International Association
for Cryptologic Research

We consider the problem of Non-Interactive Secure Computation (NISC), a 2-message ``Sender-Receiver'' secure computation protocol that retains its security even when both parties can be malicious. While such protocols are easy to construct using garbled circuits and general non-interactive zero-knowledge proofs, this approach inherently makes a non-black-box use of the underlying cryptographic primitives and is infeasible in practice.

Ishai et al. (Eurocrypt 2011) showed how to construct NISC protocols that only use parallel calls to an ideal oblivious transfer (OT) oracle, and additionally make only a black-box use of any pseudorandom generator. Combined with the efficient 2-message OT protocol of Peikert et al. (Crypto 2008), this leads to a practical approach to NISC that has been implemented in subsequent works. However, a major limitation of all known OT-based NISC protocols is that they are subject to selective failure attacks that allows a malicious sender to entirely compromise the security of the protocol when the receiver's first message is reused.

Motivated by the failure of the OT-based approach, we consider the problem of basing \emph{reusable} NISC on parallel invocations of a standard arithmetic generalization of OT known as oblivious linear-function evaluation (OLE). We obtain the following results:

- We construct an information-theoretically secure reusable NISC protocol for arithmetic branching programs and general zero-knowledge functionalities in the OLE-hybrid model. Our zero-knowledge protocol only makes an absolute constant number of OLE calls per gate in an arithmetic circuit whose satisfiability is being proved. As a corollary, we get reusable NISC/OLE for general Boolean circuits using any one-way function. - We complement this by a negative result, showing that reusable NISC/OT is impossible to achieve, and a more restricted negative result for the case of the zero-knowledge functionality. This provides a formal justification for the need to replace OT by OLE. - We build a universally composable 2-message OLE protocol in the CRS model that can be based on the security of Paillier encryption and requires only a constant number of modular exponentiations. This provides the first arithmetic analogue of the 2-message OT protocols of Peikert et al. (Crypto 2008). - By combining our NISC/OLE protocol and the 2-message OLE protocol, we get protocols with new attractive asymptotic and concrete efficiency features. In particular, we get the first (designated-verifier) NIZK protocols where following a statement-independent preprocessing, both proving and verifying are entirely ``non-cryptographic'' and involve only a constant computational overhead.

We propose a proof of work protocol that computes the discrete logarithm of an element in a cyclic group. Individual provers generating proofs of work perform a distributed version of the Pollard rho algorithm. Such a protocol could capture the computational power expended to construct proof-of-work-based blockchains for a more useful purpose, as well as incentivize advances in hardware, software, or algorithms for an important cryptographic problem. We describe our proposed construction and elaborate on challenges and potential trade-offs that arise in designing a practical proof of work.

Recently Grubbs et al. [GLR17] initiated the formal study of message franking protocols. This new type of service launched by Facebook, allows the receiver in a secure messaging application to verifiably report to a third party an abusive message some sender has sent. A novel cryptographic primitive: committing AEAD has been initiated, whose functionality apart from confidentiality and authenticity asks for a compact commitment over the message, which is delivered to the receiver as part of the ciphertext. A new construction CEP (Committing Encrypt and PRF) has then been proposed, which is multi-opening secure and reduces the computational costs for the sender and the receiver.

Despite the merits of the message franking protocols [GLR17], our observation which launched this work, is that all the designs be it compositional or the CEP construction, leak too much when the receiver needs to open the abusive message to the third party. Namely, the receiver opens the entire message along with the opening key to the third party, thus confidentiality of the message is entirely broken. Moreover, the opening of the entire message increases the communication cost of the protocol and in cases of big messages being exchanged (attachments, videos, multimedia files, etc.) it might be unnecessary. We provide to the best of our knowledge the first formal treatment of message franking protocols with minimum leakage whereby only the abusive blocks are opened, while the rest non-abusive blocks of the message remain private.

First we give a new definition for multi-opening indistinguishability with partial opening (MO-IND-PO), which forces an adversary to distinguish encryptions of abusive blocks. We then design and analyze two protocols CEP-AOP1 (Committing Encrypt and PRF with After Opening Privacy) and CEP-AOP2, which adhere to the new privacy definition. As a side contribution we show a multi-opening secure CEP-AOP2 construction using only one PRF evaluation over the message, in a weaker but meaningful security model, relying only on standard assumptions of the underlying symmetric primitives.

We present an improved search strategy for a template attack on the secret DES key of a widely-used smart card, which is based on a Common-Criteria certified chip. We use the logarithm of the probability function as returned by the template attack itself, averaged over all 28 template positions along the rings representing the C and D Registers of the DES key schedule, as the sorting criteria for the key candidates. For weak keys - which in this attack model have a minimal rest entropy of only two bits - we find that on average only 37.75 bits need to be recovered by brute force when using only a single trace in the Exploitation Phase. This effort goes down to just a few bits for a single DES key when using only a few traces in Exploitation Phase.

