International Association for Cryptologic Research


IACR News


19 February 2018

Technische Universität Darmstadt, Germany
Job Posting
The Engineering Cryptographic Protocols (ENCRYPTO) Group at TU Darmstadt is looking for a research assistant (doctoral researcher / PhD student) in Scalable Cryptographic Protocols.

The ENCRYPTO group is member of the Center for Research in Security and Privacy (CRISP) and the profile area Cybersecurity at TU Darmstadt (CYSEC). We develop methods and tools to optimize and automatically generate cryptographic protocols. See http://encrypto.de for details.

The candidate will do cutting-edge research on cryptographic protocols that scale to real-world problem sizes, including secure multi-party computation and private information retrieval.

The candidate is expected to have a completed Master (or equivalent) degree with excellent grades in IT security, computer science, electrical engineering, mathematics, or a closely related field. Solid knowledge in IT security, applied cryptography, efficient algorithms, circuit design, and excellent programming skills are required. Additional knowledge in cryptographic protocols, parallel computing, compiler construction, programming languages, and software engineering is a plus.

Review of applications starts immediately until the position is filled.

More details and info on how to apply: http://encrypto.de/jobs/CRISP2018

Closing date for applications:

Contact: Thomas Schneider, thomas.schneider (at) crisp-da.de

More information: http://encrypto.de/jobs/CRISP2018

University of Surrey, Guildford, UK
Job Posting
Surrey Centre for Cyber Security (SCCS) is the heart of the cyber security activities across the University of Surrey. It is one of the 14 Academic Centres of Excellence in Cyber Security Research (ACEs-CSR) recognised by the UK Government Communications Headquarters (GCHQ) in partnership with the Engineering and Physical Sciences Research Council (EPSRC).

The student will be based in the Department of Computer Science at the University of Surrey, UK. The PhD project aims at exploring post-quantum cryptography in blockchain technology. The candidate may need to do research in the following areas (but not limited to): blockchain (cryptocurrencies, smart contracts), distributed consensus protocols, and post-quantum cryptography (signatures, encryption). We expect the candidate to undertake not only theory-centred research but also some level of implementation.

The candidate should be passionate about applied research and development of cutting-edge security technologies. With a strong desire to work on problems with real-world impact and commercial value, the candidate is expected to conduct high-quality applied research by working closely with a team of security domain experts. (Highly motivated, independent and resourceful team player, strong analytical thinking, interpersonal and problem solving skills)

Entry Requirements

Essential:

1. Bachelor degree in Computer Science, Computer Engineering, Mathematics, Electrical Engineering, or related field (UK equivalent of 2:1 classification or above)

2. Interest in cryptography and information security

3. Adequate programming skills in Java, C/C++, Python

4. Fluent written and verbal communication skills in English

Desirable:

1. Master degree in Computer Science, Computer Engineering, Mathematics, Electrical Engineering, or related field (UK equivalent of Merit classification or above)

2. Knowledge of post-quantum cryptography and block-chain

3. Strong programming skills in Java, C/C++, Python

Closing date for applications: 31 March 2018

Contact: Dr. Kaitai Liang, email: k.liang (at) surrey.ac.uk

More information: http://www.jobs.ac.uk/job/BHD180/phd-opportunity-in-exploring-post-quantum-cryptography-into-block-chain-technology/

Karlstad University, Sweden
Job Posting
Karlstad University, Sweden, has an opening for a full-time PhD position in Computer Science in the fields of computer security, privacy, and computer networking on secure and privacy-preserving networked systems.

The PhD student will work on secure and privacy-preserving networked systems within the research profile High Quality Networked Services in a Mobile World (HITS), funded by the Knowledge Foundation of Sweden, and a recently accepted EU H2020 innovation action. Duties include applied cryptography, reasoning about security and privacy properties of cryptographic systems, and constructing provably secure systems. Experience with secure logging, Certificate Transparency, or blockchain-related systems is of particular relevance. Further, the PhD student is expected to contribute to research across research areas at the Computer Science subject to analyse and engineer networked systems. The networked systems relate to technologies such as software-defined networking, programmable data planes, and network middleboxes that analyse network traffic.

