International Association
for Cryptologic Research

We construct two identity-based encryption (IBE) schemes. The first one is IBE satisfying key dependent message (KDM) security for user secret keys. The second one is IBE satisfying simulation-based receiver selective opening (RSO) security. Both schemes are secure against adaptive-ID attacks and do not have any a-priori bound on the number of challenge identities queried by adversaries in the security games. They are the first constructions of IBE satisfying such levels of security.

Our constructions of IBE are very simple. We construct our KDM secure IBE by transforming KDM secure secret-key encryption using IBE satisfying only ordinary indistinguishability against adaptive-ID attacks (IND-ID-CPA security). Our simulation-based RSO secure IBE is based only on IND-ID-CPA secure IBE.

We also demonstrate that our construction technique for KDM secure IBE is used to construct KDM secure public-key encryption. More precisely, we show how to construct KDM secure public-key encryption from KDM secure secret-key encryption and public-key encryption satisfying only ordinary indistinguishability against chosen plaintext attacks.

Cryptosystems based on supersingular isogenies have been proposed recently for use in post-quantum cryptography. Three problems have emerged related to their hardness: computing an isogeny between two curves, computing the endomorphism ring of a curve, and computing a maximal order associated to it. While some of these problems are believed to be polynomial-time equivalent based on heuristics, their relationship is still unknown. We give the first reduction between these problems, with the aid of one more problem which we call Action-on-$\ell$-Torsion. We show that computing $\ell$-power isogenies reduces to computing maximal orders and Action-on-$\ell$-Torsion.

We also define the notion of a compact representation of an endomorphism, and use this to show that endomorphism rings always have polynomial representation size. We then reduce the endomorphism ring problem to computing maximal orders and Action-on-$\ell$-Torsion, thus laying the foundation for analysis of the hardness of endomorphism ring computation. This identifies these last two problems as one possible way to attack some systems, such as hash functions based on the $\ell$-isogeny graph of supersingular elliptic curves. This gives the potential to use algebraic tools in quaternion algebras to solve the problems. We also discuss how these reductions apply to attacks on a hash function of Charles, Goren, and Lauter.

Ed25519 is an instance of the Elliptic Curve based signature scheme EdDSA that was recently introduced to solve an inconvenience of the more established ECDSA. Namely, both schemes require the generation of a random value (scalar of the ephemeral key pair) during the signature generation process and the secrecy of this random value is critical for security: knowledge of one such a random value, or partial knowledge of a series of them, allows reconstructing the signer's private key. In ECDSA it is not specified how to generate this random value and hence implementations critically rely on the quality of random number generators and are challenging to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. The feature of determinism has received wide support as enabling secure implementations and in particular deployment of Ed25519 is spectacular. Today Ed25519 is used in numerous security protocols, networks and both software and hardware security products e.g. OpenSSH, Tor, GnuPG etc.

In this paper we show that in use cases where power or electromagnetic leakage can be exploited, exactly the mechanism that makes EdDSA deterministic complicates its secure implementation. In particular, we break an Ed25519 implementation in WolfSSL, which is a suitable use case for IoT applications. We apply differential power analysis (DPA) on the underlying hash function, SHA-512, requiring only 4000 traces.

Finally, we present a tweak to the EdDSA protocol that is cheap and effective against the described attack while keeping the claimed advantage of EdDSA over ECDSA in terms of featuring less things that can go wrong e.g. the required high-quality randomness. However, we do argue with our countermeasure that some randomness (that need not be perfect) might be hard to avoid.

We put forward the notion of self-guarding cryptographic protocols as a countermeasure to algorithm substitution attacks. Such self-guarding protocols can prevent undesirable leakage by subverted algorithms if one has the guarantee that the system has been properly working in an initialization phase. Unlike detection-based solutions they thus proactively thwart attacks, and unlike reverse firewalls they do not assume an online external party.

We present constructions of basic primitives for (public-key and private-key) encryption and for signatures. We also argue that the model captures attacks with malicious hardware tokens and show how to self-guard a PUF-based key exchange protocol.

Attribute-based encryption (ABE) is a cryptographic primitive which supports fine-grained access control on encrypted data, making it an appealing building block for many applications. In this paper, we propose, implement, and evaluate fully automated methods for proving security of ABE in the Generic Bilinear Group Model (Boneh, Boyen, and Goh, 2005, Boyen, 2008), an idealized model which admits simpler and more efficient constructions, and can also be used to find attacks. Our method is applicable to Rational-Fraction Induced ABE, a large class of ABE that contains most of the schemes from the literature, and relies on a Master Theorem, which reduces security in the GGM to a (new) notion of symbolic security, which is amenable to automated verification using constraint- based techniques. We relate our notion of symbolic security for Rational-Fraction Induced ABE to prior notions for Pair Encodings. Finally, we present several applications, including automated proofs for new schemes.

