International Association
for Cryptologic Research

A recent paper by Derler, Ramacher, and Slamanig (IEEE EuroS&P 2018) constructs double-authentication preventing signatures ("DAP signatures", a specific self-enforcement enabled variant of signatures where messages consist of an address and a payload) that have---if the supported address space is not too large---keys and signatures that are considerably more compact than those of prior work. We embark on their approach to restrict attention to small address spaces and construct novel DAP schemes that beat their verification key sizes by a factor of two, their signature sizes by a factor of five, and reduce their signing key sizes from linear to constant. We construct our DAP signatures generically from identification protocols, using a transform similar to but crucially different from that of Fiat and Shamir. We use random oracles. We don't use pairings.

Some voting systems are reliant on external authentication services. Others use cryptography to implement their own. We combine digital signatures and non-interactive proofs to derive a generic construction for voting systems with their own authentication mechanisms, from systems that rely on external authentication services. We prove that our construction produces systems satisfying ballot secrecy and election ver- ifiability, assuming the underlying voting system does. Moreover, we observe that works based on similar ideas provide neither ballot secrecy nor election verifiability. Finally, we demonstrate applicability of our results by applying our construction to the Helios voting system.

Memory Hard Functions (MHFs) have been proposed as an answer to the growing inequality between the computational speed of general purpose CPUs and Application Specific Integrated Circuits (ASICs). MHFs have seen widespread applications including password hashing, key stretching and proofs of work. Several metrics have been proposed to quantify the `memory hardness' of a function. Cumulative memory complexity (CMC) (Alwen and Serbinenko, STOC 2015) (or amortized Area $\times$ Time complexity (Alwen et. al., CCS 2017)) attempts to quantify the amortized cost to acquire/build the hardware to evaluate the function --- amortized by the number of instances of the function that can be evaluated of this hardware. By contrast, bandwidth hardness (Ren and Devadas, TCC 2017) attempts to quantify the amortized energy costs of evaluating this function on hardware --- which in turn is largely dominated by the number of cache misses. Ideally, a good MHF would be both bandwidth hard and have high cumulative memory complexity. While the cumulative memory complexity of leading MHF candidates is well understood, little is known about the bandwidth hardness of many of the most prominent MHF candidates.

Our contributions are as follows: First, we provide the first reduction proving that, in the parallel random oracle model, the bandwidth hardness of a Data-Independent Memory Hard Function (iMHF) is described by the red-blue pebbling cost of the directed acyclic graph (DAG) associated with that iMHF. Second, we show that the goals of designing an MHF with high CMC/bandwidth hardness are well aligned. In particular, we prove that any function with high CMC also has relatively high bandwidth costs. This result leads to the first unconditional lower bound on the bandwidth cost of scrypt. Third, we analyze the bandwidth hardness of several prominent iMHF candidates such as Argon2i (Biryukov et. al., 2015), winner of the password hashing competition, aATSample and DRSample (Alwen et. al., CCS 2017) --- the first practical iMHF with asymptotically optimal CMC. More specifically, we show that Argon2i is maximally bandwidth hard as long as the cache-size $m$ is at most $m \in O(n^{2/3-\epsilon})$ where $n$ is the total number of data-labels produced during computation. We also show that aATSample and DRSample are maximally bandwidth hard as long as the cache-size is $m \in O(n^{1-\epsilon})$. Finally, we show that the problem of finding a red-blue pebbling with minimum bandwidth cost is NP-hard.

Oblivious RAM is a well-known cryptographic primitive to hide data access patterns. However, the best known ORAM schemes require a logarithmic computation time in the general case which makes it infeasible for use in real-world applications. In practice, hiding data access patterns should incur a constant latency per access.

