International Association for Cryptologic Research


IACR News


Here you can see all recent updates to the IACR webpage.

23 December 2016

Bucharest, Romania, 18 September - 20 September 2017
Event Calendar
Event date: 18 September to 20 September 2017
Submission deadline: 31 May 2017
Notification: 25 June 2017

Saint-Petersburg, Russia, 6 April - 7 April 2017
Event Calendar
Event date: 6 April to 7 April 2017
Submission deadline: 27 February 2017

Ruhr University Bochum
Job Posting
The chair of Embedded Security at the Horst Goertz Institute for IT-Security (HGI) at Ruhr-University Bochum (Germany) has openings for PhD and Postdoc positions. We are looking for outstanding candidates with a strong background in Electrical/Computer Engineering and/or Cryptography.

The available positions are fully funded for three years.

The focus of the project is on practical as well as theoretical side-channel analysis of cryptographic devices. Applicants are required to have completed (or be close to completing) a Master's degree (or equivalent) with excellent grades in Computer/Electrical Engineering, Computer Science, Cryptography, or closely related areas. In addition to the usual computer and electrical engineering background, the candidate is expected to be able to deal with either hardware designs (e.g., VHDL/Verilog) or software designs (e.g., ARM processors), which is essential for the project.

Please send your application via e-mail as a single PDF containing a CV, copies of transcripts and certificates, and (if possible) names of references. Review of applications will start immediately and continue until the position has been filled. Note that only short-listed candidates will be notified.

Send your applications to emsec+apply (at) rub (dot) de

Starting date: earliest possible

Founded in 2001, the Horst Goertz Institute at Ruhr-University Bochum is a leading interdisciplinary research center dedicated to research and education covering all aspects of IT security, with an excellent record of research in cryptography. The Horst Goertz Institute has more than 15 professors and over 80 PhD students.

Closing date for applications: 31 March 2017

Contact: Amir Moradi

More information: https://www.emsec.rub.de


21 December 2016

Eric R. Verheul
ePrint Report
We specify Issue First Activate Later (IFAL). This is an ETSI type of V2X Public Key Infrastructure based on short-lived pseudonymous certificates without Certificate Revocation Lists. IFAL certificates are valid in the future but can only be used together with periodically provided activation codes. IFAL supports controlled de-pseudonymization, enabling provisioning to stop for misbehaving vehicles. IFAL allows for flexible policies, trade-offs between three essential V2X properties: trust, privacy and usability. IFAL activation codes are small and can be sent in an SMS, through roadside equipment or even broadcast. Like the Butterfly scheme, IFAL uses key derivation with one base private/public key pair. However, in IFAL the security module can be simple, as it can be kept oblivious of key derivation.

Erdem Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe
ePrint Report
In this paper we introduce NewHope-Simple, a variant of the NewHope Ring-LWE-based key exchange that uses a straightforward transformation from Ring-LWE encryption to a passively secure KEM (or key-exchange scheme). The main advantage of NewHopeLP-Simple over NewHope is simplicity. In particular, it avoids the error-reconciliation mechanism originally proposed by Ding. The explanation of his method, combined with other tricks, like unbiasing the key following Peikert's tweak and using the quantizer $D_4$ to extract one key bit from multiple coefficients, takes more than three pages in the NewHope-Simple paper.

The price for that simplicity is small: one of the exchanged messages increases in size by $6.25\%$ from $2048$ bytes to $2176$ bytes. The security of NewHopeLP is the same as the security of NewHope; the performance is very similar.

Pablo Lamela Seijas, Simon Thompson, Darryl McAdams
ePrint Report
We give an overview of the scripting languages used in existing cryptocurrencies, and in particular we review in some detail the scripting languages of Bitcoin, Nxt and Ethereum, in the context of a high-level overview of Distributed Ledger Technology and cryptocurrencies. We survey different approaches, and give an overview of critiques of existing languages. We also cover technologies that might be used to underpin extensions and innovations in scripting and contracts, including technologies for verification, such as zero knowledge proofs, proof-carrying code and static analysis, as well as approaches to making systems more efficient, e.g. Merkelized Abstract Syntax Trees.

