International Association for Cryptologic Research


IACR News


Here you can see all recent updates to the IACR webpage.

29 March 2018

Sayandeep Saha, Debdeep Mukhopadhyay, Pallab Dasgupta
ePrint Report
Malicious exploitation of faults for extracting secrets is one of the most practical and potent threats to modern cryptographic primitives. Interestingly, not every possible fault for a cryptosystem is maliciously exploitable, and evaluation of the exploitability of a fault is nontrivial. In order to devise precise defense mechanisms against such rogue faults, a comprehensive knowledge is required about the exploitable part of the fault space of a cryptosystem. Unfortunately, the fault space is diversified and of formidable size even while a single crypto-primitive is considered and traditional manual fault analysis techniques may often fall short to practically cover such a fault space within reasonable time. An automation for analyzing individual fault instances for their exploitability is thus inevitable. Such an automation is supposed to work as the core engine for analyzing the fault spaces of cryptographic primitives. In this paper, we propose an automation for evaluating the exploitability status of fault instances from block ciphers, mainly in the context of Differential Fault Analysis (DFA) attacks. The proposed framework is generic and scalable, which are perhaps the two most important features for covering diversified fault spaces of formidable size originating from different ciphers. As a proof-of-concept, we reconstruct some known attack examples on AES and PRESENT using the framework and finally analyze a recently proposed cipher GIFT [21] for the first time. It is found that the secret key of GIFT can be uniquely determined with 1 nibble fault instance injected at the beginning of the 25th round with a reasonable computational complexity of $2^{14}$.

28 March 2018

King Khaled University, Abha, Saudi Arabia
Job Posting
The College of Computer Science at King Khalid University is seeking applicants for full time positions of Professor, Associate Professor and Assistant Professor in the following fields:

Network Security

Information security

Computer Security

Hardware Security

Salary:

The University offers a competitive salary based on qualification, professional experience, and the position offered, as follows:

Professor: $52,500 - $88,500 per annum.

Associate professor: $43,000 - $73,000 per annum.

Assistant professor: $35,500 - $60,000 per annum.

Common Benefits:

  • Free visa.
  • Tax-free salary.
  • Around 2-week vacation on each Islamic Eid.
  • 60-days annually paid vacation.
  • Annual air tickets for up to 4 family members to home country.
  • Free Medical Services for all family members at all government hospitals.
  • Children Education Allowance (Terms and Conditions apply).
  • Annual housing allowance (Terms and Conditions apply).
  • Furniture allowance upon arrival (Terms and Conditions apply).
  • Weekends (Thursday and Friday) are off.

Closing date for applications:

Contact: Sarah Abu Ghazalah sabugazalah (at) kku.edu.sa

Also, all the documents should be sent via email to: ccs (at) kku.edu.sa

More information: http://www.cs.kku.edu.sa/en

Robert Bosch Research and Technology Center, Pittsburgh PA, USA
Job Posting
Company Description

The Bosch Group operates in most countries in the world. With over 390,000 associates, a career at Bosch offers a chance to grow an exceptional career in an environment that values diversity, initiative and a drive for results.

Job Description

Ideal candidates for this position should have experience in at least one, preferably two or more of the following:

-(Distributed) system security and cloud computing, with emphasis on fault-tolerance, secure computation, secure function evaluation, implementation aspects of the above, knowledge of the blockchain and crypto currency architectures and applications thereof.

-System Security, network security, embedded security, trusted computing, hardware security

-Applied cryptography, privacy enhancing technologies

-Security and machine learning, applications of data mining to security, intrusion detection, anomaly detection, network security, applications of data mining to constrained environments (e.g., automotive networks)

-Software security, static and dynamic program analysis, automated vulnerability detection and patching, reverse engineering of software binaries, hardening techniques to protect software against reverse engineering, formal modelling, etc.