The duties will be performed within both national and international research projects with collaborating academic and industry partners. A successful candidate needs to have excellent written and spoken English, a solid background in the previously mentioned technologies and research areas, good programming experience, be strongly motivated to deconstruct highly complex networked systems, and the ability to develop into an independent researcher.

A PhD student in Sweden is employed, pays no fees related to the PhD position, and has a decent monthly salary. The position is limited to four years. If the PhD student takes other research, teaching or administrative tasks besides her/his PhD research, it can be prolonged for up to one more year. Democratic principles, equality and diversity are cornerstones of the University. We value the enriching presence of diverse backgrounds and competencies among students and staff.

Closing date for applications: 11 March 2018

Contact: Tobias Pulls, senior lecturer +46 (0) 54-700 24 75, tobias.pulls (at) kau.se

More information: https://kau.varbi.com/en/what:job/jobID:193337/


17 February 2018

Panaji, Goa, India, 11 November - 14 November 2018
TCC
Event date: 11 November to 14 November 2018
Submission deadline: 17 May 2018
Notification: 30 August 2018
Barcelona, Spain, 3 September - 7 September 2018
Event Calendar
Event date: 3 September to 7 September 2018
Submission deadline: 18 April 2018
Notification: 5 June 2018

14 February 2018

University College Cork, Ireland
Job Posting
The School of Computer Science & Information Technology (CSIT) invites applications for the position of (Full) Professor of Computer Science. The School strategy is to expand its research and teaching in the area of cyber-security, and candidates with such expertise are especially encouraged to apply. Applications from candidates with expertise in other areas of computer science will also be considered. The School seeks to appoint an outstanding academic leader who will contribute to its research-led teaching ethos and play a key role in the School’s future development.

The School of CSIT has 26 full-time academic staff and offers degrees at bachelors, masters and doctoral level. It has very close engagement with industry sponsors, including those in the cluster of over 20 cyber-security companies that are based in Cork. The School has a strong research track record, and ranked very highly in the recent Research Quality Review. Professors in the School have leadership roles in three large-scale national research centres: CONNECT – Research Centre for Future Networks; Insight – Centre for Data Analytics; and Lero – Irish Software Research Centre. For further information on the School, please visit https://www.ucc.ie/en/compsci/

Appointment may be made on the Professorial Salary Scale: €111,196 – €140,962 (Scale B), €109,129-€133,980 (Scale A). In all instances the successful appointment will be at the first point of the scale. For an information package including full details of the post, selection criteria and application process see https://www.ucc.ie/hr/vacancies

Closing date for applications: 6 March 2018

Contact: Informal enquiries can be made, in confidence, to the Head of School, Professor Cormac J. Sreenan, head (at) cs.ucc.ie

More information: https://goo.gl/biAAB7

SECAN LAB, University of Luxembourg, Luxembourg
Job Posting
The Interdisciplinary Center for Security, Reliability and Trust (SnT) at the University of Luxembourg is currently offering one position for a Ph.D. student / junior researcher in the areas of privacy, anonymity, and network security.

For further details and how to apply, please visit https://secan-lab.uni.lu/jobs

For further information or for an informal discussion, please contact us by email: secanlab.jobs (at) uni.lu

Closing date for applications: 24 February 2018

Contact: secanlab.jobs (at) uni.lu

More information: https://secan-lab.uni.lu/jobs

Ruhr-University Bochum
Job Posting
The Chair for Security Engineering at Ruhr-University Bochum is looking for excellent Ph.D. candidates with a particular focus on

- security and safety in autonomous systems

- side-channel prevention on the processor level

- formal methods for security and privacy

- applied cryptography in software and hardware

Successful applicants for the open positions will become part of the Horst Görtz Institute for IT-Security (HGI), one of the largest research centers in IT-Security within Europe.