In this work, we present PRO-ORAM --- an ORAM construction that achieves constant latencies per access in a large class of applications. PRO-ORAM theoretically and empirically guarantees this for read-only data access patterns, wherein data is written once followed by read requests. It makes hiding data access pattern practical for read-only workloads, incurring sub-second computational latencies per access for data blocks of 256 KB, over large (gigabyte-sized) datasets.PRO-ORAM supports throughputs of tens to hundreds of MBps for fetching blocks, which exceeds network bandwidth available to average users today. Our experiments suggest that dominant factor in latency offered by PRO-ORAM is the inherent network throughput of transferring final blocks, rather than the computational latencies of the protocol. At its heart, PRO-ORAM utilizes key observations enabling an aggressively parallelized algorithm of an ORAM construction and a permutation operation, as well as the use of trusted computing technique (SGX) that not only provides safety but also offers the advantage of lowering communication costs.

Lightweight block ciphers rely on simple operations to allow compact implementation. Thanks to its efficiency, bit permutation has emerged as an optimal choice for state-wise diffusion. It can be implemented by simple wiring or shifts. However, as recently shown by Spectre and Meltdown attacks, efficiency and security often go against each other.

In this work, we show how bit permutations introduce a side-channel vulnerability that can be exploited to extract the secret key from the cipher. Such vulnerabilities are specific to bit permutations and do not occur in other state-wise diffusion alternatives. We propose Side-Channel Assisted Differential-Plaintext Attack (SCADPA) which targets this vulnerability in bit permutation operation. SCADPA is experimentally demonstrated on PRESENT-80 on an 8-bit microcontroller, with the best case key recovery in 17 encryptions. The attack is then extended to latest bit-permutation based cipher GIFT, allowing full key recovery in 36 encryptions. We also propose and experimentally verify an automatic threshold method which can be easily applied to SCADPA, allowing automation of the attack. Moreover, SCADPA on bit permutations has other applications. Application for reverse engineering secret sboxes in PRESENT-like proprietary ciphers is shown. We also highlight a special case, where fixing one vulnerability opens another one. This is shown by applying SCADPA on some assembly level fault attack countermeasures, rendering it less secure than unprotected implementations. Lastly, we also provide several different attack scenarios, such as targeting different encryption modes.

Cryptographic implementations are often vulnerable against physical attacks, fault injection analysis being among the most popular techniques. On par with development of attacks, the area of countermeasures is advancing rapidly, utilizing both hardware- and software-based approaches. When it comes to software encoding countermeasures for fault protection and their evaluation, there are very few proposals so far, mostly focusing on single operations rather than on cipher as a whole.

In this paper we propose an evaluation framework that can be used for analyzing the effectivity of software encoding countermeasures against fault attacks. We first formalize the encoding schemes in software, helping us to define what properties are required when designing a fault protection. These findings show that using anticodes in such countermeasure can increase its detection capabilities. We provide a way to generate a code according to user criteria and also a method to evaluate the level of protection of assembly implementations using encoding schemes. This evaluation is based on static code analysis and provides a practical information on how good will the protection be on a real device. Finally, we verify our findings by implementing a block cipher PRESENT, protected by encoding scheme based on anticodes, and provide a detailed evaluation of such implementation.

Towards advancing the use of BIG keys as a practical defense against key exfiltration, this paper provides efficiency improvements for cryptographic schemes in the bounded retrieval model (BRM). We identify probe complexity (the number of scheme accesses to the slow storage medium storing the big key) as the dominant cost. Our main technical contribution is what we call the large-alphabet subkey prediction lemma. It gives good bounds on the predictability under leakage of a random sequence of blocks of the big key, as a function of the block size. We use it to significantly reduce the probe complexity required to attain a given level of security. Together with other techniques, this yields security-preserving performance improvements for BRM symmetric encryption schemes and BRM public-key identification schemes.

We construct new four-party protocols for secure computation that are secure against a single malicious corruption. Our protocols can perform computations over a binary ring, and require sending just 1.5 ring elements per party, per gate. In the special case of Boolean circuits, this amounts to sending 1.5 bits per party, per gate. One of our protocols is robust, yet requires almost no additional communication. Our key technique can be viewed as a variant of the “dual execution” approach, but, because we rely on four parties instead of two, we can avoid any leakage, achieving the standard notion of security.

