International Association for Cryptologic Research

IACR News

16 August 2017

Sanjit Chatterjee, Deepak Garg, Aniket Kate, Tobias Theobald
ePrint Report
A public key infrastructure (PKI) binds public keys to the identities of their respective owners. It employs certificate authorities or a web of trust over social links to transitively build cryptographic trust across parties in the form of chains of certificates. In existing PKIs, Alice cannot send a message to Bob confidentially until a complete chain of trust from Alice to Bob exists. We observe that this temporal restriction---which may be severely limiting in some contexts like whistleblowing---can be eliminated by combining webs of trust with concepts from hierarchical identity-based encryption.

Specifically, we present a novel protocol that allows Alice to securely send a message to Bob, binding to any chain of social links, with the property that Bob can decrypt the message only after trust has been established on all links in the chain. This trust may be established either before or after Alice has sent the message, and it may be established in any order on the links. We prove the protocol's security relative to an ideal functionality, develop a prototypical implementation and evaluate the implementation's performance for a realistic environment obtained by harvesting data from an existing web of trust. We observe that our protocol is fast enough to be used in practice.
Ward Beullens, Bart Preneel
ePrint Report
Most Multivariate Quadratic (MQ) signature schemes have a very large public key, which makes them unsuitable for many applications, despite attractive features such as speed and small signature sizes. In this paper we introduce a modification of the Unbalanced Oil and Vinegar (UOV) signature scheme that has public keys which are an order of magnitude smaller than other MQ signature schemes. The main idea is to choose UOV keys over the smallest field F2 in order to achieve small keys, but to lift the keys to a large extension field, where solving the MQ problem is harder. The resulting Lifted UOV signature scheme is very competitive with other post-quantum signature schemes in terms of key sizes, signature sizes and speed.
Juan A. Garay, Aggelos Kiayias, Giorgos Panagiotakos
ePrint Report
One of the most impactful applications of "proofs of work" (POW) currently is in the design of blockchain protocols such as Bitcoin. Yet, despite the wide recognition of POWs as the fundamental cryptographic tool in this context, there is no known cryptographic formulation that implies the security of the Bitcoin blockchain protocol. Indeed, all previous works formally arguing the security of the Bitcoin protocol relied on direct proofs in the random oracle model, thus circumventing the difficulty of isolating the required properties of the core POW primitive.

In this work we fill this gap by providing a formulation of the POW primitive that implies the security of the Bitcoin blockchain protocol in the standard model. Our primitive entails a number of properties that parallel an efficient non-interactive proof system: completeness and fast verification, security against malicious provers (termed "hardness against tampering and chosen message attacks") and security for honest provers (termed "uniquely successful under chosen key and message attacks"). Interestingly, our formulation is incomparable with previous formulations of POWs that applied the primitive to contexts other than the blockchain. Our result paves the way for proving the security of blockchain protocols in the standard model assuming our primitive can be realized from computational assumptions.

15 August 2017

1 May 2018
Event Calendar
Event date: 1 May 2018
Submission deadline: 29 December 2017

14 August 2017

Steven D. Galbraith, Frederik Vercauteren
ePrint Report
We give a brief survey of elliptic curve isogenies and the computational problems relevant for supersingular isogeny crypto. Supersingular isogeny cryptography is attracting attention due to the fact that there are no quantum attacks known against it that are significantly faster than classical attacks. However, the underlying computational problems have not been sufficiently studied by quantum algorithms researchers, especially since there are significant mathematical preliminaries needed to fully understand isogeny crypto. The main goal of the paper is to advertise various related computational problems, and to explain the relationships between them, in a way that is accessible to experts in quantum algorithms.
Sebastian Messmer, Jochen Rill, Dirk Achenbach, Jörn Müller-Quade
ePrint Report
Using the cloud to store data offers many advantages for businesses and individuals alike. The cloud storage provider, however, has to be trusted not to inspect or even modify the data they are entrusted with. Encrypting the data offers a remedy, but current solutions have various drawbacks. Providers which offer encrypted storage themselves cannot necessarily be trusted, since they have no open implementation. Existing encrypted file systems are not designed for usage in the cloud and do not hide metadata like file sizes or directory structure, do not provide integrity, or are prohibitively inefficient. Most have no formal proof of security. Our contribution is twofold. We first introduce a comprehensive formal model for the security and integrity of cloud file systems. Second, we present CryFS, a novel encrypted file system specifically designed for usage in the cloud. Our file system protects confidentiality and integrity (including metadata), even in presence of an actively malicious cloud provider. We give a proof of security for these properties. Our implementation is easy and transparent to use and offers performance comparable to other state-of-the-art file systems.

