International Association
for Cryptologic Research

Two PhD studentships are available at the Mathematical Institute, University of Oxford, to work in the areas of mathematical and post-quantum cryptography. The studentships are fully funded for 3 years and a half, including standard stipends and College and University fees. The studentships are attached to St Hughs College.

Candidates must have an excellent background in mathematics, computer science or physics and the ability and willingness to work on inter-disciplinary research projects. Acquaintance with cryptography concepts and/or quantum algorithms as well as some programming skills will be considered as strong assets. Candidates must be able to obtain a DV security clearance prior to starting their D Phil; in particular they must be UK citizens.

There is a possibility to slightly extend the deadline below as long as the candidate can still obtain their DV clearance before September 2017. Please contact us informally if needed.

Closing date for applications: 6 January 2017

Contact: Christophe Petit, Ali El Kaafarani

More information: https://www.maths.ox.ac.uk/node/24010

The positions are connected to the project “Construction of optimal Boolen functions”.

The prime objectives of this project are Boolean functions with optimal resistance to various cryptographic attacks (differential, linear, algebraic et al.) and their applications in discrete mathematics (such as commutative semifields, o-polynomials, difference sets, dual hyperovals, regular graphs, m-sequences, codes et al.).

For further information and for application for POSTDOC position see the webpage:

https://www.jobbnorge.no/en/available-jobs/job/132032/researcher-position-at-the-department-of-informatics

For further information and for application for PhD STUDENT positions see the webpage:

https://www.jobbnorge.no/en/available-jobs/job/132261/phd-position-in-boolean-functions-2-positions

All applicants are advised to apply also for the following open postdoc and PhD positions related to the whole Department of Informatics:

https://www.jobbnorge.no/en/available-jobs/job/132026/postdoctoral-fellow-in-informatics

https://www.jobbnorge.no/en/available-jobs/job/131983/research-fellow-phd-candidates-in-informatics-computer-science-3-positions

Closing date for applications: 15 February 2017

Contact: Dr. Lilya Budaghyan lilya.budaghyan (at) uib.no

This paper proposes an authenticated encryption scheme, called SIVx, that preserves BBB security also in the case of unlimited nonce reuses. For this purpose, we propose a single-key BBB-secure message authentication code with 2n-bit outputs, called PMAC2x, based on a tweakable block cipher. PMAC2x is motivated by PMAC_TBC1k by Naito; we revisit its security proof and point out an invalid assumption. As a remedy, we provide an alternative proof for our construction, and derive a corrected bound for PMAC_TBC1k.

In this article, we investigate the construction of lightweight MDS matrices. The key contribution of present paper is constructing MDS matrices over matrix polynomial residue ring. To the best of our knowledge, it is the first time that MDS matrices is constructed over matrix polynomial residue ring. In our method, we not only construct vast lightest MDS matrices, but also our algorithm is obvious more efficient than previous papers.

Cogliati et al. introduced the tweakable Even-Mansour cipher constructed from a single permutation and an almost-XOR-universal (AXU) family of hash functions with tweak and key schedule. Most of previous papers considered the security of the (iterated) tweakable Even-Mansour cipher in the single-key setting. In this paper, we focus on the security of the tweakable Even-Mansour cipher in the multi-key and related-key settings. We prove that the tweakable Even-Mansour cipher with related-key-AXU hash functions is secure against multi-key and related-key attacks, and derive a tight bound using H-coefficients technique, respectively. Our work is of high practical relevance because of rekey requirements and the inevitability of related keys in real-world implementations.

This book is a survey on the state of the art in block cipher design and analysis.

It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months.

However, it is also in a self-contained, useable, and relatively polished state, and for this reason I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much.

At some point I will produce a final version -- whatever being a ``final version'' means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people.

Kiasu-BC is a tweakable block cipher proposed by Jean et al. at ASIACRYPT 2014 alongside their TWEAKEY framework. The cipher is almost identical to the AES-128 except for the tweak, which renders it an attractive primitive for various modes of operation and applications requiring tweakable block ciphers. Therefore, studying how the additional tweak input affects security compared to that of the AES is highly valuable to gain trust in future instantiations. This work proposes impossible-differential and boomerang attacks on eight rounds of Kiasu-BC in the single-key model, using the core idea that the tweak input allows to construct local collisions. While our results do not threat the security of the full-round version, they help concretize the security of Kiasu-BC in the single-key model.

