International Association for Cryptologic Research


IACR News


26 January 2018

Incheon, Korea, 4 June 2018
Event Calendar
Event date: 4 June 2018
Submission deadline: 29 January 2018
Notification: 10 March 2018
Naples, Italy, 30 September - 3 October 2018
Event Calendar
Event date: 30 September to 3 October 2018
Rio de Janeiro, Brazil, 8 July - 13 July 2018
Event Calendar
Event date: 8 July to 13 July 2018
Submission deadline: 1 February 2018
Notification: 15 March 2018
Darmstadt, Germany, 3 December - 4 December 2018
Event Calendar
Event date: 3 December to 4 December 2018
Submission deadline: 22 June 2018
Notification: 22 August 2018
University of Surrey, Surrey Centre for Cyber Security, UK
Job Posting
This is a “rolling advert” with a nominal closing date of 31 March 2018. Applications are welcome at any time and the timing of the selection process will be dependent on the applications received.

Disclaimer: This position is funded by HM Government and is available only to UK citizens.

Surrey Centre for Cyber Security (SCCS) at the University of Surrey invites applications for a fully-funded PhD position in Cryptography to work on a research project focusing on the design, analysis and development of multi-factor authentication protocols.

The successful candidate will be working under supervision of Dr Mark Manulis (Principal Supervisor, http://www.manulis.eu) and Dr Thanassis Giannetsos (Co-Supervisor).

Successful applicants are expected to hold a Bachelor's or Master's degree in Information Security, Computer Science, Mathematics or a related discipline, completed with at least 2:1 honours, and to have strong background knowledge and technical skills (incl. programming skills) in cryptography and/or information/cyber security. A related research-oriented BSc final year project or MSc dissertation will strengthen the candidate's profile. We particularly welcome applications from current students who are projected to fulfil the above criteria and complete their degree in 2018.

The appointed candidate will receive a tax-free PhD stipend of GBP 22,000 per year for 3.5 years of PhD studies within which the candidate is expected to submit their PhD thesis. This stipend is significantly higher than an average PhD stipend in the UK. Additional funding is available to support presentation of research results at international conferences, participation in PhD summer schools and other scientific events, and engagement with industry.

Prior to submitting your application please contact us by email.

Closing date for applications: 31 March 2018

Contact: Mark Manulis
m.manulis (at) surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=007418

University of Edinburgh
Job Posting
Worried about surveillance? Concerned about mistakes in security proofs and bugs in software? Curious about what blockchain technology will look like after the crypto-currency bubble?

At the University of Edinburgh we design new techniques for IOHK's Cardano blockchain based on scientific principles, using mathematical proofs, modern programming languages, and formal semantics. Join as a Postdoc or PhD student to work on anti-surveillance, blockchain technology, multi-party computation, and zero-knowledge. Multiple positions are available.

To apply, send your CV with a cover letter and two letters of recommendation. The positions are available until filled.

Closing date for applications: 28 February 2018

Contact: Markulf Kohlweiss, mkohlwei (at) ed.ac.uk

More information: http://web.inf.ed.ac.uk/security-privacy

University of Oxford
Job Posting
We invite applications for a 3-year Postdoctoral Research position to join the Cryptography Group at the Mathematical Institute, University of Oxford. This is a fixed-term position available from 1st Feb 2018 or as soon as possible thereafter.

Candidates should possess (or be about to obtain) a PhD in computer science or a mathematical science-related subject, with a strong cryptography/security background (experience in any area of cryptography is welcome, e.g., public key/symmetric key, post-quantum cryptography, etc.), a good publication record, and the motivation to explore (and partially work on) new subjects, namely distributed ledger/blockchain technology/financial cryptography.