13 August 2017

Gilad Asharov, T-H. Hubert Chan, Kartik Nayak, Rafael Pass, Ling Ren, Elaine Shi
ePrint Report
Oblivious RAM compilers, introduced by Goldreich and Ostrovsky [JACM'96], compile any RAM program into one that is "memory-oblivious" (i.e., the access pattern to the memory is independent of the input). All previous ORAM schemes, however, completely break the locality of data accesses (by shuffling the data to pseudorandom positions in memory).

In this work, we initiate the study of locality-friendly oblivious RAMs - Oblivious RAM compilers that preserve the locality of the accessed memory regions, while leaking only the lengths of contiguous memory regions accessed; we refer to such schemes as Range ORAMs. Our main results demonstrate the existence of a statistically-secure Range ORAM with only poly-logarithmic overhead (both in terms of the number of memory accesses, and in terms of locality). In our most optimized construction, the overhead is only a logarithmic factor greater than the best ORAM scheme (without locality).

To further improve the parameters, we also consider the weaker notion of a File ORAM: whereas a Range ORAM needs to support read/write access to arbitrary regions of the memory, a File ORAM only needs to support access to pre-defined non-overlapping regions (e.g., files being stored in memory). Assuming one-way functions, we present a computationally-secure File ORAM that, up to $\log \log n$ factors matches the best ORAM schemes (i.e., we essentially get "locality for free".)

As an intermediate result, we also develop a novel sorting algorithm which is also asymptotically optimal (up to $\log\log n$ factors) and enjoys good locality (can be implemented using $O(\log n)$ sequential accesses). This sorting algorithm can serve as a practical alternative to the previous sorting algorithms used in other oblivious RAM compilers and other applications, and might be of an independent interest.

To the best of our knowledge, before our work, the only works combining locality and obliviousness were for the special case of symmetric searchable encryption [Cash and Tessaro (EUROCRYPT'14), Asharov et al. (STOC'16)]. Searchable encryption can be viewed as a special case of a "read-only" File ORAM which leaks whether the same files are accessed again, and whether files contain the same keyword; this leakage, however, has been shown to be harmful in many applications, and is prevented by the definition of a File ORAM.
Jan Czajkowski, Leon Groot Bruinderink, Andreas Hülsing, Christian Schaffner, Dominique Unruh
ePrint Report
We investigate the post-quantum security of hash functions based on the sponge construction. A crucial property for hash functions in the post-quantum setting is the collapsing property (a strengthening of collision-resistance). We show that the sponge construction is collapsing (and in consequence quantum collision-resistant) under suitable assumptions about the underlying block function. In particular, if the block function is a random function or a (non-invertible) random permutation, the sponge construction is collapsing.

12 August 2017

University of Surrey, UK
Job Posting
The Department of Computer Science at the University of Surrey invites applications for the full-time and permanent post of Senior Lecturer/Reader in Secure Systems. We aim to attract outstanding candidates to the Secure Systems group who have a strong vision for research, an established international research profile, a passion for teaching, and who value collaborative research and working in a team. This is an exciting opportunity in a department that has an established reputation for delivering quality interdisciplinary and applied research based on strong foundations.

Research in the Secure Systems group falls into three main themes: trusted systems, privacy & authentication, and secure communications. We have particular strengths in applied cryptography, protocols, verification, and formal methods. We apply our research in the domains of automotive, rail, democracy, and future internet & 5G, and are keen to extend more broadly. The post-holder will enhance or complement current research strengths of the group.

Applicants must have a PhD in a relevant subject or equivalent professional experience, and should have strong practical skills and experience. A track record of producing high quality outputs and attracting research funding is also required. The appointed candidate will be expected to play a leadership role and contribute to Departmental activities.

