International Association for Cryptologic Research

IACR News

13 March 2018

Amsterdam, Netherlands, 13 September 2018
Event Calendar
Event date: 13 September 2018
Submission deadline: 25 May 2018
Notification: 22 June 2018

12 March 2018

Daan Leermakers, Boris Skoric
ePrint Report
Quantum Key Recycling aims to re-use the keys employed in quantum encryption and quantum authentication schemes. We consider QKR protocols where classical information is embedded in qubit states. A partial security analysis for such protocols was done in [LS2018]. In the current paper we introduce a number of small protocol modifications and provide a security proof. Our proof is based on a computation of the statistical distance between the real quantum state of the system and a state in which the keys are completely secure. This is a non-asymptotic result. It also determines how much privacy amplification is needed as a function of the bit error rate. It turns out that less privacy amplification is needed than suggested by the min-entropy analysis in [LS2018].
Seyyed Mahdi Sedaghat, Mohammad Hassan Ameri, Mahshid Delavar, Javad Mohajeri, Mohammad Reza Aref
ePrint Report
With regard to the development of modern power systems, the Smart Grid (SG), as an intelligent generation of electricity networks, has received tremendous attention. Fine-grained data sharing in the SG plays a vital role in efficiently managing data flow in the SG. As these data commonly contain sensitive information, the design of secure and efficient privacy-preserving schemes for such networks, with plenty of resource-constrained devices, is one of the most controversial issues. In this paper, we propose a secure Ciphertext-Policy Attribute-Based SignCryption (CP-ABSC) scheme which simultaneously provides the authenticity and privacy of the users by enforcing an arbitrary access control policy on encrypted data. Since the number of required pairings in the signcryption and designcryption algorithms is independent of the number of the involved attributes, the computational overhead is reduced in comparison with the existing schemes in the literature. In addition, we formally prove that the unforgeability and indistinguishability of the proposed scheme are reducible to the well-known hardness assumption of the q-Bilinear Diffie-Hellman Exponent (q-BDHE) problem. Moreover, we show that embedding a Physical Unclonable Function (PUF) in each smart meter will significantly reduce the storage overhead of the protocol and secure it against non-volatile memory attackers.
Joachim Zahnentferner
ePrint Report
Cryptocurrencies are historically divided in two broad groups with respect to the style of transactions that they accept. In the account-based style, each address is seen as an account with a balance, and transactions are transfers of value from one account to another. In the UTXO-based style, transactions inductively spend outputs generated by previous transactions and create new unspent outputs, and there is no intrinsic notion of account associated with an address. Each style has advantages and disadvantages. This paper formally defines: the two styles; translations that allow one style to be simulated by the other; new transaction types that allow both styles of transactions to co-exist on the same ledger; and a new transaction type that combines features from both styles.
1 January - 30 June 2019
Event Calendar
Event date: 1 January to 30 June 2019
Submission deadline: 31 March 2018
Bucharest, Romania, 8 November - 9 November 2018
Event Calendar
Event date: 8 November to 9 November 2018
Submission deadline: 17 September 2018
Notification: 16 October 2018
Seoul, Korea, 28 November - 30 November 2018
Event Calendar
Event date: 28 November to 30 November 2018
Submission deadline: 29 August 2018
Notification: 17 October 2018