The candidate should have expert knowledge (evidenced by significant contributions in the form of publications and/or patents or patent applications) in at least one of the listed areas and be familiar with at least one other area (should be able to understand and contribute in deep technical discussions in the area). The candidate will be expected to be an active contributor, should have good written and oral communication skills, cross-team collaboration skills, and should be open to acquiring and applying new skills.

Closing date for applications: 31 December 2018

Contact: Dr. Jorge Guajardo Merchan (jorge DOT guajardomerchan AT us DOT bosch DOT com)

More information: https://jobs.smartrecruiters.com/BoschGroup/743999666848005-research-engineer?trid=eaeb2bda-02a4-4e9f-b357-957d3b6da7d7

TU Wien, Vienna, Austria
Job Posting
The Faculty of Informatics at the Vienna University of Technology is looking for outstanding young researchers from abroad to set up and manage an independent research group as part of the Vienna Science and Technology Fund’s (WWTF) Vienna Research Groups for Young Investigators (VRG) Call 2018 - Information and Communication Technologies.

Expressions of interest are sought from researchers who have recently completed their PhD (2 – 8 years ago) with an excellent research track record. Selected candidates will, together with an experienced researcher of the Faculty of Informatics as a proponent, prepare a proposal to be submitted to the WWTF. Should this proposal be successful, the proposed project will be funded to the amount of 1.6 million euro by the WWTF for a period of 6 – 8 years. The Vienna University of Technology will also contribute to the funding of the project: during this time the successful candidate(s) will set up and manage his or her own research group as a group leader, and she or he will receive a tenure-track position (assistant professor), which will be later transformed into a tenured position (associate professor) subject to a positive overall assessment, with subsequent possibility of promotion to full professor.

Expressions of interest from researchers working in any area of Security and Privacy are welcome. These should be sent in digital format (a single pdf file) to Univ. Prof. Matteo Maffei (matteo.maffei (at) tuwien.ac.at) by May 1st, 2018. The expression of interest should include

  • CV
  • List of publications
  • Short abstract of the envisioned research project (about 1 page)

Important Dates:

  • May 1st, 2018: deadline for expressions of interest
  • Mid of May: notification of the first screening phase
  • July 12th, 2018: deadline for the final proposal

Closing date for applications: 1 May 2018

Contact: Univ. Prof. Matteo Maffei (matteo.maffei (at) tuwien.ac.at)

More information: https://www.wwtf.at/programmes/vienna_research_groups/#VRG18

DarkMatter, Abu Dhabi
Job Posting
A role that operates in a fast-paced and demanding environment, you'll draw extensively on your creativity. There's no room for individuals happy to simply follow orders, as you use clean coding practices to test, refactor, and iteratively and incrementally develop constantly improved software.

Be encouraged to monitor and actively participate in external communities and forums in order to keep abreast of the latest developments, follow the constantly evolving requirements for Blockchain and permissioned ledgers within and across various market sectors, and expand DarkMatter's positive presence in these communities.

Have a careful and critical eye to peer review and debug others' code, and also to participate in automated deployments.

With many of our customers committed to putting all the resources necessary into developing and deploying the latest, most advanced Blockchain, cryptographic and other cyber security technologies, at DarkMatter you'll have a chance to test your abilities, build your skills, and expand your horizons by designing for 'impossible', next-generation projects.

To bring your dream to life, you’ll need:

PhD or Master’s degree in Related Security field Cryptography, Applied Cryptography, Information Theory and Mathematics, IT, Computer Science

5+ years of experience working on large software projects (preferably including open-source projects)

Embedded Linux, baremetal / RTOS development and deployment

Ability to work with remote developers, leveraging git and other command-line based collaboration technologies

Comfortable developing with standard *nix toolchains (gcc, clang, perf, make, cmake, ASAN, TSAN, UBSAN)

Knowledge of symmetric and asymmetric cryptographic principles, hierarchical key management and identity management schemes

Familiarity with Financial Technology (FinTech) or related field is an added advantage

Deep understanding of Hyperledger, Ethereum or other Blockchain community technical issues

Closing date for applications: 19 December 2018

Contact: Sheila Morjaria - sheila.morjaria (at) darkmatter.ae

More information: https://grnh.se/uvwx8qo61


27 March 2018

Yang Yu, Léo Ducas
ePrint Report
Lattice signature schemes generally require particular care when it comes to preventing secret information from leaking through signature transcripts. For example, the Goldreich-Goldwasser-Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev. Several heuristic countermeasures were also shown vulnerable to similar statistical attacks.