Candidates are invited to apply until February 28. Please include in your application a motivation letter, CV and transcript of records.

For any additional information, please contact Tim Güneysu

Closing date for applications: 28 February 2018

Contact: Tim Güneysu
Chair for Security Engineering, Ruhr-Universität Bochum
Universitätsstr. 150, 44780 Bochum
+49 234 32 24626
tim.gueneysu (at) rub.de

Bram Cohen, Krzysztof Pietrzak
ePrint Report
At ITCS 2013, Mahmoody, Moran and Vadhan [MMV'13] introduce and construct publicly verifiable proofs of sequential work, which is a protocol for proving that one spent sequential computational work related to some statement. The original motivation for such proofs included non-interactive time-stamping and universally verifiable CPU benchmarks. A more recent application, and our main motivation, are blockchain designs, where proofs of sequential work can be used -- in combination with proofs of space -- as a more ecological and economical substitute for proofs of work which are currently used to secure Bitcoin and other cryptocurrencies.

The construction proposed by [MMV'13] is based on a hash function and can be proven secure in the random oracle model, or assuming inherently sequential hash-functions, which is a new standard model assumption introduced in their work.

In a proof of sequential work, a prover gets a "statement" $\chi$, a time parameter $N$ and access to a hash-function $H$, which for the security proof is modelled as a random oracle. Correctness requires that an honest prover can make a verifier accept making only $N$ queries to $H$, while soundness requires that any prover who makes the verifier accept must have made (almost) $N$ sequential queries to $H$. Thus a solution constitutes a proof that $N$ time passed since $\chi$ was received. Solutions must be publicly verifiable in time at most polylogarithmic in $N$.

The construction of [MMV'13] is based on "depth-robust" graphs, and as a consequence has rather poor concrete parameters. But the major drawback is that the prover needs not just $N$ time, but also $N$ space to compute a proof.

In this work we propose a proof of sequential work which is much simpler, more efficient and achieves much better concrete bounds. Most importantly, the space required can be as small as $\log(N)$ (but we get better soundness using slightly more memory than that).

An open problem stated by [MMV'13] that our construction does not solve either is achieving a "unique" proof, where even a cheating prover can only generate a single accepting proof. This property would be extremely useful for applications to blockchains.
Lorenzo Grassi, Christian Rechberger
ePrint Report
Since the development of cryptanalysis of AES and AES-like constructions in the late 1990s, the set of inputs (or a subset of it) which differ only in one diagonal has special importance. It appears in various (truncated) differential, integral, and impossible differential attacks, among others.

In this paper we present new techniques to analyze this special set of inputs that is so versatile, and report on new properties. Classically, in differential cryptanalysis, statements about the probability distribution of output differences, like mean or variance, are of interest. So far such statements were only possible for up to 4 rounds of AES. In this paper we consider the probabilistic distribution of the number of different pairs of corresponding ciphertexts that lie in certain subspaces after 5 rounds. We rigorously prove that the following two properties (independent of any key or constant additions) hold for 5 rounds of the AES permutation:

- the mean value is bigger for AES than for a random permutation;

- the variance is approximately by a factor 36 higher for AES than for a random permutation.

While the distinguisher based on the variance is (almost) independent of the details of the S-Box and of the MixColumns matrix, the mean value distinguisher does depend on the details of the S-Box and may give rise to a new design criterion for S-Boxes.

