International Association
for Cryptologic Research

We give a complete characterization of quantum attacks for finding a collision in a non- uniform random function whose outputs are drawn according to a distribution of min-entropy k. This can be viewed as showing generic security of hash functions under relaxed assumptions in contrast to the standard heuristic of assuming uniformly random outputs. It also has ap- plications in analyzing quantum security of the Fujisaki-Okamoto transformation [TU TCC16B]. In particular, our results close a gap in the lower bound left open in [TTU PQCrypto16].

Specifically, let $D$ be a min-entropy $k$ distribution on a set $Y$ of size $N$. Let $f: X\to Y$ be a function whose output $f(x)$ is drawn according to $D$ for each $x \in X$ independently. We show that $\Omega(2^{k/3})$ quantum queries are necessary to find a collision in $f$, improving the previous bound $\Omega(2^{k/9})$. In fact we show a stronger lower bound $2^{k/2}$ in some special case. For all cases, we also describe explicit quantum algorithms that find a collision with a number of queries matching the corresponding lower bounds.

Event date: 14 June to 16 June 2018
Submission deadline: 1 April 2018
Notification: 11 May 2018

Event date: 17 June to 22 June 2018
Submission deadline: 1 April 2018
Notification: 7 April 2018

Applications are invited for a Research Associate (postdoc) position.

You will work on the project “Practical Data-intensive Secure Computation: a Data Structural Approach”. This is a project funded by the EPSRC. The aim of the project is to investigate how data structures can be used as an efficiency and scalability booster in the context of secure computation. The project has a particular emphasis on putting theory into practice. The project will investigate both data structures and cryptography.

You will design novel cryptographic data structures and associated protocols for efficient secure computation, as well as apply them in domains such as cloud computing and data mining in order to solve real-world security/privacy problems. Other responsibilities include: writing papers, presenting work at international conferences, and contributing to an open source software package. There will be opportunities to collaborate with industrial research labs and other leading universities.

The candidate must have:

* a PhD (or equivalent) in a relevant area;

* a strong background in cryptography/security;

* good programming skills (C++/Java, parallel/GPU computing experience is a plus).

* good communication and time management skills.

Experience/knowledge in one or more of the following areas would be desirable but not essential: computer networks, operating systems, databases, statistics and data mining.

The post is available from January 2018, fixed term for 2 years and is full time. The post is based in the Security & Resilient Systems (SRS) Group within the School of Computing Science. The School is one of the Academic Centres of Excellence in Cyber Security Research (ACE-CSR) in the UK. In the latest 2014 Research Excellence Framework (REF) assessment, the School ranked 9th overall and 1st for Research Impact among computer science departments in the UK.

Closing date for applications: 16 August 2017

Contact: Dr Changyu Dong (changyu.dong AT ncl.ac.uk)

More information: http://bit.ly/2tG6XJr

Suppose $n$ parties have respective inputs $x_1, \ldots, x_n \in \mathbb{G}$, where $\mathbb{G}$ is a finite group. The parties would like to privately compute $x_1 x_2 \cdots x_n$ (where multiplication refers to the group operation in $\mathbb{G}$). There is a well-known secure protocol that works for any number of parties $n$ when $\mathbb{G}$ is abelian. In this note we consider private group-product protocols for non-abelian groups. We show that such protocols are possible for if and only if $n$ (the number of parties) is less than 4.

Bitcoin has not only attracted many users but also been considered as a technical breakthrough by academia. However, the expanding potential of Bitcoin is largely untapped due to its limited throughput. The Bitcoin community is now facing its biggest crisis in history as the community splits on how to increase the throughput. Among various proposals, Bitcoin Unlimited recently becomes a most popular candidate, as it allows miners to collectively decide the block size limit according to the real network capacity. However, the security of BU is heatedly debated and no consensus has been reached as the issue is discussed in different miner incentive models. In this paper, we systematically evaluate BU's security with three incentive models via testing the two major arguments of BU supporters: the block validity consensus is not necessary for BU's security; such consensus would emerge in BU on the run. Our results invalidate both arguments and therefore disprove BU's security claims. Our paper further contributes to the field by addressing the necessity of a prescribed block validity consensus for cryptocurrencies.

Leveled authentication allows resource-constrained IoT devices to be authenticated at different strength levels according to the particular types of communication. To achieve efficient leveled authentication, we propose a lightweight public key encryption scheme that can produce very short ciphertexts without sacrificing its security.