The Department of Computer Science embodies the ethos of “applying theory into practice” across its research and teaching activities. Surrey is recognised as an Academic Centre of Excellence in Cyber Security Research by NCSC. The University has made substantial investments in the Secure Systems group, and this post is part of our strategic drive to strengthen and integrate our core safety and security activities within the Secure Systems group.

This is a full-time and permanent position. Salary 48,327-68,814 GBP. The post is available from January 2018 though there is flexibility in the start date.

Closing date for applications: 9 September 2017

Contact: Professor Steve Schneider, Director of Surrey Centre for Cyber Security

University of Surrey

s.schneider (at) surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=061617

Intelligent Voice Ltd
Job Posting
Intelligent Voice, based in the heart of the financial district in London, makes the world's fastest speech-to-text software. Traditionally, by leveraging GPGPU technology deployed on on-premise servers, we have preserved the privacy of customer data by placing it behind firewalls. The cloud offers an ideal opportunity for storing large volumes of data in a low-cost, efficient way. However, the storage of sensitive data such as speech in plain text format on the cloud is not permitted in many industry sectors such as finance, health care, etc. Hence speech data should be encrypted before storage on the cloud, and because it contains biometric identifiers it must remain encrypted. The challenge then is to search over large amounts of encrypted speech and return encrypted search results that can be decrypted by the user only.

Building on existing research within the company we seek a talented cyber security expert to assist with the challenge of merging privacy-preserving cloud technology with our speech recognition software. Knowledge of searchable and fully homomorphic encryption protocols is desired.

Applicants should have already completed, or be close to completing, a PhD in computer science, mathematics, or a related discipline. Applicants should have an excellent research track record demonstrated by publications at major cryptography/security venues, and should have significant experience in the design and deployment of cryptographic protocols.

To apply please send your CV (with publication list), a 1-page cover letter, and the names of at least two people who can provide reference letters (e-mail).

See for more information:

https://www.slideshare.net/cholletge/ppsp-icassp17v10-72961572

Closing date for applications: 15 September 2017

Contact: Dr. Neil Glackin

More information: http://www.intelligentvoice.com

Angelo Massimo Perillo, Emiliano De Cristofaro
ePrint Report
Over the past few years, the increased affordability of genome sequencing and the ensuing availability of genetic data have propelled important progress in precision medicine and enabled a market for personal genomic testing. This yields exciting new opportunities for faster and more accurate diagnosis, personalized treatments, and genetically tailored wellness plans. At the same time, however, it also creates important security and privacy threats.

In this paper, we present a new cryptographic protocol, PAPEETE (Private, Authorized, fast PErsonal gEnomic TEsting) suitable for running different types of tests on users' genetic data (specifically, SNPs). The protocol, which builds on top of additively homomorphic encryption, provides privacy for both users and test facilities, and it guarantees that the test is authorized by an appropriate authority such as the FDA. Finally, we present a prototype implementation of PAPEETE, and an experimental evaluation that attests to the real-world practicality of our techniques.
Peter Rindal, Mike Rosulek
ePrint Report
Private set intersection (PSI) allows two parties, who each hold a set of items, to compute the intersection of those sets without revealing anything about other items. Recent advances in PSI have significantly improved its performance for the case of semi-honest security, making semi-honest PSI a practical alternative to insecure methods for computing intersections. However, the semi-honest security model is not always a good fit for real-world problems.

In this work, we introduce a new PSI protocol that is secure in the presence of malicious adversaries. Our protocol is based entirely on fast symmetric-key primitives and inherits important techniques from state-of-the-art protocols in the semi-honest setting. Our novel technique to strengthen the protocol for malicious adversaries is inspired by the dual execution technique of Mohassel & Franklin (PKC 2006). Our protocol is optimized for the random-oracle model, but can also be realized (with a performance penalty) in the standard model.

