International Association
for Cryptologic Research

The security for authenticated encryption schemes is often captured by demanding CCA security (IND-CCA) and integrity of plaintexts (INT-PTXT). In this short note, we prove that this implies in particular integrity of ciphertexts, i.e., INT-CTXT. Hence, the two sets of requirements mentioned in the title are equivalent.

In this paper, we describe a new Las Vegas algorithm to solve the elliptic curve discrete logarithm problem. The algorithm depends on a property of the group of rational points of an elliptic curve and is thus not a generic algorithm. The algorithm that we describe has some similarities with the most powerful index-calculus algorithm for the discrete logarithm problem over a finite field.

Succinct non-interactive arguments (SNARGs) enable verifying NP computations with significantly less complexity than that required for classical NP verification. In this work, we focus on simultaneously minimizing the proof size and the prover complexity of SNARGs. Concretely, for a security parameter $\lambda$, we measure the asymptotic cost of achieving soundness error $2^{-\lambda}$ against provers of size $2^\lambda$. We say a SNARG is quasi-optimally succinct if its proof length is $\tilde{O}(\lambda)$, and that it is quasi-optimal, if moreover, its prover complexity is only polylogarithmically greater than the running time of the classical NP prover. We show that this definition is the best we could hope for assuming that NP does not have succinct proofs. Our definition strictly strengthens the previous notion of quasi-optimality introduced in the work of Boneh et al. (Eurocrypt 2017).

This work gives the first quasi-optimal SNARG for Boolean circuit satisfiability from a concrete cryptographic assumption. Our construction takes a two-step approach. The first is an information-theoretic construction of a quasi-optimal linear multi-prover interactive proof (linear MIP) for circuit satisfiability. Then, we describe a generic cryptographic compiler that transforms our quasi-optimal linear MIP into a quasi-optimal SNARG by relying on the notion of linear-only vector encryption over rings introduced by Boneh et al. Combining these two primitives yields the first quasi-optimal SNARG based on linear-only vector encryption. Moreover, our linear MIP construction leverages a new robust circuit decomposition primitive that allows us to decompose a circuit satisfiability instance into several smaller circuit satisfiability instances. This primitive may be of independent interest.

Finally, we consider (designated-verifier) SNARGs that provide optimal succinctness for a non-negligible soundness error. Concretely, we put forward the notion of "1-bit SNARGs" that achieve soundness error 1/2 with only one bit of proof. We first show how to build 1-bit SNARGs from indistinguishability obfuscation, and then show that 1-bit SNARGs also suffice for realizing a form of witness encryption. The latter result highlights a two-way connection between the soundness of very succinct argument systems and powerful forms of encryption.

We study the isogeny graphs of supersingular elliptic curves over finite fields, with an emphasis on the vertices corresponding to elliptic curves of $j$-invariant 0 and 1728.

Event date: 25 March to 28 March 2019
Submission deadline: 1 March 2018
Notification: 1 May 2018

The Security and Privacy group at Birmingham seeks applications for two new permanent posts in cyber security. One appointments will be made at Lecturer level, the other at Lecturer, Senior Lecturer or Reader.

Candidates are expected to have established research profiles commensurate with their career stage, as well as appropriate ability to engage with teaching, attracting research funding, and administration. The area of expertise is open within cyber security, but we particularly welcome applicants from researchers specialising in systems security or the intersection of security with AI/machine learning or HCI.

The Security and Privacy group currently consists of eleven academics and is recognised by NCSC/EPSRC as an Academic Centre of Excellence in Cyber Security Research. Current members of the group are: Rami Bahsoon, Ian Batten, Tom Chothia, David Galindo, Flavio Garcia, Mihai Ordean, David Oswald, Dave Parker, Christophe Petit, Eike Ritter, Mark Ryan. The current research focus of the group includes: applied cryptography, formal methods, automotive security, hardware and embedded devices security, cloud security, electronic voting, and security and privacy for society.