09 March 2018

Dan Boneh, Saba Eskandarian, Ben Fisch
ePrint Report
Group signatures are used extensively for privacy in anonymous credentials schemes and in real-world systems for hardware enclave attestation. As such, there is a strong interest in making these schemes post-quantum secure. In this paper we initiate the study of group signature schemes built only from symmetric primitives, such as hash functions and PRFs, widely regarded as the safest primitives for post-quantum security. We present two constructions in the random oracle model. The first is a group signature scheme satisfying the EPID group signature syntax and security definitions needed for private hardware attestation used in Intel’s SGX. The second achieves significantly shorter signatures for many applications, including the use case of remote hardware attestation. While our group signatures for attestation are longer than standard (nongroup) post-quantum signatures, they are short enough for applications where the data being signed is large, such as analytics on large private data sets, or streaming media to a trusted display. We evaluate several instantiations of our schemes so that the costs and benefits of these constructions are clear. Along the way we also give improvements to the zero-knowledge Merkle inclusion proofs of Derler et al. (2017).
Sébastien Duval, Gaëtan Leurent
ePrint Report
MDS matrices are an important element for the design of block ciphers such as the AES. In recent years, there has been a lot of work on the construction of MDS matrices with a low implementation cost, in the context of lightweight cryptography. Most of the previous efforts focused on local optimization, constructing MDS matrices with coefficients that can be efficiently computed. In particular, this led to a matrix with a direct xor count of only 106, while a direct implementation of the MixColumn matrix of the AES requires 152 bitwise xors. More recently, techniques based on global optimization have been introduced, where the implementation can reuse some intermediate variables. In particular, Kranz et al. used optimization tools to find a good implementation from the description of an MDS matrix. They have lowered the cost of implementing the MixColumn matrix to 97 bitwise xors, and proposed a new matrix with only 72 bitwise xors, the lowest cost known so far. In this work we propose a different approach to global optimization. Instead of looking for an optimized circuit of a given matrix, we run a search through a space of circuits, to find optimal circuits yielding MDS matrices. This results in MDS matrices with an even lower cost, with only 67 bitwise xors.
Zheng Yang, Kimmo Järvinen
ePrint Report
Localization based on premeasured WiFi fingerprints is a popular method for indoor localization where satellite based positioning systems are unavailable. In these systems, privacy of the users' location is lost because the location is computed by the service provider. In INFOCOM'14, Li et al. presented PriWFL, a WiFi fingerprint localization system based on additively homomorphic Paillier encryption, that was claimed to protect both the users' location privacy and the service provider's database privacy. In this paper, we demonstrate a severe weakness in PriWFL that allows an attacker to compromise the service provider's database under a realistic attack model and also identify certain other problems in PriWFL that decrease its localization accuracy. Hence, we show that PriWFL does not solve the privacy problems of WiFi fingerprint localization. We also explore different solutions to implement secure privacy-preserving WiFi fingerprint localization and propose two schemes based on Paillier encryption which do not suffer from the weakness of PriWFL and offer the same localization accuracy as the privacy-violating schemes.
Alya Geogiana Buja, Shekh Faisal Abdul-Latip, Rabiah Ahmad
ePrint Report
This paper investigates the security of the KTANTAN block cipher against differential fault analysis. This attack is considered to be the first side-channel analysis of KTANTAN in the literature. KTANTAN is a relative of the KATAN block cipher. Therefore, the previous fault analysis on the KATAN family of block ciphers is revisited. Similar to KATAN, KTANTAN has three variants, namely KTANTAN32, KTANTAN48 and KTANTAN64. The inner structure of KTANTAN is similar to KATAN except for the key schedule algorithms. KATAN has been practically broken by using fault analysis, employing a transient single-bit fault model, with the assumption that the attacker is able to inject faults randomly into the internal state of the cipher. The attack is empowered by the extended cube method, similarly as applied on KATAN. The complexity of this attack is $2^{74}$ for KTANTAN32 and $2^{76}$ for both KTANTAN48 and KTANTAN64. Furthermore, based on the obtained results, this paper concludes that KTANTAN is more robust against fault analysis compared to KATAN.
Tore Vincent Carstens, Ehsan Ebrahimi, Gelo Noel Tabia, Dominique Unruh
ePrint Report
We study the indifferentiability of classical constructions in the quantum setting, such as the Sponge construction or Feistel networks. (But the approach easily generalizes to other constructions, too.) We give evidence that, while those constructions are known to be indifferentiable in the classical setting, they are not indifferentiable in the quantum setting. Our approach is based on a quantum-information-theoretical conjecture.
Edward Eaton, Matthieu Lequesne, Alex Parent, Nicolas Sendrier
ePrint Report
In 2013, Misoczki, Tillich, Sendrier and Barreto proposed a variant of the McEliece cryptosystem based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes. This proposal uses an iterative bit-flipping algorithm in its decryption procedure. Such algorithms fail with a small probability.