Closing date for applications: 15 February 2018

Contact: For an informal discussion about the position, please contact Ali El Kaafarani (ali.elkaafarani (at) maths.ox.ac.uk)

More information: http://www.maths.ox.ac.uk/node/27252


25 January 2018

Alexei Zamyatin, Nicholas Stifter, Aljosha Judmayer, Philipp Schindler, Edgar Weippl, William J. Knottenbelt
ePrint Report
The loosely defined terms hard fork and soft fork have established themselves as descriptors of different classes of upgrade mechanisms for the underlying consensus rules of (proof-of-work) blockchains. Recently, a novel approach termed velvet fork, which expands upon the concept of a soft fork, was outlined. Specifically, velvet forks intend to avoid the possibility of disagreement caused by a change of rules by rendering modifications to the protocol backward compatible and inclusive of legacy blocks. We present an overview and definitions of these different upgrade mechanisms and outline their relationships. In doing so, we highlight examples where velvet forks or similar constructions are already actively employed in Bitcoin and other cryptocurrencies. Furthermore, we expand upon the concept of velvet forks by proposing possible applications and discussing potentially arising security implications.
Claude Carlet, Xi Chen
ePrint Report
The correlation immunity of Boolean functions is a property related to cryptography, to error correcting codes, to orthogonal arrays (in combinatorics, which was also a domain of interest of S. Golomb) and, in a slightly looser way, to sequences. Correlation-immune Boolean functions (in short, CI functions) have the property of keeping the same output distribution when some input variables are fixed. They have been widely used as combiners in stream ciphers to resist the Siegenthaler correlation attack. Very recently, a new use of CI functions has appeared in the framework of side channel attacks (SCA). To reduce the cost overhead of countermeasures to SCA, CI functions need to have low Hamming weights. This poses new challenges, since the known constructions, which are based on properties of the Walsh-Hadamard transform, do not allow one to build unbalanced CI functions. In this paper, we propose constructions of low-weight dth-order CI functions based on the Fourier-Hadamard transform, whereas the known constructions of resilient functions are based on the Walsh-Hadamard transform. We first prove a simple but powerful result, which means that one need only consider the case where d is odd in further research. Then we investigate how to construct low Hamming weight CI functions through the Fourier-Hadamard transform (which behaves well with respect to the multiplication of Boolean functions). We use the characterization of CI functions by the Fourier-Hadamard transform and introduce a related general construction of CI functions by multiplication. By using the Kronecker product of vectors, we obtain more constructions of low-weight d-CI Boolean functions. Furthermore, we present a method to construct low-weight d-CI Boolean functions by making additional restrictions on the supports built from the Kronecker product.
Anubhab Baksi, Shivam Bhasin, Jakub Breier, Mustafa Khairallah, Thomas Peyrin
ePrint Report
In this article, we propose a new method to protect block cipher implementations against Differential Fault Attacks (DFA). Our strategy, called "Tweak-in-Plaintext", ensures that an uncontrolled value (the "tweak-in") is inserted into some part of the block cipher plaintext, thus effectively rendering DFA much harder to perform. Our method is extremely simple yet presents many advantages compared to previous solutions proposed at AFRICACRYPT 2010 or CARDIS 2015. Firstly, we do not need any tweakable block cipher, nor any related-key security assumption (we do not perform any re-keying). Moreover, performance for lightweight applications is improved, and we do not need to send any extra data. Finally, our scheme can be directly used with standard block ciphers such as AES or PRESENT. Experimental results show that the throughput overheads for incorporating our scheme into AES-128 range between $\approx 5\%$ and $\approx 26.9\%$ for software, and between $\approx 3.1\%$ and $\approx 25\%$ for hardware implementations, depending on the tweak-in size.
Gideon Samid
ePrint Report
Generally, ciphers project a fixed measure of security, defined by the complexity of their algorithms. Alas, threat is variable, and should be met with matching security. It is useless to project insufficient security, and it is wasteful and burdensome to over-secure data. BitFlip comes with threat-adjustable flexibility, established via: (i) a smart decoy strategy, (ii) parallel encryption, (iii) uniform letter frequency adjustment – tools which enable the BitFlip user to (a) adjust its ciphertexts to match the appraised threat, and (b) sustain security levels for aging keys. The use of these threat-adjusting tools may be automated to allow (1) AI engines to enhance the security service of the cipher, and (2) remote hard-to-access IoT devices to keep aging keys useful and preserve precious energy by matching security to the ad-hoc threat level. BitFlip may also be operated in a zero-leakage mode where no attributes of a conversation are disclosed, up to full steganographic levels. BitFlip security is two-dimensional: intractability and equivocation, both of which may be conveniently increased to meet quantum cryptanalytic attacks.
Maki Yoshida, Satoshi Obana
ePrint Report
In this paper, we point out flaws in an existing verifiably multiplicative secret sharing (VMSS) scheme. Namely, we show that a scheme proposed by Yoshida and Obana at ICITS 2017 is insecure against an adversary who corrupts a single player. We then show that in the model of ICITS 2017, which restricts the decoder to be additive, error-free verification is impossible. We further show that by allowing a general class of decoders, which includes linear ones, the scheme is error-free.

