International Association
for Cryptologic Research

We are seeking applications Research Fellow to work with Prof. Mark Ryan, Dr Flavio Garcia and Dr David Oswald on the EPSRC project ‘User-controlled hardware security anchors: evaluation and designs’, part of the EPSRC/NCSC Research Institute in Hardware Security and Embedded Systems (RISE):

One of the main goals of this project is to promote and facilitate the adoption of TEE as the main trust anchor for our security architectures. We will perform a thorough evaluation of the security features of different TEE implementations to determine their suitability as trust anchors. We will address the limitations of users interacting directly with TEEs through analysing use cases and developing secure interfaces using auxiliary devices and dedicated features. We will investigate opportunities to leverage strong hardware-based security mechanisms to improve both the strength and usability of authentication. We will also build an architecture for designing protocols and user experiences that leverage these hardware security primitives to enhance the security, manageability, and usability of user authentication over existing approaches. The analysis and applications of our research findings will be demonstrated and implemented on suitable platforms including secure hardware, smart devices and integration with authentication tokens.

In addition to holding a first degree in area of specialism and normally, a higher degree (PhD) relevant to research area or equivalent qualifications, applicants should have expertise in one or more of the following: cryptographic protocols; side-channel and fault attacks; implementation of cryptographic protocols using hardware features.

The Security and Privacy Group in the School of Computer Science is recognised by NCSC/EPSRC as an Academic Centre of Excellence in Cyber Security Research. The group is an expanding team of eleven academic staff researching all aspects of computing security and privacy.

Closing date for applications: 3 January 2018

Contact: Prof. Mark Ryan: m.d.ryan (at) cs.bham.ac.uk
Dr Flavio Garcia: F.Garcia (at) bham.ac.uk
Dr David Oswald: d.f.oswald (at) cs.bham.ac.uk

More information: http://www.jobs.ac.uk/job/BFY368/research-fellow-in-cyber-security-hardware

We consider repairable threshold schemes (RTSs), which are threshold schemes that enable a player to securely reconstruct a lost share with help from their peers. We summarise and, where possible, refine existing RTSs and introduce a new parameter for analysis, called the repair metric. We then explore using secure regenerating codes as RTSs and find them to be immediately applicable. We compare all RTS constructions considered and conclude by presenting the best candidate solutions for when either communication complexity or information rate is prioritised.

In this paper we address the construction of privacy-friendly cryptographic primitives for the post-quantum era and in particular accumulators with zero-knowledge membership proofs and ring signatures. This is an important topic as it helps to protect the privacy of users in online authentication or emerging technologies such as cryptocurrencies. Recently, we have seen first such constructions, mostly based on assumptions related to codes and lattices. We, however, ask whether it is possible to construct such primitives without relying on structured hardness assumptions, but solely based on symmetric key primitives. This is interesting because the resistance of latter primitives to quantum attacks is quite well understood.

In doing so, we choose a modular approach and firstly construct an accumulator (with one-way domain) that allows to efficiently prove knowledge of (a pre-image of) an accumulated value in zero-knowledge. We, thereby, take care that our construction can be instantiated solely from symmetric primitives and that our proofs are of sublinear size. Latter is non trivial to achieve in the symmetric setting due to the absence of algebraic structures which are typically used in other settings to make these efficiency gains. Regarding efficient instantiations of our proof system, we rely on recent results for constructing efficient non-interactive zero-knowledge proofs for general circuits. Based on this building block, we then show how to construct logarithmic size ring signatures solely from symmetric-key primitives. As constructing more advanced primitives only from symmetric key-primitives is a very recent field, we discuss some interesting open problems and future research directions. Finally, we want to stress that our work also indirectly impacts other fields: for the first time it raises the requirement for collision resistant hash functions with particularly low AND count.

We propose Tesseract, a secure real-time cryptocurrency exchange service. Centralized exchange designs are vulnerable to theft of funds, while decentralized exchanges cannot offer real-time cross-chain trades. All the existing exchanges are also vulnerable frontrunning attacks. Tesseract overcomes these flaws by using a trusted execution environment, specifically Intel SGX.

The task of committing the recent trades data to independent cryptocurrency systems presents an all-or-nothing fairness problem, that can be solved by means of SPV proofs or multiple SGX-enabled servers. Tesseract also mitigates denial-of-service attacks by running a consensus protocol among SGX-enabled servers.

Tesseract supports not only real-time cross-chain cryptocurrency trading, but also a secure method to tokenize assets pegged to various cryptocurrencies. For instance, Tesseract-tokenized bitcoins can circulate on the Ethereum blockchain for use in smart contracts.