Mathias Wagner, Yongbo Hu, Chen Zhang, Yeyang Zheng
ePrint Report
Template attacks have been shown to be among the strongest attacks when it comes to side-channel attacks. An essential ingredient there is to calculate the inverse of a covariance matrix. In this paper we make a comparative study of the effectiveness of some 24 different variants of template attacks based on different approximations of this covariance matrix. As an example, we have chosen a recent smart card where the plain text, cipher text, as well as the key leak strongly. Some of the more commonly chosen approximations to the covariance matrix turn out to be not very effective, whilst others are.

Steven D. Galbraith, Christophe Petit, Javier Silva
ePrint Report
We present the first signature schemes whose security relies on computational assumptions relating to isogeny graphs of supersingular elliptic curves. We give two schemes. The first one is obtained from an interactive identification protocol due to De Feo, Jao and Plut. The second signature scheme uses novel ideas that have not been used in cryptography previously, and is based on a more standard and potentially stronger computational problem.

Momonari Kudo
ePrint Report
The Ring-LWE (RLWE) problem is expected to be a computationally-hard problem even with quantum algorithms. The Poly-LWE (PLWE) problem is closely related to the RLWE problem, and in practice a security base for various recently-proposed cryptosystems. In 2014, Eisentraeger et al. proposed attacks against the decision-variant of the PLWE problem (and in 2015, Elias et al. precisely described and extended their attacks to be applied for that of the RLWE problem). Their attacks against the decision-PLWE problem succeed with sufficiently high probability in polynomial time under certain assumptions, one of which is that the defining polynomial of the PLWE instance splits completely over the ground field. In this paper, we present polynomial-time attacks against the search-variant of the PLWE problem. Our attacks are viewed as search-case variants of the previous attacks, but can deal with more general cases where the defining polynomial of the PLWE problem does not split completely over the ground field.

Debapriya Basu Roy, Shivam Bhasin, Sikhar Patranabis, Debdeep Mukhopadhyay
ePrint Report
Evaluation of side channel vulnerability of a cryptosystem has seen significant advancement in recent years. Researchers have proposed several metrics like Test Vector Leakage Assessment Methodology (TVLA), Normalized Inter Class Variance (NICV), Signal to Noise Ratio (SNR), and Guessing Entropy to determine side channel security of crypto implementations. Among these, TVLA has emerged as the front-runner, as it can determine side channel vulnerability of a crypto-system irrespective of the underlying leakage model and hence can be integrated into the testing mechanism very easily. TVLA, which is actually similar to a statistical t-test, acts as a powerful tool which provides a pass-fail testing mechanism for crypto-implementations. More precisely, while it can determine whether the system is secure or not, it does not quantify the security of the crypto-implementations in terms of the number of side channel traces required or the signal-to-noise ratio (SNR) of the crypto-implementations. The statistical F-test, on the other hand, can easily compute the SNR, which in turn can quantify the side channel vulnerability in terms of the number of side channel traces required. In this work, we aim to connect the TVLA metric to the computation of SNR, leading to a lower bound on the number of traces for a successful attack. This work will also show the equivalence of the required existing side channel evaluation metrics.

Mike Scott
ePrint Report
In a classic digital signature scheme, the global community is capable of verifying a signature. In a designated verifier scheme (DVS), only the designated verifier has this capability. In a classic DVS scheme the signer themselves ``designates'' the entity that will have the capability of verifying their signature. In a pure identity-based signature scheme a Trusted Authority is introduced, and is responsible for issuing secret signing keys to all participants. In our proposed scheme it is this TA, not the signer, that designates the verifier, and to this end the TA issues the designated verifier with its own secret. Finally we propose a variation that supports non-repudiation, plus a multi-factor signature capability.