Closing date for applications: 25 February 2018

Contact: Professor Mark Ryan, m.d.ryan[at]cs.bham.ac.uk

More information: http://sec.cs.bham.ac.uk/#vacancies

The Security & Privacy group at TU Wien is currently looking for

outstanding Ph.D. and postdoc applicants, with a particular focus on

• web security
• formal methods for security and privacy
• cryptocurrencies
• applied cryptography and privacy-enhancing technologies

Outstanding candidates in other disciplines are also encouraged to apply. These positions are supported by ERC, FWF, FFG grants and internal funding.

The employment is full-time (40 hrs/week) and the salary is internationally competitive (the entry-level gross salary per year is approx. 39K for PhD students and 52K per postdoc).

Interested candidates should send

• a motivation letter
• transcript of records (for Ph.D. applicants)
• a research statement (for postdoc applicants)
• a publication list
• a curriculum vitae

• contact information for two referees

to matteo.maffei (at) tuwien.ac.at.

The first application deadline is March 1, 2018: applications received by then will receive full consideration but positions will be filled continuously also later on.

Postdoc applicants are expected to have an outstanding publication record, while Ph.D. applicants should have an excellent transcript of records.

The working language in the group is English, knowledge of German is not required.

TU Wien offers an outstanding research environment and numerous professional development opportunities. The Faculty of Informatics is the largest one in Austria and is consistently ranked

among the best in Europe. Ph.D. students have the possibility to join the LogiCS doctoral school. Vienna features a vibrant and excellence-driven research landscape, with several leading research institutes (e.g., IST, AIT, SBA, RIAT) and universities continuously establishing collaborations in various fields, including cybersecurity. Finally, Vienna has been consistently ranked by Mercer over the last years the best city for quality of life worldwide.

Closing date for applications: 1 March 2018

Contact: Matteo Maffei

More information: https://secpriv.tuwien.ac.at/thesis_and_job_opportunities/

As a Post-Quantum Crypto Researcher, you will:

• Design, implement and deploy cryptographic algorithms covering asymmetric quantum-safe crypto covering both but not limited to: key exchange algorithms and digital signature schemes.

• Conduct research and development in lattice-based, code-based or hash-based cryptosystems.

• Perform security assessments of either crypto-primitives or cryptosystems at the theoretical and implementation level.

• Work closely with the secure communications team and other teams in the organization to design end-to-end secure communication protocols using state-of-the art and customized cryptographic algorithms and primitives.

• Be involved in the integration of developed cryptosystems within DarkMatter products

Closing date for applications: 30 April 2018

Contact: Sheila Morjaria OR Mehdi Messaoudi

More information: http://grnh.se/ur3ywb1

As a Cryptography Hardware Engineer, you will:

• Design, implement and deploy cryptographic algorithms on hardware covering symmetric and asymmetric crypto covering but not limited to: post-quantum cryptosystems, block and stream ciphers.

• Conduct research and development in hardware implementation and optimization and side-channel countermeasures.

• Perform security assessments of either crypto-primitives or cryptosystems at the theoretical and implementation level.

• Work closely with the secure communications team and other teams in the organization to design end-to-end secure communication protocols using state-of-the art and customized cryptographic algorithms and primitives.

• Be involved in the integration of developed cryptosystems within DarkMatter products.

Closing date for applications: 30 July 2018

Contact: Sheila Morjaria OR Mehdi Messaoudi

More information: http://grnh.se/cb1a0l1

A hash function family is called correlation intractable if for all sparse relations, it is hard to find, given a random function from the family, an input-output pair that satisfies the relation (Canetti et al., STOC 98). Correlation intractability (CI) captures a strong Random-Oracle-like property of hash functions. In particular, when security holds for all sparse relations, CI suffices for guaranteeing the soundness of the Fiat-Shamir transformation from any constant round, statistically sound interactive proof to a non-interactive argument. However, to date, the only CI hash function for all sparse relations (Kalai et al., Crypto 17) is based on general program obfuscation with exponential hardness properties.

