International Association
for Cryptologic Research

Tweakable block ciphers are important primitives for designing cryptographic schemes with high security. In the absence of a standardized tweakable block cipher, constructions built from classical block ciphers remain an interesting research topic in both theory and practice. Motivated by Mennink's F[2] publication from 2015, Wang et al. proposed 32 optimally secure constructions at ASIACRYPT'16, all of which employ two calls to a classical block cipher each. Yet, those constructions were still limited to n-bit keys and n-bit tweaks. Thus, applications with more general key or tweak lengths still lack support. This work proposes the XHX family of tweakable block ciphers from a classical block cipher and a family of universal hash functions, which generalizes the constructions by Wang et al. First, we detail the generic XHX construction with three independently keyed calls to the hash function. Second, we show that we can derive the hash keys in efficient manner from the block cipher, where we generalize the constructions by Wang et al.; finally, we propose efficient instantiations for the used hash functions.

This paper presents the first practical fault attack on the ChaCha family of addition-rotation-XOR (ARX)-based stream ciphers. ChaCha has recently been deployed for speeding up and strengthening HTTPS connections for Google Chrome on Android devices. In this paper, we propose differential fault analysis attacks on ChaCha without resorting to nonce misuse. We use the instruction skip and instruction replacement fault models, which are popularly mounted on microcontroller-based cryptographic implementations. We corroborate the attack propositions via practical fault injection experiments using a laser-based setup targeting an Atmel AVR 8-bit microcontroller-based implementation of ChaCha. Each of the proposed attacks can be repeated with $100\%$ accuracy in our fault injection setup, and can recover the entire 256 bit secret key using 5-8 fault injections on an average.

We present the first practically realizable side-channel assisted fault attack on PRESENT, that can retrieve the last round key efficiently using single nibble faults. The attack demonstrates how side-channel leakage can allow the adversary to precisely determine the fault mask resulting from a nibble fault injection instance. We first demonstrate the viability of such an attack model via side-channel analysis experiments on top of a laser-based fault injection setup, targeting a PRESENT-80 implementation on an ATmega328P microcontroller. Subsequently, we present a differential fault analysis (DFA) exploiting the knowledge of the output fault mask in the target round to recover multiple last round key nibbles independently and in parallel. Both analytically and through experimental evidence, we show that the combined attack can recover the last round key of PRESENT with 4 random nibble fault injections in the best case, and around 7-8 nibble fault injections in the average case. Our attack sheds light on a hitherto unexplored vulnerability of PRESENT and PRESENT-like block ciphers that use bit-permutations instead of maximum distance separable (MDS) layers for diffusion.

In this paper, using probability transition matrix, at first we revisit the work of Mantin on finding the probability distribution of RC4 permutation after the completion of KSA. After that, we extend the same idea to analyse the probabilities during any iteration of Pseudo Random Generation Algorithm. Next, we study the bias $Z_r=r$ (where $Z_r$ is the $r$-th output keystream bit), which is one of the significant biases observed in RC4 output keystream. This bias has played an important role in the plaintext recovery attack proposed by Isobe et al. in FSE 2013. However, the accurate theoretical explanation of the bias of $Z_r=r$ is still a mystery. Though several attempts have been made to prove this bias, none of those provides accurate justification. Here, using the results found with the help of probability transition matrix we justify this bias of $Z_r=r$ accurately and settle this issue. The bias obtained from our proof matches perfectly with the experimental observations.

In the paper, we study the security of 3-line generalized Feistel network, which is a considerate choice for some special needs, such as designing a 96-bit cipher based on a 32-bit round function. We show key recovery attacks on 3-line generic balanced Feistel-2 and Feistel-3 based on the meet-in-the-middle technique in the chosen ciphertext scenario. In our attacks, we consider the key size is as large as one-third of the block size. For the first network, we construct a 9-round distinguisher and launch a 10-round key-recovery attack. For the second network, we show a 13-round distinguisher and give a 17-round attack based on some common assumptions.

The advent of Bitcoin paved the way for a plethora of blockchain systems supporting diverse applications beyond cryptocurrencies. Although in-depth studies of the protocols, security, and privacy of blockchains are available, there is no formal model of the transaction semantics that a blockchain is supposed to guarantee.

In this work, we fill this gap, motivated by the observation that the semantics of transactions in blockchain systems can be captured by a directed acyclic graph. Such a transaction graph, or TDAG, generally consists of the states and the transactions as transitions between the states, together with conditions for the consistency and validity of transactions. We instantiate the TDAG model for three prominent blockchain systems: Bitcoin, Ethereum, and Hyperledger Fabric. We specify the states and transactions as well as the validity conditions of the TDAG for each one. This demonstrates the applicability of the model and formalizes the transaction-level semantics that these systems aim for.