24 January 2018

Susan Hohenberger, Brent Waters
ePrint Report
In this work we construct efficient aggregate signatures from the RSA assumption in the synchronized setting. In this setting, the signing algorithm takes as input a (time) period $t$ as well as the secret key and message. A signer should sign at most once for each $t$. A set of signatures can be aggregated so long as they were all created for the same period $t$. Synchronized aggregate signatures are useful in systems where there is a natural reporting period, such as log and sensor data, or for signatures embedded in a blockchain protocol, where the creation of an additional block is a natural synchronization event.

We design a synchronized aggregate signature scheme that works for a bounded number of periods $T$ that is given as a parameter to a global system setup. The big technical question is whether we can create solutions that will perform well with the large $T$ values that we might use in practice. For instance, if one wanted signing keys to last up to ten years and be able to issue signatures every second, then we would need to support a period bound of upwards of $2^{28}$.

We build our solution in stages where we start with an initial solution that establishes feasibility, but has an impractically large signing time where the number of exponentiations and prime searches grows linearly with $T$. We prove this scheme secure in the standard model under the RSA assumption with respect to honestly-generated keys. We then provide a tradeoff method where one can tradeoff the time to create signatures with the space required to store private keys. One point in the tradeoff is where each scales with $\sqrt{T}$.

Finally, we reach our main innovation which is a scheme where both the signing time and storage scale with $\lg{T}$ which allows for us to keep both computation and storage costs modest even for large values of $T$. Conveniently, our final scheme uses the same verification algorithm, and has the same distribution of public keys and signatures as the first scheme. Thus we are able to recycle the existing security proof for the new scheme.

We also show how to extend our results to the identity-based setting in the random oracle model, which can further reduce the overall cryptographic overhead. We conclude with a detailed evaluation of the signing time and storage requirements for various practical settings of the system parameters.