The Ring Learning-With-Errors (LWE) problem, whose security is based on hard ideal lattice problems, has proven to be a promising primitive with diverse applications in cryptography. There are however recent discoveries of faster algorithms for the principal ideal SVP problem, and attempts to generalize the attack to non-principal ideals. In this work, we study the LWE problem on group rings, and build cryptographic schemes based on this new primitive. One can regard the LWE on cyclotomic integers as a special case when the underline group is cyclic, while our proposal utilizes non-commutative groups that eliminates the weakness associated with the principal ideal lattices. In particular, we show how to build public key encryption schemes from dihedral group rings, which maintains the efficiency of the Ring-LWE, and improves its security. We also propose a simple modification of the Peikert-Vaikuntanathan-Waters cryptosystem, which is an amortized version of Regev's original proposal based on LWE. Our modification improves the encryption and decryption complexity per bit to sublinear in the security level, without affecting the security.

Zero-knowledge proofs are a core building block for a broad range of cryptographic protocols. This paper introduces a generic zero-knowledge proof system capable of proving the correct computation of any circuit. Our protocol draws on recent advancements in multiparty computation and its security relies only on the underlying commitment scheme. Furthermore, we optimize this protocol for use with multivariate quadratic systems of polynomials, leading to provably secure signatures from multivariate quadratic systems, with keys that scale linearly and signatures that scale quadratically with the security parameter.

Abstract: The basic objective of this work is to construct an efficient and secure mechanism for mobile commerce applying the concept of financial cryptography and secure multi-party computation. The mechanism (MCM) is defined by various types of elements: a group of agents or players, actions, a finite set of inputs of each agent, a finite set of outcomes as defined by output function, a set of objective functions and constraints, payment function, a strategy profile, dominant strategy and revelation principle. The mechanism adopts a set of intelligent moves as dominant strategies: (a) flexible use of hybrid payment system which supports cash, e-payment and m-payment, (b) secure multi-party computation to ensure information security and privacy and (c) call intelligent analytics to assess and mitigate possible threats on m-commerce service. The mechanism supports three different types of transaction processing protocols (P1, P2 and P3) and calls a cryptographic protocol (Pc). The cryptographic protocol performs a set of functions sequentially such as authentication, authorization, correct identification, privacy verification and audit of correctness, fairness, rationality, accountability and transparency of secure multi-party computation on each m-transaction. The basic building blocks of the cryptographic protocol are signcryption, proofs of knowledge, commitments and secret sharing. This work also presents the complexity analysis of the mechanism in terms of computational cost, communication cost, security and business intelligence. Keywords: Secure multi-party computation, Financial cryptography, Mobile commerce mechanism, Threat analytics, Digital economy

When a group key exchange protocol is executed, the session key is typically extracted from two types of secrets; long-term keys (for authentication) and freshly generated (often random) values. The leakage of this latter so-called ephemeral keys has been extensively analyzed in the 2-party case, yet very few works are concerned with it in the group setting. We provide a generic {group key exchange} construction that is strongly secure, meaning that the attacker is allowed to learn both long-term and ephemeral keys (but not both from the same participant, as this would trivially disclose the session key). Our design can be seen as a compiler, in the sense that it builds on a 2-party key exchange protocol which is strongly secure and transforms it into a strongly secure group key exchange protocol by adding only one extra round of communication. When applied to an existing 2-party protocol from Bergsma et al., the result is a 2-round group key exchange protocol which is strongly secure in the standard model, thus yielding the first construction with this property.

A redactable signature scheme is one that allows the original signature to be used, usually along with some additional data, to verify certain carefully` specified changes to the original document that was signed, namely the removal or redaction of subdocuments. For redactable signatures, the term "transparency" has been used to describe a scheme that hides the number and locations of redacted subdocuments. We present here two efficient transparent redactable signature schemes, which are the first such schemes in the literature that are based solely on tools of symmetric cryptography, along with a single application of an ordinary digital signature.

As with several previous schemes for redactable signatures, we sign a sequence of randomized commitments that depend on the contents of the subdocuments of the document to be signed. In order to hide their number and location, we randomize their order, and mix them with a sequence of "dummy nodes" that are indistinguishable from commitment values. Our first scheme uses a data structure of size quadratic in the number of subdocuments, encoding all the precedence relations between pairs of subdocuments. By embedding these precedence relations in a smaller family of graphs, our second scheme is more efficient, with expected cost linear in the number of subdocuments in the document to be signed. We introduce a quantified version of the transparency property, precisely describing the uncertainty about the number of redacted subdocuments that is guaranteed by the two schemes.

We prove that our schemes are secure, i.e. unforgeable, private, and transparent, based on the security of collision-free hash functions, pseudorandom generators, and digital signature schemes. While providing such strong security, our scheme is also efficient, in terms of both computation and communication.