The security of our scheme is based on the Learning With Secretly Scaled Errors in Dense Lattice (referred to as Compact-LWE) problem. We prove the hardness of Compact-LWE by reducing Learning With Errors (LWE) to Compact-LWE. However, unlike LWE, even if the closest vector problem (CVP) in lattices can be solved, Compact-LWE is still hard, due to the high density of lattices constructed from Compact-LWE samples and the relatively longer error vectors. By using a lattice-based attack tool, we verify that the attacks, which are successful on LWE instantly, cannot succeed on Compact-LWE, even for a small dimension parameter like $n=13$, hence allowing small dimensions for short ciphertexts.

On the Contiki operating system for IoT, we have implemented our scheme, with which a leveled Needham-Schroeder-Lowe public key authentication protocol is implemented. On a small IoT device with 8MHZ MSP430 16-bit processor and 10KB RAM, our experiment shows that our scheme can complete 50 encryptions and 500 decryptions per second at a security level above 128 bits, with a public key of 2368 bits, generating 176-bit ciphertexts for 16-bit messages. With two small IoT devices communicating over IEEE 802.15.4 and 6LoWPAN, the total time of completing an authentication varies from 640ms (the 1st authentication level) to 8373ms (the 16th authentication level), in which the execution of our encryption scheme takes only a very small faction from 46ms to 445ms.

Decentralized ledger-based cryptocurrencies such as Bitcoin provide a means to construct payment systems without requiring a trusted bank, yet the anonymity of Bitcoin is proved to be far from enough. Zerocash is the first full-fledged anonymouse digital currency based on the blockchain technology, using zk-SNARK as the zero-knowledge module for the privacy preserving. Zerocash solves the privacy problem but also brings some other issues, including insufficient scalability as in Bitcoin. Meanwhile, Lightning network proves to be a nice solution to solve the scalability problem in Bitcoin. However, to employ the idea of lightning network in Zerocash is a great challenge due to the lack of programmability of Zerocash. We modify the Zerocash scheme to implement multisignature scheme and the lock time mechanism without compromising the privacy guarantee provided by Zerocash. With these two mechanisms, we present the construction of micropayment system Z-Channel on the basis of Zerocash. The Z-Channel system effectively solves the scalability and instant payment problems in Zerocash.

Edit distance is an important non-linear metric that has many applications ranging from matching patient genomes to text-based intrusion detection. Privacy-preserving edit distance protocols have been a long-standing goal of many security researchers. In this paper, we propose efficient secure computation protocols for private edit distance as well as several generalized applications including weighted edit distance (with potentially content-dependent weights), longest common subsequence, and heaviest common subsequence. Our protocols run 20+ times faster and use an order-of-magnitude less bandwidth than their best previous counterparts. Alongside, we propose a garbling scheme that allows free arithmetic addition, free multiplication with constants, and low-cost comparison/minimum for inputs of restricted relative-differences. Moreover, the encodings (i.e. wire- labels) in our garbling scheme can be converted from and to encodings used by traditional binary circuit garbling schemes with light to moderate costs. Therefore, while being extremely efficient on certain kinds of computations, the new garbling scheme remains composable and capable of handling generic computational tasks, hence may be of independent interest.

We propose a novel cryptographic primitive that we call conditional blind signatures. Our primitive allows a user to request blind signatures on messages of her choice. The signer has a secret Boolean input which determines if the supplied signature is valid or not. The user should not be able to distinguish between valid and invalid signatures. A designated verifier, however, can tell which signatures verify correctly, and is in fact the only entity who can learn the secret input associated with the signed message after the unblinding process. We instantiate our primitive as an extension of the Okamoto-Schnorr blind signature scheme. We analyze and prove the security properties of the new scheme and explore potential applications.

Recently, we showed that the controlled-NOT function is a permutation that cannot be inverted in subexponential time in the worst case [Quantum Information Processing. 16:149 (2017)]. Here, we show that such a condition can provoke biased interpretations from Bell’s test experiments.

We propose SOFIA, the first MQ-based signature scheme provably secure in the quantum-accessible random oracle model (QROM). Our construction relies on an extended version of Unruh's transform for 5-pass identification schemes that we describe and prove secure both in the ROM and QROM.

Based on a detailed security analysis, we provide concrete parameters for SOFIA that achieve 128 bit post-quantum security. The result is SOFIA-4-128 with parameters that are carefully optimized to minimize signature size and maximize performance. SOFIA-4-128 comes with an implementation targeting recent Intel processors with the AVX2 vector-instruction set; the implementation is fully protected against timing attacks.