We construct a simple CI hash function for arbitrary sparse relations, from any symmetric encryption scheme that satisfies some natural structural properties, and in addition guarantees that key recovery attacks mounted by polynomial-time adversaries have only exponentially small success probability - even in the context of key-dependent messages (KDM). We then provide parameter settings where ElGamal encryption and Regev encryption plausibly satisfy the needed properties. Our techniques are based on those of Kalai et al., with the main contribution being substituting a statistical argument for the use of obfuscation, therefore greatly simplifying the construction and basing security on better-understood intractability assumptions.

In addition, we extend the definition of correlation intractability to handle moderately sparse relations so as to capture the properties required in proof-of-work applications (e.g. Bitcoin). We also discuss the applicability of our constructions and analyses in that regime.

Satisfiability modulo theories or SMT can be stated as a generalization of Boolean satisfiability problem or SAT. The core idea behind the introduction of SMT solvers is to reduce the complexity through providing more information about the problem environment.

In this paper, we take advantage of a similar idea and feed the SMT solver itself, by extra information provided through middle state Cube characteristics, to introduce a new method which we call SMT-based Cube Attack, and apply it to improve the success of the solver in attacking reduced-round versions of the Simeck32/64 lightweight block cipher.

We first propose a new algorithm to find cubes with most number of middle state characteristics. Then, we apply these obtained cubes and their characteristics as extra information in the SMT definition of the cryptanalysis problem, to evaluate its effectiveness. Our cryptanalysis results in a full key recovery attack by 64 plaintext/ciphertext pairs on 12 rounds of the cipher in just 122.17 seconds. This is the first practical attack so far presented against the reduced-round versions of Simeck32/64.

We also conduct the cube attack on the Simeck32/64 to compare with the SMT-based cube attack. The results indicate that the proposed attack is more powerful than the cube attack.

In the past years, the security of Bitcoin-like protocols has been intensively studied. However, previous investigations are mainly focused on the single-mode version of Bitcoin protocol, where the protocol is running among full nodes (miners). In this paper, we initiate the study of multi-mode cryptocurrency protocols. We generalize the recent framework by Garay et al. (Eurocrypt 2015) with new security definitions that capture the security of realistic cryptocurrency systems (e.g. Bitcoin with full and lightweight nodes). We provide the first rigorous security model for addressing the "blockchain bloat" issue. As an immediate application of our new framework, we analyze the security of existing blockchain pruning proposals for Bitcoin aiming to improve the storage efficiency of network nodes by pruning unnecessary information from the ledger.

We study instantiating the random permutation of the block-cipher mode of operation IAPM (Integrity-Aware Parallelizable Mode) with the public random permutation of Keccak, on which the draft standard SHA-3 is built. IAPM and the related mode OCB are single-pass highly parallelizable authenticated-encryption modes, and while they were originally proven secure in the private random permutation model, Kurosawa has shown that they are also secure in the public random permutation model assuming the whitening keys are uniformly chosen with double the usual entropy. In this paper, we show a general composability result that shows that the whitening key can be obtained from the usual entropy source by a key-derivation function which is itself built on Keccak. We stress that this does not follow directly from the usual indifferentiability of key-derivation function constructions from Random Oracles. We also show that a simple and general construction, again employing Keccak, can also be used to make the IAPM scheme key-dependent-message secure. Finally, implementations on modern AMD-64 architecture supporting 128-bit SIMD instructions, and not supporting the native AES instructions, show that IAPM with Keccak runs three times faster than IAPM with AES.

A new paradigm in secure protocol design is to hold parties accountable for misbehaviour instead of postulating that they are trustworthy. Recent approaches in defining this property, called accountability, have highlighted the difficulty of characterising malicious behaviour. So far, no satisfactory solution has been found. Consequently, existing definitions are either not truly protocol agnostic or require complete monitoring of all parties.

To our knowledge, this work is the first to formalize misbehavior in the following sense: a deviation from the behaviour prescribed by the protocol that caused a security violation. We propose a definition for the case where it is known which parties deviated in which respect, and extend this definition to the case where neither these deviations are known, nor the complete trace of the protocol. We point out that, under realistic assumptions, it is impossible to determine all misbehaving parties, however, we show that completeness can be relaxed to exclude spurious causal dependencies. We demonstrate the use of our definition with two case studies, a delegation protocol with a central trusted authority, and an actual accountability protocol from the literature. In both cases, we discover accountability violations and apply our definition to the fixed protocols.

