework for smart contracts so far. We analyse the security vulnerabilities of Ethereum smart contracts, providing a taxonomy of common programming pitfalls which may lead to vulnerabilities. We show a series of attacks which exploit these vulnerabilities, allowing an adversary to steal money or cause other damage.

For decades, the Network Time Protocol (NTP) has been used to synchronize computer clocks over untrusted network paths. This work takes a new look at the security of NTP’s datagram protocol. We argue that NTP’s datagram protocol in RFC5905 is both underspecified and flawed, which has lead to vulnerabilities in NTP’s reference implementation. We then present three new attacks that remote attackers can use to maliciously alter a target’s time. We show that vulnerabilities arise because NTP’s symmetric mode and NTP’s client/server mode have conflicting security requirements that are not respected by the specifications. We use network scans to find millions of IPs that are vulnerable to our attacks. Finally, we move beyond identifying attacks by developing a cryptographic model and using it to prove the security of two improved client/server protocols for NTP.

Very recently, the {\sf Atomic AES} architecture that provides dual functionality of the AES encryption and decryption module was proposed. It was surprisingly compact and occupied only around 2645 GE of silicon area and took 226 cycles for both the encryption and decryption operations. In this work we further optimize the above architecture to provide the dual encryption/decryption functionality in only 2263 GE and latency of 246/326 cycles for the encryption and decryption operations respectively. We take advantage of clock gating techniques to achieve Shiftrow and Inverse Shiftrow operations in 3 cycles instead of 1. This helps us replace many of the scan flip-flops in the design with ordinary flip-flops. Furthermore we take advantage of the fact that the Inverse Mixcolumn matrix in AES is the cube of the forward Mixcolumn matrix. Thus by executing the forward Mixcolumn operation three times over the state, one can achieve the functionality of Inverse Mixcolumn. This saves some more gate area as one is no longer required to have a combined implementation of the Forward and Inverse Mixcolumn circuit.

Security against hardware trojans is currently becoming an essential ingredient to ensure trust in information systems. A variety of solutions have been introduced to reach this goal, ranging from reactive (i.e., detection-based) to preventive (i.e., trying to make the insertion of a trojan more difficult for the adversary). In this paper, we show how testing (which is a typical detection tool) can be used to state concrete security guarantees for preventive approaches to trojan-resilience. For this purpose, we build on and formalize two important previous works which introduced ``input scrambling" and ``split manufacturing" as countermeasures to hardware trojans. Using these ingredients, we present a generic compiler that can transform any circuit into a trojan-resilient one, for which we can state quantitative security guarantees on the number of correct executions of the circuit thanks to a new tool denoted as ``testing amplification". Compared to previous works, our threat model covers an extended range of hardware trojans while we stick with the goal of minimizing the number of honest elements in our transformed circuits. Since transformed circuits essentially correspond to redundant multiparty computations of the target functionality, they also allow reasonably efficient implementations, which can be further optimized if specialized to certain cryptographic primitives and security goals.

Annihilation attacks, introduced in the work of Miles, Sahai, and Zhandry (CRYPTO 2016), are a class of polynomial-time attacks against several candidate indistinguishability obfuscation ($i\mathcal{O}$) schemes, built from Garg, Gentry, and Halevi (EUROCRYPT 2013) multilinear maps. In this work, we provide a general efficiently-testable property of two branching programs, called ``partial inequivalence'', which we show is sufficient for our variant of annihilation attacks on several obfuscation constructions based on GGH13 multilinear maps.

We give examples of pairs of natural $\mathsf{NC}^1$ circuits, which -- when processed via Barrington's Theorem -- yield pairs of branching programs that are partially inequivalent. As a consequence we are also able to show examples of ``bootstrapping circuits,'' used to obtain obfuscations for all circuits (given an obfuscator for $\mathsf{NC}^1$ circuits), in certain settings also yield partially inequivalent branching programs. Prior to our work, no attacks on any obfuscation constructions for these settings were known.

We describe an efficient and secure decryption protocol to the Norwegian Internet voting project. We first adapt Groth’s shuffle-decryption from 2010 to our purpose, and we prove all security properties in the random oracle model. We then describe the complete decryption algorithm, and prove that it maintains the security of the rest of the protocol.

There is an open position for a Post-Doc in the area of post-quantum cryptography and implementations. Interested applicants with PhD need to demonstrate prior work and related publications. Please send your CV for consideration. The position is for one year with the possibility of extension for another year.

Closing date for applications: 1 January 2017

Contact: Dr. Reza Azarderakhsh at razarderakhsh (at) fau.edu.

[version française ci-dessous]

Department of Mathematics and Statistics

Tenure track position in Number Theory, McGill University

The Department of Mathematics and Statistics at McGill University invites applications for a tenure-track position in arithmetic geometry or automorphic forms, broadly interpreted. The Department expects to appoint at the Assistant Professor level, but more senior applicants will also be considered.

Candidates must have a doctoral degree at the date of appointment, and must have demonstrated excellence in mathematical research. They must also have the desire and potential to contribute to the educational programs of the Department at the graduate and undergraduate levels.

Applications should be made through MathJobs.Org (Position ID: NUMTH) and should include a curriculum vitae, a list of publications, a research outline, a teaching statement which includes an account of teaching experience, and at least four references (with one addressing the teaching record). Candidates are also encouraged to provide web links for up to three selected reprints or preprints, or to upload them to MathJobs.Org.

Candidates must ensure that letters of reference are submitted preferably through http://mathjobs.org, although in exceptional circumstances they may be emailed to numtheory.mathstat (at) mcgill.ca

Review of applications will begin on November 15 and will continue until the position has been filled. For further details or clarifications, please email numtheory.mathstat (at) mcgill.ca

McGill University is committed to diversity and equity in employment. It welcomes applications from: women, Aboriginal persons, persons with disabilities, ethnic minorities, persons of minority sexual orientation or gender identity, visible minorities, and others who may contribute to diversification. All qualified applicants are encouraged to apply; however, in accordance with Canadian immigration requirements, Canadians and permanent residents will be given priority.

Closing date for applications: 15 November 2016