International Association for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

via RSS feed
via Twitter
via Weibo
via Facebook

23 December 2019

Edward Eaton, Fang Song
ePrint Report
In a highly influential paper from fifteen years ago, Canetti, Goldreich, and Halevi showed a fundamental separation between the Random Oracle Model (ROM) and the Standard Model. They constructed a signature scheme which can be shown to be secure in the ROM, but is insecure when instantiated with any hash function (and thus insecure in the standard model). In 2011, Boneh et al. defined the notion of the Quantum Random Oracle Model (QROM), where queries to the random oracle may be made in quantum superposition. Because the QROM generalizes the ROM, a proof of security in the QROM is stronger than one in the ROM. This leaves open the possibility that security in the QROM could imply security in the standard model. In this work, we show that this is not the case, and that security in the QROM cannot imply standard model security. We do this by showing that the original schemes that show a separation between the standard model and the ROM are also secure in the QROM. We consider two schemes that establish such a separation, one with length-restricted messages, and one without, and show both to be secure in the QROM. Our results give further understanding to the landscape of proofs in the ROM versus the QROM or standard model, and point towards the QROM and ROM being much closer to each other than either is to standard model security.

22 December 2019

Kyiv, Ukraine, 1 May - 22 May 2020
Event Calendar
Event date: 1 May to 22 May 2020
Submission deadline: 22 February 2020

20 December 2019

University of Wollongong
Job Posting
The Institute of Cybersecurity and Cryptology (iC2), part of the School of Computing and Information Technology (SCIT), is seeking a Lecturer with expertise in cyber security. The primary task of this position is to support the newly developed online course in the Master of Cyber Security. Experience with delivering online courses in cyber security is highly desirable.

Closing date for applications:

Contact: Professor Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=191851&tz=GMT%2B11%3A00&tzname=Australia%2FSydney

University of Wollongong
Job Posting
The Institute of Cybersecurity and Cryptology (iC2), part of the School of Computing and Information Technology (SCIT), is looking to recruit two new staff members (Level B), ideally starting in time to teach in Spring 2020, predominantly to meet the teaching requirements of UOW's SWS undertaking. SCIT aims to be a world-class research school, and this position is expected to contribute towards that aim. One important part of the degrees offered by SCIT is the Bachelor of Computer Science (majoring in cybersecurity) and the Master of Computer Science (with a major in Information Security).

Closing date for applications:

Contact: Professor Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=191859&tz=GMT%2B11%3A00&tzname=Australia%2FSydney

University of Wollongong
Job Posting
The Institute of Cybersecurity and Cryptology (iC2) as a part of the School of Computing and Information Technology (SCIT) is seeking a full-time continuing Associate Professor with expertise in cyber security. The position will act as the Academic Program Director for delivering a new degree for the Master in Cyber Security.

Closing date for applications:

Contact: Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=191858&tz=GMT%2B11%3A00&tzname=Australia%2FSydney


19 December 2019

Paris, France, 8 July - 10 July 2020
Event Calendar
Event date: 8 July to 10 July 2020
Submission deadline: 14 February 2020
Notification: 15 April 2020

18 December 2019

Daniel R. L. Brown
ePrint Report
Simplistic assumptions, modeling attack discovery by a Poisson point process, lead to quantifiable statistical estimates for security assurances. They support the wisdom that more independent effort spent on cryptanalysis leads to better security assurance, but hint that security assurance also relies significantly upon general optimism.

The estimates also suggest somewhat better security assurance from compounding two independent cryptosystems, but perhaps not enough to outweigh the extra cost.
Marshall Ball, Dana Dachman-Soled, Mukul Kulkarni
ePrint Report
We investigate the minimal assumptions necessary for minimal interaction zero-knowledge type primitives—ZAPs (two-round, public coin, witness indistinguishable proofs), NIWI (non-interactive witness indistinguishable proofs) and NIZK (non-interactive zero-knowledge proofs)—in the standard (no trusted setup) model. Since our goal is to obtain constructions from Minicrypt and/or worst-case assumptions only, we consider the setting where the prover is computationally more powerful than the simulator/zero-knowledge distinguisher. This covers both the traditional setting of computationally unbounded provers, as well as a new “fine-grained” setting that we introduce, where the prover is polynomial time and the verifier/simulator/zero-knowledge adversary are in a lower complexity class, such as NC1.

