International Association
for Cryptologic Research

This position involves research and development in the areas of Cloud Security, IoT Security, and Software Security. Our work ranges from foundational research and IPR creation to prototype development for transfer to NEC products and services. We are looking for individuals with a passion to develop and transform innovative ideas into working prototypes.

Candidates should have excellent communication skills and a deep technical background in:

• Security protocols, applied cryptography, and privacy enhancing technologies
• Software development including proven experience with programming languages, such as Java or C/C++
• Excellent understanding of Linux as a development platform; Experience with OpenStack is a plus.

Candidates with a recent Ph.D. Degree in System Security, Computer Science or a closely related field, and with a proven record of publications and software development are preferred.

NEC Laboratories in Heidelberg, Germany, provides an excellent working environment supporting individual creativity as well as strong teamwork. English is the working language in the Laboratories. The position is initially limited to two years. Please send your CV and preferably two recommendation letters and a sample code from a past project that you have been involved in electronically via the applications web system http://www.neclab.eu/staffapplication/ with reference to [1512-190-SEC].

Closing date for applications: 29 February 2016

Contact: Amardeo Sarma, General Manager. Phone +49 6221 4342-0

More information: http://www.neclab.eu/jobs.htm

We study the problem of how to efficiently outsource a sensitive computation on secret inputs to a number of untrusted workers, under the assumption that at least one worker is honest.

In our setting there are a number of clients $C_1,\ldots,C_n$ with inputs $x_1,\ldots,x_n$. The clients want to delegate a secure computation of $f(x_1,\ldots,x_n)$ to a set of untrusted workers $W_1,\ldots,W_m$. We want do so in such a way that as long as there is at least one honest worker (and everyone else might be actively corrupted) the following holds: * the privacy of the inputs is preserved; * output of the computation is correct (in particular workers cannot change the inputs of honest clients).

We propose a solution where the clients' work is minimal and the interaction pattern simple (one message to upload inputs, one to receive results), while at the same time reducing the overhead for the workers to a minimum. Our solution is generic and can be instantiated with any underlying reactive MPC protocol where linear operations are ``for free''. In contrast previous solutions were less generic and could only be instantiated for specific numbers of clients/workers.

This paper investigates the degradation properties of Boolean functions from the aspects of the distributions of dierences and linear masks, and shows two characterizations of the degraded Boolean function. One is that there exists a linear space of the input dierences, where the dierentials with the zero output dierence have probability 1; Another one is that the input linear masks of the nonzero-correlation linear approximations are included in a linear space. Those two linear spaces are orthogonal spaces. Moreover, the degradation properties are showed about the exponentiation type S-box of the SAFER block ciphers, which are applied to reduce the compute complexity in the zero-correlation linear attacks on 5-round SAFER SK/128, 4(5)-round SAFER+/128(256) and 5(6)-round SAFER++/128(256). In the attacks, some of the linear properties of PHT employed as the linear layer by the SAFER block ciphers are investigated and some zero-correlation approximations for SAFER SK, SAFER+, and SAFER++ are identied, when only the least one or two signicant bits are considered. The results show that more rounds of some of the SAFER block ciphers can be attacked, by considering the degradation properties and the zero-correlation linear relations.

We introduce a new cryptographic primitive: Proofs of Space-Time (PoSTs) and construct a practical protocol for implementing these proofs. A PoST allows a prover to convince a verifier that she spent a ``spacetime'' resource (storing data---space---over a period of time). Formally, we define the PoST resource as a linear tradeoff between CPU work and space-time (under reasonable cost assumptions, a rational user will prefer to use the lower-cost space-time resource over CPU work).

Compared to a proof-of-work, a PoST requires less energy use, as the ``difficulty'' can be increased by extending the time period over which data is stored without increasing computation costs. Our definition is very similar to ``Proofs of Space'' [ePrint 2013/796, 2013/805] but, unlike the previous definitions, takes into account amortization attacks and storage duration. Moreover, our protocol uses a very different (and simpler) technique, making use of the fact that we explicitly allow a space-time tradeoff.

A increasingly popular approach to proving the security of protocols is to define the desired security and functional properties by an ideal functionality and then to prove that a protocol realizes the functionality within a universal composability framework. When specifying such ideal functionalities, one often requires the adversary (or environment) to provide some meta-information, such as cryptographic values of signatures, ciphertexts, and keys. Similarly, when designing protocols, the adversary/environment needs to provide, for example, signaling information and corruption statuses of protocol participants. Intuitively, one would expect that such requests are answered immediately. However, in none of the existing models for universal composability this is guaranteed: adversaries and environments can freely activate protocols and ideal functionalities without answering such requests, resulting in dangling and interleaving requests. We call this issue the non-responsiveness problem. It is typically very cumbersome to properly deal with such intermediate activations and interleaved requests and there is no generally applicable method to handle such activations. If fact, protocol designers often do not even consider this issue and miss to specify the behavior of their protocols and ideal functionalities in these situations. This unfortunately results in undefined or even flawed specifications, making it impossible to use such protocols/ideal functionalities in higher level protocols and carrying out rigorous security proofs. What makes the non-responsiveness problem and its consequences particularly disturbing is that they are merely a modeling artifact: it would be very natural if the mentioned requests were answered immediately by adversaries/environments as they are used for modeling purposes only and allowing adversaries/environments to not answer them immediately does not model any real attack.