At PKC~2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, that has been accepted in the round 1 of the NIST post-quantum cryptography project.

In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information of the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis.

While we only recover partial information on the secret key, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided that $100\,000$ signatures are available, the secret key may be recovered using BKZ-$138$ for the first set of DRS parameters submitted to the NIST. This puts the security level of this parameter set below $80$ bits (maybe even $70$ bits), for an original claim of $128$ bits.
Eshan Chattopadhyay, Bhavana Kanukurthi, Sai Lakshmi Bhavana Obbattu, Sruthi Sekar
ePrint Report
In this paper, we connect two interesting problems in the domain of Information-Theoretic Cryptography: "Non-malleable Codes" and "Privacy Amplification". Non-malleable codes allow for encoding a message in such a manner that any "legal" tampering will either leave the message in the underlying tampered codeword unchanged or unrelated to the original message. In the setting of Privacy Amplification, we have two users that share a weak secret $w$ guaranteed to have some entropy. The goal is to use this secret to agree on a fully hidden, uniformly distributed, key $K$, while communicating on a public channel fully controlled by an adversary.

While a lot of connections have been known from other gadgets to NMCs, this is the first result to show an application of NMCs to any information-theoretic primitive (other than tamper resilient circuits). Specifically, we give a general transformation that takes any augmented non-malleable code and builds a privacy amplification protocol. This leads to the following results:

(a) Assuming the existence of a constant rate, optimal error (we say an $\epsilon$-(augmented) NMC has optimal error if $\epsilon = 2^{-O(message\ length)}$), two-state augmented non-malleable code, there exists an $8$-round privacy amplification protocol with optimal entropy loss and min-entropy requirement $\Omega(\log(n)+ \kappa)$ (where $\kappa$ is the security parameter). In fact, "non-malleable randomness encoders" suffice.