We provide a reference implementation of Tesseract that supports Bitcoin, Ethereum, and similar cryptocurrencies.

Event date: 1 January 2019
Submission deadline: 22 March 2018

Event date: 28 May to 30 May 2018
Submission deadline: 19 February 2018
Notification: 2 April 2018

The Department of Computer Science/Surrey Centre for Cyber Security at the University of Surrey seeks to recruit an outstanding post-doctoral researcher in the field of privacy-oriented cryptography for a full-time position (24 months, salary £30,688 to £31,604 per annum) by February 2017.

The post is part of the EPSRC-funded research project “TAPESTRY: Trust, Authentication and Privacy over a DeCentralised Social Registry”. Successful applicant will be working on the design and analysis of privacy-preserving cryptographic protocols under the supervision of Dr Mark Manulis and will benefit from the environment provided by the Surrey Centre for Cyber Security (SCCS, http://sccs.surrey.ac.uk/).

Applicants are expected to have core skills in the design and security analysis of privacy-oriented cryptographic protocols (e.g. zero-knowledge proofs, anonymous credentials, etc). Experience in implementation of cryptographic protocols is a plus. They should hold a PhD or be close to the completion of their PhD studies and be able to drive their own research direction.

Closing date for applications: 17 December 2017

Contact: Dr. Mark Manulis at m.manulis (at) surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=079116-R-R

Singapore University of Technology and Design (SUTD) is a young university established in collaboration with MIT. Security is one of its major focuses. SUTD hosts the iTrust and STE-SUTD centres for research in cyber security.

I am looking for highly motivated PhD students who are interested in conducting research in blockchain or network security.

I am also looking for postdocs interest in blockchain systems.

You can find more information at https://pszal.github.io/open_positions

Closing date for applications: 1 April 2018

Contact: Pawel Szalachowski

pawel (at) sutd.edu.sg

More information: https://pszal.github.io/open_positions

Multiple competitively-funded Ph.D. student positions are available starting Fall 2018 (all documents submitted by January 15, 2018) to work on different aspects of Cryptographic Engineering in the CSE department at USF.

USF is an R1 university and among the leading institutions in Florida. We are looking for motivated, talented, and hardworking applicants who have background and are interested in working on different aspects of Cryptographic Engineering with emphasis on:

- Cryptographic hardware systems

- Side-channel attacks, particularly fault and power analysis attacks

The required expertise includes:

- Masters (or Bachelors with outstanding background) in Computer Engineering or Electrical Engineering

- Solid background in digital design, VLSI, computer arithmetic, and ASIC/FPGA implementations

- Solid HDL expertise

- Outstanding English (if English tests are taken) to be eligible for department funding

- Motivation to work beyond the expectations from an average Ph.D. student and publish in top tier venues

Please closely observe the admission requirement details here before emailing:

http://www.usf.edu/engineering/cse/graduate/phd-program.aspx

Please send me your updated CV (including list of publications, language test marks, and references), transcripts for B.Sc. (and/or M.Sc.), and a statement of interest at mehran2 (at) usf.edu as soon as possible.

NOTE: At this time, I consider only the applicants who have already taken TOEFL/IELTS and GRE exams with excellent marks (application deadline: Jan. 15th, 2018). The successful candidate will be asked to apply formally very soon to the USF CSE department, so all the material has to be ready.

Mehran Mozaffari-Kermani

Assistant Professor, CSE @ USF

College of Engineering

University of South Florida

Tampa, FL 33620

Website: http://www.csee.usf.edu/~mehran2/

Closing date for applications: 1 February 2018

Contact: Mehran Mozaffari-Kermani

Symbolic methods for reasoning about the security of cryptographic systems have for some time concentrated mainly on protocols. More recently, however, we see a rising interest in the use of symbolic methods to reason about the security of algorithms as well, especially algorithms that are built by combining well-defined primitives. For this kind of application two things are generally required: the ability to reason about term algebras obeying equational theories at the symbolic level, and the ability to prove computational soundness and completeness of the symbolic model. It is often challenging to provide both these capabilities, especially for an adaptive adversary that can perform chosen plaintext or ciphertext attacks. In this paper we derive sound and complete symbolic criteria for computational security against adaptive chosen plaintext attacks of a class of modes of encryption. These apply to any scheduling policy used to send the cipher text, ranging from the messagewise schedule, in which ciphertext blocks are sent to the adversary only after all the plaintext blocks have been received, to the blockwise schedule, in which ciphertext blocks are sent as soon as they are computed. We also discuss how this approach could extended to larger classes of modes, and how could it be applied to the automatic synthesis of cryptosystems.

