International Association
for Cryptologic Research

Event date: 17 September to 19 September 2017

Event date: 23 April to 24 April 2018
Submission deadline: 15 December 2017
Notification: 12 February 2018

Event date: 9 July to 16 July 2017
Submission deadline: 25 May 2017
Notification: 5 June 2017

Event date: 21 August 2017
Submission deadline: 21 May 2017
Notification: 7 July 2017

This work studies the success probability of linear cryptanalysis. Complete expressions for the success probability are obtained using two different approaches, namely the order statistics and the hypothesis testing based approaches. We argue that the hypothesis testing based approach is theoretically more sound and does not require a number of assumptions and approximations which are inherent in the order statistics based approach. For analysing success probability, a unifying framework of general key randomisation hypotheses is introduced. The previously used standard key randomisation hypotheses and the adjusted wrong key randomisation hypothesis can be seen to special cases of the general framework. Derivations of expressions for the success probability are carried out under both the settings of the plaintexts being sampled with and without replacements. Finally, the complete picture of the dependence of the success probability on the data complexity is derived and it is argued that in most practical scenarios, the data complexity will be a monotone increasing function of the data complexity. We believe that compared to the extant literature, our work provides a deeper and more thorough understanding of the success probability of linear cryptanalysis.

We revisit the problem of whether the witness hiding property of classic 3-round public-coin proof systems for languages/distributions with unique witnesses are still witness hiding. Though strong black-box impossibility results are known for them, we provide some less unexpected positive results on the witness hiding security of classic protocols:

1. We develop an embedding technique and prove that the witness hiding property of the standalone Schnorr protocol based on a weaker version of one-more like discrete logarithm (DL) assumption asserting that, for an arbitrary constant $\ell$, it is infeasible for a PPT algorithm to solve $l$ DL instances with being restricted to query the DL oracle only once. Similar result holds for the Guillou-Quisquater protocol.

This improves over the positive result of Bellare and Palacio in that when applying their technique to the standalone setting, the underlying assumption is stronger and required to hold only for $\ell=2$.

2. Following the framework of Harnik and Naor, we introduce the notion of tailored instance compression to capture the essence of the known one-more like assumptions, which provides new insight into the hardness of one-more DL/RSA problems and allows us to reveal some strong consequences of breaking our weaker version of one-more like assumption,including zero knowledge protocols for the AND-DL and AND-RSA languages with extremely efficient communication and non-trivial hash combiner for hash functions based on DL problem.

These consequences can be viewed as positive evidences for the security of Schnorr and Guillou-Quisquater protocols.

3. We observe that the previously known impossibility results on the witness hiding of public-coin protocols for unique witness relation make certain restriction on the reduction. By introducing an input-distribution-switching technique, we bypass these known impossibility results and prove that, for any hard language $L$, if a distribution $(\mathbb{X}, \mathbb{W})$ over unique witness relation $R_{L}$ has an indistinguishable counterpart distribution over some multiple witnesses relation, then any witness indistinguishable protocols (including ZAPs and all known 3-round public-coin protocols, such as Blum protocol and GMW protocol) are indeed witness hiding for the distribution $(\mathbb{X}, \mathbb{W})$.

We also show a wide range of cryptographic problems with unique witnesses satisfy the ``if condition'' of this result, and thus admit constant-round public-coin witness hiding proof system.

This is the first positive result on the witness-hiding property of the classic protocols for non-trivial unique witness relations.

We are looking for a top early career academic to join our diverse and internationally renowned Department of Computer Science as a Lecturer in Digital Security. The position is part of an appealing environment of existing competencies within digital security which include undergraduate courses and a postgraduate programme and an internationally respected group of academics undertaking pure and applied research in this domain.

The successful appointee will have a PhD, demonstrated excellence in research, and a commitment to high quality research-informed teaching. The ideal candidate would have a research program that complements and builds on existing areas of strength within the department (http://www.cs.auckland.ac.nz).

The scope of the search is digital security, broadly defined. We will be particularly interested in candidates who have developed techniques for digital forensics, security testing, or software obfuscation; or who have demonstrated expertise in security or privacy for mobile devices, cyber-physical systems (esp. Internet of Things), machine-to-machine systems, and big data systems.

The appointee will be expected to teach at undergraduate and postgraduate levels in their specialist area, at introductory levels more widely, and to engage in research and publication both personally and through the supervision of research students. The appointee would also be expected to seek research funding, to engage with the profession, and to contribute to departmental service.