At Asiacrypt 2016, Guo, Johansson and Stankovski (GJS) exploited these failures to perform a key recovery attack. They introduced the notion of the distance spectrum of a sparse vector and showed that the knowledge of the spectrum is enough to find the vector. By observing many failing plaintexts they recovered the distance spectrum of the QC-MDPC secret key.

In this work, we explore the underlying causes of this attack, ways in which it can be improved, and how it can be mitigated.

We prove that correlations between the spectrum of the key and the spectrum of the error induce a bias on the distribution of the syndrome weight. Hence, the syndrome weight is the fundamental quantity from which secret information leaks. Assuming a side-channel allows the observation of the syndrome weight, we are able to perform a key-recovery attack, which has the advantage of exploiting all known plaintexts, not only those leading to a decryption failure. Based on this study, we derive a timing attack. It performs well on most decoding algorithms, even on the recent variants where the decryption failure rate is low, a case which is more challenging to the GJS attack. To our knowledge, this is the first timing attack on a QC-MDPC scheme.

Finally, we show how to construct a new KEM, called ParQ that can reduce the decryption failure rate to a level negligible in the security parameter, without altering the QC-MDPC parameters. This is done through repeated encryption. We formally prove the IND-CCA2 security of ParQ, in a model that considers decoding failures. This KEM offers smaller key sizes and is suitable for purposes where the public key is used statically.
Department of computer science, Aarhus University
Job Posting
The Department of Computer Science at Aarhus University has an opening for a full professorship. All areas of CS are of interest to us, including of course cryptography, privacy, system security and related areas.

The department is one of the strongest CS departments in Europe, with world class research groups in cryptography, algorithms, programming languages and verification, and HCI.

Closing date for applications: 3 May 2018

Contact: Ivan Damgård

More information: http://www.au.dk/en/about/vacant-positions/scientific-positions/stillinger/Vacancy/show/965870/5283/

Newcastle University, UK
Job Posting
Applications are invited for a Research Associate (postdoc) position (Salary: £29,301 to £38,183).

Fixed term for 2 years, full time.

Closing date: 7 April 2018

You will work on the project “Practical Data-intensive Secure Computation: a Data Structural Approach”. This is a project funded by the EPSRC. The aim of the project is to investigate how data structures can be used as an efficiency and scalability booster in the context of secure computation. The project has a particular emphasis on putting theory into practice. The project will investigate both data structures and cryptography.

You will design novel cryptographic data structures and associated protocols for efficient secure computation, as well as apply them in domains such as cloud computing and data mining in order to solve real-world security/privacy problems. Other responsibilities include: writing papers, presenting work at international conferences, and contributing to an open source software package. There will be opportunities to collaborate with industrial research labs and other leading universities.

The candidate must have:

* a PhD (or equivalent) in a relevant area;

* a strong background in cryptography/security;

* good programming skills (C++/Java, parallel/GPU computing experience is a plus);

* good communication and time management skills.

Experience/knowledge in one or more of the following areas would be desirable but not essential: computer networks, operating systems, databases, statistics and data mining.

The post is available from now. The post is based in the Security & Resilient Systems (SRS) Group within the School of Computing Science. The School is one of the Academic Centres of Excellence in Cyber Security Research (ACE-CSR) in the UK. In the latest 2014 Research Excellence Framework (REF) assessment, the School ranked 9th overall and 1st for Research Impact among computer science departments in the UK.

Closing date for applications: 7 April 2018

Contact: Dr Changyu Dong (changyu.dong AT ncl.ac.uk)

More information: https://goo.gl/JtaMwe


07 March 2018

Singapore, Singapore, 8 August - 10 August 2018
Event Calendar
Event date: 8 August to 10 August 2018
Submission deadline: 20 April 2018
Notification: 15 May 2018
Indian Institute of Technology Jammu
Job Posting
IIT Jammu, established as an Institute of national importance by the Government of India, invites applications from Indian Nationals, Persons of Indian Origin (PIOs), Overseas Citizens of India (OCIs) and Foreign Nationals with proven academic credentials and a passion for teaching and research for faculty positions at the level of Associate Professor, Assistant Professor (Grade I & II) and Visiting Professor in various disciplines, including Cryptography and Systems Information Security.