Event date: 16 June to 20 June 2018
Submission deadline: 11 November 2018
Notification: 3 December 2018

Event date: 7 December to 9 December 2018
Submission deadline: 1 November 2018

As a Senior Cryptography Engineer - Cloud Engineer, you will:

Design, implement and deploy cryptographic algorithms tailored for a cloud environment.

Conduct research and development in differential privacy, secret sharing, multi-party secure computation and fully homomorphic encryption.

Perform security assessments of crypto-primitives, cryptosystems and cloud security solutions at the theoretical and implementation level.

Work closely with the other teams in the organization to design and deploy safe cloud-based solutions .

Be involved in the integration of developed cryptosystems within DarkMatter products.

Enjoy all the cultural, educational and travel opportunities Abu Dhabi offers

To bring your dream to life, you’ll need:

PhD degree in Cryptography, Applied Cryptography, Information Theory and Mathematics or Computer Science.

Extensive experience developing in various programming languages.

A desire to innovate in the UAE

 

Closing date for applications: 3 March 2019

Contact: Sheila Morjaria

Mehdi Messaoudi

More information: https://grnh.se/d694fd601

As a Cryptography Embedded Systems Engineer, you will:

• Design, implement and deploy cryptographic algorithms tailored for resource-constrained devices.

• Conduct research and development in lightweight cryptography.

• Perform security assessments of crypto-primitives and cryptosystems suitable for resource-constrained devices at the theoretical and implementation level.

• Work closely with the other teams in the organization to deploy secure embedded systems.

• Be involved in the integration of developed cryptosystems within DarkMatter products.

• Enjoy all the cultural, educational and travel opportunities Abu Dhabi offers.

To bring your dream to life, you’ll need:

• MS or PhD degree in Computer Science, Computer Engineering, Electrical Engineering, Cryptography or related field.

• Development experience within embedded systems, RFID and sensor networks.

• Knowledge of Unix/Linux environments and kernel development.

• Knowledge of one or more of the following: Microcontrollers, SoC, TrustZone, ARM processors, performance optimization, bootloading, firmware, x86 assembly, system BIOS or hardware/software integration.

• Knowledge of side-channel attacks and countermeasures.

• Experience coding in C/C++.

• A desire to innovate in the UAE

Closing date for applications: 3 April 2019

Contact: Sheila Morjaria

Mehdi Messaoudi

More information: https://grnh.se/fb5c073f1

About the Department

Cloudflare’s Technology team is working on building the future of Cloudflare by tackling strategic projects that have a large impact on the way Cloudflare systems, and the Internet at large, work. Engineers in the Technology team are expected to research new ideas and technologies, dive into existing codebases to make meaningful changes, work independently on greenfield projects, and collaborate closely with the engineering organization to achieve common goals.

The Cryptography team is a sub-team of the Technology team focused on solving difficult problems in security, performance, and privacy at scale using cryptographic tools. This involves systems engineering, open source software development, protocol design, the implementation of cryptographic primitives, contributions to cutting-edge research in collaboration with academia, participation in Internet standards organizations like the IETF, and more.

Closing date for applications: 1 July 2019

Contact: Nick Sullivan

More information: https://www.cloudflare.com/careers/departments/technology-research/

DTU Compute\'s Section for Cyber Security, invites applications for an appointment as Associate Professor/Assistant Professor within cryptology. The position is available from May 1, 2019 or according to mutual agreement.

The department, DTU Compute, is an internationally unique academic environment spanning the science disciplines mathematics, statistics and computer science. At the same time, we are an engineering department covering informatics and communication technologies (ICT) in their broadest sense. Finally, we play a major role in addressing the societal challenges of the digital society where ICT is a part of every industry, service, and human endeavor.

Responsibilities and tasks

Through the position, the University seeks to strengthen the research within cyber security. The cyber security section at DTU has experts in cryptology, in particular the design and analysis of ciphers and hash functions, but wishes to further strengthen its research within cryptology.

Topics of particular interest include but are not limited to:

• symmetric cryptology

• lightweight and resource-efficient cryptography

• post-quantum cryptology

• provable security of cryptographic primitives

• side-channel attacks and physical cryptanalysis

• analysis and protection of cryptographic implementations

• algorithmic aspects of cryptology

• efficient implementation of cryptographic primitives

Candidates with strong expertise in any other area of cryptology are also encouraged to apply.