The security of fully homomorphic encryption is often studied at the primitive level, and a lot of questions remain open when the cryptographer needs to choose between incompatible options, like IND- CCA1 security versus circular security or search-to-decision reduction. The aim of this report is to emphasize the well known (and often under- estimated) fact that the ability to compute every function, which is the most desired feature of Homomorphic Encryption schemes, is also their main weakness. We show that it can be exploited to perform very realistic attacks in the context of secure homomorphic computations in the cloud. In order to break a fully homomorphic system, the cloud provider who runs the computation will not target the primitive but the overall system. The attacks we describe are a combination between safe-errors attacks (well known in the smart cards domain) and reaction attacks, they are easy to perform and they can reveal one secret key bit per query. Furthermore, as homomorphic primitives gets improved, and become T times faster with K times smaller keys, these attacks become KT times more practical. Our purpose is to highlight the fact, that if a semantically-secure model is in general enough to design homomorphic primitives, additional protections need to be adopted at a system level to secure cloud applications. We do not attack a specific construction but the entire idea of homomorphic encryption, by pointing out all the possible targets of this attack (encrypted data, bootstrapping keys, trans-ciphering keys, etc.). We also propose some possible countermeasures (or better precautions) in order to prevent the loss of information.

In recent years, there has been a growing trend towards outsourcing of computational tasks with the development of cloud services. The Gentry’s pioneering work of fully homomorphic encryption (FHE) and successive works have opened a new vista for secure and practical cloud computing. In this paper, we consider performing statistical analysis on encrypted data. To improve the efficiency of the computations, we take advantage of the batched computation based on the Chinese-Remainder-Theorem. We propose two building blocks that work with FHE: a novel batch greater-than primitive, and matrix primitive for encrypted matrices. With these building blocks, we construct secure procedures and protocols for different types of statistics including the histogram (count), contingency table (with cell suppression) for categorical data; k-percentile for ordinal data; and principal component analysis and linear regression for numerical data. To demonstrate the effectiveness of our methods, we ran experiments in five real datasets. For instance, we can compute a contingency table with more than 50 cells from 4000 of data in just 5 minutes, and we can train a linear regression model with more than 40k of data and dimension as high as 6 within 15 minutes. We show that the FHE is not as slow as commonly believed and it becomes feasible to perform a broad range of statistical analysis on thousands of encrypted data.

We show generic attacks on unbalanced Feistel ciphers based on the meet-in-the-middle technique. We analyze two general classes of unbalanced Feistel structures, namely contracting Feistels and expanding Feistels. In both of the cases, we consider the practical scenario where the round functions are keyless and known to the adversary. In the case of contracting Feistels with 4 branches, we show attacks on 16 rounds when the key length k (in bits) is as large as the block length n (in bits), and up to 24 rounds when k = 2n. In the case of expanding Feistels, we consider two scenarios: one, where different nonlinear functions without particular structures are used in the round function, and a more practical one, where a single nonlinear is used but different linear functions are introduced in the state update. In the former case, we propose generic attacks on 13 rounds when k = n, and up to 21 rounds when k = 2n. In the latter case, 16 rounds can be attacked for k = n, and 24 rounds for k = 2n.

Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016 which can be used to construct high throughput block ciphers using the Even-Mansour construction, permutation-based hashing and wide-block authenticated encryption. In this paper, we give a 9-round impossible differential of Simpira-4, which turns out to be the first 9-round impossible differential. In order to get some efficient key recovery attacks on its block cipher mode (EM construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight different 6-round impossible differentials, we propose a series of 7-round key recovery attacks on the block cipher mode, each 6-round impossible differential helps to recover 32-bit of the master key (512-bit) and totally half of the master key bits are recovered. The attacks need $2^{57}$ chosen plaintexts and $2^{57}$ 7-round encryptions. Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode, which recover the full key space (512-bit) with the data complexity of $2^{170}$ chosen plaintexts and time complexity of $2^{170}$ 8-round encryptions. Those are the first attacks on round-reduced Simpira v2 and do not threaten the EM mode with the full 15-round Simpira-4.

QARMA is a recently published lightweight tweakable block cipher, which has been used by the ARMv8 architecture to support a software protection feature. In this paper, using the method of MITM, we give the first distinguisher of QARMA block cipher. It is made up of the \emph{Pseudo-Reflector} construction with two forward rounds and three backward rounds. By adding two rounds on the top and three rounds on the bottom of the distinguisher, together with the idea of the differential enumeration technique and the key-dependent sieve skill, we achieve a 10-round (of 16-round) key recovery attack with memory complexity of $2^{116}$ 192-bit space, data complexity of $2^{53}$ chosen plaintexts and time complexity of $2^{70.1}$ encryption units. Furthermore, we use the same distinguisher to attack QARMA-128 which also includes 10 (of 24) round functions and the $\emph{Pseudo-Refector}$ construction. The memory complexity is $2^{232}$ 384-bit space, the data complexity is $2^{105}$ chosen plaintexts and the time complexity is $2^{141.7}$ encryption units. These are the first attacks on QARMA and do not threaten the security of full round QARMA.