In this work, we propose a first version of an e-voting scheme that achieves end-to-end verifiability, everlasting privacy and efficient coercion resistance in the JCJ setting. Everlasting privacy is achieved assuming an anonymous channel, without resorting to dedicated channels between the election authorities to exchange private data. In addition, the proposed scheme achieves coercion resistance under standard JCJ assumptions. As a core building block of our scheme, we also propose a new primitive called publicly auditable conditional blind signature (PACBS), where a client receives a token from the signing server after interaction; the token is a valid signature only if a certain condition holds and the validity of the signature can only be checked by a designated verifier. We utilize this primitive to blindly mark votes under coercion in an auditable manner

Nowadays, RFID systems have earned an important place in our everyday lives. Its adoption is growing in areas where data security or privacy or both must be guaranteed. Since the RFID tag can be cloned, it is necessary to develop appropriate security solutions for these systems. Fortunately, many papers have proposed solutions for encryption or authentication. But it turns out that sometimes the proposal has security flaw or is too complicated for the RFID tag (which has very limited computing resources). In this paper we introduce a new authentication protocol using a new approach. Our proposal named R-MAC is well suited for RFID tags since it uses simple and lightweight constructions. R-MAC is at least as secure as the Mirror-Mac protocol introduced by Petros Mol et al.

Quantum computers are expected to have a dramatic impact on numerous fields, due to their anticipated ability to solve classes of mathematical problems much more efficiently than their classical counterparts. This particularly applies to domains involving integer factorisation and discrete logarithms, such as public key cryptography. In this paper we consider the threats a quantum-capable adversary could impose on Bitcoin, which currently uses the Elliptic Curve Digital Signature Algorithm (ECDSA) to sign transactions. We then propose a simple but slow commit-delay-reveal protocol, which allows users to securely move their funds from old (non-quantum-resistant) outputs to those adhering to a quantum-resistant digital signature scheme. The transition protocol functions even if ECDSA has already been compromised. While our scheme requires modifications to the Bitcoin protocol, these can be implemented as a soft fork.

In this work, we examine the feasibility of secure and undetectable point-to-point communication in a world where governments can read all the encrypted communications of their citizens. We consider a world where the only permitted method of communication is via a government-mandated encryption scheme, instantiated with government-mandated keys. Parties cannot simply encrypt ciphertexts of some other encryption scheme, because citizens caught trying to communicate outside the government's knowledge (e.g., by encrypting strings which do not appear to be natural language plaintexts) will be arrested. The one guarantee we suppose is that the government mandates an encryption scheme which is semantically secure against outsiders: a perhaps reasonable supposition when a government might consider it advantageous to secure its people's communication against foreign entities. But then, what good is semantic security against an adversary that holds all the keys and has the power to decrypt?

We show that even in the pessimistic scenario described, citizens can communicate securely and undetectably. In our terminology, this translates to a positive statement: all semantically secure encryption schemes support subliminal communication. Informally, this means that there is a two-party protocol between Alice and Bob where the parties exchange ciphertexts of what appears to be a normal conversation even to someone who knows the secret keys and thus can read the corresponding plaintexts. And yet, at the end of the protocol, Alice will have transmitted her secret message to Bob. Our security definition requires that the adversary not be able to tell whether Alice and Bob are just having a normal conversation using the mandated encryption scheme, or they are using the mandated encryption scheme for subliminal communication.

Our topics may be thought to fall broadly within the realm of steganography: the science of hiding secret communication within innocent-looking messages, or cover objects. However, we deal with the non-standard setting of an adversarially chosen distribution of cover objects (i.e., a stronger-than-usual adversary), and we take advantage of the fact that our cover objects are ciphertexts of a semantically secure encryption scheme to bypass impossibility results which we show for broader classes of steganographic schemes. We give several constructions of subliminal communication schemes under the assumption that key exchange protocols with pseudorandom messages exist (such as Diffie-Hellman, which in fact has truly random messages). Each construction leverages the assumed semantic security of the adversarially chosen encryption scheme, in order to achieve subliminal communication.