(b) Instantiating our construction with the current best known augmented non-malleable code for the $2$-split-state family [Li17], we get an $8$-round privacy amplification protocol with entropy loss $O(\log(n)+ \kappa \log (\kappa))$ and min-entropy requirement $\Omega(\log(n) +\kappa\log (\kappa))$.
Brice Minaud
ePrint Report
AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias $2^{-89}$ on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted $2^{188}$ times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds $i$ and $i+2$, although the biases would require $2^{140}$ data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher.
Guido Marco Bertoni, Lorenzo Grassi, Filippo Melzani
ePrint Report
In this paper we present a novel attack based on photonic emission analysis targeting software implementations of AES. We focus on the particular case in which the attacker can collect the photonic emission of a limited number of sense amplifiers (e.g. only one) of the SRAM storing the S-Box. The attack consists in making hypotheses on the secret key based on the knowledge of the partial output of the SubBytes operation. We also consider the possibility to attack a masked implementation of AES using the photonic emission analysis. In the case of masking, the attacker needs 2 leakages of the same encryption to overcome the randomization of the masks. For our analysis, we assume the same physical setup described in other previous works. Reported results are based on simulations with some hypotheses on the probability of photonic emission of a single transistor.
Vireshwar Kumar, He Li, Noah Luther, Pranav Asokan, Jung-Min (Jerry) Park, Kaigui Bian, Martin B. H. Weiss, Taieb Znati
ePrint Report
In an anonymous subscription system (ASS), a subscribed user (SU) is able to access the services of a service provider without having to reveal its true identity. For a SU computing platform that is compliant with the Trusted Platform Module (TPM) standard, direct anonymous attestation (DAA) is an appropriate cryptographic protocol for realizing ASS, since DAA enables privacy-preserving authentication of the SU platform. This approach takes advantage of a cryptographic key that is securely embedded in the platform's hardware. Although the computing industry and academia have made significant strides in developing secure and sound DAA schemes, these schemes share a common drawback that may act as a major obstacle to their widespread deployment. In all of the existing schemes, the SU suffers from significant computational and communication costs that increase proportionally to the size of the revocation list. This drawback renders the existing schemes impractical when the size of the revocation list grows beyond a relatively modest size. In this paper, we propose a novel scheme called Lightweight Anonymous Subscription with Efficient Revocation (LASER) that addresses this very problem. In LASER, the computational and communication costs of the SU's signature are multiple orders of magnitude lower than the prior art. LASER achieves this significant performance improvement by shifting most of the computational and communication costs from the DAA's online procedure (i.e., signature generation) to its offline procedure (i.e., acquisition of keys/credentials). We have conducted a thorough analysis of LASER's performance-related features and compared the findings to the prior art. We have also conducted a comprehensive evaluation of LASER by implementing it on a laptop platform with an on-board TPM.
To the best of our knowledge, the results presented in this paper represent the first implementation and analysis of a scheme using an actual TPM cryptoprocessor that is compliant with the most recent TPM specification version 2.0. We have thoroughly analyzed the security of LASER in the random oracle model.
Phillipp Schoppmann, Adrià Gascón, Borja Balle
ePrint Report
Privacy-preserving data analysis in the context of federated databases distributed across multiple parties has the potential to produce richer and more accurate models than what each party can learn with their own data. Secure Multi-Party Computation (MPC) offers a robust cryptographic approach to this problem, and in fact several protocols have been proposed for various learning tasks on parametric models. In this paper we focus on $k$-NN, shifting the attention towards non-parametric models. We tackle several challenges arising in privacy-preserving $k$-NN classification on federated databases, and implement a concrete protocol for document classification. Our solution is faster than the state-of-the-art custom MPC protocol by at least one order of magnitude.
Ke Gu, Na Wu
ePrint Report
Currently several traceable (or linkable) identity-based ring signature schemes have been proposed. However, most of them are constructed in the random oracle model. In this paper, we present a fully traceable ring signature (TRS) scheme without random oracles, which has the constant size signature and a security reduction to the computational Diffie-Hellman (CDH) assumption. Also, we give a formal security model for traceable ring signature and prove that the proposed scheme has the properties of traceability and anonymity.