In this work, we settle the relations among a variety of security notions related to non-malleability and CCA-security that have been proposed for commitment schemes in the literature. Interestingly, all our separations follow from two generic transformations. Given two appropriate security notions X and Y from the class of security notions we compare, these transformations take a commitment scheme that fulfills notion X and output a commitment scheme that still fulfills notion X but not notion Y.

Using these transformations, we are able to show that some of the known relations for public-key encryption do not carry over to commitments. In particular, we show that, surprisingly, parallel non-malleability and parallel CCA-security are not equivalent for commitment schemes. This stands in contrast to the situation for public-key encryption where these two notions are equivalent as shown by Bellare et al. at CRYPTO ‘99.

Naveed, Kamara, and Wright (CCS 2015) applied classical frequency analysis to carry out devastating inference attacks on databases in which the columns are encrypted with deterministic and order-preserving encryption. In this paper, we propose another classical technique, homophonic encoding, as a means to combat these attacks. We introduce and develop the concept of frequency-smoothing encryption (FSE) which provably prevents inference attacks in the snapshot attack model, wherein the adversary obtains a static snapshot of the complete encrypted database, while preserving the ability to efficiently make encrypted queries to the database. We provide provably secure constructions for FSE schemes, and we empirically assess their security for concrete parameters by evaluating them against real data. We show that frequency analysis attacks (and optimal generalisations of them for the FSE setting) no longer succeed. Finally, we discuss extending our schemes to take advantage of the full generality and power of our stateful FSE framework.

Blockchains based on proofs of work (PoW) currently account for more than 90% of the total market capitalization of existing digital cryptocurrencies. The security of PoW-based blockchains requires that new transactions are verified, making a proper replication of the blockchain data in the system essential. While existing PoW mining protocols offer considerable incentives for workers to generate blocks, workers do not have any incentives to store the blockchain. This resulted in a sharp decrease in the number of full nodes that store the full blockchain, e.g., in Bitcoin, Litecoin, etc. However, the smaller is the number of replicas or nodes storing the replicas, the higher is the vulnerability of the system against compromises and DoS-attacks. In this paper, we address this problem and propose a novel solution, EWoK (Entangled proofs of WOrk and Knowledge). EWoK regulates in a decentralized-manner the minimum number of replicas that should be stored by tying replication to the only directly-incentivized process in PoW-blockchains—which is PoW itself. EWoK only incurs small modifications to existing PoW protocols, and is fully compliant with the specifications of existing mining hardware—which is likely to increase its adoption by the existing PoW ecosystem. EWoK plugs an efficient in-memory hash-based proof of knowledge and couples them with the standard PoW mechanism. We implemented EWoK and integrated it within commonly used mining protocols, such as GetBlockTemplate and Stratum mining; our results show that EWoK can be easily integrated within existing mining pool protocols and does not impair the mining efficiency.

We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only $2\log_2(n)+9$ group and field elements, where $n$ is the bit length of the range. Proof generation and verification times are linear in $n$.

Bulletproofs greatly improve on the linear (in $n$) sized range proofs currently used to implement Confidential Transactions (CT) in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that $m$ commitments lie within a given range by providing only an additive $O(\log(m))$ group elements over the length of a {\em single} proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication.

Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The efficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains.

Event date: 18 June to 19 June 2018
Submission deadline: 18 February 2018
Notification: 31 March 2018

The Department of Computer Science at the University of Surrey is seeking to recruit a full-time researcher to the “Voting on Ledger Technologies” project funded by EPSRC under the “Applications of Distributed Ledger Technologies” call. This post is on the topic of online voting, and builds on Surrey’s previous work on secure electronic voting. The research will be to investigate the use of Distributed Ledger Technology in supporting verifiability properties within electronic voting systems, and to design and develop a proof-of-concept system in conjunction with projects partners Monax (providers of the Ledger Technology) and Electoral Reform Services (who provide voting services).

The University of Surrey is recognized by the National Cyber Security Centre as one of only fourteen Academic Centres of Excellence in Cyber Security Research. Its security related research is focused on protocol analysis, security verification, trusted computing, data privacy, access control, privacy preserving security, cryptography, and distributed ledger technologies.

The position offers the platform for the research fellow to work within a group and develop skills to become an independent researcher. The successful candidate will work under the direction of Professor Steve Schneider, together with Dr Francois Dupressoir and Dr Helen Treharne. The project is also collaborative with King’s College London.

We are looking for applicants that demonstrate strong research and analytical skills, have strong communication skills and enthusiasm for developing their own research ideas. Applicants should also have skills in software engineering for web applications, and an understanding of computer security and basic cryptography. Knowledge of Distributed Ledger Technologies would be an advantage.

Applicants should have a PhD in a relevant subject or equivalent professional experience. The post is available to start by January 1st 2018, and runs in the first instance to August 2019.