This paper proposes a simple single bit flip fault attack applicable to several LWE (Learning With Errors Problem) based lattice based schemes like KYBER, NEWHOPE, DILITHIUM and FRODO which were submitted as proposals for the NIST call for standardisation of post quantum cryptography. We have identified a vulnerability in the usage of nonce, during generation of secret and error components in the key generation procedure. Our fault attack, based on a practical bit flip model (single bit flip to very few bit flips for proposed parameter instantiations) enables us to retrieve the secret key from the public key in a trivial manner. We fault the nonce in order to maliciously use the same nonce to generate both the secret and error components which turns the LWE instance into an exactly defined set of linear equations from which the secret can be trivially solved for using Gaussian elimination.

We give a simple and efficient method for obfuscating pattern matching with wildcards. In other words, we construct a way to check an input against a secret pattern, which is described in terms of prescribed values interspersed with unconstrained “wildcard” slots. As long as the support of the pattern is sufficiently sparse and the pattern itself is chosen from an appropriate distribution, we prove that a polynomial-time adversary cannot find a matching input, except with negligible probability. We rely upon the generic group heuristic (in a regular group, with no multilinearity). Previous work provided less efficient constructions based on multilinear maps or LWE.

Event date: 8 August to 9 August 2018
Submission deadline: 20 April 2018
Notification: 10 June 2018

The New Zealand Institute for Security and Crime Science (NZISCS) aims to reduce crime and increase security through multi-disciplinary, evidence-based research, and builds on the global leadership of the Cyber Security Researchers of Waikato (CROW). As NZ’s first cyber security research programme, CROW created the NZ Cyber Security Challenge, and leads the Ministry of Business, Innovation and Employment funded STRATUS project (NZD12.2 mil). CROW collaborates with fifty other local and international organisations, including STRATUS end-user partners Interpol and NZ Police.

We are seeking to appoint a full time fixed term Research Fellow to contribute to our research objectives associated with cybercrime, computer security and cloud computing. This position has responsibilities to achieve research objectives associated with the STRATUS industry partners.

A PhD in cyber security, cybercrime, computer science or a related field is essential as is having demonstrated research ability in cyber security and cybercrime. A requirement of this position is the ability to commercialise research prototypes into products/services and the demonstrated ability to publish in high quality academic journals, work collaboratively with others and undertake some teaching if required. Preference will be given to candidates who have work experience with cybercrime, security, intelligence, or law enforcement agencies including work experience in the cybercrime, security digital forensics, machine learning, applied cryptography, etc. Salary will be in the range of NZ$74,034 to NZ$89,163 per year, depending on qualifications, skills and experience.

Enquiries of an academic nature should be sent to Assoc. Prof. Ryan Ko – Director, NZ Institute for Security and Crime Science, ryan.ko (at) waikato.ac.nz

Fixed-term until October 2020. Closing date: 16 March 2018 (NZ time) Vacancy number: 380090

Closing date for applications: 16 March 2018

Contact: Ryan Ko (ryan.ko AT waikato.ac.nz)

More information: http://www.jobs.waikato.ac.nz

The University of Waikato seeks applicants for the position of Aura Professor of Cyber Security.

Cyber security represents a large growth industry, which both tertiary and private sector organisations are collaborating on. The University of Waikato and NZ’s leading cyber security consultancy firm Aura information security are jointly seeking applicants for an exciting new position within the computer science faculty based in Hamilton. The Aura professor of cyber security will be expected to contribute to both the research and teaching programmes of the University, and in the research and consulting programme of Aura Information Security. The focus of the research programme for the University and Aura is in penetration testing, but expertise in other areas of cyber security (e.g. artificial intelligence and machine learning for cyber security, post-quantum cryptography, applied cryptography, cryptanalysis, etc) will also be helpful. This position will suit an ambitious academic with an outstanding teaching and research record and a strong interest in engagement with the cyber security industry, as well as research and development leaders in the cyber security industry who wishes to operate in an academic environment. Salary is negotiable.

