International Association for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage.

14 June 2017

Elette Boyle, Yuval Ishai, Rafael Pass, Mary Wootters
ePrint Report
We consider the following strong variant of private information retrieval (PIR). There is a large database x that we want to make publicly available. To this end, we post an encoding X of x together with a short public key pk in a publicly accessible repository. The goal is to allow any client who comes along to retrieve a chosen bit x_i by reading a small number of bits from X, whose positions may be randomly chosen based on i and pk, such that even an adversary who can fully observe the access to X does not learn information about i.

Towards solving the above problem, we study a weaker secret-key variant where the data is encoded and accessed by the same party. This primitive, which we call an oblivious locally decodable code (OLDC), is independently motivated by applications such as searchable symmetric encryption. We reduce the public-key variant of PIR to OLDC using an ideal form of obfuscation that can be instantiated heuristically with existing indistinguishability obfuscation candidates, or alternatively implemented with small and stateless tamper-proof hardware.

Finally, a central contribution of our work is the first proposal of an OLDC candidate. Our candidate is based on a secretly permuted Reed-Muller code. We analyze the security of this candidate against several natural attacks and leave its further study to future work.
Matteo Campanelli, Rosario Gennaro, Steven Goldfeder, Luca Nizzardo
ePrint Report
Zero Knowledge Contingent Payment (ZKCP) protocols allow fair exchange of sold goods and payments over the Bitcoin network. In this paper we point out two main shortcomings of current proposals for ZKCP.

First we show an attack that allows a buyer to learn partial information about the digital good being sold, without paying for it. This break in the zero-knowledge condition of ZKCP is due to the fact that in the protocols we attack, the buyer is allowed to choose common parameters that normally should be selected by a trusted third party.

We present ways to fix this attack that do not require a trusted third party.

Second, we show that ZKCP are not suited for the purchase of digital services rather than goods. Current constructions of ZKCP do not allow a seller to receive payments after proving that a certain service has been rendered, but only for the sale of a specific digital good. We define the notion of Zero-Knowledge Contingent Service Payment (ZKCSP) protocols and construct two new protocols, for either public or private verification.

We implemented and tested the attack on ZKCP, and our two new ZKCSP protocols, showing their feasibility for very realistic examples. We present code that learns, without paying, the value of a Sudoku cell in the "Pay-to-Sudoku" ZKCP implementation [17]. We also implement ZKCSP protocols for the case of Proof of Retrievability, where a client pays the server for providing a proof that the client's data is correctly stored by the server. A side product of our implementation effort is a new optimized circuit for SHA256 with less than a quarter of the number of AND gates of the best previously publicly available one. Our new SHA256 circuit may be of independent use for circuit-based MPC and FHE protocols that require SHA256 circuits.
Pramod Subramanyan, Rohit Sinha, Ilia Lebedev, Srinivas Devadas, Sanjit Seshia
ePrint Report
Recent proposals for trusted hardware platforms, such as Intel SGX and the MIT Sanctum processor, offer compelling security features but lack formal guarantees. We introduce a verification methodology based on a trusted abstract platform (TAP) that formally models idealized enclaves and a parameterized adversary. We present machine-checked proofs showing that the TAP satisfies the three key security properties needed for secure remote execution: integrity, confidentiality and secure measurement. We then present machine-checked proofs showing that SGX and Sanctum are refinements of the TAP under certain parameterizations of the adversary, demonstrating that these systems implement secure enclaves for the stated adversary models.
Manaar Alam, Sarani Bhattacharya, Debdeep Mukhopadhyay, Sourangshu Bhattacharya
ePrint Report
Micro-architectural side-channel attacks are presently daunting threats to most mathematically elegant encryption algorithms. Even though various defense mechanisms exist, most of them come with extra implementation overhead. Recent studies have prevented some particular categories of these attacks but fail to address the detection of other classes. This paper presents a generic machine-learning-based multi-layer detection approach targeting these micro-architectural side-channel attacks, without concentrating on a single category. The proposed approach works by profiling low-level hardware events using the Linux perf event API and then analyzing these data with appropriate machine learning techniques. This paper also presents a novel approach, using time-series data, to correlate the execution trace of the adversary with the secret key of the encryption, in order to deal with false positives and unknown attacks. The experimental results and performance of the proposed approach suggest its superiority, with high detection accuracy and low performance overhead.
Jacob Alperin-Sheriff, Daniel Apon
ePrint Report
The Boyen-Li signature scheme [Asiacrypt'16] is a major theoretical breakthrough. Via a clever homomorphic evaluation of a pseudorandom function over their verification key, they achieve a reduction loss in security linear in the underlying security parameter and entirely independent of the number of message queries made, while still maintaining short signatures (consisting of a single short lattice vector). All previous schemes with such an independent reduction loss in security required a linear number of such lattice vectors, and even in the classical world, the only schemes achieving short signatures relied on non-standard assumptions.