Salary: £30,688 to £39,992 per annum

Closing date for applications: 23 November 2017

Contact: Professor Steve Schneider

Professor in Secure Systems

Department of Comoputer Science, Guildford, Surrey, GU2 7XH

s.schneider (at) surrey.ac.uk

More information: https://jobs.surrey.ac.uk/Vacancy.aspx?ref=034017-R

This is a post-doc position at the Department of Mathematics of Aalborg University, associated to the 3-year interdepartamental project SECURE.

The position is part of the workpackage Secure Computation of the project above, and the central task consists in evaluating the applicability of the different existing results in secure multiparty computation to the algorithms used in control theory and developing new results/optimizations in this setting.

We are looking for a postdoc that has strong background on mathematics. The ideal candidate has expertise in cryptography and more specifically secure computation but candidates from associated areas are also welcome.

The project starts in January 2018 and hence we would like a candidate that starts then or shortly thereafter. The deadline for the application is 29th November and the applications needs to be done through the following webpage: http://www.stillinger.aau.dk/vis-stilling/?vacancy=939782 .

Closing date for applications: 29 November 2017

Contact: Ignacio Cascudo, Associate Professor, Department of Mathematics, Aalborg University.

Email: ignacio (at) math.aau.dk

More information: http://www.stillinger.aau.dk/vis-stilling/?vacancy=939782

The Cryptolux team of the University of Luxembourg is offering a 3 year Postdoc position in Cryptography. Candidates with proven publication record (at least one paper in top 10 security conferences) and interests in one or several of the following areas are welcome to apply:

- Design and analysis of symmetric cryptographic primitives

- Side-channel attacks on block ciphers and countermeasures

- Financial cryptography, crypto-currencies, blockchain tech

- Privacy enhancing technologies

- White-box cryptography

We offer

You will work in an exciting international environment and will have the opportunity to participate in the development of a large IT security-focused research center (>200 people researching all aspects of IT security). The University offers highly competitive salaries and is an equal opportunity employer.

Applications, written in English, should be submitted by e-mail and should include:

• Curriculum Vitae (including your contact address, photo, work experience, publications)

• A research statement indicating your interests, main achievements, motivation (max 1 page)

Closing date for applications: 15 January 2018

Contact: Prof. Alex Biryukov

More information: https://www.cryptolux.org/index.php/Home

Applications are invited for a postdoctoral research assistant position in the Information Security Group (ISG) at Royal Holloway, University of London, to work in the area of post-quantum cryptography. The goal of this industry-funded two-year project is to investigate and propose novel methods and techniques for hardware implementation of popular and promising post-quantum cryptographic schemes.

The post is based at Royal Holloway’s main campus in Egham, Surrey, within commuting distance from London. The successful applicant will work with Prof Carlos Cid, Dr Martin Albrecht and other members of the ISG, in the research of efficient and secure hardware implementations of post-quantum cryptographic schemes. The researcher will consider the specific mathematical structure and features of these schemes, and will investigate the most suitable algorithmic and parameter choices for FPGA implementations. Moreover, potential trade-offs involving implementation costs, speed and scalability will be evaluated, considering for example the deployment in particular environments.

We are looking for a candidate with a PhD degree in a relevant subject and strong background and experience in FPGA implementation, ideally of cryptographic algorithms. The post will last for two years and the ideal candidate should be able to start should be able to start as soon as possible.

Established in 1990, the Information Security Group at Royal Holloway was one of the first dedicated academic groups in the world to conduct research and teaching in information security. The ISG is today a world-leading interdisciplinary research group with 20 full-time members of staff, 10 post-doctoral research assistants and over 50 PhD students working on a range of subjects in cyber security, in particular cryptography.

Closing date for applications: 10 December 2017

Contact: Carlos Cid (carlos.cid (at) rhul.ac.uk), Martin Albrecht (martin.albrecht (at) rhul.ac.uk)

More information: https://jobs.royalholloway.ac.uk/vacancy.aspx?ref=0817-306-R

In cloud storage service, public auditing mechanisms allow a third party to verify integrity of the outsourced data on behalf of data users without the need to retrieve data from the cloud server. Recently, Shen et al. proposed a new lightweight and privacy preserving cloud data auditing scheme which employs a third party medium to perform time-consuming operations on behalf of users. The authors have claimed that the scheme meets the security requirements of public auditing mechanisms. In this paper, we propose two attacks against Shen et al.'s scheme. In the first attack, an active adversary who is involved in the protocol, can forge a valid authenticator on an arbitrarily modified data block. In the second attack, the dishonest cloud server arbitrarily manipulates the received data blocks, and in both attacks data manipulation is not detected by the auditor in the verification phase. Accordingly, the scheme is insecure for cloud storage auditing.