Applications close 23 March 2018.

Closing date for applications: 23 March 2018

Contact: Ryan Ko (ryan.ko (at) waikato.ac.nz)

More information: https://www.waikato.ac.nz/vacancies/current-vacancies

Are you interested in joining a dynamic, inclusive, and growing applied cryptography start-up? Duality Technologies is an established funded start-up co-founded by experienced technology professionals including MIT professors, a Turing award winner, an experienced entrepreneur, members of the DARPA community and former technical leadership at RSA. We are commercializing encrypted computing technologies that address pressing unmet needs in the market, using techniques including homomorphic encryption, secure multi-party computation and more.

Duality Technologies is hiring a cryptographic engineer who has interest in developing and applying encrypted computing technologies. Implementation or prototyping experience is a plus, but not critical. The ideal candidate is a team player who is looking to grow with the company.

We are interested in candidates who have had exposure to a mixture of homomorphic encryption, secure multi-party computation, set intersection, functional encryption, cryptographic obfuscation and related techniques, but we don’t expect a successful candidate to have expertise in all of these areas.

We are interested in candidates at all levels from a fresh PhD graduate to experienced researchers / scientists / engineers. The candidate is expected to work some of the time from our office in Newark NJ. Occasional travel to other offices in Cambridge MA or Tel Aviv Israel is expected.

Requirements:

• A PhD in Computer Science, Computer Engineering, Applied Mathematics or a related field.

• Experience with modern encrypted computing technologies.

• An ability and willingness to work on a team.

Desired Skills:

• Experience with homomorphic encryption, lattice cryptography, secure multiparty computation or other encrypted computing technologies

• Experience implementing lattice cryptography in software or hardware

• Familiarity with C/C++, Java, Python

• Able to work in a dynamic, fast-paced environment

Closing date for applications: 31 December 2019

Contact: Kurt Rohloff, PhD.

CTO, Duality Technologies

krohloff (at) duality.cloud

More information: https://www.duality.cloud

The cryptography group at University of Salerno (ITALY) invites expressions of interest for post-doc positions in the field of privacy-preserving cryptography and distributed ledger technology, to be supervised by Ivan Visconti.

Candidates are expected to have a strong publication record (e.g., IACR conferences, CCS, IEEE S&P,....). The positions will be available soon.

Closing date for applications: 31 May 2018

Contact: Ivan Visconti, ivan.visconti (at) gmail.com

More information: https://sites.google.com/site/ivanvisconti/post-doc

The Cryptography Group and Cybersecurity Group work on a diverse range of topics, spanning from theoretical cryptography, protocols, and implementations/architecture/leakage, to large scale infrastructures and human aspects of security. Jointly the groups have 10 associated academics, nearly as many postdoctoral researchers, and 15 doctoral students. And we are expanding!

This advert is for:

S4 Compiler and Language based Leakage Mitigation: the aim of the studentship is to explore techniques by which programs written in standard C, or Assembly, can be augmented to include information about leakage sensitive variables with the aim of feeding this information down into the various compilation steps such that tools can insert mitigation strategies with minimal user interaction. The ideal candidate will have a strong background (or at least interest) in computer science (in particular languages and compilers), and some familiarity with side channel attacks.

Supervisor: Elisabeth Oswald

The studentship S4 supports EU/UK nationals with a tax-free stipend of around 22k GBP. The latest starting date for students is September 30th 2018.

You may apply for one, some, or all advertised studentships simultaneously (please explain your choice in your application). Your application needs to be filed via: http://www.bristol.ac.uk/study/postgraduate/apply/.

This advert has a nominal end date of 1.5.2018, but we will make appointments as soon as we have identified candidates with the right background.

Closing date for applications: 1 May 2018

Contact: Prof. Elisabeth Oswald, Elisabeth.Oswald (at) bristol.ac.uk