International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo, and Facebook.

24 September 2017

Omer Paneth, Guy N. Rothblum
ePrint Report
We define and study zero-testable homomorphic encryption (ZTHE) -- a semantically secure, somewhat homomorphic encryption scheme equipped with a weak zero test that can identify trivial zeros. These are ciphertexts that result from homomorphically evaluating an arithmetic circuit computing the zero polynomial over the integers. This is a relaxation of the (strong) zero test provided by the notion of graded encodings, which identifies all encodings of zero.

We show that ZTHE can suffice for powerful applications. Based on any ZTHE scheme that satisfies the additional properties of correctness on adversarial ciphertexts and multi-key homomorphism, we construct publicly verifiable non-interactive arguments for delegating computation. Such arguments were previously constructed from indistinguishability obfuscation or based on so-called knowledge assumptions. The arguments we construct are adaptively sound, based on an efficiently falsifiable assumption, and only make black-box use of the underlying cryptographic primitives.

We also show that a ZTHE scheme that is sufficient for our application can be constructed based on an efficiently-falsifiable assumption over so-called "clean" graded encodings.
Essam Ghadafi
ePrint Report
Structure-Preserving Signatures (SPSs) are an important tool for the design of modular cryptographic protocols. It has been proven that such schemes in the most efficient Type-3 bilinear group setting have a lower bound of 3-element signatures, which must include elements from both base groups, and a verification overhead of at least 2 Pairing-Product Equations (PPEs). Very recently, Ghadafi (ESORICS 2017) showed that by restricting the message space to the set of Diffie-Hellman pairs (which does not hinder applicability of the schemes), some of the existing lower bounds for the single-message case can be circumvented. However, the case of signing multiple messages, which is required for many applications, was left as an open problem since the techniques used for signing single messages do not seem to lend themselves to the multi-message setting. In this work we investigate this setting and answer the question in the affirmative. We construct schemes that sign vectors of messages and which yield shorter signatures than optimal schemes for vectors of unilateral messages. More precisely, we construct 2 fully randomizable schemes that sign vectors of Diffie-Hellman pairs yielding signatures consisting of only 2 elements regardless of the size of the vector signed. We also construct a unilateral scheme that signs a pair of messages yielding signatures consisting of 3 elements from the shorter base group. All of our schemes require a single PPE for verification (not counting the cost of verifying the well-formedness of the messages). Thus, all of our schemes compare favourably to all existing schemes with respect to signature size and verification overhead. Even when considering single messages, our first 2 schemes compare favourably to the best existing schemes in many aspects, including the verification overhead and the key size.
Christian Cachin, Esha Ghosh, Dimitris Papadopoulos, Björn Tackmann
ePrint Report
This paper develops a cryptographic protocol for outsourcing arbitrary stateful computation among multiple clients to an untrusted server, while guaranteeing integrity of the data. The clients communicate only with the server and store only a short authenticator to ensure that the server does not cheat.

Our contribution is two-fold. First, we extend the recent hash&prove scheme of Fiore et al. (CCS 2016) to stateful computations that support arbitrary updates by the untrusted server, in a way that can be verified by the clients. We use this scheme to generically instantiate authenticated data types. Second, we describe a protocol for multi-client verifiable computation based on an authenticated data type, and prove that it achieves a computational version of fork linearizability. This is the strongest guarantee that can be achieved in the setting where clients do not communicate directly; it ensures correctness and consistency of outputs seen by the clients individually.
Núria Costa, Ramiro Martínez, Paz Morillo
ePrint Report
In this paper we present the first proof of a shuffle for lattice-based cryptography which can be used to build a universally verifiable mix-net capable of mixing votes encrypted with a post-quantum algorithm, thus achieving long-term privacy. Universal verifiability is achieved by means of the publication of a non-interactive zero knowledge proof of a shuffle generated by each mix-node which can be verified by any observer. This published data guarantees long-term privacy since its security is based on perfectly hiding commitments and also on the hardness of solving the Ring Learning With Errors (RLWE) problem, that is widely believed to be quantum resistant.
Bernardo David, Rafael Dowsley, Mario Larangeira
ePrint Report
The research on secure poker protocols without trusted intermediaries has a long history that dates back to modern cryptography's infancy. Two main challenges towards bringing it into real life are enforcing the distribution of the rewards, and penalizing misbehaving/aborting parties. Using recent advances in cryptocurrencies and blockchain technologies, Kumaresan et al. (CCS 2015) and Bentov et al. (ASIACRYPT 2017) were able to address those problems. While they made significant progress towards meeting the real-life deployment requirements, the protocols still lack either efficiency or a formal security proof in a strong model. Specifically, the former relies on Bitcoin and simple contracts, but is not very efficient as it needs numerous interactions with the cryptocurrency network as well as a lot of collateral. The latter improves by using stateful contracts and off-chain execution: it shows a solution based on general multiparty computation that has a security proof in a strong model, but is not very efficient. Alternatively, it proposes to use tailor-made poker protocols as a building block to improve the efficiency. However, a security proof is unfortunately still missing for the latter case: the security properties the tailor-made protocol would need to meet were not even specified, let alone proven to be met by a given protocol. Our solution closes this undesirable gap as it concurrently: (1) enforces the rewards' distribution; (2) enforces penalties on misbehaving parties; (3) has efficiency comparable to the tailor-made protocols; (4) has a security proof in a simulation-based model of security. Combining techniques from the above works, from tailor-made poker protocols and from efficient zero-knowledge proofs for shuffles, and performing optimizations, we obtain a solution that satisfies all four desired criteria and does not incur a big burden on the blockchain.
Stefan Kölbl
ePrint Report
SPHINCS is a recently proposed stateless hash-based signature scheme and promising candidate for a post-quantum secure digital signature scheme. In this work we provide a comparison of the performance when instantiating SPHINCS with different cryptographic hash functions on both recent Intel and AMD platforms found in personal computers and the ARMv8-A platform which is prevalent in mobile phones.

In particular, we provide a broad comparison of the performance of cryptographic hash functions utilizing the cryptographic extensions and vector instruction set extensions available on modern microprocessors. This comes with several new implementations optimized towards the specific use case of hash-based signature schemes.

Further, we instantiate SPHINCS with these primitives and provide benchmarks for the costs of generating keys, signing messages and verifying signatures with SPHINCS on Intel Haswell, Intel Skylake, AMD Ryzen, ARM Cortex A57 and Cortex A72.
Roderick Bloem, Hannes Gross, Rinat Iusupov, Bettina Könighofer, Stefan Mangard, Johannes Winter
ePrint Report
Masking provides a high level of resistance against side-channel analysis. However, in practice there are many possible pitfalls when masking schemes are applied, and implementation flaws are easily overlooked. Over recent years, the formal verification of masked software implementations has made substantial progress. In contrast to software implementations, hardware implementations are inherently susceptible to glitches. Therefore, the methods tailored to software implementations are not readily applicable. In this work, we introduce a method to formally verify the security of masked hardware implementations that takes glitches into account. Our approach does not require any intermediate modeling steps of the targeted implementation and is not bound to a certain leakage model. The verification is performed directly on the circuit's netlist, and also covers higher-order and multivariate flaws. To this end, a sound but conservative estimate of the Fourier coefficients of each gate in the netlist is calculated; these coefficients characterize the statistical dependence of the gates on the inputs and thus allow possible leakages to be predicted. In contrast to existing practical evaluations, such as t-tests, this formal verification approach makes security statements beyond specific measurement methods, the number of evaluated leakage traces, and the evaluated devices. Furthermore, flaws detected by the verifier are automatically localized. We have implemented our method on the basis of an SMT solver and demonstrate its suitability on a range of correctly and incorrectly protected circuits of different masking schemes and for different protection orders. Our verifier is efficient enough to prove the security of a full masked AES S-box, and of the Keccak S-box up to the third protection order.
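As an added illustration (not the authors' verifier, which works on a gate-level netlist with an SMT solver and a conservative estimate of the coefficients), the following Python script computes the exact Fourier coefficients of the wires of a two-share AND gadget by brute force and applies the independence criterion the abstract alludes to: over uniformly random masks, the distribution of a single Boolean wire is independent of the secrets exactly when every Fourier coefficient on a nonempty set consisting only of secret variables is zero. The glitch model used here is a simplification and an assumption of this example: a combinational gate is treated as able to transiently compute any function of the stable (register-driven) signals that feed it, so the joint distribution of those signals is checked by running the single-wire test on every parity of them. The gadget structure, the variable names `x, y, a1, b1, z`, and the choice of exactly three random bits are this example's own.

```python
# Added example (not the paper's verifier): exhaustive Fourier-coefficient
# check of a 2-share AND gadget, plus a simplified glitch model.
from itertools import product, combinations

# Variable order for every Boolean function below: (x, y, a1, b1, z).
# x, y are the secrets; a1, b1, z are uniformly random masks (assumption:
# these three bits are the only randomness in the gadget).
SECRETS = frozenset({0, 1})
NVARS = 5


def fourier(f, n=NVARS):
    """Exact Fourier coefficients of f:{0,1}^n -> {0,1} in the +/-1 encoding:
    coef[S] = 2^-n * sum_v (-1)^(f(v) xor parity_S(v)), S a frozenset of indices."""
    coef = {}
    for mask in range(1 << n):
        S = frozenset(i for i in range(n) if mask >> i & 1)
        acc = 0
        for v in product((0, 1), repeat=n):
            parity = sum(v[i] for i in S) & 1
            acc += -1 if (f(v) ^ parity) else 1
        coef[S] = acc / (1 << n)
    return coef


def secret_dependence(f, secrets=SECRETS):
    """Nonempty secret-only subsets carrying a nonzero coefficient.
    E_masks[(-1)^f] = sum over S within the secrets of coef[S] * chi_S(secret),
    so the wire is independent of the secrets iff this set is empty."""
    return {S for S, c in fourier(f).items() if S and S <= secrets and c != 0}


def glitch_dependence(inputs, secrets=SECRETS):
    """Simplified glitch model (assumption): a gate may compute any function of
    its stable inputs, so their joint distribution must not depend on the
    secrets.  A bit tuple is fixed by the expectations of all its parities,
    hence every nonempty XOR of the inputs is run through the single-wire test.
    inputs: list of (name, function) pairs.  Returns {names: leaking subsets}."""
    bad = {}
    for k in range(1, len(inputs) + 1):
        for combo in combinations(inputs, k):
            names = tuple(n for n, _ in combo)
            fn = lambda v, fs=tuple(f for _, f in combo): sum(f(v) for f in fs) & 1
            dep = secret_dependence(fn, secrets)
            if dep:
                bad[names] = dep
    return bad


# Shares of the secrets; all of these are register outputs (stable signals).
a0 = lambda v: v[0] ^ v[2]     # x xor a1
a1 = lambda v: v[2]
b0 = lambda v: v[1] ^ v[3]     # y xor b1
b1 = lambda v: v[3]
z = lambda v: v[4]             # fresh mask

# Wires of the gadget.
partial = lambda v: a0(v) & b1(v)                                          # one cross term
unrefreshed = lambda v: (a1(v) & b1(v)) ^ (a0(v) & b1(v)) ^ (a1(v) & b0(v))  # no fresh mask
isw_c1 = lambda v: unrefreshed(v) ^ z(v)                                    # ISW output share

# Variant with a register stage after the refreshed cross terms (the structure
# of domain-oriented masking): r0, r1 are registered, then XORed into the outputs.
r0 = lambda v: (a0(v) & b1(v)) ^ z(v)
r1 = lambda v: (a1(v) & b0(v)) ^ z(v)
dom_c0 = lambda v: (a0(v) & b0(v)) ^ r0(v)
dom_c1 = lambda v: (a1(v) & b1(v)) ^ r1(v)


def report():
    """Verdicts for the single-wire test and the glitch-extended test."""
    return {
        "partial_product": secret_dependence(partial),
        "unrefreshed": secret_dependence(unrefreshed),
        "isw_c1": secret_dependence(isw_c1),
        # ISW computes c1 in one combinational cone fed by all five stable signals.
        "isw_c1_glitch": glitch_dependence(
            [("a0", a0), ("a1", a1), ("b0", b0), ("b1", b1), ("z", z)]),
        # With registers, stage 1 sees only a0, b1, z and the c0 gate only a0, b0, r0.
        "dom_stage1_glitch": glitch_dependence([("a0", a0), ("b1", b1), ("z", z)]),
        "dom_c0_glitch": glitch_dependence([("a0", a0), ("b0", b0), ("r0", r0)]),
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20s} {'SECURE' if not verdict else 'LEAKS ' + str(verdict)}")
```

The single-wire test passes the cross term a0*b1 and the ISW output share, and fails the sum of cross terms computed without a fresh mask (nonzero coefficients on x, y and xy: the wire is biased towards the AND of the two secrets). The glitch-extended test then fails the ISW output gate even though its final value is uniform, because its cone sees both shares of x (the parity a0 xor a1 equals x), and passes the variant with a register stage, which is exactly why hardware masking needs registers between the partial products and the recombination.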

23 September 2017

Florida Atlantic University
Job Posting
The post-quantum cryptography group in the Department of Computer Science and Engineering at Florida Atlantic University has multiple positions for PhD students in the following areas:

--Post-Quantum Cryptography and Implementations

--Fully Homomorphic Encryption and Implementations

--Blockchain Security

--Quantum information and quantum computing (cryptographic aspects)

--Authenticated Key exchange and TLS

We offer very competitive and generous packages. To apply, please send an email with your CV, transcripts, and IELTS/TOEFL and GRE scores. Students with a strong mathematics background are more than welcome to apply. Applicants with solid knowledge of operating systems and hardware/software implementation skills (FPGA, CPUs, ARM) will be given priority.

For more information please visit: https://faculty.eng.fau.edu/azarderakhsh/

Contact: Dr. Reza Azarderakhsh, razarderakhsh{-a-t-}fau.edu

Closing date for applications: 31 December 2017

More information: https://faculty.eng.fau.edu/azarderakhsh/

TU Wien
Job Posting
As part of a special measure towards increasing female employment in scientific positions and promoting young researchers, the Faculty of Informatics at the TU Wien (Vienna University of Technology) invites applications for an Assistant Professor position (tenure track) for women expected to begin on May 2, 2018.

Candidates can apply in any of the Faculty’s main research areas: Computer Engineering, Distributed and Parallel Systems, Logic & Computation, Media Informatics & Visual Computing, as well as Business Informatics (http://www.informatik.tuwien.ac.at/research).

The work contract is initially limited to six years. The candidate and TU Wien can agree upon a tenure evaluation, which when positive, opens the possibility to change the position to Associate Professor with an unlimited contract.

Duties include research in one of the Faculty’s main research areas (see above) as well as graduate and undergraduate teaching.

The TU Wien (Vienna University of Technology) is among the most successful technical universities in Europe and it is Austria’s largest scientific-technical research and educational institution. The Faculty of Informatics, one of the eight faculties at the TU Wien (Vienna University of Technology), has an excellent reputation and plays an active role in national and international research.

Closing date for applications: 5 November 2017

More information: http://www.informatik.tuwien.ac.at/vacancies

Beijing, China, 19 October - 20 October 2017
Event Calendar
Event date: 19 October to 20 October 2017
Submission deadline: 30 June 2017
Notification: 30 July 2017

21 September 2017

Eurocrypt
The IACR is soliciting affiliated events to be held in conjunction with EUROCRYPT 2018 on Sunday April 29th, in Tel Aviv. Each such event is expected to provide a forum discussing a specific topic of the broad cryptographic world (theory, practice, implementation, standardizations, etc.). This includes workshops, tutorials, etc. that can be annual events, one-time events, or aperiodic.

Information about proposing an affiliated event can be found at https://eurocrypt.iacr.org/2018/callforevents.html. Proposals are due October 24.
1 November 2018
Event Calendar
Event date: 1 November 2018
Submission deadline: 31 October 2017
Sendai, Japan, 3 September - 5 September 2018
Event Calendar
Event date: 3 September to 5 September 2018
Virginia Tech
Job Posting
The Bradley Department of Electrical and Computer Engineering at Virginia Tech seeks applications for a tenured/tenure-track position in Computer Engineering, at the rank of Assistant or Associate Professor, specifically in the area of Secure Hardware/Software Systems, including (but not limited to) Cryptographic Engineering, Security and Privacy Design, Cross-disciplinary Secure Systems for the Internet of Things and the Cloud, Secure and Ultra-low Power Computer Architectures, Design Automation and Formal Verification of Cryptography for the Internet of Things and the Cloud. This position is based in Virginia Tech’s Blacksburg campus.

The successful candidate would be expected to collaborate with existing Virginia Tech ECE faculty with expertise covering hardware security, tamper-resistant secure implementations, secure embedded systems design, VLSI and System-on-Chip design, computer security, low-power and energy-efficient implementation of hardware and software, wireless systems, and RF IC design. Beyond the ECE department, the university has world-class research activities in machine learning, robotics, data analytics, integrated security, intelligent infrastructure, transportation, advanced manufacturing, and medical sciences.

The successful candidate will be expected to develop and maintain a nationally-recognized funded research program, teach undergraduate and graduate courses, and participate in department, college, and/or university service and outreach activities.

Closing date for applications: 15 December 2017

More information: http://listings.jobs.vt.edu/postings/79966

Laboratoire Hubert Curien, University of Lyon, Saint-Etienne, France
Job Posting
The main objective of the research in the Embedded System Security Group is to propose efficient and robust hardware architectures aimed at applied cryptography and telecom that are resistant to passive and active cryptographic attacks. More information on https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html.

For a new project that addresses the security of True Random Number Generators (TRNGs), we are looking for candidates with an outstanding PhD in applied mathematics and a strong publication record in this field. The main topic of the post-doc is the stochastic modelling of TRNGs. Knowledge of French is not mandatory.

The post-doc position will start in December 2017 (flexible starting date) and is funded for 24 months.

To apply please send your detailed CV (with publication list), motivation for applying (1 page) and names of at least two people who can provide reference letters (e-mail).

Closing date for applications: 30 November 2017

Contact: Prof. Lilian BOSSUET lilian.bossuet(at)univ-st-etienne.fr

Laboratoire Hubert Curien, University of Lyon, Saint-Etienne, France
Job Posting
The main objective of the research in the Embedded System Security Group is to propose efficient and robust hardware architectures aimed at applied cryptography and telecom that are resistant to passive and active cryptographic attacks. More information on https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html.

For a new project that addresses the security of True Random Number Generators (TRNGs), we are looking for candidates with an outstanding PhD in hardware security and a strong publication record in this field. The main topic of the post-doc is laser fault injection on TRNGs. Knowledge of French is not mandatory.

The post-doc position will start in December 2017 (flexible starting date) and is funded for at least 24 months.

To apply please send your detailed CV (with publication list), motivation for applying (1 page) and names of at least two people who can provide reference letters (e-mail).

Closing date for applications: 30 November 2017

Contact: Prof. Lilian BOSSUET lilian.bossuet(at)univ-st-etienne.fr


20 September 2017

RWTH Aachen University, Germany
Job Posting
The IT-Security research group focuses on security in wireless networks, cryptographic privacy-enhancing technologies, and (mobile) malware defense. We are currently looking for PhD students to work on one of the following topics:

* Serious gaming for raising security awareness

* Privacy-enhancing technologies

* Machine learning and anomaly detection

Closing date for applications: 17 October 2017

Contact: Ulrike Meyer, professor, Mies-van-der-Rohe Strasse 15, meyer (at) itsec.rwth-aachen.de

More information: http://www.itsec.rwth-aachen.de/job-offers

Singapore University of Technology and Design, Singapore
Job Posting
The Singapore University of Technology and Design (SUTD) seeks to fill six post-doctoral positions in the area of cyber security for the Project BCS-T: Testing for Block Chain Security by Design. Selected candidates will have a unique opportunity to work closely with the developers of Ethereum and an international team of researchers located in Singapore and the Netherlands (TNO and TU Delft). The primary focus of BCS-T is to develop foundations for a systematic approach to identify and mitigate the security risks of block chain technology in general, and smart contracts in particular.

The project results will be validated using case studies, where block chain technologies, such as HyperLedger and Ethereum, are deployed in IoT and FinTech applications. This offers researchers a unique opportunity to conduct cutting-edge research and validate it in a realistic setting. Collaboration with several private and Government agencies in Singapore and abroad increases the chances of technology transfer and hence the research impact.

The project has been awarded funding, and selected candidates will be expected to join ASAP. Later joining dates could be negotiated.

We seek postdocs with a background in:

- mathematics, economics, or game theory.

- software engineering, distributed systems, networking, financial engineering, or additive manufacturing.

- software engineering, formal methods, programming languages, software security, or software testing.

Strong candidates with background in other (related) areas will also be considered.

SUTD offers internationally competitive salaries, medical and other benefits. All positions are for up to two years and could be negotiated.

Interested candidates should send an up-to-date curriculum vitae to Pawel Szalachowski, email: pawel (at) sutd.edu.sg

Closing date for applications:


18 September 2017

Ashokkumar C, M. Bhargav Sri Venkatesh, Ravi Prakash Giri, Bernard Menezes
ePrint Report
Leakage of information between two processes sharing the same processor cache has been exploited in many novel approaches targeting various cryptographic algorithms. The software implementation of AES is an especially attractive target since it makes extensive use of cache-resident table lookups. We consider two attack scenarios where either the plaintext or the ciphertext is known. We employ a multi-threaded spy process and ensure that each time slice provided to the victim (running AES) is small enough that it makes a very limited number of table accesses. We design and implement a suite of algorithms to deduce the 128-bit AES key using as input the set of (unordered) cache line numbers captured by the spy threads in an access-driven cache-based side channel attack. Our algorithms are expressed using simple relational algebraic operations and run in under a minute. Above all, our attack is highly efficient: we demonstrate recovery of the full AES key given only about 6-7 blocks of plaintext or ciphertext (theoretically even a single block would suffice). This is a substantial improvement over previous cache-based side channel attacks that require between 100 and a million encryptions. Moreover, our attack supports varying cache hit/miss observation granularities, does not need frequent interruptions of the victim and will work even if the victim makes up to 60 cache accesses before being interrupted. Finally, we develop analytic models to estimate the number of encryptions/decryptions required as a function of access granularity and compare model results with those obtained from our experiments.
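The first-round stage of such an attack, as an added Python example that is not the authors' code or their full algorithm suite: in a standard T-table implementation, state byte i of round 1 is looked up in T[i mod 4] at index p_i xor k_i, and with 64-byte cache lines a 1 KiB table occupies 16 lines, so the line touched reveals the high nibble of p_i xor k_i. The spy is simulated here rather than measured; it is assumed to see, per encryption and per table, only the unordered set of lines accessed in round 1, noise-free, and the key and plaintexts are constructed at random. Intersecting the candidate nibbles over a handful of known-plaintext blocks fixes the high nibble of every key byte (64 key bits); the remaining bits come from later-round analysis in the paper and are not reproduced here.

```python
# Added example (not the authors' code): first-round candidate elimination for
# a T-table AES implementation from unordered cache-line observations.
import random

LINE_SIZE = 64                               # bytes per cache line (assumption)
ENTRY_SIZE = 4                               # a T-table entry is a 32-bit word
ENTRIES_PER_LINE = LINE_SIZE // ENTRY_SIZE   # 16, so a line index is the top nibble


def line_index(table_index):
    """Cache line, within a line-aligned 1 KiB T-table, holding entry table_index."""
    return table_index // ENTRIES_PER_LINE


def first_round_accesses(plaintext, key):
    """Unordered set of lines touched in each of T0..T3 during AES round 1.
    State byte i is looked up in T[i % 4] at index p_i ^ k_i (the standard
    T-table round structure); later rounds are not simulated."""
    seen = [set() for _ in range(4)]
    for i in range(16):
        seen[i % 4].add(line_index(plaintext[i] ^ key[i]))
    return seen


def random_key(seed):
    """Constructed 128-bit key for the simulation."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(16))


def simulate_spy(key, n_blocks, seed):
    """Constructed observations: random known plaintexts and the line sets they
    induce.  Assumes the spy captures round 1 completely and noise-free."""
    rng = random.Random(seed)
    obs = []
    for _ in range(n_blocks):
        p = bytes(rng.randrange(256) for _ in range(16))
        obs.append((p, first_round_accesses(p, key)))
    return obs


def recover_high_nibbles(observations):
    """High-nibble candidates per key byte consistent with every observation.
    line(p_i ^ k_i) == (p_i >> 4) ^ (k_i >> 4), so nibble h survives a block
    iff (p_i >> 4) ^ h is among the lines seen in T[i % 4].  Each block yields
    a relation of (byte, nibble) pairs; the answer is their intersection."""
    candidates = [set(range(16)) for _ in range(16)]
    for p, seen in observations:
        for i in range(16):
            candidates[i] = {h for h in candidates[i]
                             if ((p[i] >> 4) ^ h) in seen[i % 4]}
    return candidates


def blocks_needed(key, seed, max_blocks=64):
    """Smallest number of blocks after which every high nibble is unique."""
    obs = simulate_spy(key, max_blocks, seed)
    for n in range(1, max_blocks + 1):
        if all(len(c) == 1 for c in recover_high_nibbles(obs[:n])):
            return n
    return None


if __name__ == "__main__":
    key = random_key(2017)
    cands = recover_high_nibbles(simulate_spy(key, 16, 1))
    print("recovered:", [sorted(c) for c in cands])
    print("true     :", [k >> 4 for k in key])
    print("blocks needed for the 64 high bits:", blocks_needed(key, 1))
```

With at most four lines observed per table and block out of 16, a single block already cuts each key byte to at most four candidate nibbles, and every further block removes roughly three quarters of the surviving wrong ones; the true nibble can never be eliminated because its line is always in the observed set. Real traces add noise (prefetching, the spy's own accesses, interrupted or merged time slices), which is where the paper's handling of observation granularity and up to 60 uninterrupted victim accesses comes in.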
Andrey Bogdanov, Philip S. Vejre
ePrint Report
Linear cryptanalysis of DES, proposed by Matsui in 1993, has had a seminal impact on symmetric-key cryptography, having seen massive research efforts over the past two decades. It has spawned many variants, including multidimensional and zero-correlation linear cryptanalysis. These variants can claim best attacks on several ciphers, including PRESENT, Serpent, and CLEFIA. For DES, none of these variants have improved upon Matsui's original linear cryptanalysis, which has been the best known-plaintext key-recovery attack on the cipher ever since. In a revisit, Junod concluded that when using $2^{43}$ known plaintexts, this attack has a complexity of $2^{41}$ DES evaluations. His analysis relies on the standard assumptions of right-key equivalence and wrong-key randomisation.

In this paper, we first investigate the validity of these fundamental assumptions when applied to DES. For the right key, we observe that strong linear approximations of DES have more than just one dominant trail and, thus, that the right keys are in fact inequivalent with respect to linear correlation. We therefore develop a new right-key model using Gaussian mixtures for approximations with several dominant trails. For the wrong key, we observe that the correlation of a strong approximation after the partial decryption with a wrong key still shows much non-randomness. To remedy this, we propose a novel wrong-key model that expresses the wrong-key linear correlation using a version of DES with more rounds. We extend the two models to the general case of multiple approximations, propose a likelihood-ratio classifier based on this generalisation, and show that it performs better than the classical Bayesian classifier.

On the practical side, we find that the distributions of right-key correlations for multiple linear approximations of DES exhibit exploitable asymmetries. In particular, not all sign combinations in the correlation values are possible. This results in our improved multiple linear attack on DES using 4 linear approximations at a time. The lowest computational complexity of $2^{38.86}$ DES evaluations is achieved when using $2^{42.78}$ known plaintexts. Alternatively, using $2^{41}$ plaintexts results in a computational complexity of $2^{49.75}$ DES evaluations. We perform practical experiments to confirm our model. To our knowledge, this is the best attack on DES.