Outsourcing data to the cloud is becoming increasingly prevalent. To ensure data confidentiality, encrypting the data before outsourcing it is advised. While encryption protects the secrets in the data, it also prevents operations on the data. For example in a multi-user setting, data is often accessed via search, but encryption prevents search. Searchable encryption solves this dilemma. However, in a multi-user setting not all users may be allowed to access all data, requiring some means of access control. We address the question how searchable encryption and access control can be combined. Combining these technologies is required to achieve strong notions of confidentiality: if a ciphertext occurs as a search result, we learn something about the underlying document, even if access control does not let us access the document. This illustrates a need to link search and access control, so that search results presented to users only feature data the users are allowed to access. Our searchable encryption scheme with access control establishes that link.

Event date: 9 April to 11 April 2018
Submission deadline: 18 November 2017
Notification: 10 January 2018

Event date: 2 July to 4 July 2018
Submission deadline: 25 February 2018
Notification: 8 April 2018

Event date: 6 November to 10 November 2017
Submission deadline: 27 July 2017
Notification: 27 August 2017

Singapore University of Technology and Design (SUTD) is a young university established in collaboration with MIT. Security is one of its major focuses. SUTD hosts the iTrust centre for research in cyber security (https://itrust.sutd.edu.sg/) and world-class testbeds in cyber-physical systems.

I am looking for highly motivated PhD students who are interested in conducting research in at least one of the following fields:

- network and systems security (Internet security, SSL/TLS, PKI, SDN, ...)

- FinTech security (blockchain, cryptocurrencies, smart contracts, ...)

- security of cyber-physical systems (IoT, critical infrastructures, ...)

Candidates should have an excellent background (BSc/MSc degree) in computer science (or related), ability to work on inter-disciplinary research projects, good design and programming skills, and a strong interest in at least one of the listed fields.

The positions are fully funded up to 4 years with a very competitive scholarship. More information about the PhD program is available at https://istd.sutd.edu.sg/phd/phd-overview/.

Interested candidates should send a CV and a research statement to Pawel Szalachowski psz (at) inf.ethz.ch

Closing date for applications: 15 September 2017

We invite applications for a three year, funded PhD degree in the area of Cyber Security.

Suggested research topics include, but are not limited to the following:

• Internet of Things Security
• Human Aspects of Security
• Ransomware
• Tools for Vulnerability Analysis

Applicants should be a UK or EU national. Applicants should have a 2:1 in an undergraduate degree as a minimum. Masters or equivalent professional or research experience with computer security, computer networks or interdisciplinary collaboration is an advantage. Successful applicants will be supervised within the Security Research Group.

Closing date for applications: 21 July 2017

Contact: Budi Arief, b.arief (at) kent.ac.uk

More information: https://www.cs.kent.ac.uk/research/studyingforaphd/phd-cyber-2017.html

Differential Fault Attack (DFA) is presently a very well known technique to evaluate security of a stream cipher. This considers that the stream cipher can be weakened by injection of the fault. In this paper we study DFA on three ciphers, namely Grain v1, Lizard and ACORN v3. We show that Grain v1 (an eStream cipher) can be attacked with injection of only 5 faults instead of 10 that has been reported in 2012. For the first time, we have mounted the fault attack on Lizard, a very recent design and show that one requires only 5 faults to obtain the state. ACORN v3 is a third round candidate of CAESAR and there is only one hard fault attack on an earlier version of this cipher. However, the `hard fault' model requires a lot more assumption than the generic DFA. In this paper, we mount a DFA on ACORN v3 that requires 9 faults to obtain the state. In case of Grain v1 and ACORN v3, we can obtain the secret key once the state is known. However, that is not immediate in case of Lizard. While we have used the basic framework of DFA that appears in literature quite frequently, specific tweaks have to be explored to mount the actual attacks that were not used earlier. To the best of our knowledge, these are the best known DFA on these three ciphers.

Protocols for Private Set Intersection (PSI) are an important cryptographic primitive to perform joint operations on datasets in a privacy-preserving way. They allow two entities to compute the intersection of their private sets without revealing any additional information beyond the intersection, which can be learned by only one of the parties, as in one-way PSI protocols, or by both parties in mutual PSI protocols. In addition, the PSI setting may be unbalanced when one set is substantially smaller than the other or balanced when the sets have approximately the same size. However, even with several PSI protocols already proposed, applications keep using insecure naive approaches that are more efficient in both run time and communication. To make matters worse, implementations in the literature do not use the best possible implementation techniques, especially when implementing PSI protocols instantiated with curve-based public-key cryptography. This paper proposes an efficient one-way PSI protocol based on public-key cryptography for the unbalanced scenario. Security is based on the hardness of the One-More-Gap-Diffie-Hellman (OMGDH) problem against semi-honest adversaries and includes forward secrecy on the client side. A Cuckoo filter is also used to reduce the amount of data exchanged and stored by the client. Our implementation employs the state-of-the-art Galbraith-Lin-Scot (GLS-254) binary elliptic curve with point compression.