Rio LaVigne
ePrint Report
The Cocks Identity Based Encryption (IBE) scheme, proposed in 2001 by Clifford Cocks, has been the standard for Quadratic Residue-based IBE. It had been long believed that this IBE did not have enough structure to have homomorphic properties. In 2013, Clear, Hughes, and Tewari (Africacrypt 2013) created a Cocks scheme derivative where they viewed ciphertexts as polynomials modulo a quadratic. While the scheme was homomorphic, it required sending twice as much information per ciphertext as the original Cocks scheme. A recent result by Joye (PKC 2016) used complex algebraic structures to demonstrate the fact that Cocks IBE, on its own, is additively homomorphic.

In this work, we build upon the results from CHT and Joye. We take the simple intuition from CHT, that ciphertexts can be seen as polynomials, but also demonstrate that we only need to send as much data as in the original Cocks scheme. This perspective leads to better intuition as to why these ciphertexts are homomorphic and to explicit efficient algorithms for computing this homomorphic addition.

We believe that our approach will facilitate other extensions of Cocks IBE. As an example, we exhibit a two-way proxy re-encryption algorithm, which arises as a simple consequence of the structure we propose. That is, given a re-encryption key, we can securely convert a ciphertext under one key to a ciphertext under the other key and vice-versa (hence two-way).

Krishna Bagadia, Urbi Chatterjee, Debapriya Basu Roy, Debdeep Mukhopadhyay, Rajat Subhra Chakraborty
ePrint Report
Radio-Frequency Identification tags are used for several applications requiring authentication mechanisms, which if subverted can lead to dire consequences. Many of these devices are based on low-cost Integrated Circuits which are designed in off-shore fabrication facilities and thus raise concerns about their trust. Recently, a lightweight entity authentication protocol called LCMQ was proposed, which is based on Learning Parity with Noise, Circulant Matrix, and Multivariate Quadratic problems. This protocol was proven to be secure against man-in-the-middle attacks and ciphertext-only attacks. In this paper, we show that in the standard setting, although the authentication uses two $m$-bit keys, $\mathbf{K_1}$ and $\mathbf{K_2}$, knowledge of only $\mathbf{K_2}$ is sufficient to forge the authentication. Based on this observation, we design a stealthy malicious modification to the circuitry based on the idea of Safe-errors to leak $\mathbf{K_2}$, which can thus be used to forge the entire authentication mechanism. We develop a Field Programmable Gate Array prototype of the design which is extremely lightweight and can be implemented using four Lookup tables.

Frank Wang, Catherine Yun, Shafi Goldwasser, Vinod Vaikuntanathan, Matei Zaharia
ePrint Report
Many online services let users query public datasets such as maps, flight prices, or restaurant reviews. Unfortunately, the queries to these services reveal highly sensitive information that can compromise users' privacy. This paper presents Splinter, the first system to protect users' queries on public data while scaling to realistic applications. A user splits her query into multiple parts and sends each part to a different provider that holds a copy of the data. As long as any one of the providers is honest and does not collude with the others, the providers cannot determine the query. Splinter uses and extends a new cryptographic primitive called Function Secret Sharing (FSS) that makes it significantly more efficient than prior systems based on Private Information Retrieval and garbled circuits. We develop protocols that extend FSS to new types of queries, such as maximum and top-K queries, as well as an optimized implementation of FSS using AES-NI instructions and multicores. Splinter achieves latencies below 1.2 seconds for realistic workloads including a Yelp clone, flight search, and map routing.

Nasrollah Pakniat, Mahnaz Noroozi
ePrint Report
Recently, Nie et al. proposed a certificateless aggregate signature scheme. In the standard security model considered in certificateless cryptography, we are dealing with two types of adversaries. In this paper, we show that Nie et al.'s scheme is insecure against the adversary of the first type. In other words, although they claimed that their proposed scheme is existentially unforgeable against adaptive chosen message attack considering the adversaries in certificateless settings, we prove that such a forgery can be done.

Zengpeng Li, Steven D. Galbraith, Chunguang Ma
ePrint Report
A major open problem is to protect leveled homomorphic encryption from adaptive attacks that allow an adversary to learn the private key. The only positive results in this area are by Loftus, May, Smart and Vercauteren. They use a notion of "valid ciphertexts" and obtain an IND-CCA1 scheme under a strong knowledge assumption, but they also show their scheme is not secure under a natural adaptive attack based on a "ciphertext validity oracle". However, due to recent cryptanalysis their scheme is no longer considered secure.