Private set intersection is an important area of research and has been the focus of many works over the past decades. It describes the problem of finding an intersection between the input sets of at least two parties without revealing anything about the input sets apart from their intersection.

In this paper, we present a new approach to compute the intersection between sets based on a primitive called Oblivious Linear Function Evaluation (OLE). On an abstract level, we use this primitive to efficiently add two polynomials in a randomized way while preserving the roots of the added polynomials. Setting the roots of the input polynomials to be the elements of the input sets, this directly yields an intersection protocol with optimal asymptotic communication complexity $O(m\kappa)$. We highlight that the protocol is information-theoretically secure assuming OLE.

We also present a natural generalization of the 2-party protocol for the fully malicious multi-party case. Our protocol does away with expensive (homomorphic) threshold encryption and zero-knowledge proofs. Instead, we use simple combinatorial techniques to ensure the security. As a result we get a UC-secure protocol with asymptotically optimal communication complexity $O((n^2+nm)\kappa)$, where $n$ is the number of parties, $m$ is the set size and $\kappa$ the security parameter. Apart from yielding an asymptotic improvement over previous works, our protocols are also conceptually simple and require only simple field arithmetic.

Along the way we develop tools that might be of independent interest.

In this paper we investigate the sparse structure of the superpoly in cube attack, and further reduce the complexity of superpoly recovery.

We apply our technique to stream cipher TRIVIUM and KREYVIUM. For TRIVIUM, benefited from our techniques, we, for the first time, can recover the superpoly of 833-rounds with cube dimension 73, and complexity $2^{76.91}$. Furthermore, for 833-rounds, we can find a new cube of dimension 74, with only one secret key bit involved, thus the complexity is $2^{75}$. For 839-rounds, we find a cube of dimension 78, with only one secret key bit involved in the superpoly.

For KREYVIUM, the lower complexity evaluation enables us to recover the superpoly of 849-rounds with time complexity of $2^{81.7}$. Moreover, we find a new cube of dimension 102, which can achieve 888-rounds with complexity $2^{111.38}$. So far as we know, all of our results are the best.

A secret-sharing scheme for a monotone Boolean (access) function $F: \{0,1\}^n \to \{0,1\}$ is a randomized algorithm that on input a secret, outputs $n$ shares $s_1,\ldots,s_n$ such that for any $(x_1,\ldots,x_n) \in \{0,1\}^n$, the collection of shares $ \{ s_i : x_i = 1 \}$ determine the secret if $F(x_1,\ldots,x_n)=1$ and reveal nothing about the secret otherwise. The best secret sharing schemes for general monotone functions have shares of size $\Theta(2^n)$. It has long been conjectured that one cannot do much better than $2^{\Omega(n)}$ share size, and indeed, such a lower bound is known for the restricted class of linear secret-sharing schemes.

In this work, we *refute* two natural strengthenings of the above conjecture:

-- First, we present secret-sharing schemes for a family of $2^{2^{n/2}}$ monotone functions over $\{0,1\}^n$ with sub-exponential share size $2^{O(\sqrt{n} \log n)}$. This *unconditionally* refutes the stronger conjecture that circuit size is a lower bound on the share size.

-- Second, we disprove the analogous conjecture for non-monotone functions. Namely, we present non-monotone secret-sharing schemes for *every* access function over $\{0,1\}^n$ with shares of size $2^{O(\sqrt n \log n)}$.

Our construction draws upon a rich interplay amongst old and new problems in information-theoretic cryptography: from secret-sharing, to multi-party computation, to private information retrieval. Along the way, we also construct the first multi-party conditional disclosure of secrets (CDS) protocols for general functions $F:\{0,1\}^n \rightarrow \{0,1\}$ with communication complexity $2^{O(\sqrt n \log n)}$.

We are looking for highly motivated and qualified candidate to fill PhD or PostDoc position for research in system security and applied cryptography. Specific topics include:

• Side channel attacks and mitigations

• System security for IoT, mobile and Cloud systems

• Trusted computing and trusted execution environments

• Applied cryptography

• Secure microarchitectures

As ideal candidate, you are highly motivated, knowledgeable in security and willing to perform creative and deep research. You have a degree in computer science, electronics or applied mathematics. Prior experience in low-level programming, code analysis, cryptography and/or machine learning are an asset. Publications at relevant conferences such as USENIX Security, CCS, S&P, CHES, CRYPTO, EUROCRYPT are expected for PostDoc applications.

The brand-new Institute for IT Security at University of Lübeck performs research on various topics in IT security. We offer an attractive working environment as part of an international cutting-edge research team, at the shores of the Baltic sea.

Please provide a resume, transcripts, a motivational statement and contact information of at least two references.

Closing date for applications: 15 December 2017

Contact: Thomas Eisenbarth thomas.eisenbarth (at) uni-luebeck.de

More information: https://www.its.uni-luebeck.de/en/jobs.html