Nested symmetric encryption is a well-known technique for low-latency communication privacy. But just what problem does this technique aim to solve? In answer, we provide a provable-security treatment for onion authenticated-encryption (onion-AE). Extending the conventional notion for authenticated-encryption, we demand indistinguishability from random bits and time-of-exit authenticity verification. We show that the encryption technique presently used in Tor does not satisfy our definition of onion-AE security, but that a construction by Mathewson (2012), based on a strong, tweakable, wideblock PRP, does do the job. We go on to discuss three extensions of onion-AE, giving defini- tions to handle inbound flows, immediate detection of authenticity errors, and corrupt ORs.

Ransomware has become one of the major threats nowadays due to its huge impact and increased rate of infections around the world. CryptoWall 3, was responsible for damages of over 325 millions of dollars, since its discovery in 2015. Recently, another family of ransomware appeared in the cyber space which is called WannaCry over 230.000 computers around the world, in over 150 countries were infected. Ransomware usually uses the RSA algorithm to protect the encryption key and AES for encrypting the files. If these algorithms are correctly implemented then it is impossible to recover the encrypted information. Some attacks, nonetheless, work against the implementation of RSA. These attacks are not against the basic algorithm, but against the protocol. In the following sections we present the fully analysis on three representative ransomware: Spora, DMA Locker and WannaCry.

In this paper, we consider the indistinguishability of XTS in some security models for both full final block and partial final block cases. Firstly, some evaluations of the indistinguishability up-to-block are presented. Then, we present a new security model in which the adversary can not control sector number, based on an $\epsilon$-collision resistant function. In this model, we give a bound of the distinguishing advantage that the adversary can get when attacks on XTS. The received results is an extension of \cite{6}.

In this paper, we consider the implications of parallelizing time-memory tradeoff attacks using a large number of distributed processors. It is shown that Hellman’s original tradeoff method and the Biryukov-Shamir attack on stream ciphers, which incorporates data into the tradeoff, can be effectively distributed to reduce both time and memory, while other approaches are less advantaged in a distributed approach. Distributed tradeoff attacks are specifically discussed as applied to stream ciphers and the counter mode operation of block ciphers, where their feasibility is considered in relation to distributed exhaustive key search. In particular, for counter mode with an unpredictable initial count, we show that distributed tradeoff attacks are applicable, but can be made infeasible if the entropy of the initial count is at least as large as the key. In general, the analyses of this paper illustrate the effectiveness of a distributed tradeoff approach and show that, when enough processors are involved in the attack, it is possible some systems, such as lightweight cipher implementations, may be practically susceptible to attack.

Ph.D. student positions are available starting Fall 2018 in the field of hardware security and reliability in the CSEE Department of University of Maryland, Baltimore County.

UMBC is ranked 55 in Computer Engineering according to US News, and places 7th in the ranking of Most Innovative national universities.

Our group has a strong background in hardware security, reliability, and trust, and in particular in side-channel analysis and fault analysis attacks, IC Counterfeiting, Trojan detection, IP/IC protection, Physically Unclonable Functions (PUFs) and Crypto devices as well as testing and reliability of secure devices.

Requirements:

- M.Sc./B.Sc. in Computer Engineering or Electrical Engineering

- Solid knowledge in Hardware Description Languages (HDL)

- Solid Knowledge in VLSI and digital design

Please contact me with your CV and Statement of Purpose by February 15th.

Naghmeh Karimi, Assistant Professor

Department of Computer Science and Electrical Engineering

University of Maryland, Baltimore County

Baltimore, MD 21250

E-mail: nkarimi (at) umbc.edu

Web: http://www.csee.umbc.edu/~nkarimi/

Closing date for applications: 28 February 2018

Contact: Naghmeh Karimi

Event date: 17 September to 19 September 2018
Submission deadline: 25 April 2018
Notification: 20 June 2018