This is a full time, permanent position based on the University of Auckland\'s city campus.

Apply

Please apply online at www.opportunities.auckland.ac.nz job code: 18586.

Applications close Thursday 25 May 2017.

Closing date for applications: 25 May 2017

Contact: Robert Amor

More information: https://www.opportunities.auckland.ac.nz/psp/ps/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_JOB_DTL&Action=A&JobOpen

About Us

At Cloudflare, we have our eyes set on an ambitious goal: to help build a better Internet. Today, Cloudflare runs one of the world’s largest distributed networks that powers more than 1.5 trillion pageviews each month across 5 million Internet properties. More than 10 percent of all global Internet requests flow through Cloudflare’s network. Cloudflare protects and accelerates any Internet application online without adding hardware, installing software, or changing a line of code.

About the Department

We are looking for a seasoned cryptography engineer for a development role in the Technology group. This role focuses on the implementation of cutting-edge cryptographic protocols for use at web scale in CloudFlare’s systems.

Candidates will have extensive experience in implementing real-world cryptographic protocols such as TLS. Substantial contributions to cryptographic software such as OpenSSL are preferred. Experience in Go, C, and assembly are required. Cryptography Engineers are expected to be familiar with the nuances of implementing public-key cryptography (PKI), side-channel attacks, padding oracles, constant-time implementations, and have deep domain knowledge.

Requirements

B.S. or M.S. Computer Science or related field, or equivalent experience

Experience building security in a fast-paced, web-scale environment

Advance knowledge of networking protocols - TCP/IP, DNS, SMTP, BGP etc.

In-depth knowledge of authentication protocols, applied cryptography, PKI and SSL/TLS

Proficiency in these languages - Go, C, and x86/amd64 assembly

Knowledge of the latest attack trends, tools and the threat landscape

Proven track record of independently driving security projects in a fast-paced environment

Excellent communication skills on both technical and non-technical issues

Bonus Points

Substantial contributions to cryptography software such as OpenSSL

Experience with high throughput/low latency real-time systems and/or content delivery networks

Closing date for applications: 1 October 2017

Contact: Ed Burns

ed (at) cloudflare.com

More information: https://boards.greenhouse.io/cloudflare/jobs/634967#.WQuUsVPyumk

We are looking for a top early career academic to join our diverse and internationally renowned Department of Computer Science as a Lecturer in Digital Security. The position is part of an appealing environment of existing competencies within digital security which include undergraduate courses and a postgraduate programme and an internationally respected group of academics undertaking pure and applied research in this domain.

The successful appointee will have a PhD, demonstrated excellence in research, and a commitment to high quality research-informed teaching. The ideal candidate would have a research program that complements and builds on existing areas of strength within the department (http://www.cs.auckland.ac.nz).

The scope of the search is digital security, broadly defined. We will be particularly interested in candidates who have developed techniques for digital forensics, security testing, or software obfuscation; or who have demonstrated expertise in security or privacy for mobile devices, cyber-physical systems (esp. Internet of Things), machine-to-machine systems, and big data systems.

Closing date for applications: 25 May 2017

Contact: Professor Robert Amor, Head of Department, trebor (at) cs.auckland.ac.nz

More information: https://www.opportunities.auckland.ac.nz

The Institute of Information Security at University of Stuttgart offers several

Ph.D. and Postdoc Positions

in the fields

- System and Web Security,

- Services and Cloud Computing Security,

- Cryptography, e.g., in the context of electronic voting, and

- Formal Methods in Security.

The positions are available immediately and paid according to the German public salary scale TVL-E13 or TVL-E14, depending on the candidate’s qualification. Appointment periods follow the German Wissenschaftszeitvertragsgesetz (WissZeitVg).

The Institute for Information Security offers a creative international environment for top-level international and creative research in Germany’s high-tech region.

The successful candidate should have a Master’s degree or a Ph.D. (or should be very close to completion thereof) in Computer Science, Mathematics, Information Security, or a related field. We value strong analytical skills. Knowledge in one of the mentioned fields is an asset. Since some teaching is done in German, knowledge of German is required for positions that involve teaching.

The deadline for applications is

May 28th, 2017.

However, late applications will be considered until the positions are filled.