This paper solves the non-responsiveness problem and its negative consequences by proposing a framework for universal composability with responsive environments and adversaries. In a nutshell, when a protocol or functionality sends what we call a restricting message to the adversary/environment, the latter must provide a valid response before any other protocol/functionality is activated. Hence, protocol designers can declare requests for meta-information to be restricting in order to guarantee that such requests are answered immediately, and hence, they do not have to worry about modeling artefacts resulting from such requests not being answered immediately. Our concepts apply to all existing models for universal composability, we provide formal theorems for the IITM model and discuss it the UC and GNUC models.

The use of Physically Unclonable Functions (PUFs) in cryptographic protocols attracted an increased interest over recent years. Since sound security analysis requires a concise specification of the alleged properties of the PUF, there have been numerous trials to provide formal security models for PUFs. However, all these approaches have been tailored to specific types of applications or specific PUF instantiations. For the sake of applicability, composability, and comparability, however, there is a strong need for a unified security model for PUFs (to satisfy, for example, a need to answer whether a future protocol requirements match a new and coming PUF realization properties). In this work, we propose a PUF model which generalizes various existing PUF models and includes security properties that have not been modeled so far. We prove the relation between some of the properties, and also discuss the relation of our model to existing ones.

Typically, secure channels are constructed from an authenticated key exchange (AKE) protocol, which authenticates the communicating parties based on long-term public keys and establishes secret session keys. In this paper we address the partial leakage of long-term secret keys of key exchange protocol participants due to various side-channel attacks. Security models for two-party authenticated key exchange protocols have developed over time to provide security even when the adversary learns certain secret values. This paper combines and extends the advances of security modelling for AKE protocols addressing more granular partial leakage of long-term secrets of protocol participants.

The utilization of private Attribute-based credentials (ABC) in everyday life could enable citizens to only partially reveal their identity in economic transactions and communication with public institutions. This means citizens could control in a practical way the information related to their own life and identity in many contexts. At the time of writing, the Identity Mixer (Idemix) by IBM is the only credential system that offers enough flexibility to proof a considerable variety of properties of the attributes of a credential. Despite many practitioners have proposed different strategies for implementing ABCs on smart cards in the last few years, the complexity of the assumptions these primitives usually rely on, undermines fast and practical implementations of ABCs. The lack of smart cards with powerful hardware arithmetic accelerators is not the only problem for speeding up the computation of these primitives since one need to perform fast arithmetic operations with operands stored in RAM. Moreover, the implementation of complex Zero-Knowledge Proofs (ZKP) needs a considerable amount of pseudorandomness. In order to overcome these limitations, we proposed to use a Pseudo-Random Number Generator (PRNG) for recomputing pseudorandomness and we use it tandem with variable reconstruction in order to implement complex proofs. The utilization of this simple technique enable us to compute pseudonyms, domain pseudonyms, multi-credential proofs and to rely on the AND, NOT and OR operators to prove inner properties of the attributes of the credential whereas prior art only addressed the selective disclosure of one attribute on a given credential. Moreover, we show how to increase the number of attributes stored on the card via this construction. Finally, we show how to chain proofs based on AND, NOT and OR operators in order to extend the amount of properties of a credential that can be showed via external and internal commitment reordering.

In view of the expected progress in cryptanalysis it is important to find alternatives for currently used signature schemes such as RSA and ECDSA. The most promising lattice-based signature schemes to replace these schemes are BLISS (CRYPTO 2013) and GLP (CHES 2012). Both come with a security reduction from a lattice problem and have high performance. However, their parameters are not chosen according to their provided security reduction, i.e., the instantiation is not provably secure. In this paper, we present the first lattice-based signature scheme with good performance when provably secure instantiated. To this end, we provide a tight security reduction for the new scheme from the ring learning with errors problem which allows for provably secure and efficient instantiations. We present experimental results obtained from a software implementation of our scheme. They show that our scheme, when provably secure instantiated, performs comparably with BLISS and the GLP scheme.