Application procedure

To apply, please read the full job advertisement at www.career.dtu.dk

Please submit your online application no later than 1 December 2018.

Closing date for applications: 31 December 2018

We are looking for research fellows with expertise on blockchain and PKC, and offer a competitive salary. If you are interested, please send your CV to Prof. Jianying Zhou . Only short-listed candidates will be contacted for interview.

Closing date for applications: 8 January 2019

Contact: Prof. Jianying Zhou

Email: jianying_zhou (at) sutd.edu.sg

More information: http://jianying.space/

At the Graz University of Technology / Faculty of Computer Science and Biomedical Engineering the position of

University Professor of Information Security

is to be filled at the institute of Applied Information Processing and Communications (IAIK) as a full time permanent position according to section 98 of the Austrian Universities Act (§98 UG). IAIK is an internationally visible research center at TU Graz where more than 60 researchers work on a multitude of topics in information security.

We are seeking a candidate with proven scientific expertise who will represent the field of Information Security in research and teaching. The successful candidate will complement existing strengths at the institute and be an engaged teacher in the Computer Science programs at the bachelor, master, and PhD level.

Closing date for applications: 3 December 2018

Contact: Stefan Mangard, Email: Stefan.Mangard (at) iaik.tugraz.at

More information: https://www.tugraz.at/fakultaeten/infbio/news/vacancies/professor-of-information-security/

A conjunction is a function $f(x_1,\dots,x_n) = \bigwedge_{i \in S} l_i$ where $S \subseteq [n]$ and each $l_i$ is $x_i$ or $\neg x_i$. Bishop et al. (CRYPTO 2018) recently proposed obfuscating conjunctions by embedding them in the error positions of a noisy Reed-Solomon codeword and encoding the codeword in a group exponent. They prove distributional virtual black box (VBB) security in the generic group model for random conjunctions where $|S| \geq 0.226n$. While conjunction obfuscation was known from LWE due to Wichs and Zirdelis (FOCS 2017) and Goyal et al. (FOCS 2017), these constructions rely on substantial technical machinery.

In this work, we conduct an extensive study of simple conjunction obfuscation techniques.

- We abstract the Bishop et al. scheme to obtain an equivalent yet more efficient "dual'' scheme that can handle conjunctions over exponential size alphabets. This scheme admits a straightforward proof of generic group security, which we combine with a novel combinatorial argument to obtain distributional VBB security for $|S|$ of any size.

- If we replace the Reed-Solomon code with a random binary linear code, we can prove security from standard LPN and avoid encoding in a group. This addresses an open problem posed by Bishop et al. to prove security of this simple approach in the standard model.

- We give a new construction that achieves information theoretic distributional VBB security and weak functionality preservation for $|S| \geq n - n^\delta$ and $\delta < 1$. Assuming discrete log and $\delta < 1/2$, we satisfy a stronger notion of functionality preservation for computationally bounded adversaries while still achieving information theoretic security.

Linear cryptanalysis considers correlations between linear input and output combiners for block ciphers and stream ciphers. Daeman and Rijmen (2007) had obtained the distributions of the correlations between linear input and output combiners of uniform random functions and uniform random permutations. Our first contribution is to generalise these results to obtain the distributions of the correlations between arbitrary input and output combiners of uniform random functions and uniform random permutations. Recently, Todo et al. (2018) have proposed nonlinear invariant attacks which consider correlations between nonlinear input and output combiners for a key-alternating block cipher. In its basic form, a nonlinear invariant attack is a distinguishing attack. The second and the main contribution of this paper is to obtain precise expressions for the errors of nonlinear invariant attacks in distinguishing a key-alternating cipher from either a uniform random function or a uniform random permutation.

Physical attacks, especially side-channel attacks, are threats to IoT devices which are located everywhere in the field. For these devices, the authentic functionality is important so that the IoT system becomes correct, and securing this functionality against side-channel attacks is one of our emerging issues. Toward that, Coron et al. gave an efficient arithmetic-to-Boolean mask conversion algorithm which enables us to protect cryptographic algorithms including arithmetic operations, such as hash functions, from the attacks. Recently, Biryukov et al. improved it by locally optimizing subroutines of the conversion algorithm. In this paper, we revisit the algorithm. Unlike Biryukov et al., we improve the Coron et al.'s algorithm with integrative optimizations over the subroutines. The gains against these algorithms are about $22.6\%$ and $7.0\%$ in the general setting. We also apply our algorithm to HMAC-SHA-1 and have an experiment to show that the implementation on a test vehicle smartcard leaks no sensitive information with the ISO/IEC17825 test.