Closing date for applications: 28 May 2017

Contact: Prof. Ralf Küsters

ralf.kuesters (at) sec.uni-stuttgart.de

https://sec.informatik.uni-stuttgart.de

More information: https://sec.informatik.uni-stuttgart.de/jobopenings

Blacklistable anonymous credential systems provide service providers with a way to authenticate users according to their historical behaviors, while guaranteeing that all users can access services in an anonymous and unlinkable manner, thus are potentially useful in practice. Traditionally, to protect services from illegal access, the credential issuer, which completes the registration with users, must be trusted by the service provider. However, in practice, this trust assumption is usually unsatisfied. Besides, to better evaluate users, it is desired to use blacklists, which record historical behaviors of users, of other service providers, but currently, this will threaten the security unless a strong trust assumption is made. Another potential security issue in current blacklistable anonymous credential systems is the blacklist gaming attack, where the service provider attempt to compromise the privacy of users via generating blacklist maliciously.

In this paper, we solve these problems and present the decentralized blacklistable anonymous credential system with reputation, which inherits nearly all features of the BLACR system presented in Au et.al. (NDSS'12). However, in our new system, no trusted party is needed to register users. Moreover, blacklists from other service providers can be used safely in the new system assuming a minimal trust assumption holds. Besides, the new system is also partially resilient to the blacklist gaming attack. Technically, the main approach to solving these problems is a novel use of the blockchain technique, which serve as a public append-only ledger and are used to store credentials and blacklists. To simplify the construction, we also present a generic framework for constructing our new system. The general framework can be instantiated from three different types of cryptographic systems, including the RSA system, the classical DL system, and the pairing based system, and all these three types of instantiations can be supported simultaneously in the framework. To demonstrate the practicability of our system, we also give a proof of concept implementation for the instantiation under the RSA system. The experiment results indicate that when authenticating with blacklists of reasonable size, our implementation can fulfill practical efficiency demands, and when authenticating with empty blacklists, it is more efficient than that of Garman et al. (NDSS'14), which presents a decentralized anonymous credential system without considering revocation.

NewHope and NewHope-Simple are two recently proposed post-quantum key exchange protocols based on the hardness of the Ring-LWE problem. Due to their high security margins and performance, there have been already discussions and proposals for integrating them into Internet standards, like TLS, and anonymity network protocols, like Tor. In this work, we present time-constant and vector-optimized implementations of NewHope and NewHope-Simple for ARMv8-A 64-bit processors which target high-speed applications. This architecture is implemented in a growing number of smart phone and tablet processors, and features powerful 128-bit SIMD operations provided by the NEON engine. In particular, we propose the use of three alternative modular reduction methods, which allow to better exploit NEON parallelism by avoiding larger data types during the Number Theoretic Transform (NTT) and remove the need to transform input coefficients into Montgomery domain during pointwise multiplications. The NEON vectorized NTT uses a 16-bit unsigned integer representation and executes in only 18, 909 clock cycles on an ARM Cortex-A53 core. Our implementation improves previous assembly-optimized results on ARM NEON platforms by a factor of 3.4 and outperforms the C reference implementation on the same platform by a factor of 8.3. The total time spent on the key exchange was reduced by more than a factor of 3.5 for both protocols.

Fully homomorphic encryption allows cloud servers to evaluate any computable functions for clients without revealing any information. It attracts much attention from both of the scientific community and the industry since Gentry’s seminal scheme. Currently, the Brakerski- Gentry-Vaikuntanathan scheme with its optimizations is one of the most potentially practical schemes and has been implemented in a homomorphic encryption C++ library HElib. HElib supplies friendly interfaces for arithmetic operations of polynomials over finite fields. Based on HElib, Chen and Gong (2015) implemented arithmetic over encrypted integers. In this paper, we revisit the HElib-based implementation of homomorphically arithmetic operations on encrypted integers. Due to several optimizations and more suitable arithmetic circuits for homomorphic encryption evaluation, our implementation is able to homomorphically evaluate 64-bit addition/subtraction and 16-bit multiplication for encrypted integers without bootstrapping. Experiments show that our implementation outperforms Chen and Gong’s significantly.

We construct a 4-round multi-party computation protocol for any functionality, which is secure against a malicious adversary. Our protocol relies on the sub-exponential hardness of the Learning with Errors (LWE) problem with polynomial noise ratio, and on the existence of adaptively secure commitments. Our round complexity matches a lower bound of Garg et al. (EUROCRYPT '16), and outperforms the state of the art of 6-rounds based on similar assumptions to ours, and 5-rounds relying on indistinguishability obfuscation.