Of independent interest is the technique that we developed for this rigorous analysis. To the best of our knowledge this seems to be the first time that such a precise differential analysis was performed. Practical implementations and verification confirm our analysis.
Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Eik List, Florian Mendel, Christian Rechberger
ePrint Report
Recent developments in multi party computation (MPC) and fully homomorphic encryption (FHE) promoted the design and analysis of symmetric cryptographic schemes that minimize multiplications in one way or another. In this paper, we propose with Rasta a design strategy for symmetric encryption that has ANDdepth d and at the same time only needs d ANDs per encrypted bit. Even for very low values of d between 2 and 6 we can give strong evidence that attacks may not exist. This contributes to a better understanding of the limits of what concrete symmetric-key constructions can theoretically achieve with respect to AND-related metrics, and is to the best of our knowledge the first attempt that minimizes both metrics simultaneously. Furthermore, we can give evidence that for choices of d between 4 and 6 the resulting implementation properties may well be competitive by testing our construction in the use-case of removing the large ciphertext-expansion when using the BGV scheme.
Sanjam Garg, Peihan Miao, Akshayaram Srinivasan
ePrint Report
We show new constructions of semi-honest and malicious two-round multiparty secure computation protocols using only (a fixed) $\mathsf{poly}(n,\lambda)$ invocations of a two-round oblivious transfer protocol (which use expensive public-key operations) and $\mathsf{poly}(\lambda, |C|)$ cheaper one-way function calls, where $\lambda$ is the security parameter, $n$ is the number of parties, and $C$ is the circuit being computed. All previously known two-round multiparty secure computation protocols required $\mathsf{poly}(\lambda,|C|)$ expensive public-key operations.
Ken Goss, Wei Jiang
ePrint Report
Within recent years, secure comparison protocols have been proposed using binary decomposition and properties of algebraic fields. These have been repeatedly optimized and increased in efficiency, but have seemingly reached a plateau. We propose a new approach to this problem that takes advantage of dynamic group sizes for intermediate calculations and asymmetric computations among participating parties. As a consequence, according to our analysis, communication and computation costs have been brought to a very low and efficient level. Particularly, the communication costs have been considerably reduced both in order as well as the dominating term's order of magnitude. In addition, our proposed protocol requires no secure multi-party multiplication invocations in contrast to those required by the existing protocols, leading to inefficient constructions of secure comparisons.
Zhi Hu, Lin Wang, Chang-An Zhao
ePrint Report
Scalar multiplications are the main operation in the implementation of hyperelliptic curve cryptosystems, where the basic arithmetic of reduced divisor classes is required. In this paper, we derive the explicit formulae for the arithmetic of reduced divisor classes by exploiting Jacobian coordinates introduced by Hisil and Costello when the degenerate divisor is involved. Our results can be regarded as a supplementary study of [1]. An efficiency analysis shows that the degenerate divisor as a base point can be a valid alternative in scalar multiplications as well.
Houssem Maghrebi, Emmanuel Prouff
ePrint Report
Independent Component Analysis (ICA) is a powerful technique for blind source separation. It has been successfully applied to signal processing problems, such as feature extraction and noise reduction, in many different areas including medical signal processing and telecommunication. In this work, we propose a framework to apply ICA to denoise side-channel measurements and hence to reduce the complexity of key recovery attacks. Based on several case studies, we afterwards demonstrate the overwhelming advantages of ICA with respect to the commonly used preprocessing techniques such as the singular spectrum analysis. Mainly, we target a software masked implementation of an AES and a hardware unprotected one. Our results show a significant Signal-to-Noise Ratio (SNR) gain which translates into a gain in the number of traces needed for a successful side-channel attack. This states the ICA as an important new tool for the security assessment of cryptographic implementations.
Kamil Kluczniak, Man Ho Au
ePrint Report
Digital currencies like Bitcoin and other blockchain based systems provide means to record monetary transfers between accounts. In Bitcoin like systems transactions are published on a decentralized ledger and reveal the sender, receiver and amount of a transfer, hence such systems give only moderate anonymity guarantees.

Payment systems like ZCash attempt to offer much stronger anonymity by hiding the origin, destination and value of a payment. The ZCash system is able to offer strong anonymity, mainly due to use of Zero-Knowledge Succinct Non-interactive Arguments of Knowledge (ZK-SNARK) of arithmetic circuit satisfiability. One drawback of ZCash is that the arithmetic circuit is rather large, thus requires a large common reference string and complex prover for the ZK-SNARK. In fact, the memory and prover complexity is dominated by the ZK-SNARK in use and is mainly determined by the complexity of the circuit.