We demonstrate our protocol's practicality with a prototype implementation. To securely compute the intersection of two sets of size $2^{20}$ requires only 13 seconds with our protocol, which is $\sim 12\times$ faster than the previous best malicious-secure protocol (Rindal & Rosulek, Eurocrypt 2017), and only $3\times$ slower than the best semi-honest protocol (Kolesnikov et al., CCS 2016).
S. Sharmila Deva Selvi, Arinjita Paul, C. Pandu Rangan
ePrint Report
Proxy re-encryption (PRE) is a cryptographic primitive introduced by Blaze, Bleumer and Strauss to provide delegation of decryption rights. PRE allows re-encryption of a ciphertext intended for Alice (delegator) to a ciphertext for Bob (delegatee) via a semi-honest proxy, who should not learn anything about the underlying message. In 2003, Al-Riyami and Paterson introduced the notion of certificateless public key cryptography, which offers the advantage of identity-based cryptography without suffering from the key escrow problem. The existing certificateless PRE (CLPRE) schemes rely on costly bilinear pairing operations. In ACM ASIA-CCS SCC 2015, Srinivasan et al. proposed the first construction of a certificateless PRE scheme without resorting to pairing in the random oracle model. However, in this work, we demonstrate a flaw in the CCA-security proof of their scheme. Also, we present the first construction of a CLPRE scheme without pairing which meets CCA security under the computational Diffie-Hellman hardness assumption in the random oracle model.

10 August 2017

Nazarbayev University, Kazakhstan
Job Posting
Nazarbayev University is seeking highly-qualified faculty at the assistant and associate professor ranks to join its rapidly growing Mathematics Department in the School of Science and Technology. All areas of mathematics will be considered but preference will be given to applied mathematics and statistics (broadly interpreted).

Successful candidates should hold a PhD in mathematics, statistics or in a related field and have excellent English-language communication skills and experience with Western higher education. Applicants for associate professor positions should have considerable experience in supervising students at the graduate level, possess strong teaching skills and experience, and a demonstrated rank-appropriate research accomplishment and service. Applicants for assistant professor level should demonstrate a potential for excellence in teaching, research, and service.

Position responsibilities include: teaching undergraduate and graduate level courses (2-2 teaching load), supervision of graduate students, curricular and program development, ongoing engagement in professional and research activities, general program guidance and leadership, and other activities related to the intellectual and cultural environment of the university.

Nazarbayev University offers an attractive benefits package, including:

  • competitive compensation;
  • free housing based on family size and rank;
  • relocation allowance;
  • no-cost medical insurance, with global coverage;
  • educational allowance for children;
  • air tickets to home country, twice per year

Applicants should send a detailed CV, teaching and research statements, and list of publications to sst (at) nu.edu.kz. Review of applications will begin immediately but full consideration will be given to applications submitted no later than September 15, 2017. Successful appointments are expected to begin on January 1st, 2018.

Closing date for applications: 15 September 2017

More information: http://sst.nu.edu.kz


09 August 2017

University of Wollongong, Australia
Job Posting
School of Computing and Information Technology (SCIT) is one of six Schools within the Faculty of Engineering and Information Sciences at the University of Wollongong.

This position is expected to provide development, teaching and research within the Institute of Cybersecurity and Cryptology in the school.

For further information about this position, please contact the Head of School and Director of the Institute of Cybersecurity and Cryptology, Professor Willy Susilo, on +61 2 4221 5535.

Closing date for applications: 9 September 2017

Contact: Professor Willy Susilo

More information: https://jobs.uow.edu.au/careersection/ext/jobdetail.ftl?job=170477&tz=GMT%2B10%3A00

TU Darmstadt
Job Posting
We are looking for outstanding PhD candidates and Post doctoral researchers working on topics related to cryptography and IT Security. Topics of particular interest include (but are not limited to):

- Secure cryptographic implementations
- Leakage/tamper resilient cryptography
- Distributed cryptography
- Blockchains and cryptocurrencies

The application should include a curriculum vitae, a short research statement, and the name of one person (two in the case of PostDocs) who can provide a reference about the applicant and her/his work. In the case of PostDoc applications, the candidate shall be able to show solid expertise in cryptography/IT security, illustrated in the form of publications at major crypto/security venues such as CRYPTO, EUROCRYPT, ASIACRYPT, TCC, PKC, CHES, FC, ACM CCS, IEEE S&P, USENIX Security, NDSS, etc.

The positions are available immediately and paid according to the German public salary scale TVL-E13 or TVL-E14, depending on the candidate's qualification. TU Darmstadt offers an excellent working environment in the heart of the Rhein-Main area, and is one of the leading institutes for research on IT security, with more than 200 researchers working on all aspects of cybersecurity.