Our construction takes after the multi-key FHE approach of Mukherjee-Wichs (EUROCRYPT '16) who constructed a 2-round semi-malicious protocol from LWE in the common random string (CRS) model. We show how to use a preliminary round of communication to replace the CRS, thus achieving 3-round semi-malicious security without setup. Adaptive commitments and zero-knowledge proofs are then used to compile the protocol into the fully malicious setting.

Yao's garbled circuit construction is a central cryptographic tool with numerous applications. In this tutorial, we study garbled circuits from a foundational point of view under the framework of randomized encoding (RE) of Functions. We review old and new constructions of REs, present some lower-bounds, and describe some applications. We will also discuss new directions and open problems in the foundations of REs.

This is a survey that appeared in a book of surveys in honor of Oded Goldreich's 60th birthday.

Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers (like $E_0$, A5/1, Trivium, Grain) to $\frac{1}{2}n$, where $n$ denotes the inner state length of the underlying keystream generator. This implies that to withstand TMD tradeoff attacks, the state size should be at least double the key size. In 2015, Armknecht and Mikhalev introduced a new line of research, which pursues the goal of reducing the inner state size of lightweight stream ciphers below this boundary by deploying a key-dependent state update function in a Grain-like stream cipher. Although their design Sprout was broken soon after publication, it has raised interest in the design principle, and a number of related ciphers have been suggested since, including Plantlet, a follow-up of Sprout, and the cipher Fruit.

In this paper, existing TMD tradeoff attacks are revisited, and new insights on distinguishers and key recovery related to small-state stream ciphers are derived. A particular result is the transfer of a generic distinguishing attack suggested in 2007 by Englund, Hell, and Johansson to this new class of lightweight ciphers. Our analysis shows that the initial hope of achieving full security against TMD tradeoff attacks by continuously using the secret key has failed. In particular, we demonstrate that there are generic distinguishing attacks against Plantlet and Fruit with complexity significantly smaller than that of exhaustive key search. However, by studying the assumptions underlying the applicability of these attacks, we are able to come up with a new design idea for small-state stream ciphers which might allow to finally achieve full security against TMD tradeoff attacks.

Another contribution of this paper is the first key recovery attack against the most recent version of Fruit. We show that there are at least $2^{64}$ weak keys, each of which does not provide 80-bit security as promised by designers. This new attack against Fruit, together with previous attacks against Sprout, raises the question whether a more complicated key schedule than the basic one used in Plantlet is actually beneficial for the security of such ciphers.

We call a simple abelian variety over $\mathbb{F}_p$ super-isolated if its ($\mathbb{F}_p$-rational) isogeny class contains no other varieties. The motivation for considering these varieties comes from concerns about isogeny based attacks on the discrete log problem. We heuristically estimate that the number of super-isolated elliptic curves over $\mathbb{F}_p$ with prime order and $p \leq N$, is roughly $\tilde{\Theta}(\sqrt{N})$. In contrast, we prove that there are only 2 super-isolated surfaces of cryptographic size and near-prime order.

A Degenerate Grouping Power Attack (DGPA) is a type of Partitioning Power Analysis (PPA) used to extract secret keys from the power sidechannel signal of an encryption algorithm running on a device along with some known and varying information such as the associated plaintext or ciphertext associated with each encryption. The DGPA is applied to SIMON and SPECK implementations on MSP430, PIC16F, and Spartan 6 platforms in this work. While keys are successfully recovered from unprotected implementations, guidance is given on a minimum number of rounds, $d$, to perform per clock cycle in FPGAs and ASICs as to mitigate against such attacks for a deployment dependent maximum quantity of data which is to be encrypted with a given key. On the Spartan 6, full key recovery of SIMON 64/128 $d\leq4$ and SPECK 64/128 $d\leq3$ is trivially achieved in seconds with no more than one million random plaintexts, requiring the use of larger $d$ for most implementations. The amount of work to recover a key as a function of the amount of collected data encrypted with that key is explored. To ensure security when performing most modes of block cipher operation with an algorithm having block size $2n$, a particular key should be used to perform no more than $2^n$ encryptions. A feasible key recovery requiring less than 80-bits of work and data from less than $2^{32}$ encryptions is excluded for SIMON 64/128 implementations having $d\geq 9$ and for SPECK 64/128 implementations having $d\geq5$. The DGPA attack method is demonstrated to succeed against a limited data set consisting of one power sample per device clock cycle against a specifically targeted instruction. This provides a basis for a low power field deployed power side channel signal capture hardware for embedded key recovery and exfiltration.

Event date: 12 June to 13 June 2017

Event date: 8 May to 12 May 2017