In this paper we design a Decentralized Anonymous Payment system (DAP), functionally similar to ZCash, however with significantly smaller arithmetic circuits, thus greatly reducing the memory and prover complexity of the system. Our construction is based on algebraic primitives, from the realm of elliptic curve and lattice based cryptography, which satisfiability might be efficiently verified by an arithmetic circuit.
Vincent Grosso
ePrint Report
Evaluation of security margins after a side-channel attack is an important step of side-channel resistance evaluation. The security margin indicates the brute force effort needed to recover the key given the leakages. In the recent years, several solutions for key rank estimation algorithms have been proposed. All these solutions give an interesting trade-off between the tightness of the result and the time complexity for symmetric key. Unfortunately, none of them has a linear complexity in the number of subkeys, hence these solutions are slow for large (asymmetric) keys. In this paper, we present a solution to obtain a key rank estimation algorithm with a reasonable trade-off between the efficiency and the tightness that is suitable for large keys. Moreover, by applying backtracking we obtain a parallel key enumeration algorithm.
Chen-Dong Ye, Tian Tian
ePrint Report
In this paper, we study experimental cube attacks against Trivium-like ciphers and we focus on improving nonlinear superpoly recovery. We first present a general framework in cube attacks to test nonlinear superpolies, by exploiting a kind of linearization technique. It is worth noting that, in the new framework, the complexities of testing and recovering nonlinear superpolies are almost the same as those of testing and recovering linear superpolies. To demonstrate the effectiveness of our new attack framework, we do extensive experiments on Trivium, Kreyvium, and TriviA-SC-v2 respectively. We obtain several linear and quadratic superpolies for the 802-round Trivium, which are the best experimental results against Trivium regarding the number of initialization rounds. For Kreyvium, it is shown that the probability of finding a quadratic superpoly using the new framework is twice as large as that of finding a linear superpoly. Hopefully, this new framework will provide some new insights on cube attacks against NFSR-based ciphers, and in particular make nonlinear superpolies potentially useful in future cube attacks.
Benjamin Grégoire, Kostas Papagiannopoulos, Peter Schwabe, Ko Stoffelen
ePrint Report
The cost of higher-order masking as a countermeasure against side-channel attacks is often considered too high for practical scenarios, as protected implementations become very slow. At Eurocrypt 2017, the bounded moment leakage model was proposed to study the (theoretical) security of parallel implementations of masking schemes. Work at CHES 2017 then brought this to practice by considering an implementation of AES with 32 shares, bitsliced inside 32-bit registers of ARM Cortex-M processors. In this paper we show how the NEON vector instructions of larger ARM Cortex-A processors can be exploited to build much faster masked implementations of AES. Specifically, we present AES with 4 and 8 shares, which in theory provide security against 3rd and 7th-order attacks, respectively. The software is publicly available and optimized for the ARM Cortex-A8. We use refreshing and multiplication algorithms that are proven to be secure in the bounded moment leakage model and to be strongly non-interfering. Additionally, we perform a concrete side-channel evaluation on a BeagleBone Black, using a combination of test vector leakage assessment (TVLA), leakage certification tools and information-theoretic bounds.
Felix Wegener, Amir Moradi
ePrint Report
Since the advent of Differential Power Analysis (DPA) in the late 1990s, protecting embedded devices against Side-Channel Analysis (SCA) attacks has been a major research effort. Even though many different first-order secure masking schemes are available today, when applied to the AES S-box they all require fresh random bits in every evaluation. As the quality criteria for generating random numbers on an embedded device are not well understood, an integrated Random Number Generator (RNG) can be the weak spot of any protected implementation and may invalidate an otherwise secure implementation. We present a new construction based on Threshold Implementations and Changing of the Guards to realize a first-order secure AES with zero per-round randomness. Hence, our design does not need a built-in RNG, thereby enhancing security and reducing the overhead.