23 January 2018

Jintai Ding, Saraswathy RV, Saed Alsayigh, Crystal Clough
ePrint Report
We use the signal function from RLWE key exchange to derive an efficient zero knowledge authentication protocol to validate an RLWE key $p=as+e$ with secret $s$ and error $e$ in the Random Oracle Model (ROM). With this protocol, a verifier can validate that a key $p$ presented to him by a prover $P$ is of the form $p=as+e$ with $s,e$ small and that the prover knows $s$. We accompany the description of the protocol with a proof showing that it has negligible soundness and completeness error. The soundness of our protocol relies directly on the hardness of the RLWE problem. The protocol is applicable to both LWE and RLWE, but we focus on the RLWE-based protocol for efficiency and practicality. We also present a variant of the main protocol with a commitment scheme to avoid using the ROM.
Elba, Italy, 2 June - 10 June 2018
Event Calendar
Event date: 2 June to 10 June 2018
Bergamo, Italy, 16 July - 18 July 2018
Event Calendar
Event date: 16 July to 18 July 2018
Submission deadline: 30 March 2018
Notification: 21 May 2018
Benjamin Dowling, Kenneth G. Paterson
ePrint Report
WireGuard (Donenfeld, NDSS 2017) is a recently proposed secure network tunnel operating at layer 3. WireGuard aims to replace existing tunnelling solutions like IPsec and OpenVPN, while requiring less code and being more secure, more performant, and easier to use. The cryptographic design of WireGuard is based on the Noise framework. It makes use of a key exchange component which combines long-term and ephemeral Diffie-Hellman values (along with optional preshared keys). This is followed by the use of the established keys in an AEAD construction to encapsulate IP packets in UDP. To date, WireGuard has received no rigorous security analysis. In this paper, we rectify this. We first observe that, in order to prevent Key Compromise Impersonation (KCI) attacks, any analysis of WireGuard's key exchange component must take into account the first AEAD ciphertext from initiator to responder. This message effectively acts as a key confirmation and makes the key exchange component of WireGuard a 1.5 RTT protocol. However, the fact that this ciphertext is computed using the established session key rules out a proof of session key indistinguishability for WireGuard's key exchange component, limiting the degree of modularity that is achievable when analysing the protocol's security. To overcome this proof barrier, and as an alternative to performing a monolithic analysis of the entire WireGuard protocol, we add an extra message to the protocol. This is done in a minimally invasive way that does not increase the number of round trips needed by the overall WireGuard protocol. This change enables us to prove strong authentication and key indistinguishability properties for the key exchange component of WireGuard under standard cryptographic assumptions.
Thijs Laarhoven, Artur Mariano
ePrint Report
Most algorithms for hard lattice problems are based on the principle of rank reduction: to solve a problem in a $d$-dimensional lattice, one first solves one or more problem instances in a sublattice of rank $d - 1$, and then uses this information to find a solution to the original problem. Existing lattice sieving methods, however, tackle lattice problems such as the shortest vector problem (SVP) directly, and work with the full-rank lattice from the start. Lattice sieving further seems to benefit less from starting with reduced bases than other methods, and finding an approximate solution takes almost as long as finding an exact solution. These properties currently set sieving apart from other methods.

In this work we consider a progressive approach to lattice sieving, where we gradually introduce new basis vectors only when the sieve has stabilized on the previous basis vectors. This leads to improved (heuristic) guarantees on finding approximate shortest vectors, a bigger practical impact of the quality of the basis on the run-time, better memory management, a smoother and more predictable behavior of the algorithm, and significantly faster convergence: compared to traditional approaches, we save a factor of $20$ to $40$ in the time complexity for SVP.

20 January 2018

Beijing, China, 30 May - 1 June 2018
Event Calendar
Event date: 30 May to 1 June 2018
Submission deadline: 5 March 2018
Notification: 26 March 2018

19 January 2018

Onboard Security
Job Posting
LOCATION: WILMINGTON, MA, U.S.

Position Overview

OnBoard Security delivers world-class research and consulting services in secure communications, network security architecture, PKI, and security for connected vehicles and the Internet of Things. During your paid 3-month internship, you will support research projects on a variety of cryptography topics.

Required Qualifications

Course studies in Computer Science, Mathematics, or a related field with a strong record of academic performance. Master's and Ph.D. students are welcome to apply.

The intern will be conducting innovative research in at least one of the following areas:

  • Homomorphic encryption
  • Lattice based signatures
  • Group signatures and ring signatures
  • Efficient cryptographic implementations
  • Lattice-based cryptanalysis

Knowledge of the following areas is considered a strong plus:

  • NTRU and other lattice-based cryptography
  • Sage, Magma, Pari/GP, NTL, or similar software.
  • Lattice algorithms such as BKZ, Sieving, Enumeration, etc.
  • Trusted Platform Module (TPM) and trusted computing.

Salary

  • Up to $4500/month.
  • Starting date is flexible.

Contact us

If you can picture yourself diving into lattice-based cryptography research projects as part of a great team, contact us immediately at HR@onboardsecurity.com

OnBoard Security is an equal opportunity employer - M/F/Vets/Disabled

Closing date for applications: 18 July 2018