Multilevel and compartmented access structures are two important classes of access structures where participants are grouped into levels/compartments with different degrees of trust and privileges. The construction of secret sharing schemes for such access structures has been in the attention of researchers for a long time. Two main approaches have been taken so far: one of them is based on polynomial interpolation and the other one is based on the Chinese Remainder Theorem (CRT).

In this paper we propose the first asymptotically ideal CRT-based secret sharing schemes for (disjunctive, conjunctive) multilevel and compartmented access structures. Our approach is compositional and it is based on a variant of the Asmuth-Bloom secret sharing scheme where some participants may have public shares. Based on this, we show that the proposed secret sharing schemes for multilevel and compartmented access structures are asymptotically ideal if and only if they are based on 1-compact sequences of co-primes.

The quantum secure supersingular isogeny Diffie-Hellman (SIDH) key exchange is a promising candidate in NIST's on-going post-quantum standardization process. The evaluation of various implementation characteristics is part of this standardization process, and includes the assessment of the applicability on constrained devices. When compared to other post-quantum algorithms, SIDH appears to be well-suited for the implementation on those constrained devices due to its small key sizes. On the other hand, SIDH is computationally complex, which presumably results in long computation times. Since there are no published results to test this assumption, we present speed-optimized implementations for two small microcontrollers and set a first benchmark that can be of relevance for the standardization process. We use state-of-the art field arithmetic algorithms and optimize them in assembly. However, an ephemeral key exchange still requires more than 18 seconds on a 32-bit Cortex-M4 and more than 11 minutes on a 16-bit MSP430. Those results show that even with an improvement by a factor of 4, SIDH is in-fact impractical for small embedded devices, regardless of further possible improvements in the implementation. On a positive note, we also analyzed the implementation security of SIDH and found that appropriate DPA countermeasures can be implemented with little overhead.

The technology of homomorphic encryption has improved rapidly in a few years. The cutting edge implementations are efficient enough to use in practical applications. Recently, Cheon et al. (ASIACRYPT'17) proposed a homomorphic encryption scheme which supports an arithmetic of approximate numbers over encryption. This scheme shows the current best performance in computation over the real numbers, but its implementation could not employ core optimization techniques based on the Residue Number System (RNS) decomposition and the Number Theoretic Transformation (NTT).

In this paper, we present a variant of approximate homomorphic encryption which is optimal for implementation on standard computer system. We first introduce a new structure of ciphertext modulus which allows us to use both the RNS decomposition of cyclotomic polynomials and the NTT conversion on each of the RNS components. We also suggest new approximate modulus switching procedures without any RNS composition. Compared to previous exact algorithms requiring multi-precision arithmetic, our algorithms can be performed by using only word size (64-bit) operations.

Our scheme achieves a significant performance gain from its full RNS implementation. For example, compared to the earlier implementation, our implementation showed speed-ups 17.3, 6.4, and 8.3 times for decryption, constant multiplication, and homomorphic multiplication, respectively, when the dimension of a cyclotomic ring is 32768. We also give experimental result for evaluations of some advanced circuits used in machine learning or statistical analysis. Finally, we demonstrate the practicability of our library by applying to machine learning algorithm. For example, our single core implementation takes 1.8 minutes to build a logistic regression model from encrypted data when the dataset consists of 575 samples, compared to the previous best result 3.5 minutes using four cores.

ElGamal cryptosystem is typically developed in the multiplicative group $\mathbb{Z}_p^*$ ($p$ is a prime number), but it can be applied to the other groups in which discrete logarithm problem should be computationally infeasible. Practically, instead of ElGamal in $\mathbb Z_p^*$, various variants such as ECElGamal (ElGamal in elliptic curve group), CRTElGamal (ElGamal in subgroup of $\mathbb Z_n^*$ where $n=pq$ and $p,q,(p-1)/2,(q-1)/2$ are primes) have already been used for the semantic security. In this paper, for the fast decryption, we reduced the private CRT exponent $x_p$ ($= x mod (p - 1)$) and $x_q$ ($= x mod (q-1)$)maintaining full sized private exponent $x$ ($0<x<n$) in CRTElGamal as reducing $d_p$ ($= d mod (p - 1)$) and $d_q$ ($= d mod (q-1)$) in RSA for the fast decryption. (i.e. as in rebalanced RSA). In this case, unlike rebalanced RSA, decryption of CRTElGamal can be done faster without losing of encryption speed. As a result, it is possible to propose the fast public key cryptosystem that has fast encryption and fast decryption.

Any $d$-regular graph on $n$ vertices with spectral expansion $\lambda$ satisfying $n = \Omega(d^3\log(d)/\lambda)$ yields a $O\left(\frac{\lambda^{3/2}}{d}\right)$-non-malleable code in the split-state model.