We present constructions of ZAPs and NIWI for AM from Minicrypt and worst-case assumptions. We also present (a form of) NIZK with uniform soundness for NP, from Minicrypt and worst-case assumptions. We present analogous “fine-grained” constructions of all of the above, where the zero-knowledge adversary is limited to NC1. Specifically, we achieve “fine-grained” ZAPs and NIWI for NP from worst-case assumptions only and achieve a form of “fine-grained” NIZK with uniform soundness for NP from worst-case and Minicrypt assumptions.
Amin Rezaei, Yuanqi Shen, Hai Zhou
ePrint Report
The active participation of external entities in the manufacturing flow has produced numerous hardware security issues, of which piracy and overproduction are likely the most ubiquitous and expensive. The main approach to preventing unauthorized products from functioning is logic encryption, which inserts key-controlled gates into the original circuit so that the valid behavior of the circuit occurs only when the correct key is applied. The challenge for the security designer is to ensure that neither the correct key nor the original circuit can be revealed by different analyses of the encrypted circuit. However, in state-of-the-art logic encryption works, a lot of performance is sacrificed to guarantee security against powerful logic and structural attacks. This contradicts the primary purpose of logic encryption, which is to protect a precious design from being pirated and overproduced. In this paper, we propose a bilateral logic encryption platform that maintains a high degree of security with small circuit modification. The robustness against exact and approximate attacks is also demonstrated.
Sigurd Eskeland
ePrint Report
Common to the overwhelming majority of privacy-preserving greater-than integer comparison schemes is that cryptographic computations are conducted in a bitwise manner. To ensure secrecy, each bit must be encoded in such a way that nothing is revealed to the opposite party. The most noted disadvantage is that the computational and communication cost of the bitwise encoding is at best linear in the number of bits. Also, many proposed schemes have complex designs that may be difficult to implement and are not intuitive. Carlton et al. proposed in 2018 an interesting scheme that avoids bitwise decomposition and works on whole integers. It uses a special composite RSA modulus. A variant was proposed by Bourse et al. in 2019. In this paper, we show that the Bourse scheme in particular does not provide the claimed security. Inspired by the two mentioned papers, we propose a comparison scheme with a somewhat simpler construction and with clear security reductions.
Morteza Adeli, Nasour Bagheri
ePrint Report
The Internet of Things (IoT) consists of a large number of interconnected, coexisting heterogeneous entities, including Radio-Frequency Identification (RFID) based devices and other sensors that detect and transfer various information such as temperature, personal health data, brightness, etc. Security, and in particular authentication, is one of the most important parts of the information security infrastructure in IoT systems. Given that an IoT system has many resource-constrained devices, a goal could be designing a proper authentication protocol that is lightweight and can resist various common attacks targeting such devices. Recently, using Physical Unclonable Functions (PUFs) to design lightweight authentication protocols has received a lot of attention among researchers. In this paper, we analyze two recently proposed authentication protocols based on PUF chains, called PHEMAP and Salted PHEMAP. We show that these protocols are vulnerable to impersonation, desynchronization and traceability attacks.
Yongge Wang
ePrint Report
We review several widely deployed solutions for the Byzantine Fault Tolerance (BFT) problem and analyze their security in asynchronous networks. There are two types of widely accepted definitions for partially synchronous networks. In the Type I network, Denial of Service (DoS) attacks are not allowed, and in the Type II network, DoS attacks are allowed before the Global Stabilization Time (GST). When DoS attacks are allowed, the point-to-point communication channel and the broadcast channel are not reliable. We show that if either the broadcast channel or the point-to-point communication channel is not reliable (before or after GST), then several widely deployed BFT protocols such as PBFT and Tendermint BFT would reach a deadlock and could not achieve the liveness property. Specifically, we show that if a malicious participant could broadcast a message to a subset of users instead of all users (before or after GST), then PBFT, Tendermint BFT, and several other BFT systems (e.g., Polkadot’s GRANDPA) would reach a deadlock. To make things worse, we show that, for most of our attacks, the adversary only needs to control one participant to carry out the attack instead of controlling (n-1)/3 participants. Thus these BFT protocols are not secure in Type II partially synchronous networks. Furthermore, in these protocols, if a participant does not receive appropriate messages within a fixed time period, it initiates a view change process. After a view change, participants will no longer accept messages from previous views. Thus our attacks on these protocols in Type II networks will work in the Type I network also. Consequently, these protocols are not secure in any of the widely accepted partially synchronous networks. It should be noted that PBFT has been adopted in many blockchain systems such as Hyperledger Sawtooth, and Tendermint BFT has been adopted in more than 40% of deployed Proof of Stake blockchains such as Cosmos and Hyperledger Burrow.
Based on our analysis of BFT security requirements for partial synchronous networks, we propose a BFT protocol BDLS and prove its security in partial synchronous networks. The BDLS protocol could be used in several application scenarios such as state machine replication or as blockchain finality gadgets.
Norman Lahr, Ruben Niederhagen, Richard Petri, Simona Samardjiska
ePrint Report
This paper presents an attack based on side-channel information and information set decoding on the Niederreiter cryptosystem, and an evaluation of the practicality of the attack using a physical side channel. First, we describe a basic plaintext-recovery attack on the decryption algorithm of the Niederreiter cryptosystem. Our attack is an adaptation of the timing side-channel plaintext-recovery attack by Shoufan et al. from 2010 on the McEliece cryptosystem using the non-constant-time Patterson's algorithm for decoding. We then enhance our attack by utilizing an Information Set Decoding (ISD) approach to support the basic attack, and we introduce column chunking to further significantly reduce the number of required side-channel measurements. Our practical evaluation of the attack targets the FPGA implementation of the Niederreiter cryptosystem in the NIST submission "Classic McEliece" with a constant-time decoding algorithm, and is feasible for all proposed parameter sets of this submission. The attack idea is to distinguish between successful and failed error correction based on the Hamming weight of the decrypted plaintext, using the electromagnetic field as a side channel. We theoretically estimate that our attack improvements have a significant impact on reducing the number of required side-channel traces. We confirm our findings experimentally and run successful attacks against the "Classic McEliece" NIST submission parameter sets. For example, for the 256-bit-security parameter set kem/mceliece6960119, the number of traces required to mount a successful plaintext-recovery attack drops from 6962 with the basic attack, to 5415 with a plain ISD approach, down to about 606 on average.
Moni Naor, Lior Rotem, Gil Segev
ePrint Report
Given the inherent ad-hoc nature of popular communication platforms, out-of-band authenticated key-exchange protocols are becoming widely deployed: key-exchange protocols that enable users to detect man-in-the-middle attacks by manually authenticating one short value. In this work we put forward the notion of immediate key delivery for such protocols, requiring that even if some users participate in the protocol but do not complete it (e.g., due to losing data connectivity or to other common synchronicity issues), the remaining users should still agree on a shared secret. A property of a similar flavor was introduced by Alwen, Coretti and Dodis (EUROCRYPT '19), asking for immediate decryption of messages in user-to-user messaging while assuming that a shared secret has already been established, but the underlying issue is crucial already during the initial key exchange and goes far beyond the context of messaging.