This is a rolling advertisement and there is no last date. However, the applications received by 15 March 2018 will be considered in the present round of the selection process.

Closing date for applications: 7 March 2018

Contact: faculty.recruitment (at) iitjammu.ac.in

More information: http://www.iitjammu.ac.in/

Rio Lavigne, Chen-Da Liu-Zhang, Ueli Maurer, Tal Moran, Marta Mularczyk, Daniel Tschudi
ePrint Report
Topology-hiding communication protocols allow a set of parties, connected by an incomplete network with unknown communication graph, where each party only knows its neighbors, to construct a complete communication network such that the network topology remains hidden even from a powerful adversary who can corrupt parties. This communication network can then be used to perform arbitrary tasks, for example secure multi-party computation, in a topology-hiding manner.

Previously proposed protocols could only tolerate so-called passive corruption. This paper proposes protocols that can also tolerate so-called fail-corruption (i.e., the adversary can crash any player at any point in time) and so-called semi-malicious corruption (i.e., the adversary can control a corrupted party's randomness), without leaking more than an arbitrarily small fraction of a bit of information about the topology. A small-leakage protocol was recently proposed by Ball et al. [Eurocrypt'18], but only under the unrealistic set-up assumption that each party has a trusted hardware module containing secret correlated pre-set keys, and with the further two restrictions that only passively corrupted parties can be crashed by the adversary, and semi-malicious corruption is not tolerated. Since leaking a small amount of information is unavoidable, as is the need to abort the protocol in case of failures, our protocols seem to achieve the best possible goal in a model with fail-corruption.

Further contributions of the paper are applications of the protocol to obtain secure MPC protocols, which requires a way to bound the aggregated leakage when multiple small-leakage protocols are executed in parallel or sequentially. Moreover, while previous protocols are based on the DDH assumption, a new so-called PKCR public-key encryption scheme based on the LWE assumption is proposed, allowing topology-hiding computation to be based on LWE. Furthermore, a protocol using fully-homomorphic encryption achieving very low round complexity is proposed.
Andrey Kim, Yongsoo Song, Miran Kim, Keewoo Lee, Jung Hee Cheon
ePrint Report
Security concerns have been raised since big data became a prominent tool in data analysis. For instance, many machine learning algorithms aim to generate prediction models using training data which contain sensitive information about individuals. The cryptography community is considering secure computation as a solution for privacy protection. In particular, practical requirements have triggered research on the efficiency of cryptographic primitives. This paper presents a practical method to train a logistic regression model while preserving the data confidentiality. We apply the homomorphic encryption scheme of Cheon et al. (ASIACRYPT 2017) for efficient arithmetic over real numbers, and devise a new encoding method to reduce the storage of the encrypted database. In addition, we adapt Nesterov's accelerated gradient method to reduce the number of iterations as well as the computational cost while maintaining the quality of the output classifier. Our method shows state-of-the-art performance of a homomorphic encryption system in a real-world application. The submission based on this work was selected as the best solution of Track 3 at the iDASH privacy and security competition 2017. For example, it took about six minutes to obtain a logistic regression model given a dataset consisting of 1579 samples, each of which has 18 features with a binary outcome variable.
Nadim Kobeissi
ePrint Report
Today's global society strongly relies on collaborative document editing, which plays an increasingly large role in sensitive workflows. While other collaborative venues, such as secure messaging, have seen secure protocols being standardized and widely implemented, the same cannot be said for collaborative document editing. Popular tools such as Google Docs, Microsoft Office365 and Etherpad are used to collaboratively write reports and other documents which are frequently sensitive and confidential, in spite of the server having the ability to read and modify text undetected.

Capsule is the first formalized and formally verified protocol standard that addresses secure collaborative document editing. Capsule provides confidentiality and integrity on encrypted document data, while also guaranteeing the ephemeral identity of collaborators and preventing the server from adding new collaborators to the document. Capsule also, to an extent, prevents the server from serving different versions of the document being collaborated on.

In this paper, we provide a full protocol description of Capsule. We also provide formal verification results on the Capsule protocol in the symbolic model. Finally, we present a full software implementation of Capsule, which includes a novel formally verified signing primitive implementation.