Secure messaging apps have enjoyed huge uptake, and with the headline figure of one billion active WhatsApp users there has been a corresponding burst of academic research on the topic. One might therefore wonder: how far is the academic community from providing concrete, applicable guarantees about the apps that are currently in widespread use? We argue that there are still significant gaps between the security properties that users might expect from a communication app, and the security properties that have been formally proven. These gaps arise from dubious technical assumptions, tradeoffs in the name of reliability, or simply features out of scope of the analyses. We survey these gaps, and discuss where the academic community can contribute. In particular, we encourage more transparency about analyses' restrictions: the easier they are to understand, the easier they are to solve.

A crucial issue, that mostly affects the performance of actively secure computation of RAM programs, is the task of reading/writing from/to memory in a private and authenticated manner. Previous works in the active security and multiparty settings are based purely on the SPDZ (reactive) protocol, hence, memory accesses are treated just like any input to the computation. However, a garbled-circuit-based construction (such as BMR), which benefits from a lower round complexity, must resolve the issue of converting memory data bits to their corresponding wire keys and vice versa.

In this work we propose three techniques to construct a secure memory access, each appropriates to a different level of abstraction of the underlying garbling functionality. We provide a comparison between the techniques by several metrics. To the best of our knowledge, we are the first to construct, prove and implement a concretely efficient garbled-circuit-based actively secure RAM computation with dishonest majority.

Our construction is based on our third (most efficient) technique, cleverly utilizing the underlying SPDZ authenticated shares (Damgård et al., Crypto 2012), yields lean circuits and a constant number of communication rounds per physical memory access. Specifically, it requires no additional circuitry on top of the ORAM's, incurs only two rounds of broadcasts between every two memory accesses and has a multiplicative overhead of 2 on top of the ORAM's storage size.

Our protocol outperforms the state of the art in this settings when deployed over WAN. Even when simulating a very conservative RTT of 100ms our protocol is at least one order of magnitude faster than the current state of the art protocol of Keller and Scholl (Asiacrypt 2015).

In this paper we present new fundamental properties of SPNs. These properties turn out to be particularly useful in the adaptive chosen ciphertext/plaintext setting and we show this by introducing for the first time key-independent yoyo-distinguishers for 3- to 5-rounds of AES. All of our distinguishers beat previous records and require respectively $3, 4$ and $2^{25.8}$ data and essentially zero computation except for observing differences. In addition, we present the first key-independent distinguisher for 6-rounds AES based on yoyos that preserve impossible zero differences in plaintexts and ciphertexts. This distinguisher requires an impractical amount of $2^{122.83}$ plaintext/ciphertext pairs and essentially no computation apart from observing the corresponding differences. We then present a very favorable key-recovery attack on 5-rounds of AES that requires only $2^{11.3}$ data complexity and $2^{31}$ computational complexity, which as far as we know is also a new record. All our attacks are in the adaptively chosen plaintext/ciphertext scenario. Our distinguishers for AES stem from new and fundamental properties of generic SPNs, including generic SAS and SASAS, that can be used to preserve zero differences under the action of exchanging values between existing ciphertext and plaintext pairs. We provide a simple distinguisher for 2 generic SP-rounds that requires only 4 adaptively chosen ciphertexts and no computation on the adversaries side. We then describe a generic and deterministic yoyo-game for 3 generic SP-rounds which preserves zero differences in the middle but which we are not capable of exploiting in the generic setting.

Linear regression with 2-norm regularization (i.e., ridge regression) is an important statistical technique that models the relationship between some explanatory values and an outcome value using a linear function. In many current applications (e.g., predictive modelling in personalized health-care), these values represent sensitive data owned by several different parties who are unwilling to share them. In this setting, training a linear regression model becomes challenging and needs specific cryptographic solutions. This problem was elegantly addressed by Nikolaenko et al. in S&P (Oakland) 2013. They suggested a two-server system that uses linearly-homomorphic encryption (LHE) and Yao’s two-party protocol (garbled circuits). In this work, we propose a novel system that can train a ridge linear regression model using only linearly-homomorphic encryption (i.e., without using Yao’s protocol). This greatly improves the overall performance (both in computation and communications) as Yao’s protocol was the main bottleneck in the previous solution. The efficiency of the proposed system is validated both on synthetically-generated and real-world datasets.

The University of Luxembourg seeks to hire outstanding PhD candidate at the Computer Science and Communications Research Unit. The positions are part of the FNR PRIDE doctoral training program on Security and Privacy for System Protection. CryptoLUX/SnT team is an established leading European team in the area of applied cryptography, information security and privacy.