Equipped with our immediate key delivery property, we formalize strong notions of security for out-of-band authenticated group key exchange, and demonstrate that the existing protocols either do not satisfy our notions of security or are impractical (these include, in particular, the protocols deployed by Telegram, Signal and WhatsApp). Then, based on the existence of any passively-secure key-exchange protocol (e.g., the Diffie-Hellman protocol), we construct an out-of-band authenticated group key-exchange protocol satisfying our notions of security. Our protocol is inspired by techniques that have been developed in the context of fair string sampling in order to minimize the effect of adversarial aborts, and offers the optimal tradeoff between the length of its out-of-band value and its security.
Colin Boyd, Gareth T. Davies, Kristian Gjøsteen, Yao Jiang
ePrint Report
Updatable encryption allows a client to outsource ciphertexts to some untrusted server and periodically rotate the encryption key. The server can update ciphertexts from an old key to a new key with the help of an update token, received from the client, which should not reveal anything about keys or plaintexts to an adversary. We provide a new and highly efficient updatable encryption scheme called SHINE. Ciphertext generation consists of applying one permutation and one exponentiation (per message block), while updating ciphertexts requires just one exponentiation. We also define a new security notion for updatable encryption schemes that implies prior notions (for schemes with randomized and deterministic updates). We prove that SHINE and the previous best scheme, RISE, are secure under our new definition.
Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehlé, Alexandre Wallet, Keita Xagawa
ePrint Report
Lattices lead to promising practical post-quantum digital signatures, combining asymptotic efficiency with strong theoretical security guarantees. However, tuning their parameters into practical instantiations is a delicate task. On the one hand, NIST round 2 candidates based on Lyubashevsky's design (such as dilithium and qtesla) allow several tradeoffs between security and efficiency, but at the expense of a large bandwidth consumption. On the other hand, the hash-and-sign falcon signature is much more compact and is still very efficient, but it allows only two security levels, with large compactness and security gaps between them. We introduce a new family of signature schemes based on the falcon design, which relies on module lattices. Our concrete instantiation enjoys the compactness and efficiency of falcon, and allows an intermediate security level. It leads to the most compact lattice-based signature achieving a quantum security above 128 bits.
Yanyan Liu, Yiru Sun
ePrint Report
In this paper, we extend the notion of server-aided revocable identity-based encryption (SR-IBE) to the hierarchical IBE (HIBE) setting and propose a generic construction of server-aided revocable hierarchical IBE (SR-HIBE) schemes with decryption key exposure resistance (DKER) from any (weak) L-level revocable HIBE scheme without DKER and any (L+1)-level HIBE scheme. In order to realize the server-aided revocation mechanism, we use the “double encryption” technique, which gives our construction a short ciphertext size. Furthermore, when the maximum hierarchical depth is one, we obtain a generic construction of SR-IBE schemes with DKER from any IBE scheme and two-level HIBE scheme.
Claude Crépeau, Arnaud Massenet, Louis Salvail, Lucas Stinchcombe, Nan Yang
ePrint Report
In this work we consider the following problem: in a Multi-Prover environment, how close can we get to proving the validity of an NP statement in Zero-Knowledge? We exhibit a set of two novel Zero-Knowledge protocols for the 3-COLorability problem that use two (local) provers or three (entangled) provers and only require them to reply with two trits each. This greatly improves the ability to prove Zero-Knowledge statements over very short distances with very minimal equipment.
Karlsruhe Institute of Technology (KIT)
Job Posting