We improve on their result, providing a verification key smaller by a linear factor, a significantly tighter reduction with only a constant loss, and signing and verification algorithms that could plausibly run in about 1 second. Our main idea is to change the scheme in a manner that allows us to replace the pseudorandom function evaluation with an evaluation of a much more efficient weak pseudorandom function.

As a matter of independent interest, we give an improved method of randomized inversion of the G gadget matrix [MP12], which reduces the noise growth rate in homomorphic evaluations performed in a large number of lattice-based cryptographic schemes, without incurring the high cost of sampling discrete Gaussians.
Björn Haase, Benoît Labrique
ePrint Report
Connectivity is becoming increasingly important also for small embedded systems such as those typically found in industrial control installations. More and more use cases require secure remote user access, increasingly incorporating handheld-based human machine interfaces using wireless links such as Bluetooth. Correspondingly, secure operator authentication becomes of utmost importance. Unfortunately, passwords, with all their well-known pitfalls, often remain the only practical mechanism. We present an assessment of the security requirements for the industrial setting, illustrating that offline attacks on password-based authentication protocols should be considered a significant threat. Correspondingly, the use of a Password Authenticated Key Exchange protocol becomes desirable. We review the significant challenges faced by implementations on resource-constrained devices. We explore the design space and show how we succeeded in tailoring a particular variant of the Password Authenticated Connection Establishment (PACE) protocol, such that acceptable user interface responsiveness was reached even for the constrained setting of an ARM Cortex-M0+ based Bluetooth low-energy transceiver running from a power budget of 1.5 mW without notable energy buffers for covering power peak transients.
Yashvanth Kondi, Arpita Patra
ePrint Report
Garbled circuits are of central importance in cryptography, finding widespread application in secure computation, zero-knowledge (ZK) protocols, and verifiable outsourcing of computation to name a few. We are interested in a particular kind of garbling scheme, termed privacy-free in the literature. We show that Boolean formulas can be garbled information-theoretically in the privacy-free setting, producing no ciphertexts at all. Existing garbling schemes either rely on cryptographic assumptions (and thus require cryptographic operations to construct and evaluate garbled circuits), produce garbled circuits of non-zero size, or are restricted to low depth formulaic circuits. Our result has both theoretical and practical implications for garbled circuits as a primitive. On the theory front, our result breaks the known theoretical lower bound of one ciphertext for garbling an AND gate in this setting. As an interesting implication of producing size zero garbled circuits, our scheme scores adaptive security for free. On the practical side, our garbling scheme involves only cheap XOR operations and produces size zero garbled circuits. As a side result, we propose several interesting extensions of our scheme. Namely, we show how to garble threshold and high fan-in gates. An aspect of our garbling scheme that we believe is of theoretical interest is that it does not maintain the invariant that the garbled circuit evaluator must not at any point be in possession of both keys of any wire in the garbled circuit.

