International Association
for Cryptologic Research

The Cryptography Group and Cybersecurity Group work on a diverse range of topics, spanning from theoretical cryptography, protocols, and implementations/architecture/leakage, to large scale infrastructures and human aspects of security. Jointly the groups have 10 associated academics, nearly as many postdoctoral researchers, and 15 doctoral students. And we are expanding!

This advert is for:

S3 Advancing Leakage Attacks: the aim of the studentship is to experiment with new and advanced techniques to utilise leakage, by e.g. blending it with traditional cryptanalysis, merging it with key ranking strategies, making it less dependent on statistical assumptions via investigation of non-parametric techniques etc. The ideal candidate will have a background in mathematics, or statistics, and cryptography.

Supervisor: Elisabeth Oswald

The studentship S3 supports EU/UK nationals with a tax-free stipend of around 22k GBP. The latest starting date for students is September 30th 2018.

You may apply for one, some, or all advertised studentships simultaneously (please explain your choice in your application). Your application needs to be filed via: http://www.bristol.ac.uk/study/postgraduate/apply/.

This advert has a nominal end date of 1.5.2018, but we will make appointments as soon as we have identified candidates with the right background.

Closing date for applications: 1 May 2018

Contact: Prof. Elisabeth Oswald, Elisabeth.Oswald (at) bristol.ac.uk

The Cryptography Group and Cybersecurity Group work on a diverse range of topics, spanning from theoretical cryptography, protocols, and implementations/architecture/leakage, to large scale infrastructures and human aspects of security. Jointly the groups have 10 associated academics, nearly as many postdoctoral researchers, and 15 doctoral students. And we are expanding!

This advert is for:

S2 Ranking Distinguishers: Modern side channel attack vectors offer increasingly sophisticated trade-offs between the trace complexity of distinguishers and the computational complexity of some associated key ranking procedure. The aim of the studentship is to determine how much computation is required to effectively recover a key using DPA by exploring computationally intensive distinguishers that reduce the cost of the enumeration phase. The ideal candidate will have a background in high performance computing, statistics, or cryptography.

Supervisors: Martijn Stam and Elisabeth Oswald

The studentship S2 supports UK nationals, who need to pass DV clearance, with a tax-free stipend of around 22k GBP. The latest starting date for students is September 30th 2018.

You may apply for one, some, or all advertised studentships simultaneously (please explain your choice in your application). Your application needs to be filed via: http://www.bristol.ac.uk/study/postgraduate/apply/.

This advert has a nominal end date of 1.5.2018, but we will make appointments as soon as we have identified candidates with the right background.

Closing date for applications: 1 May 2018

Contact: Martijn Stam, Martijn.Stam (at) bristol.ac.uk

The Cryptography Group and Cybersecurity Group work on a diverse range of topics, spanning from theoretical cryptography, protocols, and implementations/architecture/leakage, to large scale infrastructures and human aspects of security. Jointly the groups have 10 associated academics, nearly as many postdoctoral researchers, and 15 doctoral students. And we are expanding!

This advert is for:

S1: Usable Abstractions for Secure Programming - A Mental Models Approach: Cryptographic application programming interfaces (APIs) are currently widely used to provide security of communication and information flows in contemporary applications.  Existing research has highlighted that vulnerabilities arise in software due to misunderstanding about the guarantees provided by API functions or unintentional misconfiguration of relevant security parameters. However, little is understood about developers’ mental models that lead to such issues and the misalignment between these  models and the actual functionality the API as intended by developers. The aim of the studentship is to study developers’ mental models of security APIs and to understand any misalignment with correct API usage.  The ideal candidate will have a background in computer science (in particular programming languages) or software engineering and a strong interest in usable security.

Supervisors: Awais Rashid and Bogdan Warinschi

The studentship S1 supports UK nationals, who need to pass DV clearance, with a tax-free stipend of around 22k GBP. The latest starting date for students is September 30th 2018.

You may apply for one, some, or all four studentships simultaneously (please explain your choice in your application). Your application needs to be filed via: http://www.bristol.ac.uk/study/postgraduate/apply/.

This advert has a nominal end date of 1.5.2018, but we will make appointments as soon as we have identified candidates with the right background.

Closing date for applications: 1 May 2018

Contact: Prof. Awais Rashid, Awais.Rashid (at) bristol.ac.uk

Prof. Bogdan Warinschi, Bogdan.Warinschi (at) bristol.ac.uk

We give an efficient decision procedure that, on input two (acyclic) cryptographic expressions making arbitrary use of an encryption scheme and a (length doubling) pseudorandom generator, determines (in polynomial time) if the two expressions produce computationally indistinguishable distributions for any pseudorandom generator and encryption scheme satisfying the standard security notions of pseudorandomness and indistinguishability under chosen plaintext attack. The procedure works by mapping each expression to a symbolic pattern that captures, in a fully abstract way, the information revealed by the expression to a computationally bounded observer. We then prove that if any two (possibly cyclic) expressions are mapped to the same pattern, then the associated distributions are indistinguishable. At the same time, if the expressions are mapped to different symbolic patterns and do not contain encryption cycles, there are secure pseudorandom generators and encryption schemes for which the two distributions can be distinguished with overwhelming advantage.