A growing body of research on Bitcoin and other permissionless cryptocurrencies that utilize Nakamoto's blockchain has shown that they do not easily scale to process a high throughput of transactions, or to quickly approve individual transactions; blocks must be kept small, and their creation rates must be kept low in order to allow nodes to reach consensus securely. As of today, Bitcoin processes a mere 3-7 transactions per second, and transaction confirmation takes at least several minutes.

We present SPECTRE, a new protocol for the consensus core of cryptocurrencies that remains secure even under high throughput and fast confirmation times. At any throughput, SPECTRE is resilient to attackers with up to 50\% of the computational power (up until the limit defined by network congestion and bandwidth constraints). SPECTRE can operate at high block creation rates, which implies that its transactions confirm in mere seconds (limited mostly by the round-trip-time in the network).

Key to SPECTRE's achievements is the fact that it satisfies weaker properties than classic consensus requires. In the conventional paradigm, the order between any two transactions must be decided and agreed upon by all non-corrupt nodes. In contrast, SPECTRE only satisfies this with respect to transactions performed by honest users. We observe that in the context of money, two conflicting payments that are published concurrently could only have been created by a dishonest user, hence we can afford to delay the acceptance of such transactions without harming the usability of the system. Our framework formalizes this weaker set of requirements for a cryptocurrency's distributed ledger. We then provide a formal proof that SPECTRE satisfies these requirements.

Dear IACR members,

As a turbulent 2016 nears its end, I would like to give you an update of current IACR activities.

First, let me thank all organizers of the eight (!) IACR conferences in 2016. They are all volunteers and take up the tremendous work of creating an event with 100s of participants and a program selected from 100s of submissions. All conferences ran smoothly and left lasting impressions.

The most recent conference I attended was Asiacrypt in Hanoi, with 2^8 participants and the first cryptology conference of IACR in Vietnam. Asiacrypt has been organized by IACR since 2000; the earlier Asiacrypt/Auscrypt conferences were predecessors to the ownership by IACR. However, Vietnamese cryptanalysts discovered in the logo of Asiacrypt 2016 that the IACR has always been part of AsIACRypt.

After the 2016 election, the Board of Directors will see a couple of new faces for 2017 onward: Welcome, Francois-Xavier Standaert and Joppe Bos; and welcome again Shai Halevi and Brian LaMacchia! In their roles as General Chairs of 2018 conferences, also Orr Dunkelman (Eurocrypt), Tal Rabin (Crypto), and Josef Pieprzyk (Asiacrypt) will join the Board. And Kenny Paterson takes over from Ivan Damgaard as Editor-in-Chief of the Journal of Cryptology.

At the same time, let me thank the leaving Board members for their longstanding service to the IACR: Nigel Smart, Martijn Stam, Christof Paar, and David Pointcheval have contributed to the organization for several decades taken together. They will enjoy future events with less responsibilities.

One important development in 2016 has been the creation of the IACR Transactions on Symmetric Cryptology (ToSC). ToSC is published as gold open access and freely available, published in electronic form by the Ruhr University of Bochum, with Gregor Leander as Managing Editor. ToSC is now available at http://tosc.iacr.org. (Sorry, HTTPS-everywhere enthusiasts, we only have HTTP for this at the moment.) The FSE conference and ToSC operate as a journal/conference hybrid and papers published in ToSC are presented at FSE.

The dates and details of IACR's future events appear on the website as they become available. The minutes of the Board meetings and the summary presentations that I give at each Asia/Euro/Crypto conference are available on the website as well, under About > Documents.

I wish you all the best for 2017 and am looking forward to seeing many of you at the next conferences!

Christian Cachin
IACR President

We provide a provable-security treatment of ``robust'' encryption. Robustness means it is hard to produce a ciphertext that is valid for two different users. Robustness makes explicit a property that has been implicitly assumed in the past. We argue that it is an essential conjunct of anonymous encryption. We show that natural anonymity-preserving ways to achieve it, such as adding recipient identification information before encrypting, fail. We provide transforms that do achieve it, efficiently and provably. We assess the robustness of specific encryption schemes in the literature, providing simple patches for some that lack the property. We discuss applications including PEKS (Public-key Encryption with Keyword Search) and auctions. Overall our work enables safer and simpler use of encryption.