Recently a lot of attention is paid to the search for efficiently implementable MDS matrices for lightweight symmetric primitives. Previous work concentrated on locally optimizing the multiplication with single matrix elements. Separate from this line of work, several heuristics were developed to find shortest linear straight-line programs. Solving this problem actually corresponds to globally optimizing multiplications by matrices.

In this work we combine those, so far largely independent line of works. As a result, we achieve implementations of known, locally optimized, and new MDS matrices that significantly outperform all implementations from the literature. Interestingly, almost all previous locally optimized constructions behave very similar with respect to the globally optimized implementation.

As a side effect, our work reveals the so far best implementation of the AES MixColumns operation with respect to the number of XOR operations needed.

Suppose a server holds a long text string and a receiver holds a short pattern string. Secure pattern matching allows the receiver to learn the locations in the long text where the pattern appears, while leaking nothing else to either party besides the length of their inputs. In this work we consider secure wildcard pattern matching WPM, where the receiver's pattern is allowed to contain wildcards that match to any character.

We present SWiM, a simple and fast protocol for WPM that is heavily based on oblivious transfer (OT) extension. As such, the protocol requires only a small constant number of public-key operations and otherwise uses only very fast symmetric-key primitives. SWiM is secure against semi-honest adversaries. We implemented a prototype of our protocol to demonstrate its practicality. We can perform WPM on a DNA text (4-character alphabet) of length $10^5$ and pattern of length $10^3$ in just over 2 seconds, which is over two orders of magnitude faster than the state-of-the-art scheme of Baron et al. (SCN 2012).

The HFEv- signature scheme is one of the most studied multivariate schemes and one of the major candidates for the upcoming standardization of post-quantum digital signature schemes. In this paper, we propose three new attack strategies against HFEv-, each of them using the idea of projection. Especially our third attack is very effective and is, for some parameter sets, the most efficient known attack against HFEv-. Furthermore, our attack requires much less memory than direct and rank attacks. By our work, we therefore give new insights in the security of the HFEv- signature scheme and restrictions for the parameter choice of a possible future standardized HFEv- instance.

Picnic is a practical approach to digital signatures where the security is largely based on the existence of a one-way function, and the signature size strongly depends on the number of multiplications in the description of that one-way function. The highly parameterizable block cipher family LowMC has the most competitive properties with respect to this metric, and is hence a standard choice. In this paper we study various options for efficient implementations of LowMC in-depth.

First, we investigate optimizations of the linear layer of LowMC independently of any implementation optimizations. By decomposing the round key computations based on the keys' effect on the S-box layer and general optimizations, we reduce runtime costs by up to 40 % and furthermore reduce the size of the LowMC matrices by around 55 % compared to the original Picnic implementation (CCS'17).

Second, we propose a Feistel structure using smaller matrices completely replacing the remaining large matrix multiplication in LowMC's linear layer. With this approach we achieve an operation count logarithmic in the blocksize, but more importantly improve over Picnic's constant-time matrix multiplication by 60 % while retaining a constant-time algorithm. Furthermore, this technique also enables us to reduce the memory requirements for the LowMC matrices by 50 %.

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to ``identify a portfolio of authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption.'' Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.a. whether or not it can tolerate nonce misuse, and what is the maximal data complexity for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting "Robustness" in CAESAR as the ability to mitigate damage even if security guarantees are void, we describe attacks with birthday complexity or beyond, and/or with nonce reuse for each of the 15 candidates. We then sort the candidates into classes depending on how powerful does an attacker need to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful for e.g. breaking ties in the final CAESAR discussions.

Zero-knowledge arguments of knowledge are powerful cryptographic primitives that allow a computationally strong prover to convince a weaker verifier for the validity of an NP statement, without revealing anything about the corresponding witness (beyond its existence). Most state-of-the-art implementations of such arguments that achieve succinct communication and verification cost follow the quadratic arithmetic program paradigm. One notable exception to this is the vSQL system of [Zhang et al. IEEE S&P 2017] which takes an entirely different approach resulting is significantly fewer cryptographic operations. However, it has the notable downside that is not zero-knowledge (i.e., it does not hide the witness from the verifier), a property that has proven to be of utmost importance in many application (e.g., in cryptocurrencies). In this work, we present a zero-knowledge version of the argument upon which vSQL is based. Our construction utilizes two separate techniques: (i) a novel zero-knowledge verifiable polynomial delegation protocol, and (ii) running parts of the argument of vSQL over homomorphic commitments, thus hiding the committed values.