The "Intelligent System Security" research group at Karlsruhe Institute of Technology (KIT) is seeking to fill the positions of

Two PhD Students / Research Assistants (f/m/d)
in the field of Computer Security and Artificial Intelligence

Both positions are fully funded with the German salary level TV-L 13 (100%) and should be filled at the soonest possible date. In the beginning, the positions are limited to two years, but they offer the possibility of funding the entire duration of the PhD.

Research

Our research group works on the application of machine learning for computer security. In particular, we develop methods in the area of application security and system security, for instance, approaches for attack detection or vulnerability discovery in software and embedded devices. Also, the robustness, security, and interpretability of machine learning methods are central to our research.

Your Profile

We are looking for talented candidates that fulfill the following criteria and intend to pursue a PhD in computer science:

  • Diploma or Master's degree in computer science or any related field
  • Very good knowledge of computer security and/or machine learning
  • Enthusiasm for conducting research on computer security

Field of Work

Possible research topics include, but are not limited to:

  • The analysis of attacks and malware using machine learning
  • Assisted discovery of vulnerabilities
  • Fuzz Testing (Fuzzing) using machine learning
  • Attacks against learning-based systems
  • Explainability of machine learning in computer security

Application

Please send your application including a cover letter, your CV, and certificates/references to applications@intellisec.org. Make sure to point out why you are a good fit for us and research in computer security.

Application Deadline

12 January 2020

Closing date for applications:

Contact: Christian Wressnegger, https://intellisec.org/chris

More information: https://intellisec.de/jobs/phd-2020-en.html

Technical University of Denmark
Job Posting
DTU Compute’s Section for Cyber Security invites applications for an appointment as Associate Professor/Assistant Professor within cryptology. The position is available from 1 April 2020 or according to mutual agreement. Deadline: January 15, 2020.

Closing date for applications:

Contact: Further information may be obtained from the Head of the Cyber Security Section, Christian Damsgaard Jensen, mail: cdje@dtu.dk, or Professor of Cryptology Lars Ramkilde Knudsen, mail: lrkn@dtu.dk.

More information: https://www.dtu.dk/english/about/job-and-career/vacant-positions/job?id=7b31b1b3-fb26-41cc-9852-59134bb47a9d