Our scheme directly finds application in ZK protocols where the verification function of the language is representable by a formulaic circuit. Such examples include Boolean formula satisfiability. The ZK protocols obtained by plugging in our scheme in the known paradigm of building ZK protocols from garbled circuits offer better proof size, while relying on standard assumptions. Furthermore, the adaptivity of our garbling scheme allows us to cast our ZK protocols in the offline-online setting and offload circuit dependent communication and computation to the offline phase. As a result, the online phase enjoys communication and computation (in terms of number of symmetric key operations) complexity that are linearly proportional to the witness size alone.
NYUAD-Center for Cyber Security
Job Posting
Goals and Responsibilities

The goal of this research project is to provide a wider analysis of the existing cryptologic designs and their constructions in order to provide the possibility of new approaches to the designs and analysis of cryptographic components. The conducted research will be in the context of symmetric cryptology and secure hardware implementations. A particular focus will be on the design and analysis of symmetric-key primitives and components.

Required Qualifications

Candidates should have a Ph.D. degree or equivalent experience. Candidates should have a background in symmetric cryptology, hardware cryptology, hardware security or related areas. The following is a list of essential skills for the considered post: circuit analysis and design, cryptographic hardware design (reconfigurable hardware, random number generation, lightweight cryptographic design, ALTERA hardware, FPGAs and Verilog/VHDL programming), and cryptographic design and cryptanalysis.

Terms of employment

The period of employment is one to two years from the initiation of the contract. This is extendable by an additional year based on performance. The potential start date is August 2017. The location of the post is the Center for Cyber Security at NYU Abu Dhabi.

Application Process

Submissions will be accepted through our online application no later than July 15, 2017. Please visit our website at https://apply.interfolio.com/37893 for instructions and information on how to apply. Please fill in the online application form, and attach all your materials in English. This includes a cover letter, research statement, curriculum vitae, diploma (an official translation into English), a list of publications and three letters of reference. Applicants will be prompted to enter the names and email addresses of three referees. Each referee will be contacted to upload his or her reference letter. Applications and enclosures received beyond the stated deadline will not be considered.

Closing date for applications: 15 August 2017

Contact: Hoda A. Alkhezaimi

More information: https://apply.interfolio.com/37893


13 June 2017

Varanasi, India, 9 January - 11 January 2018
Event Calendar
Event date: 9 January to 11 January 2018
Submission deadline: 15 August 2017
Notification: 30 October 2017
Oslo, Norway, 14 September - 15 September 2017
Event Calendar
Event date: 14 September to 15 September 2017
Submission deadline: 25 June 2017
NXP Semiconductors
Job Posting
Do you have a PhD/Master's in Cryptography, Security, Software Engineering, Electronics, or Mathematics? We are currently looking for both a software and a hardware security architect to extend our growing crypto and security teams in our offices in Leuven (Belgium), Eindhoven (Netherlands), Hamburg (Germany) or Gratkorn (Austria).

The Software Security Engineer is responsible for:

• Design of embedded software security architectures

• Risk and threats analysis of security systems

• Support the various HW and SW development teams of NXP with security reference designs

• End-to-end security architecture

• Root cause analysis of security defects and creation of countermeasures

• Specification and design of innovative security concepts (whitebox cryptography, secure virtual machines, code obfuscators)

The Hardware Security Engineer is responsible for:

• Detailed implementation reviews

• Definition of security mechanisms in hardware, firmware, protocols, etc.

• Security requirements management by definition and linking of security mechanisms to functional requirements

• Detailed attack modeling and security mechanism specification for hardware and software blocks

• Root cause analysis of security defects

• Planning, coordination and execution of pre-silicon vulnerability analysis

For more information, see:

https://nxp.wd3.myworkdayjobs.com/en-US/careers/job/Hamburg/Hardware-Security-Architect--m-f-_R-10002704

https://nxp.wd3.myworkdayjobs.com/en-US/careers/job/Hamburg/Software-Security-Architect--m-f-_R-10002703

About us

NXP Semiconductors enables secure connections and infrastructure for a smarter world, advancing solutions that make lives easier, better and safer. As the world leader in secure connectivity solutions for embedded applications, we are driving innovation in the secure connected vehicle, end-to-end security & privacy and smart connected solutions markets.