Event date: 9 September to 12 September 2018
Submission deadline: 15 April 2018
Notification: 15 June 2018

The main objective of the research in the Embedded System Security Group of Laboratoire Hubert Curien is to propose efficient and robust hardware architectures aimed at applied cryptography that are resistant to passive and active cryptographic attacks. More information on:

https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html

For a new project which addresses the problem of the security of hardware implementation of symmetric cipher face to side channel analysis exploited deep learning techniques, we are looking for candidates with an outstanding Master in security or electrical engineering (with applied cryptography/hardware security) skills or computer science (with Deep Laerning skills). Knowledge of French is not mandatory.

The Ph.D. position will start in September 2018, it is funded for 36 months.

To apply please send your detailed CV, motivation for applying (1 page) and names of at least two people who can provide reference letters (e-mail).

Closing date for applications: 20 April 2018

Contact: Prof. Lilian BOSSUET lilian.bossuet(at)univ-st-etienne.fr

The Technische Universität Darmstadt is at the forefront of research in cybersecurity and privacy. Our research team analyzes and improves the state of cybersecurity and privacy in real-world networks and systems. We focus on the Internet, critical infrastructures, business software and industrial control systems. We develop innovative cybersecurity and privacy solutions and work with partners from industry and government agencies. We are involved in international standardization (e.g., IETF). Much of our research is done in collaboration with leading academic and industrial cybersecurity institutions from around the world.

We are seeking highly motivated and qualified candidates who are interested in joining our team and help strengthening our research work. Candidates must have a very good PhD in Computer Science or related field, and must demonstrate practical experience and solid knowledge in cybersecurity. Candidates must be self-motivated and dedicated, independent, and willing to work in an international and excellence-oriented work environment. Our working languages are German and English; if necessary applicants are expected to improve their language skills through intensive language classes. All employees are expected to contribute to our academic teaching program.

All positions are initially for a limited period but may be extended. Compensation follows the Tarifvertrag für die Technische Universität Darmstadt (TV-TU), corresponding to the candidate’s qualifications and responsibilities.

The Technische Universität Darmstadt aims at increasing the number of female researchers and therefore explicitly encourages women to apply. Severely handicapped will be preferred, given equal qualification.

Applications must include a professional CV, copies of diplomas and certificates, and in particular for post-doc candidates a list of publications, copies of two selected publications and two references.

Closing date for applications: 31 March 2018

Contact: staff-sit (at) crisp-da.de

More information: http://www.sit.tu-darmstadt.de

Current blockchain systems are incapable of holding sensitive data securely on their public ledger while supporting accountability of data access requests and revocability of data access rights. Instead, they either keep the sensitive data off-chain as a semi-centralized solution or they just publish the data on the ledger ignoring the problem altogether. In this work, we introduce SCARAB the first secure decentralized access control mechanism for blockchain systems that addresses the challenges of accountability, by publicly logging each request before granting data access, and of revocability, by introducing collectively managed data access policies. SCARAB introduces, therefore, on-chain secrets, which utilize verifiable secret sharing to enable collectively managed secrets under a Byzantine adversary, and identity skipchains, which enable the dynamic management of identities and of access control policies. The evaluation of our SCARAB implementation shows that the latency of a single read/write request scales linearly with the number of access-securing trustees and is in the range of 200 ms to 8 seconds for 16 to 128 trustees.

We present a new approach to designing concretely efficient MPC protocols with semi-honest security in the dishonest majority setting. Motivated by the fact that within the dishonest majority setting the efficiency of most practical protocols \emph{does not depend on the number of honest parties}, we investigate how to construct protocols which improve in efficiency as the number of honest parties increases. Our central idea is to take a protocol which is secure for $n-1$ corruptions and modify it to use short symmetric keys, with the aim of basing security on the concatenation of all honest parties' keys. This results in a more efficient protocol tolerating fewer corruptions, whilst also introducing an LPN-style syndrome decoding assumption.