The main contribution of this paper is to explore a new approach to achieving this goal, which does not rely on a notion of "valid ciphertexts". The idea is to generate a "one-time" private key every time the decryption algorithm is run, so that even if an attacker can learn some bits of the one-time private key from each decryption query, this does not allow them to compute a valid private key.

This is the full version of the paper. The short version, which appeared in Provsec 2016, presented a variant of the Gentry-Sahai-Waters (GSW) levelled homomorphic encryption scheme. Damien Stehle pointed out an attack on our variant of this scheme that had not been anticipated in the Provsec paper; we explain the attack in this full version. This version of the paper also contains a new "dual" version of the GSW scheme. We give an explanation of why the known attacks no longer break the system. It remains an open problem to develop a scheme for which one can prove IND-CCA1 security.

Merrielle Spain, Mayank Varia
ePrint Report
Differential power analysis targets S-boxes to break ciphers that resist cryptanalysis. We relax cryptanalytic constraints to lower S-box leakage, as quantified by the transparency order. We apply genetic algorithms to generate 8-bit S-boxes, optimizing transparency order and nonlinearity as in existing work (Picek et al. 2015). We apply multiobjective evolutionary algorithms to generate a Pareto front. We find a tight relationship where nonlinearity drops substantially before transparency order does, suggesting the difficulty of finding S-boxes with high nonlinearity and low transparency order, if they exist. Additionally, we show that the cycle crossover yields more efficient single objective genetic algorithms for generating S-boxes than the existing literature. We demonstrate this in the first side-by-side comparison of the genetic algorithms of Millan et al. 1999, Wang et al. 2012, and Picek et al. 2015. Finally, we propose and compare several methods for avoiding fixed points in S-boxes; repairing a fixed point after evolution in a way that preserves fitness was superior to including a fixed point penalty in the objective function or randomly repairing fixed points during or after evolution.

20 December 2016

Taipei, Taiwan, 25 September - 28 September 2017
CHES
Event date: 25 September to 28 September 2017
Submission deadline: 17 March 2017
Notification: 6 June 2017

University of Westminster, Department of Computer Science
Job Posting

This is a full-time, permanent post and the successful candidate will join a Department with a widely recognised reputation for teaching Computer Science in the heart of London. The Department hosts several well-established undergraduate and postgraduate courses for both full-time and part-time students.

The appointee will be expected to join an energetic and innovative team of academic staff who deliver undergraduate and postgraduate teaching. In collaboration with our current team in cyber security, the applicant will contribute to teaching in our postgraduate courses and embed cyber security in all levels of our undergraduate courses. The cyber security curriculum in our programmes was recently redesigned around the CISSP themes so that it is kept aligned with (ISC)² both in its current state and in the way our modules get updated. Supervision of student projects forms an important component of our staff's professional practice.

Staff are also encouraged to develop their external research profile, and the appointee to this post will be expected to contribute to one or more of the Faculty of Science and Technology's multidisciplinary Research Groups, which include the Cyber Security research group, the Centre for Parallel Computing, Distributed and Intelligent Systems, and Software Systems Engineering.

Job reference number: 50042930

Salary: £39,502 to £43,870 per annum (incl. L.W.A.)

Interviews are likely to be held in the week commencing 27 February 2017.

Closing date for applications: 3 February 2017

Contact: For an informal discussion on the post please contact: Dr Aleka Psarrou, Head of Department of Computer Science at psarroa (at) westminster.ac.uk or telephone 020 7911 4846.

More information: https://vacancies.westminster.ac.uk/Hrvacancies/default.aspx?id=50042930


16 December 2016

Melbourne, Australia, 29 November - 1 December 2017
Event Calendar
Event date: 29 November to 1 December 2017
Submission deadline: 25 July 2017
Notification: 9 September 2017