Closing date for applications: 31 December 2017

Contact: Joppe Bos, Cryptographer, joppe.bos (at) nxp.com


08 June 2017

Crete, Greece, 28 September - 29 September 2017
Event Calendar
Event date: 28 September to 29 September 2017
Submission deadline: 15 June 2017
Notification: 31 July 2017
RESCUE ETN Project
Job Posting
A new H2020 MSCA ITN project RESCUE has 15 Early-Stage Researcher / PhD Student positions open at eight partner institutions.

RESCUE is an innovative European training network that takes on the key interdependent challenges in nanoelectronic systems design: reliability, security and quality.

• Application deadline: June 30, 2017

• Recruitment starts in September/October 2017

• Full-time employment contracts at the selected RESCUE host institution for 36 months.

More details: http://rescue-etn.eu/

RESCUE Consortium

- Tallinn University of Technology, EE (Maksim Jenihhin)

- BTU Cottbus-Senftenberg, DE (H.T. Vierhaus)

- Delft University of Technology, NL (Said Hamdioui)

- Politecnico di Torino, IT (Matteo Sonza Reorda)

- Cadence Design Systems GmbH, DE (Anton Klotz)

- IROC Technologies, FR (Dan Alexandrescu)

- Intrinsic-ID B.V., NL (Georgios Selimis)

- IHP - Innovations for High Performance Microelectronics GmbH, DE (Milos Krstic)

- Robert Bosch GmbH, DE - Partner Organization (Herve Seudie)

Closing date for applications: 30 June 2017

More information: http://rescue-etn.eu/vacancies

University of Abertay Dundee, Scotland
Job Posting
Abertay University

Abertay was the first university in the world to offer degrees in Ethical Hacking, and the University continues to be recognised as an international leader in its field. The University has long-established professional links with the United Kingdom's thriving cybersecurity community. Abertay University is also home to the largest student-run cyber-security conference in the United Kingdom.

Project Description

The Internet of Things (IoT) is expected to become a transformative technology that offers end-users the capability of sensing, actuating and improved communications. This will lead to significant improvements for Vehicular technologies, Health, Manufacturing (Industry 3.0), Farming, Energy Management, etc.

Computational intelligence approaches, examples of which include evolutionary computation, immune-inspired approaches, and swarm intelligence, are employed to develop scalable machine learning Intrusion Detection Systems.

In this project we will build on and expand existing research activities on Intrusion Detection within the Security Research Group and the Machine Learning Group at Abertay University, aiming to identify security risks in IoT networks and to develop machine learning (Deep Learning, Generative Adversarial Networks) methods for their mitigation.

The ideal student would have an interest in wireless communications protocols, Linux configuration, and GPU programming (CUDA), as well as:

* A strong background in computing and mathematics (an understanding of machine learning is highly desirable).

* An ability to programme in a high-level computing language (such as Python, C or C++) and/or experience with Matlab (or similar).

* An interest in Security and Privacy applications and research (a background in Security is desirable, but not essential).

* Good numerical and verbal communication skills.

Applicants are encouraged to contact Dr Xavier Bellekens for advice on developing a proposal prior to submitting it.

Closing date for applications: 10 July 2017

Contact: Dr Xavier Bellekens (x.bellekens [AT] abertay.ac.uk )