He or she will contribute to a research project on future directions in one or more of the following topics:

o Design and Cryptanalysis of lightweight block ciphers, authenticated encryption schemes

o Side-channel attacks on symmetric cryptosystems and countermeasures

o Design and security analysis of IoT and blockchain security protocols

o Strong whitebox-cryptography

Your Profile

• M.Sc. degree in Computer Science, Applied Mathematics, Electrical Engineering, or a related field

• Strong mathematical and algorithmic CS background (complexity of algorithms; probability/statistics; discrete math; basic cryptography, algebra)

• Background in cryptography or information security or ethical hacking - a plus

• Good skills in programming, scripting languages . Math tools a plus.

• Commitment, team working and a critical mind

• Participation in competitions, Olympiads, CTFs - a big plus

• Fluent written and verbal communication skills in English are mandatory

We offer

Duration of Ph.D. is typically between 3-4 years. The University offers highly competitive salaries and is an equal opportunity employer. You will work in an exciting international environment and will have the opportunity to participate in the development of a newly created research center.

Applications, written in English, should be submitted online and should include:

• Curriculum Vitae (including your contact address, photo, work experience, publications)

• A research statement indicating your interest, prior research (if any) and your motivation (max 1 page)

Closing date for applications: 30 November 2017

Contact: Prof. Alex Biryukov (e-mail: name dot family name (at) uni.lu)

More information: https://www.cryptolux.org

Singapore University of Technology and Design (SUTD) is a young university established in collaboration with MIT and security is one of its major focuses. SUTD hosts the iTrust and STE-SUTD centres for research in cyber security.

I am looking for highly motivated PhD interns (strong MSc students will also be considered) who are interested in conducting research in at least one of the following fields:

- blockchain security (Bitcoin, Ethereum, cryptocurrencies, smart contracts, ...)

- network and systems security (Internet, SSL/TLS, PKI, ...)

Candidates should have an excellent background in computer science (or related), ability to work on inter-disciplinary research projects, good design and programming skills, and a strong interest in at least one of the listed fields.

The attachment should be between 3 and 6 months, and an allowance will be provided for local expenses.

If you are interested please send your CV to Pawel Szalachowski.

Closing date for applications:

Contact: pawel (at) sutd.edu.sg

The Department of Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign (ECE ILLINOIS) invites applications for full-time faculty positions at all levels and in all areas of electrical and computer engineering, broadly defined, with particular emphasis in the areas of bio-electronics, bio-computation, bio-imaging including MRI, and health; machine learning, control, and optimization for dynamic complex systems; robotics; machine vision; power electronics and electric machines; quantum computing; cybersecurity and reliability; embedded computing systems and the internet of things; networked and distributed computing; data-centric computer systems and storage. Applications are encouraged from candidates whose research programs are in core as well as broad interdisciplinary areas of electrical and computer engineering.

Closing date for applications: 15 November 2017

More information: https://jobs.illinois.edu

Our Cybersecurity Technology Area conducts cutting-edge innovation in several areas of cybersecurity, including: cyber situational awareness, digital identity, predictive intelligence for cybersecurity, cyber range, and applied cryptography. Its main objective is to produce innovative solutions that help our customers to effectively counter advanced and emerging cyberthreats. We actively collaborate with renowned Research Centres and Universities across Europe, maximising the expert knowledge and scientific advances in cybersecurity and related fields.

We are looking for a senior research engineer for the cyber situational awareness research line. The candidate must prove the ability to undertake applied research and innovation, from exploratory thinking to prototyping and demonstration. The candidate should demonstrate the ability to generate new ideas, develop novel conceptual models and architectures and validate them with proof-of-concepts and functional prototypes. The candidate must have strong programming skills, in different languages and environments.

Minimum:

• Ph.D. in Computer Science or similar, cybersecurity topic.
• +5 years of experience in cybersecurity, having participated in projects in/for the private sector.
• Experience in complex systems modelling and design.
• Knowledge in vulnerability assessment, attack detection techniques, risk management, threat intelligence.
• Good track of scientific publications.
• Be eligible to obtain NATO/EU Security Clearance.
• English: C1 (CEFR). Fluent in Spanish is a plus, but not required.

Preferred:

• Knowledge in cyber situational awareness or related field, such as dynamic risk management, cyber mission impact assessment, predictive intelligence, visual analytics.
• Knowledge in big data, data mining, machine learning.

If you are interested, please submit your CV in PDF format to the contact person.