We first apply this technique to a modified version of the semi-honest GMW protocol, using OT extension with short keys, to improve the efficiency of standard GMW with fewer corruptions. We also obtain more efficient constant-round MPC, using BMR-style garbled circuits with short keys, and present an implementation of the online phase of this protocol. Our techniques start to improve upon existing protocols when there are around $n=20$ parties with $h=6$ honest parties, and as these increase we obtain up to a 13 times reduction (for $n=400,h=120$) in communication complexity for our GMW variant, compared with the best-known GMW-based protocol modified to use the same threshold.

We construct efficient, unconditional non-malleable codes that are secure against tampering functions computed by small-depth circuits. For constant-depth circuits of polynomial size (i.e.~$\mathsf{AC^0}$ tampering functions), our codes have codeword length $n = k^{1+o(1)}$ for a $k$-bit message. This is an exponential improvement of the previous best construction due to Chattopadhyay and Li (STOC 2017), which had codeword length $2^{O(\sqrt{k})}$. Our construction remains efficient for circuit depths as large as $\Theta(\log(n)/\log\log(n))$ (indeed, our codeword length remains $n\leq k^{1+\epsilon})$, and extending our result beyond this would require separating $\mathsf{P}$ from $\mathsf{NC^1}$.

We obtain our codes via a new efficient non-malleable reduction from small-depth tampering to split-state tampering. A novel aspect of our work is the incorporation of techniques from unconditional derandomization into the framework of non-malleable reductions. In particular, a key ingredient in our analysis is a recent pseudorandom switching lemma of Trevisan and Xue (CCC 2013), a derandomization of the influential switching lemma from circuit complexity; the randomness-efficiency of this switching lemma translates into the rate-efficiency of our codes via our non-malleable reduction.

As machine learning grows into a ubiquitous technology that finds many interesting applications, the privacy of data is becoming a major concern. This paper deals with machine learning and encrypted data. Namely, our contribution is twofold: we first build a new Functional Encryption scheme for quadratic multi-variate polynomials, which outperforms previous schemes. It enables the efficient computation of quadratic polynomials on encrypted vectors, so that only the result is in clear. We then turn to quadratic networks, a class of machine learning models, and show that their design makes them particularly suited to our encryption scheme. This synergy yields a technique for efficiently recovering a plaintext classification of encrypted data. Eventually, we prototype our construction and run it on the MNIST dataset to demonstrate practical relevance. We obtain 97.54% accuracy, with decryption and encryption taking few seconds.

Pebble games were originally formulated to study time-space tradeoffs in computation, modeled by games played on directed acyclic graphs (DAGs). Close connections between pebbling and cryptography have been known for decades. A series of recent research starting with (Alwen and Serbinenko, STOC 2015) has deepened our understanding of the notion of memory-hardness in cryptography --- a useful property of hash functions for deterring large-scale password-cracking attacks --- and has shown memory-hardness to have intricate connections with the theory of graph pebbling.

Definitions of memory-hardness are not yet unified in this somewhat nascent field, however, and the guarantees proven are with respect to a range of proposed definitions.

In this work, we improve upon two main limitations of existing models of memory-hardness.

First, existing measures of memory-hardness only account for dynamic (i.e., runtime) memory usage, and do not consider static memory usage. We propose a new definition of static-memory-hard function (SHF) which takes into account static memory usage and allows the formalization of larger memory requirements for efficient functions, than in the dynamic setting (where memory usage is inherently bounded by runtime). We then give two SHF constructions based on pebbling; to prove static-memory-hardness, we define a new pebble game (``black-magic pebble game''), and new graph constructions with optimal complexity under our proposed measure.

Secondly, existing memory-hardness models implicitly consider linear tradeoffs between the costs of time and space. We propose a new model to capture nonlinear time-space trade-offs and prove that nonlinear tradeoffs can in fact cause adversaries to employ different strategies from linear tradeoffs.

Finally, as an additional contribution of independent interest, we present the first asymptotically tight graph construction that achieves the best possible space complexity up to loglogn-factors for an existing memory-hardness measure called cumulative complexity.

A non-malleable code is an unkeyed randomized encoding scheme that offers the strong guarantee that decoding a tampered codeword either results in the original message, or in an unrelated message. We consider the simplest possible construction in the computational split-state model, which simply encodes a message $m$ as $k||E_k(m)$ for a uniformly random key $k$, where $E$ is a block cipher. This construction is comparable to, but greatly simplifies over, the one of Kiayias et al. (ACM CCS 2016), who eschewed this simple scheme in fear of related-key attacks on $E$. In this work, we prove this construction to be a strong non-malleable code as long as $E$ is: (i) a pseudorandom permutation under leakage and (ii) related-key secure with respect to an arbitrary but fixed key relation. Both properties are believed to hold for "good" block ciphers, such as AES-128, making this non-malleable code very efficient with short codewords of length $|m| + 2\tau$ (where $\tau$ is the security parameter, e.g., 128 bits), without significant security penalty.