More information: http://www.xavierbellekens.com/PhDApplication

Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers
ePrint Report
We discuss the design rationale and analysis of the SIMON and SPECK lightweight block ciphers.
Alexandra Boldyreva, Shan Chen, Pierre-Alain Dupont, David Pointcheval
ePrint Report
We propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client side. If a user happens to log in to a server from a terminal that has been fully compromised, then the user's other past and future sessions initiated from honest terminals stay secure. We define the security model for Human Authenticated Key Exchange (HAKE) protocols and first propose two generic protocols based on a human-compatible (HC) function family, password-authenticated key exchange (PAKE), commitment, and authenticated encryption. We prove our HAKE protocols secure under reasonable assumptions and discuss efficient instantiations. We thereafter propose a variant where the human gets help from a small device such as RSA SecurID. This permits implementing an HC function family with stronger security and thus allows weakening the required assumptions on the PAKE. This leads to a very efficient HAKE which is still secure in case of strong corruptions. We believe that our work will promote further developments in the area of human-oriented cryptography.
Mehmet Sabir Kiraz, Ziya Alper Genç, Erdinç Öztürk
ePrint Report
The evolution of crypto ransomware has increasingly influenced real-life systems and led to fatal threats to the data security of individuals and enterprises. Crypto ransomware basically encrypts the files of victims using either standard or their own customized crypto functions and requests a ransom from users to retrieve them again. In this paper, we propose a new detection and analysis approach, called ExpMonitor, which basically targets the ransomware's public key cryptographic algorithms carried out on the victim's computer. ExpMonitor is based on observing public key encryption running on the CPU. Monitoring integer multiplication instructions can detect large integer arithmetic operations, which constitute the backbone of public key encryption. While existing detection mechanisms can only target particular cryptographic functions, our technique complements the state of the art.
Foteini Baldimtsi, Aggelos Kiayias, Katerina Samari
ePrint Report
A watermarking scheme for a public-key cryptographic functionality enables the embedding of a mark in an instance of the secret-key algorithm such that the functionality of the original scheme is maintained, while it is infeasible for an adversary to remove the mark (unremovability) or to mark a fresh object without the marking key (unforgeability). Cohen et al. [STOC'16] have provided constructions for watermarking arbitrary cryptographic functionalities; the resulting schemes rely on indistinguishability obfuscation (iO) and leave two important open questions: (i) the realization of both unremovability and unforgeability, and (ii) schemes whose security reduces to simpler hardness assumptions than iO. In this paper we provide a new definitional framework that distinguishes between watermarking cryptographic functionalities and implementations (think of ElGamal encryption being an implementation of the encryption functionality), while at the same time providing a meaningful relaxation of the watermarking model that enables both unremovability and unforgeability under minimal hardness assumptions. In this way we can answer questions regarding the ability to watermark a given implementation of a cryptographic functionality, which is more refined than the question of whether a watermarked implementation of the functionality exists. Taking advantage of our new formulation, we present the first constructions for watermarking public key encryption that achieve both unremovability and unforgeability under minimal hardness assumptions. Our first construction enables the watermarking of any public-key encryption implementation assuming only the existence of one-way functions, for private key detection. Our second construction is at the functionality level and uses a stronger assumption (existence of identity-based encryption (IBE)) but supports public detection of the watermark.
Sankhanil Dey, Ranjan Ghosh
ePrint Report
Irreducible polynomials (IPs) have been of utmost importance in the generation of substitution boxes in modern cryptographic ciphers. In this paper an algorithm, entitled the Composite Algorithm, using both multiplication and division over Galois fields, is demonstrated to generate all monic IPs over the extended Galois field GF($p^q$) for large values of both p and q. A slightly more efficient algorithm, entitled the Multiplication Algorithm, and a still more efficient one, the Division Algorithm, are also illustrated in this paper, with algorithms to find all monic IPs over the extended Galois field GF($p^q$) for large values of both p and q. A time complexity analysis of the three algorithms, compared with Rabin's algorithm, is also given in this research article.
Fabrice Benhamouda, Hugo Krawczyk, Tal Rabin
ePrint Report
Non-Interactive Multiparty Computation (Beimel et al., Crypto 2014) is a very powerful notion, equivalent (under some corruption model) to garbled circuits, Private Simultaneous Messages protocols, and obfuscation. We present robust solutions to the problem of Non-Interactive Multiparty Computation in the computational and information-theoretic models. Our results include the first efficient and robust protocols to compute any function in $NC^1$ for constant-size collusions in the information-theoretic setting and, in the computational setting, to compute any function in $P$ for constant-size collusions, assuming the existence of one-way functions. Our constructions start from a Private Simultaneous Messages construction (Feige, Kilian, Naor, STOC 1994 and Ishai, Kushilevitz, ISTCS 1997) and transform it into a Non-Interactive Multiparty Computation for constant-size collusions. We also present a new Non-Interactive Multiparty Computation protocol for symmetric functions with significantly better communication complexity compared to the only known one, of Beimel et al.