Closing date for applications: 31 December 2017

Contact: Dr. Jorge Lopez Hernandez-Ardieta

Head of Cybersecurity Product Innovation

jlhardieta at minsait.com

More information: http://www.indracompany.com/en

Cybernetica\'s Information Security Institute has an open position for a

SENIOR RESEARCHER

We are looking for applicants that complement our existing competencies and at the same time have necessary abilities to lead an independent industrial research group.

The list of potential topics of interest includes but is not limited to

• new directions in cryptography (especially post-quantum cryptography),

• cryptanalysis,

• formal methods (sociotechnical risk models, protocol analysis),

• privacy-preserving computations,

• data mining and/or machine learning for security,

• secure software and systems development,

• hardware-level and embedded systems security (Internet-of-Things, smart cards, side channel attacks).

We stress once more that the previous list is not exhaustive. We a looking for a candidate who creates synergies with our existing senior researchers.

Successful applicant has a

• PhD degree in computer science, mathematics, software engineering or in a closely related field, together with a

• proven track record showing academic and/or industrial performance in the field of computer security or cryptography.

We offer

• opportunity to integrate new research activities into Cybernetica\'s R&D portfolio, as well as to contribute to existing themes;

• to work with, learn from, and teach highly qualified professionals, both in research and development;

• to be part of, and improve the Estonian e-society;

• (reasonable) funds to set up your research environment, should your research topics require the purchase or rent of specialized hardware, high-performance computing resources, etc;

• funds to hire a junior researcher working on your research topics;

• being part of a growing team either in our Tallinn or Tartu office;

• flexible working hours.

Closing date for applications: 15 November 2017

Contact: Helena Sarapuu

Head of HR

Cybernetica AS

E-mail: job (at) cyber.ee

Address: Mäealuse 2/1, 12618 Tallinn, Estonia

More information: https://cyber.ee/en/research/

Singapore University of Technology and Design (SUTD) is a young university which was established in collaboration with MIT. iTrust is a Cyber Security Research Center with about 15 multi-discipline faculty members from SUTD. It has the world’s best facilities in cyber-physical systems (CPS) including testbeds for Secure Water Treatment (SWaT), Water Distribution (WADI), Electric Power and Intelligent Control (EPIC), and IoT. (See more info at https://itrust.sutd.edu.sg/research/testbeds/)

I am looking for PhD interns with interest in cyber-physical system security (IoT, autonomous vehicle, and power grid etc.), especially on the topics such as 1) Lightweight and low-latency crypto algorithms for CPS devices, 2) Resilient authentication of devices and data in CPS, 3) Advanced SCADA firewall to filter more sophisticated attacking packets in CPS, 4) Big data based threat analytics for detection of both known and unknown threats, 5) Attack mitigation to increase the resilience of CPS. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Contact: Prof. Jianying Zhou

Email:  jianying_zhou (at) sutd.edu.sg

Home:  http://jianying.space/  

Closing date for applications: 31 October 2017

Contact: Prof. Jianying Zhou

More information: http://jianying.space/

Event date: 9 July to 11 July 2018
Submission deadline: 5 February 2018
Notification: 5 April 2018

Event date: 1 October to 13 April 2018
Submission deadline: 13 April 2018
Notification: 13 June 2018

Event date: 7 May to 9 May 2018
Submission deadline: 7 January 2018
Notification: 20 February 2018

Recently, Döttling and Garg (CRYPTO 2017) showed how to build identity-based encryption (IBE) from a novel primitive termed Chameleon Encryption, which can, in turn, be realized from simple number theoretic hardness assumptions such as the computational Diffie-Hellman assumption (in groups without pairings) or the factoring assumption. In a follow-up work (TCC 2017), the same authors showed that IBE can also be constructed from a slightly weaker primitive called One-Time Signatures with Encryption (OTSE).

In this work, we show that OTSE can be instantiated from hard learning problems such as the Learning With Errors (LWE) and the Learning Parity with Noise (LPN) problems. This immediately yields the first IBE construction from the LPN problem and a construction based on a weaker LWE assumption compared to previous works.

Finally, we show that the notion of one-time signatures with encryption is also useful for the construction of key-dependent-message (KDM) secure public-key encryption. In particular, our results imply that a KDM-secure public key encryption can be constructed from any KDM-secure secret-key encryption scheme and any public-key encryption scheme.

In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoff between data complexity $D$ and time complexity $T$ against the problem of cardinality $N$ is $D^2 \cdot T^2 =N$ and $D \cdot T^6 = N^3$ in the best and worst case scenarios to the adversary respectively, while the classic attack requires $D\cdot T = N$. This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for $T$ by limiting the maximum $D$ to be below $2^{n/2}$ according to the classical tradeoff $D\cdot T = N$. Those schemes are broken if quantum offline computations are performed by adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H$^2$-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.