Cloud database systems such as Amazon RDS or Google Cloud SQL enable the outsourcing of a large database to a server who then responds to SQL queries. A natural problem here is to efficiently verify the correctness of responses returned by the (untrusted) server. In this paper we present vSQL, a novel cryptographic protocol for publicly verifiable SQL queries on dynamic databases. At a high level, our construction relies on two extensions of the CMT interactive-proof protocol [Cormode et al., 2012]: (i) supporting outsourced input via the use of a polynomial-delegation protocol with succinct proofs, and (ii) supporting auxiliary input (i.e., non-deterministic computation) efficiently. Compared to previous verifiable-computation systems based on interactive proofs, our construction has verification cost polylogarithmic in the auxiliary input (which for SQL queries can be as large as the database) rather than linear.

In order to evaluate the performance and expressiveness of our scheme, we tested it on SQL queries based on the TPC-H benchmark on a database with $6 \times 10^6$ rows and $13$ columns. The server overhead in our scheme (which is typically the main bottleneck) is up to $120\times$ lower than previous approaches based on succinct arguments of knowledge (SNARKs), and moreover we avoid the need for query-dependent pre-processing which is required by optimized SNARK-based schemes. In our construction, the server/client time and the communication cost are comparable to, and sometimes smaller than, those of existing customized solutions which only support specific queries.

Rotating Sbox Masking (RSM) scheme is a lightweight and highly efficient first-order masking scheme proposed to protect cryptographic implementations like AES from side channel attacks. It is a Low Entropy Masking Scheme (LEMS) and has attracted special attention from academia and industry with its low overhead and high performance. The two public targets of DPA Contest v4 are both RSM-masked AES implementations, specifically, AES-256 (namely RSM-AES-256) for v4.1 and AES-128 (namely RSM-AES-128) for v4.2 respectively. The security of RSM-AES-256 was intensively studied by researchers worldwide under the framework of DPA Contest and several flaws were identified. Its improved version is RSM-AES-128, in which several pitfalls of RSM-AES-256 were fixed. However, the practical security of RSM-AES-128 is still not thoroughly studied. In this paper, we focus on analyzing the practical security of RSM-AES-128 from a profiling attack point of view. Specifically, we firstly present a Multivariate Template Attack (MTA) to maximize the success rates of key recovery. Next, we propose a new Depth-First Key Enumeration Algorithm (DFKEA) that could be applied to find the correct key efficiently after a side channel attack. By combining the DFKEA to our MTA, we propose a novel multivariate profiling attack scheme which could recover the secret key of RSM-AES-128 with over 95% possibility only using one trace. It is the best attack among all attacks submitted to DPA Contest Official up to now. After thoroughly analyzed our attack scheme and RSM-AES-128, we finally present two proposals to improve the practical security of this implementation at an acceptable overhead and performance loss.

Supersingular isogeny-based cryptography is one of the more recent families of post-quantum proposals. An interesting feature is the comparatively low bandwidth occupation in key agreement protocols, which stems from the possibility of key compression. However, compression and decompression introduce a significant overhead to the overall processing cost despite recent progress. In this paper we address the main processing bottlenecks involved in key compression and decompression, and suggest substantial improvements for each of them. Some of our techniques may have an independent interest for other, more conventional areas of elliptic curve cryptography as well.

Private information retrieval (PIR) is a key building block in many privacy-preserving systems. Unfortunately, existing constructions remain very expensive. This paper introduces two complementary techniques that make the computational variant of PIR (CPIR) more efficient in practice. The first technique targets a recent class of CPU-efficient CPIR protocols where the PIR query sent by the client is a vector containing a number of ciphertexts proportional to the size of the server’s database. We propose a new method to compresses this vector into a single ciphertext, thereby reducing network costs by over 120X.

The second technique is a new data encoding called a probabilistic batch code (PBC). We use PBCs to build a multi-query PIR scheme that allows the server to amortize the computational cost of processing a batch of requests. The protocol achieves a 6.7X speedup over processing queries one at a time, and is significantly more efficient than related encodings. We apply our techniques to the Pung unobservable communication system which relies on a custom multi-query CPIR protocol for its privacy guarantees. Replacing Pung’s protocol with our schemes, we find that we can simultaneously reduce network costs by 33X and increase throughput by 2X.