International Association for Cryptologic Research

IACR News

11 January 2017

Eduardo Ruiz Duarte
ePrint Report
We explore the function field of the Jacobian $J_H$ of a hyperelliptic curve $H$ of genus 2 in order to find reduced coordinates to represent points of $J_H$ and do arithmetic. We show how this relates to the usual Mumford representation of points of $J_H$. Moreover we identify the open subsets of $J_H$ where our reduced coordinates are defined, characterizing the elements which can be reduced, and we discuss the group operation with them.
Bahram Rashidi, Reza Rezaeian Farashahi, Sayed Masoud Sayedi
ePrint Report
In this paper, high-speed hardware architectures of point multiplication based on the Montgomery ladder algorithm for binary Edwards and generalized Hessian curves in Gaussian normal basis are presented. Computations of the point addition and point doubling in the proposed architecture are performed concurrently by pipelined digit-serial finite field multipliers. The multipliers in parallel form are scheduled for a lower number of clock cycles. The structure of the proposed digit-serial Gaussian normal basis multiplier is constructed from regular and low-cost modules for exponentiation by powers of two and multiplication by normal elements. Therefore, the structures are area efficient and have low critical path delay. Implementation results of the proposed architectures on a Virtex-5 XC5VLX110 FPGA show that the execution time of the point multiplication for binary Edwards and generalized Hessian curves over $GF(2^{163})$ and $GF(2^{233})$ is 8.62 µs and 11.03 µs respectively. The proposed architectures have high performance and high speed compared to other works.
Worldline / University of Limoges, France
Job Posting
The department of research & development of Worldline, an Atos Group company, and the department of mathematics and information security of XLIM, University of Limoges, France, are jointly conducting a study on code-based cryptography. The successful applicant will be working on the code-based submissions for standardization in the NIST post-quantum project.

Applicants who have a Master's degree in mathematics, computer science or related areas are encouraged to apply. Skills in error-correcting codes, complexity and software development will also be appreciated.

The position is fully funded for 3 years to work within our research teams. Additionally, the candidate may be offered a six-month internship before the beginning of the Ph.D. Review of applications will start immediately and continue until the position is filled.

Closing date for applications: 1 September 2017

Contact: Applications should be directed to: slim.bettaieb [at] worldline.com, loic.bidoux [at] worldline.com and gaborit [at] unilim.fr

Hong Kong Applied Science and Technology Research Institute Company Limited
Job Posting

Job Responsibilities

• Design and build financial technology applications using Blockchain / Distributed Ledger Technologies

• Work closely with the banking industry to create high-value Blockchain applications

• Conduct research on cryptographic schemes for Blockchain / Distributed Ledger Technologies

• Design and develop innovative yet high-quality application software for cybersecurity and FinTech initiatives

• Collaborate with the energetic team to develop impactful Blockchain proof-of-concept and production applications

Requirements

• Bachelor's degree in Computer Science or related disciplines with 6+ years' experience, or Master's degree or equivalent education with 3+ years' experience, or Ph.D. degree holder with less experience. Candidates with less experience will be considered for an Engineer position.

• Knowledge of Blockchain technology and a good understanding of cryptographic principles. Understanding of Blockchain platforms such as Bitcoin, Ethereum, Hyperledger, etc. is a big plus.

• Understanding of distributed systems and experience in implementing cryptographic protocols is a plus.

• Hands-on experience in one or more programming languages: Java, Scala, Python, JavaScript, C/C++, Go, etc.

• Good understanding of data structures, algorithms and design patterns.

• Must possess excellent interpersonal, verbal, and written communication skills.

• Must have a collaborative mindset, be a team player and be keen to share knowledge.

• Ability to work independently and thrive in learning new technologies.

Closing date for applications: 15 January 2017

Contact: charlenechoo (at) astri.org

More information: http://www.astri.org

NXP Semiconductors, Hamburg, Germany
Job Posting
NXP Semiconductors is looking for an excellent, motivated, self-driven doctoral student to work in the area of side-channel evaluation on embedded devices.

The PhD position is for three years and will be located in Hamburg (Germany) within the Innovation Center for Cryptography and Security of NXP; it will be supervised at the academic level by Prof. François-Xavier Standaert (Université Catholique de Louvain). It will be funded by the REASSURE European research project, which focuses on improving the efficiency of security evaluations with respect to side-channel analysis.

Education and Requirements

--------------------

- A Master's degree in computer science, security or mathematics

- A proven interest in cryptography and side-channel analysis

- Excellent communication and presentation skills on tactical as well as executive level (internally and externally)

- Strong analytical skills

- Team player

- Fluent in spoken and written English

Background in cryptography and embedded security will be a plus. Knowledge of German is not required.

Applications will be considered on a rolling basis until the position is filled.

Closing date for applications:

Contact: Vincent Verneuil

More information: https://nxp.wd3.myworkdayjobs.com/careers/job/Hamburg/PhD-student-in-Side-Channel-Analysis--m-f-_R-10001468-1

IMDEA Software Institute, Madrid, Spain
Job Posting
The IMDEA Software Institute invites applications for a postdoctoral position in the area of Cryptography. The successful candidate will do research in the analysis and design of provably-secure cryptographic protocols, supported by a project within the area of verifiable computation and zero-knowledge proofs.

The position is based in Madrid, Spain, where the IMDEA Software Institute is situated. Salaries are internationally competitive and include attractive conditions such as access to an excellent public healthcare system. The working language at the institute is English.

Applicants should have already completed, or be close to completing, a PhD in computer science, mathematics, or a related discipline. Applicants should have an excellent research track record demonstrated by publications at major cryptography/security venues, and should have significant experience in the design of cryptographic protocols and provable security. Solid programming skills and experience in implementing cryptographic protocols will be considered positively. The application requires, among other documents, a CV, a research statement, and the names of 3 persons who can provide references about you and your work.

The postdoctoral position is for one year. The starting date is negotiable but expected to be mid 2017.

Applicants interested in the position should send an email to Dario Fiore and submit the application documents at https://careers.imdea.org/software/. Applications are accepted until the position is filled.

Closing date for applications: 31 May 2017

Contact: For enquiries about the position, please contact: Dario Fiore, dario.fiore (at) imdea.org

More information: https://software.imdea.org/open_positions.html

University of Surrey, Surrey Centre for Cyber Security
Job Posting
Surrey Centre for Cyber Security invites applications for a fully-funded PhD position (tax-free stipend of 22,000 GBP per year for a total of 3.5 years) in Cryptography to work on a research project focusing on the design, analysis and development of cryptographic protocols for privacy-preserving authentication in vehicular communications.

Successful applicants are expected to hold a Bachelor's or Master's degree in Information Security, Computer Science or Mathematics awarded with at least 2:1 honours, and to have strong background knowledge and technical skills (incl. programming skills) in cryptography and/or information/cyber security. We particularly welcome applications from ongoing students who are projected to fulfil the above criteria and complete their degree in 2017.

This position is funded by HM Government and is available only to UK citizens. Applications are welcome from UK citizens who are prepared to undergo security vetting conducted by respective UK authorities. The initial stage of vetting may last up to 3 months and needs to be accomplished successfully before the applicant can commence with their PhD studies and become eligible for the stipend.

This is a rolling advert with a nominal closing date. Applications are accepted until the position is filled.

Closing date for applications: 31 March 2017

Contact: Dr Mark Manulis, m.manulis (at) surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=093316

The Hong Kong Applied Science and Technology Research Institute Company Limited
Job Posting
Job Responsibilities

• To design and develop cryptographic protocols and schemes

• To design, analyze and implement cryptographic systems and related systems such as blockchain

• To study the latest cryptographic algorithms and protocols

Requirements

• Master's degree in computer science, electronic engineering or other relevant disciplines with 3+ years' experience; less experience required for PhD holders

• Experience in cryptographic system design and cryptanalysis

• Deep knowledge of number theory and security proofs

• Hands-on experience with C/C++ and Java

• Preferably experience in using cryptographic libraries such as OpenSSL, MIRACL, PBC, etc.

• Experience in developing cloud computing systems is an advantage, but not a must

•Strong interpersonal and communications skills

•Good command of both written and spoken English

Closing date for applications: 15 January 2017

Contact: charlenechoo (at) astri.org

More information: http://www.astri.org

Nanyang Technological University, Singapore
Job Posting
A one year postdoc/research fellow in the Coding and Crypto Research Group at Nanyang Technological University, Singapore is available immediately. The suitable candidate is to work on code and/or lattice based crypto.

Closing date for applications: 29 January 2017

Contact: Huaxiong Wang

email: hxwang (at) ntu.edu.sg


05 January 2017

Philadelphia, USA, 17 July - 19 July 2017
Event Calendar
Event date: 17 July to 19 July 2017
Submission deadline: 6 March 2017
Notification: 26 April 2017
Sungwook Kim, Jinsu Kim, Jae Hong Seo
ePrint Report
Functional Encryption (FE) is a new paradigm supporting restricted decryption keys for a function $f$ that allow one to learn $f(x_j)$ from encryptions of messages $x_j$. A natural and practical security requirement for FE is to keep not only the messages $x_1,\ldots,x_q$ but also the functions $f_1,\ldots,f_q$ confidential from the encryptions and decryption keys, except for the inevitable information $\{f_i(x_j)\}_{i,j\in[q]}$, for any polynomial, a priori unknown number $q$, where the $f_i$'s and $x_j$'s are adaptively chosen by adversaries. Such a security requirement is called {\em full function privacy}. In this paper, we particularly focus on function-private FE for the inner product functionality in the {\em private key setting} (simply called Inner Product Encryption (IPE)). To the best of our knowledge, there are two approaches to fully function-private IPE schemes in the private key setting. One is to employ a general transformation from (non-function-private) FE for general circuits (Brakerski and Segev, TCC 2015). This approach requires heavy crypto tools such as indistinguishability obfuscation (for non-function-private FE for general circuits) and is therefore inefficient. The other approach is relatively practical; it directly constructs IPE schemes by using {\em dual pairing vector spaces (DPVS)} (Bishop et al. ASIACRYPT 2015, Datta et al. PKC 2016, and Tomida et al. ISC 2016).

We present a new approach to practical function-private IPE schemes that does not employ DPVS but generalizations of the Brakerski-Segev transformation. Our generalizations of the Brakerski-Segev transformation are easily combinable with existing (non-function-private) IPE schemes as well as (non-function-private) FE schemes for general circuits at several levels of security. Our resulting IPE schemes achieve better performance in comparison with the Bishop et al. IPE scheme as well as the Datta et al. IPE scheme while preserving the same security notion under the same complexity assumption. In comparison with the Tomida et al. IPE scheme, ours have comparable performance in the size of both ciphertext and decryption key, but better performance in the size of the master key.

04 January 2017

Mike Hamburg
ePrint Report
The “Internet of Things” (IoT) promises ubiquitous, cheap, connected devices. Unfortunately, most of these devices are hastily developed and will never receive code updates. Part of the IoT’s security problem is cryptographic, but established cryptographic solutions seem too heavy or too inflexible to adapt to new use cases.

Here we describe Strobe, a new lightweight framework for building both cryptographic primitives and network protocols. Strobe is a sponge construction in the same family as Markku Saarinen’s BLINKER framework.

The Strobe framework is simple and extensible. It is suitable for use as a hash, authenticated cipher, pseudorandom generator, and as the symmetric component of a network protocol engine. With an elliptic curve or other group primitive, it also provides a flexible Schnorr signature variant.

Strobe can be instantiated with different sponge functions for different purposes. We show how to instantiate Strobe as an instance of NIST's draft cSHAKE algorithm. We also show a lightweight implementation which is especially suitable for 16- and 32-bit microcontrollers, and also for small but high-speed hardware.
Ping Zhang, Peng Wang, Honggang Hu
ePrint Report
We present a generalized tweakable blockcipher HPH, which is constructed from a public random permutation $P$ and an almost-XOR-universal (AXU) hash function $H$ with a tweak and key schedule $(t_1,t_2,K)\in \mathcal{T}\times \mathcal{K}$, and defined as $y=HPH_K((t_1,t_2),x)=P(x\oplus H_K(t_1))\oplus H_K(t_2)$, where the key $K$ is chosen from a key space $\mathcal{K}$, the tweak $(t_1,t_2)$ is chosen from a tweak space $\mathcal{T}$, $x$ is a plaintext, and $y$ is a ciphertext. We prove that HPH is a secure strong tweakable pseudorandom permutation. Then we focus on the security of HPH against multi-key and related-key attacks. We prove that HPH is multi-key-secure and that HPH with related-key-AXU hash functions is related-key-secure, and derive a tight bound for each. HPH can be extended to wide applications. It is directly applicable to authentication and authenticated encryption modes, and makes them provably secure in the multi-key and related-key settings.
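The following is an added worked example, not code from the paper: a toy instantiation of the HPH formula above in Python. The public permutation $P$ is a keyless 4-round Feistel network whose round function is SHA-256 (an assumption for illustration; any public permutation, e.g. a block cipher under a fixed public key, would do), and the AXU hash is $H_K(t) = K \cdot t$ in $GF(2^{128})$, which is XOR-universal. Decryption peels the $t_2$ mask, applies $P^{-1}$, then peels the $t_1$ mask; the `main` block's message is a constructed sample.

```python
import hashlib
import secrets

BLOCK_BITS = 128
HALF_MASK = (1 << 64) - 1
BLOCK_MASK = (1 << BLOCK_BITS) - 1
ROUNDS = 4  # assumed round count for the toy public permutation


def gf128_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128), reduction polynomial x^128 + x^7 + x^2 + x + 1.

    H_K(t) = K * t is XOR-universal in t for uniform K, hence an AXU hash.
    """
    r = 0
    for _ in range(BLOCK_BITS):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> (BLOCK_BITS - 1)
        a = (a << 1) & BLOCK_MASK
        if carry:
            a ^= 0x87  # x^128 = x^7 + x^2 + x + 1
    return r


def _round(i: int, half: int) -> int:
    # Keyless round function: anyone can evaluate it, so P is a *public* permutation.
    digest = hashlib.sha256(bytes([i]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def public_perm(x: int) -> int:
    """Toy public permutation P on 128-bit blocks (4-round Feistel, assumed)."""
    left, right = x >> 64, x & HALF_MASK
    for i in range(ROUNDS):
        left, right = right, left ^ _round(i, right)
    return (left << 64) | right


def public_perm_inv(y: int) -> int:
    """P^{-1}: undo the Feistel rounds in reverse order."""
    left, right = y >> 64, y & HALF_MASK
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(i, left), left
    return (left << 64) | right


def hph_encrypt(key: int, t1: int, t2: int, x: int) -> int:
    """y = P(x xor H_K(t1)) xor H_K(t2), exactly the HPH definition."""
    return public_perm(x ^ gf128_mul(key, t1)) ^ gf128_mul(key, t2)


def hph_decrypt(key: int, t1: int, t2: int, y: int) -> int:
    """x = P^{-1}(y xor H_K(t2)) xor H_K(t1)."""
    return public_perm_inv(y ^ gf128_mul(key, t2)) ^ gf128_mul(key, t1)


if __name__ == "__main__":
    key = secrets.randbits(BLOCK_BITS)
    x = int.from_bytes(b"sixteen byte msg", "big")  # constructed sample block
    y = hph_encrypt(key, 1, 2, x)
    assert hph_decrypt(key, 1, 2, y) == x
    # Changing either tweak component changes the ciphertext.
    assert hph_encrypt(key, 1, 3, x) != y
    print(hex(y))
```

The two masks are the only places the key enters, which is what makes the construction's multi-key and related-key analysis hinge on the (related-key-)AXU property of $H$ rather than on $P$; swapping in a different public permutation leaves `hph_encrypt` and `hph_decrypt` unchanged.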

02 January 2017

Jorge Luis Villar
ePrint Report
In this paper we provide new algebraic tools to study the relationship between different Matrix Diffie-Hellman (MDDH) Problems, which were recently introduced as a natural generalization of the so-called Linear Problem. Namely, we provide an algebraic criterion to decide whether there exists a generic black-box reduction, and in many cases, when the answer is positive, we also build an explicit reduction with the following properties: it only makes a single oracle call, it is tight and it makes use only of operations in the base group.

It is well known that two MDDH problems described by matrices with a different number of rows are separated by an oracle computing certain multilinear map. Thus, we put the focus on MDDH problems of the same size. Then, we show that MDDH problems described with a different number of parameters are also separated (meaning that a successful reduction cannot decrease the amount of randomness used in the problem instance description).

When comparing MDDH problems of the same size and number of parameters, we show that they are either equivalent or incomparable. This suggests that a complete classification into equivalence classes could be done in the future. In this paper we give some positive and negative partial results about equivalence, in particular solving the open problem of whether the Linear and the Cascade MDDH problems are reducible to each other.

The results given in the paper are limited by some technical restrictions in the shape of the matrices and in the degree of the polynomials defining them. However, these restrictions are also present in most of the work dealing with MDDH Problems. Therefore, our results apply to all known instances of practical interest.

01 January 2017

Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar
ePrint Report
Microarchitectural attacks have gained popularity in recent years since they use only standard resources, e.g. memory and cache access timing. Such privileges are available to applications at the lowest privilege levels. Further, microarchitectural attacks have proven successful on shared cloud instances across VMs, on smartphones with sandboxing, and on numerous embedded platforms. Given the rise of malicious code in app stores and in online repositories, it becomes essential to scan applications for such stealthy attacks. We present a static code analysis tool, MASScan, capable of scanning for ever-evolving microarchitectural attacks. Our proposed tool MASScan can be used by app store service providers to perform large-scale, fully automated analysis of applications. The initial MASScan suite is built to include attack vectors covering popular cache/DRAM access attacks and rowhammer. Further, our tool is easily extensible to cover newer attack vectors as they emerge.
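As an added example (this is not MASScan, whose rule set the abstract does not describe), here is a small static scanner in Python over constructed objdump-style x86-64 disassembly. It applies two publicly known structural signatures: a cache-line flush and a cycle counter inside the same function, the shape of a Flush+Reload probe, and a flush instruction that a backward jump can reach again, the repeated-eviction loop shape used by rowhammer. The mnemonic sets, the regexes and the sample listing are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Instruction classes that recur in cache-timing and rowhammer code. These sets are an
# illustrative heuristic, not MASScan's actual signatures; extend them as new vectors appear.
TIMERS = {"rdtsc", "rdtscp"}
FLUSHES = {"clflush", "clflushopt"}

LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)*\s*([a-z][a-z0-9]*)(?:\s+(.*))?$")
FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")

# Constructed sample disassembly: a benign copy, a Flush+Reload probe, a flush loop.
SAMPLE = """\
0000000000401000 <copy_buf>:
  401000: 48 8b 07             mov    (%rdi),%rax
  401003: 48 89 06             mov    %rax,(%rsi)
  401006: c3                   ret

0000000000401010 <probe_line>:
  401010: 0f ae 3f             clflush (%rdi)
  401013: 0f ae e8             lfence
  401016: 0f 31                rdtsc
  401018: 8b 0f                mov    (%rdi),%ecx
  40101a: 0f 31                rdtsc
  40101c: c3                   ret

0000000000401020 <hammer>:
  401020: 48 8b 07             mov    (%rdi),%rax
  401023: 48 8b 06             mov    (%rsi),%rax
  401026: 0f ae 3f             clflush (%rdi)
  401029: 0f ae 3e             clflush (%rsi)
  40102c: ff ca                dec    %edx
  40102e: 75 f0                jne    401020 <hammer>
  401030: c3                   ret
"""


def parse_objdump(text):
    """Group (address, mnemonic, operands) tuples by function from objdump -d style text."""
    funcs, current = defaultdict(list), None
    for line in text.splitlines():
        m = FUNC_RE.match(line.strip())
        if m:
            current = m.group(2)
            continue
        m = LINE_RE.match(line)
        if m and current:
            funcs[current].append((int(m.group(1), 16), m.group(2), m.group(3) or ""))
    return funcs


def scan(funcs):
    """Return {function: [finding, ...]} from purely structural checks."""
    findings = {}
    for name, insns in funcs.items():
        mnems = {mn for _, mn, _ in insns}
        hits = []
        if mnems & TIMERS and mnems & FLUSHES:
            hits.append("flush+timer in one function: cache-timing probe (Flush+Reload style)")
        # A flush inside the body of a backward jump is executed repeatedly.
        for addr, mn, ops in insns:
            if mn.startswith("j") and re.match(r"^[0-9a-f]+", ops):
                target = int(ops.split()[0], 16)
                if target <= addr and any(
                    target <= a <= addr and m2 in FLUSHES for a, m2, _ in insns
                ):
                    hits.append("flush inside loop: repeated eviction (rowhammer style)")
                    break
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for func, hits in scan(parse_objdump(SAMPLE)).items():
        print(func, "->", "; ".join(hits))
```

These signatures are deliberately coarse: benchmark harnesses legitimately pair rdtsc with clflush, so a production scanner adds context such as whether the timed load's address is data-dependent and whether the loop also touches a second row. The point the abstract makes is the extensibility: a new vector is a new entry in the instruction sets or a new structural check in `scan`, not a new tool.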
Cesar Pereida García, Billy Bob Brumley
ePrint Report
Side-channel attacks are a serious threat to security-critical software. To mitigate remote timing and cache-timing attacks, many ubiquitous cryptography software libraries feature constant-time implementations of cryptographic primitives. In this work, we disclose a vulnerability in OpenSSL 1.0.1u that recovers ECDSA private keys for the standardized elliptic curve P-256 despite the library featuring both constant-time curve operations and modular inversion with microarchitecture attack mitigations. Exploiting this defect, we target the errant modular inversion code path with a cache-timing and improved performance degradation attack, recovering the inversion state sequence. We propose a new approach of extracting a variable number of nonce bits from these sequences, and improve upon the best theoretical result to recover private keys in a lattice attack with as few as 50 signatures and corresponding traces. As far as we are aware, this is the first timing attack against OpenSSL ECDSA that does not target scalar multiplication, and furthermore the first side-channel attack on cryptosystems leveraging P-256 constant-time scalar multiplication.
Carlos Aguilar, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Gilles Zémor
ePrint Report
We propose a framework for constructing efficient code-based encryption schemes from codes that do not hide any structure in their public matrix. The framework is in the spirit of the schemes first proposed by Alekhnovich in 2003 and based on the difficulty of decoding random linear codes from random errors of low weight. We depart somewhat from Alekhnovich's approach and propose an encryption scheme based on the difficulty of decoding random quasi-cyclic codes. We propose two new cryptosystems instantiated within our framework: the Hamming Quasi-Cyclic cryptosystem (HQC), based on the Hamming metric, and the Rank Quasi-Cyclic cryptosystem (RQC), based on the rank metric. We give a security proof, which reduces the IND-CPA security of our systems to a decisional version of the well-known problem of decoding random families of quasi-cyclic codes for the Hamming and rank metrics (the respective QCSD and RQCSD problems). We also provide an analysis of the decryption failure probability of our scheme in the Hamming metric case; for the rank metric there is no decryption failure. Our schemes benefit from a very fast decryption algorithm together with small key sizes of only a few thousand bits. The cryptosystems are very efficient for low encryption rates and are very well suited to key exchange and authentication. Asymptotically, for $\lambda$ the security parameter, the public key sizes are respectively in $\mathcal{O}({\lambda}^2)$ for HQC and in $\mathcal{O}(\lambda^{\frac{4}{3}})$ for RQC. Practical parameters compare well to systems based on ring-LPN or the recent MDPC system.
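An added toy implementation, not the paper's code, of the Hamming-metric framework in Python. Elements of $\mathbb{F}_2[x]/(x^n-1)$ are $n$-bit integers, the public ring element $h$ is uniformly random (no hidden structure), keys and errors are low-weight, and the public decodable code is a $k$-bit message repeated $rep$ times with majority decoding (an assumption for illustration; HQC uses a stronger code, and the parameter values here are toys, not the paper's). The decryptor computes $v - u\cdot y = mG + (x r_2 + r_1 y + e)$ and decodes through the noise, so a decryption failure happens exactly when the noise defeats the code; `failure_rate` estimates that probability empirically.

```python
import random


class ToyHQC:
    """Toy Hamming quasi-cyclic scheme in the spirit of HQC (illustrative, not the paper's)."""

    def __init__(self, k=4, rep=63, w=3, w_r=3, w_e=4, seed=None):
        self.k, self.rep, self.n = k, rep, k * rep
        self.w, self.w_r, self.w_e = w, w_r, w_e  # weights of (x,y), (r1,r2) and e
        self.mask = (1 << self.n) - 1
        self.rng = random.Random(seed)  # seeded PRNG for reproducibility, not for real keys

    def mul(self, a, b):
        # Carry-less product in F_2[x], then fold x^n -> 1; one fold suffices (deg < 2n-1).
        p = 0
        while b:
            if b & 1:
                p ^= a
            a <<= 1
            b >>= 1
        return (p & self.mask) ^ (p >> self.n)

    def rand_weight(self, w):
        v = 0
        for i in self.rng.sample(range(self.n), w):
            v |= 1 << i
        return v

    def encode(self, m):
        # mG for the repetition code: each message bit becomes a block of rep equal bits.
        block = (1 << self.rep) - 1
        return sum(block << (i * self.rep) for i in range(self.k) if (m >> i) & 1)

    def decode(self, c):
        m = 0
        for i in range(self.k):
            block = (c >> (i * self.rep)) & ((1 << self.rep) - 1)
            if 2 * bin(block).count("1") > self.rep:  # majority vote per block
                m |= 1 << i
        return m

    def keygen(self):
        h = self.rng.getrandbits(self.n)  # random, structure-free public element
        x, y = self.rand_weight(self.w), self.rand_weight(self.w)
        s = x ^ self.mul(h, y)  # s = x + h*y
        return (h, s), (x, y)

    def encrypt(self, pk, m):
        h, s = pk
        r1, r2 = self.rand_weight(self.w_r), self.rand_weight(self.w_r)
        e = self.rand_weight(self.w_e)
        u = r1 ^ self.mul(h, r2)  # u = r1 + h*r2
        v = self.encode(m) ^ self.mul(s, r2) ^ e  # v = mG + s*r2 + e
        return u, v

    def decrypt(self, sk, ct):
        x, y = sk
        u, v = ct
        # v - u*y = mG + x*r2 + r1*y + e: the code must absorb this low-weight noise.
        return self.decode(v ^ self.mul(u, y))

    def noise_weight_bound(self):
        # wt(x*r2) <= w*w_r, wt(r1*y) <= w_r*w, wt(e) = w_e
        return 2 * self.w * self.w_r + self.w_e


def failure_rate(trials=200, seed=0, **params):
    """Empirical decryption-failure probability for one key and `trials` random messages."""
    hqc = ToyHQC(seed=seed, **params)
    pk, sk = hqc.keygen()
    failures = 0
    for _ in range(trials):
        m = hqc.rng.getrandbits(hqc.k)
        if hqc.decrypt(sk, hqc.encrypt(pk, m)) != m:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    # rep=63: noise weight <= 22 can never flip a 63-bit majority, so no failures.
    print("rep=63:", failure_rate(rep=63))
    # rep=15: a 15-bit block flips once 8 noise bits land in it, so failures appear.
    print("rep=15:", failure_rate(rep=15))
```

With `rep=63` the noise bound $2 w w_r + w_e = 22$ is below the 32 bit flips a block needs, so decryption is guaranteed; shrinking the code (or raising the weights for security) is what trades key size against the failure probability the paper analyses.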
Peter T. Breuer, Jonathan P. Bowen
ePrint Report
It suffices to change the arithmetic embedded in a processor in order to cause data to remain in encrypted form throughout. The theory has been embodied in a prototype design for a superscalar pipelined general purpose processor that `works encrypted', a new approach to encrypted computation.

The prototype runs encrypted machine code on encrypted data in registers and memory and on buses. The aim is to protect user data against the operator, and so-called `Iago' attacks in general, for those computing paradigms that entail trust in data-oriented computation in remote locations, overseen by untrusted operators, or embedded unattended.

The architecture is 32-bit OpenRISC, admitting any block cipher compatible with the physical word size chosen for implementation. We are reporting performance from cycle-accurate behavioural simulations of the design running AES-128 (symmetric, keyed; the US Advanced Encryption Standard) and Paillier-72 (asymmetric, additively homomorphic, no key in-processor) encryptions in a 128-bit word, and RC2-64 encryption (symmetric, keyed) in a 64-bit word.
Antonio Faonio, Jesper Buus Nielsen
ePrint Report
Non-Malleable Codes for the split-state model allow one to encode a message into two parts such that arbitrary independent tampering on the parts either completely destroys the content or leaves the message untouched. If the code is also leakage resilient, it allows limited independent leakage from the two parts. We propose a model where the two parts can be refreshed independently. We give an abstract framework for building codes for this model, instantiate the construction under the external Diffie-Hellman assumption and give applications of such split-state refreshing. An advantage of our new model is that it allows arbitrarily many tamper attacks and arbitrarily large leakage over the lifetime of the system as long as each part of the code is occasionally refreshed. Our model also tolerates the refreshing occasionally being leaky or tampered with.
P.T. Breuer, J.P. Bowen
ePrint Report
Security with respect to the operator as an adversary is considered for processors supporting unbounded general purpose homomorphic encrypted computation. An efficient machine code architecture is defined for those platforms and it is proved that user programs expressed in it are cryptographically obfuscated, guaranteeing privacy though they, their traces and (encrypted) data are visible to the operator.

It is proved that encrypted user data cannot be deciphered by the operator, nor may programs be altered to give an intended result. A compiler is defined and it is proved that any recompilation produces uniformly distributed random variations in runtime data, supporting cryptographic obfuscation.