25 March 2018

Atanu Basu, Indranil Sengupta
ePrint Report
This paper presents a secure cloud storage scheme based on a hybrid cryptosystem, which consists of Elliptic Curve Cryptography (ECC), Advanced Encryption Standard (AES), and a one-way hash function. Here, the data owner exports a large volume of encrypted data to a cloud storage provider. The exported encrypted data is over-encrypted by the cloud storage provider, and the data is sent to the requesting user. An existing hybrid cryptosystem based dynamic key management scheme with hierarchical access control has been incorporated in our scheme. The key management scheme groups users in various security classes, and helps to derive efficiently, as well as directly, the secret keys of the lower order security classes. The incorporated key management scheme in our proposed scheme incurs low computational, communication, and storage overheads for key generation and derivation purposes. The security analysis and the simulation results run on the AVISPA tool (a formal security verification tool) show that the proposed scheme is protected from the adversaries. This scheme is useful in 'owner-write-users-read' application areas, and the end users may use resource-constrained wireless mobile devices securely in this proposed scheme.
Björn Haase, Benoît Labrique
ePrint Report
Increasingly, connectivity becomes integrated in products and devices that previously operated in a stand-alone setting. This observation holds for many consumer applications in the so-called "Internet of Things" (IoT) as well as for corresponding industry applications (IIoT), such as industrial process sensors. Often the only practicable means for authentication of human users is a weak password. The security of password-based authentication schemes frequently forms the weakest point of the security infrastructure. In this paper we first expose why a tailored protocol designed for the IIoT use case is considered necessary. The differences between IIoT and the conventional Internet use-cases result in largely modified threats and require special procedures for allowing both convenient and secure use in the highly constrained industrial setting. Specifically, the use of a verifier-based password-authenticated key-exchange (V-PAKE) protocol as a hedge against public-key-infrastructure (PKI) failures is considered important. Availability concerns for the case of failures of (part of) the communication infrastructure make local storage of access credentials mandatory. The larger threat of physical attacks makes it important to use memory-hard password hashing. This paper presents a corresponding tailored protocol AuCPace together with a security proof within the Universal Composability (UC) framework considering fully adaptive adversaries. We also introduce a new security notion of partially augmented PAKE that provides specific performance advantages and thus allows for suitability for a larger set of IIoT applications. We also present an actual instantiation of our protocol, AuCPace25519, and present performance results on ARM Cortex-M0 and Cortex-M4 microcontrollers. Our implementation realizes new speed-records for PAKE and X25519 Diffie-Hellman for the ARM Cortex M4 architecture.

24 March 2018

Derby, U.K., 14 September - 15 September 2018
Event Calendar
Event date: 14 September to 15 September 2018
Submission deadline: 13 April 2018

23 March 2018

Iraklis Symeonidis, Gergely Biczók, Fatemeh Shirazi, Cristina Pérez-Solà, Jessica Schroers, Bart Preneel
ePrint Report
Third-party applications on Facebook can collect personal data of the users who install them, but also of their friends. This raises serious privacy issues as these friends are not notified by the applications nor by Facebook, and they have not given consent. This paper presents a detailed multi-faceted study of the collateral information collection of the applications on Facebook. To investigate the views of the users, we designed a questionnaire and collected the responses of 114 participants. The results show that participants are concerned about the collateral information collection and in particular about the lack of notification and of mechanisms to control the data collection. Based on real data, we compute the likelihood of collateral information collection affecting users: we show that the probability is significant and greater than 80% for popular applications such as TripAdvisor. We also demonstrate that a substantial amount of profile data can be collected by applications, which enables application providers to profile users. To investigate whether collateral information collection is an issue to users’ privacy we analysed the legal framework in light of the new General Data Protection Regulation. We provide a detailed analysis of the entities involved and investigate which entity is accountable for the collateral information collection. To provide countermeasures, we propose a privacy dashboard extension that implements privacy scoring computations to enhance transparency towards collateral information collection. Furthermore, we discuss alternative solutions highlighting other countermeasures such as notification and access control mechanisms, cryptographic solutions and application auditing. To the best of our knowledge, this is the first work that provides a detailed multi-faceted study of this problem and that analyses the threat of user profiling by application providers.
Qichun Wang
ePrint Report
It is known that correlation-immune (CI) Boolean functions used in the framework of side channel attacks need to have low Hamming weights. In 2013, Bhasin et al. studied the minimum Hamming weight of $d$-CI Boolean functions, and presented an open problem: the minimal weight of a $d$-CI function in $n$ variables might not increase with $n$. Very recently, Carlet and Chen proposed some constructions of low-weight CI functions, and gave a conjecture on the minimum Hamming weight of $3$-CI functions in $n$ variables.