Review of applications starts immediately until the positions are filled.

Closing date for applications: 5 October 2017

Contact: Prof. Sebastian Faust

Contact: sebastian.faust (at) gmail.com

University of Lübeck, Germany
Job Posting
We are looking for highly motivated and qualified candidates to fill PhD or PostDoc positions for research in system security and applied cryptography. Specific topics include:

  • Side channel attacks and mitigations
  • System security for IoT, mobile and Cloud systems
  • Trusted computing and trusted execution environments
  • Applied cryptography
  • Secure microarchitectures

As the ideal candidate, you are highly motivated, independent and able to perform creative and deep research. You have a degree in computer science, electronics or applied mathematics with a strong interest in systems security, algorithms and machine learning. Prior experience in low-level programming, code analysis, cryptography and/or signal processing is an asset. Positions remain open until filled.

The brand-new Institute for IT Security at the University of Luebeck offers excellent research conditions, close to the most gorgeous beaches of the Baltic Sea. We offer a competitive salary and an international cutting-edge research team in an attractive working environment.

Please provide a resume, transcripts, a motivational statement and contact information of at least two references.

Closing date for applications: 28 August 2017

Contact: Thomas Eisenbarth thomas.eisenbarth (at) uni-luebeck.de

More information: https://www.its.uni-luebeck.de/en/jobs.html


08 August 2017

Xavier Bonnetain
ePrint Report
AEZ is an authenticated encryption algorithm, submitted to the CAESAR competition. It has been selected for the third round of the competition. While some classical analyses of the algorithm have been published, the cost of these attacks is beyond the security claimed by the designers. In this paper, we show that all the versions of AEZ are completely broken against a quantum adversary. For this, we propose a generalisation of Simon's algorithm for quantum period finding that allows building efficient attacks.
Arjun Chopra
ePrint Report
In 2012 Güneysu et al. proposed GLP, a practical and efficient post-quantum digital signature scheme based on the computational hardness of the Ring Learning With Errors problem. It has some advantages over more recent efficient post-quantum digital signature proposals such as BLISS and Ring-TESLA, but Ring Learning With Errors hardness is more fully understood now than when GLP was published half a decade ago. Although not broken, GLP as originally proposed is no longer considered to offer strong levels of security.

We propose GLYPH, a new instantiation of GLP, parametrised for 128 bits of security under the very conservative assumptions proposed in [2], which gives a strong assurance that it will be secure against forgery even if there are further developments in lattice cryptanalysis. Parameters to obtain this strong security level in an efficient manner were not possible within the original formulation of GLP, as they are not compatible with a signature compression algorithm, and to address this we also propose a new form of the compression algorithm which works efficiently with wider ranges of parameters.
Vahid Amin Ghafari, Honggang Hu, Mohammadsadegh Alizadeh
ePrint Report
After the introduction of some stream ciphers with a minimal internal state, the design idea of these ciphers (i.e. the design of stream ciphers by using the secret key not only in the initialization but also permanently in the keystream generation) has been developed. The idea makes it possible to design lighter stream ciphers that are suitable for devices with limited resources such as RFID and WSN. We present necessary conditions for designing a secure stream cipher with a minimal internal state. Based on these conditions, we propose the Fruit-128 stream cipher for 128-bit security against all types of attacks. Our implementations showed that the area size of Fruit-128 is about 25.2% smaller than that of Grain-128a. Discussions are presented showing that Fruit-128 is more resistant than Grain-128a to some attacks such as the related-key chosen-IV attack. The Sprout, Fruit-v2 and Plantlet ciphers are vulnerable to time-memory-data trade-off (TMDTO) distinguishing attacks. For the first time, IV bits are permanently used to strengthen Fruit-128 against TMDTO attacks. We will show that if IV bits are not permanently available during the keystream production step, we can eliminate the IV mixing function from it. In this case, the security level decreases to 69 bits against TMDTO distinguishing attacks (which, depending on the application, might be tolerable). Dynamic initialization is another contribution of the paper (it can strengthen the initialization of all stream ciphers at low area cost).