Active physical attacks pose a serious threat to cryptographic hardware, i.e., by injecting faults during the computation. The tools to inject such faults have evolved over the last years and are becoming increasingly powerful. A promising approach to thwart this type of attacks is employing Concurrent Error Detection (CED) schemes. They are usually based on an Error-Detecting Code (EDC) which provides the capability to detect certain injected faults. Depending on the assumed adversary model, the potency of the CED scheme can be adapted during the design phase by adjusting the underlying code. In this work, we propose a methodology to enable a correct, practical, and robust implementation of code-based CED schemes. Indeed, we show that a straightforward hardware implementation of a given code-based CED scheme very likely suffers from severe vulnerabilities and does not provide the desired level of protection against fault attacks. In particular, the propagation of faults into the combinatorial logic is often not considered in the security evaluation of these schemes. First, we formally define this detrimental effect and demonstrate its impact on the security of common CED schemes. Second, we introduce an implementation strategy to limit the negative effect of fault propagation. Third, in contrast to many other works where the fault coverage of an implementation equipped with an EDC is considered, we present a detailed implementation strategy which - based on the specification of the underlying EDC - can guarantee (i.e., 100% coverage rate) the detection of any fault. Fitting to the defined adversary model, this holds for any time of the computation and any location of the circuit - both in the data processing and in the control part. In short, we provide practical guidelines how to construct efficient CED schemes with arbitrary EDCs to achieve the desired level of protection against fault attacks. We evaluate the efficiency of our methodology in a case study considering several symmetric block ciphers (i.e., PRESENT, Skinny, Midori, GIFT, LED, and SIMON) for different design architectures and various linear EDCs with different fault detection capabilities.

We describe our recent experience, building a system that uses fully-homomorphic encryption (FHE) to approximate the coefficients of a logistic-regression model, built from genomic data. The aim of this project was to examine the feasibility of a solution that operates "deep within the bootstrapping regime," solving a problem that appears too hard to be addressed just with somewhat-homomorphic encryption.

As part of this project, we implemented optimized versions of many "bread and butter" FHE tools. These tools include binary arithmetic, comparisons, partial sorting, and low-precision approximation of "complicated functions" such as reciprocals and logarithms. Our eventual solution can handle thousands of records and hundreds of fields, and it takes a few hours to run. To achieve this performance we had to be extremely frugal with expensive bootstrapping and data-movement operations.

We believe that our experience in this project could server as a guide for what is or is not currently feasible to do with fully-homomorphic encryption.

A number of homomorphic encryption application areas, such as privacy-preserving machine learning analysis in the cloud, could be better enabled if there existed a general solution for combining sufficiently expressive logical and numerical circuit primitives to form higher-level algorithms relevant to the application domain. Logical primitives are more efficient in a binary plaintext message space, whereas numeric primitives favour a word-based message space before encryption. In a step closer to an overall strategy of combining logical and numeric operation types, this paper examines accelerating binary operations on real numbers suitable for somewhat homomorphic encryption. A parallel solution based on SIMD can be used to efficiently perform addition, subtraction and comparison operations in a single step. The result maximises computational efficiency, memory space usage and minimises multiplicative circuit depth. Performance of these primitives and their application in min-max and sorting operations are demonstrated. In sorting real numbers, a speed up of 25-30 times is observed.

This paper presents Hermes – a practical data security scheme with a reference implementation, which enables distributed sharing and collaboration, enforcing access control with the help of cryptographic methods (public key cryptography and traditional symmetric cryptography).

Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication.

For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (Eurocrypt 2017). It is based on Puncturable Encryption. Forward secrecy is achieved by "puncturing" the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 seconds and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice.

In this paper, we introduce a new primitive that we term Bloom Filter Encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes, and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.

In this paper, we propose a key-recovery attack on Trivium reduced to 855 rounds. As the output is a complex Boolean polynomial over secret key and IV bits and it is hard to find the solution of the secret keys, we propose a novel nullification technique of the Boolean polynomial to reduce the output Boolean polynomial of 855-round Trivium. Then we determine the degree upper bound of the reduced nonlinear boolean polynomial and detect the right keys. These techniques can be applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on $855$-round Trivium costs time complexity $2^{77}$. As far as we know, this is the best key-recovery attack on round-reduced Trivium. To verify our attack, we also give some experimental data on 721-round reduced Trivium.

While cryptocurrencies continue to gain popularity, their energy cost is increasingly becoming unsustainable. In this paper, we present an innovative scheme which eliminates the burden of the proof of work which is the main cause of the energy waste in cryptocurrencies such as Bitcoin. The scheme is based on a green leader election scheme which guarantees a bounded average number of simultaneous mining whatever the size of the population in competition.