In this paper, we determine the values of the minimum Hamming weights of $d$-CI Boolean functions in $n$ variables for infinitely many $n$'s and give a negative answer to the open problem proposed by Bhasin et al. We then present a method to construct minimum-weight 2-CI functions through Hadamard matrices, which can provide all minimum-weight 2-CI functions in $4k-1$ variables. Furthermore, we prove that the Carlet-Chen conjecture is equivalent to the famous Hadamard conjecture. Most notably, we propose an efficient method to construct low-weight $n$-variable CI functions through $d$-linearly independent sets, which can provide numerous minimum-weight $d$-CI functions. Particularly, we obtain some new values of the minimum Hamming weights of $d$-CI functions in $n$ variables for $n\leq 13$. We conjecture that the functions constructed by us are of the minimum Hamming weights if the sets are of absolute maximum $d$-linearly independent. If our conjecture holds, then all the values for $n\leq 13$ and most values for general $n$ are determined.
Gizem S. Çetin, Berk Sunar
ePrint Report
In this paper we propose a rank based algorithm for sorting encrypted data using monomials. Greedy Sort is a sorting technique that aims to minimize the depth of the homomorphic evaluations. It is a costly algorithm due to excessive ciphertext multiplications and its implementation is cumbersome. Another method, Direct Sort, has a slightly deeper circuit than Greedy Sort; nevertheless it is simpler to implement and scales better with the size of the input array. Our proposed method minimizes both the circuit depth and the number of ciphertext multiplications. In addition to its performance, its simple design makes it more favorable compared to the alternative methods which are hard to parallelize, e.g. not suitable for fast GPU implementations. Furthermore, we improve the performance of the homomorphic sorting algorithm by adapting the SIMD operations alongside message slot rotation techniques. This method allows us to pack $N$ integers into a single ciphertext and compute $N$ comparisons at once, thus reducing $\mathcal{O}(N^2)$ comparisons to $\mathcal{O}(N)$.
Jason LeGrow, David Jao, Reza Azarderakhsh
ePrint Report
We propose a security model for authenticated key establishment in the quantum setting. Our model is the first for authenticated key establishment that allows for quantum superpositions of queries. The model builds on the classical Canetti-Krawczyk model but allows quantum interactions between the adversary and quantum oracles that emulate classical parties. We demonstrate that this new security definition is satisfiable by giving a generic construction from simpler cryptographic primitives and a specific protocol which is secure in the quantum random oracle model, under the supersingular isogeny decisional Diffie-Hellman assumption (SIDH).

22 March 2018

Saikrishna Badrinarayanan, Dakshita Khurana, Amit Sahai, Brent Waters
ePrint Report
The notion of Functional Encryption (FE) has recently emerged as a strong primitive with several exciting applications. In this work, we initiate the study of the following question: Can existing public key encryption schemes be "upgraded" to Functional Encryption schemes without changing their public keys or the encryption algorithm? We call a public-key encryption scheme with this property FE-compatible.

Indeed, assuming ideal obfuscation, it is easy to see that every CCA-secure public-key encryption scheme is FE-compatible. Despite the recent success in using indistinguishability obfuscation to replace ideal obfuscation for many applications, we show that this phenomenon most likely will not apply here. We show that assuming fully homomorphic encryption and the learning with errors (LWE) assumption, there exists a CCA-secure encryption scheme that is provably not FE-compatible. We also show that a large class of natural CCA-secure encryption schemes proven secure in the random oracle model are not FE-compatible in the random oracle model.

Nevertheless, we identify a key structure that, if present, is sufficient to provide FE-compatibility. Specifically, we show that assuming sub-exponentially secure iO and sub-exponentially secure one way functions, there exists a class of public key encryption schemes which we call Special-CCA secure encryption schemes that are in fact, FE-compatible.

In particular, each of the following popular CCA secure encryption schemes (some of which existed even before the notion of FE was introduced) fall into the class of Special-CCA secure encryption schemes and are thus FE-compatible:

1) The scheme of Canetti, Halevi and Katz (Eurocrypt 2004) when instantiated with the IBE scheme of Boneh-Boyen (Eurocrypt 2004).

2) The scheme of Canetti, Halevi and Katz (Eurocrypt 2004) when instantiated with any Hierarchical IBE scheme.

3) The scheme of Peikert and Waters (STOC 2008) when instantiated with any Lossy Trapdoor Function.