In this paper we will present various hardware architecture designs for implementing the SIMON 64/128 block cipher as a cryptographic component offering encryption, decryption and self-contained key-scheduling capabilities and discuss the issues and design options we encountered and the tradeoffs we made in implementing them. Finally, we will present the results of our hardware architectures' implementation performances on the Xilinx Spartan-6 FPGA series.

In this document we present an introductory overview of the algorithms and design components underlying the Keccac cryptographic primitive and the Keyak encryption scheme for authenticated (session-supporting) encryption. This document aims to familiarize readers with the basic principles of authenticated encryption, the Sponge and Duplex constructions (full-state, keyed as well as regular versions), the permutation functions underlying Keccak and Keyak as well as Keyak v2's Motorist mode of operation.

We present the Balloon family of password hashing functions. These are the first cryptographic hash functions with proven space-hardness properties that: (i) use a password-independent access pattern, (ii) build exclusively upon standard cryptographic primitives, and (iii) are fast enough for real-world use. Space-hard functions require a large amount of working space to evaluate efficiently and, when used for password hashing, they dramatically increase the cost of offline dictionary attacks. The central technical challenge of this work was to devise the graph-theoretic and linear-algebraic techniques necessary to prove the space-hardness properties of the Balloon functions (in the random-oracle model). To motivate our interest in security proofs, we demonstrate that it is possible to compute Argon2i, a recently proposed space-hard function that lacks a formal analysis, in a fifth of the claimed required space with no increase in the computation time.

The reported power analysis attacks on hardware implementations of the MICKEY family of streams ciphers require a large number of power traces. The primary motivation of our work is to break an implementation of the cipher when only a limited number of power traces can be acquired by an adversary. In this paper, we propose a novel approach to mount a Template attack (TA) on MICKEY-128 2.0 stream cipher using Particle Swarm Optimization (PSO) generated initialization vectors (IVs). In addition, we report the results of power analysis against a MICKEY-128 2.0 implementation on a SASEBO-GII board to demonstrate our proposed attack strategy. The captured power traces were analyzed using Least Squares Support Vector Machine (LS-SVM) learning algorithm based binary classifiers to segregate the power traces into the respective Hamming distance (HD) classes. The outcomes of the experiments reveal that our proposed power analysis attack strategy requires a much lesser number of IVs compared to a standard Correlation Power Analysis (CPA) attack on MICKEY-128 2.0 during the key loading phase of the cipher.

The related-key model is now considered an important scenario for block cipher security and many schemes were broken in this model, even AES-192 and AES-256. Recently were introduced efficient computer-based search tools that can produce the best possible related-key truncated differential paths for AES. However, one has to trust the implementation of these tools and they do not provide any meaningful information on how to design a good key schedule, which remains a challenge for the community as of today.

We provide in this article the first human-readable proof on the minimal number of active Sboxes in the related-key model for AES-128, without any help from a computer. More precisely, we show that any related-key differential paths for AES-128 will respectively contain at least 0, 1, 3 and 9 active Sboxes for 1, 2, 3 and 4 rounds. Our proof is tight, not trivial, and actually exhibits for the first time the interplay between the key state and the internal state of an AES-like block cipher with an AES-like key schedule. As application example, we leverage our proofs to propose a new key schedule, that is not only faster (a simple permutation on the byte positions) but also ensures a higher number of active Sboxes than AES-128's key schedule. We believe this is an important step towards a good understanding of efficient and secure key schedule designs.

BIP70 is a community-accepted Payment Protocol standard that governs how merchants and customers perform payments in Bitcoin. This standard is supported by most major wallets and the two dominant Payment Processors: Coinbase and BitPay, who collectively provide the infrastructure for accepting Bitcoin as a form of payment to more than 100,000 merchants. In this paper, we present new attacks on the Payment Protocol, which affect all BIP70 merchants. The Silkroad Trader attack highlights an authentication vulnerability in the Payment Protocol while the Marketplace Trader attack exploits the refund policies of existing Payment Processors. Both attacks have been experimentally verified on real-life merchants using a modified Bitcoin wallet. The attacks have been acknowledged by both Coinbase and Bitpay with temporary mitigation measures put in place. However, to fully address the identified issues will require revising the BIP70 standard. We present a concrete proposal to revise BIP70 by providing the merchant with publicly verifiable evidence to prevent both attacks.

Recently, Kumari et al. pointed out that Chang et al.’s scheme “Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update” not only has several drawbacks, but also does not provide any session key agreement. Hence, they proposed an improved remote user authentication Scheme with key agreement on Chang et al.’s Scheme. After cryptanalysis, they confirm the security properties of the improved scheme. However, we determine that the scheme suffers from both anonymity breach and he smart card loss password guessing attack, which are in the ten basic requirements in a secure identity authentication using smart card, assisted by Liao et al. Therefore, we modify the method to include the desired security functionality, which is significantly important in a user authentication system using smart card.

Event date: 22 June to 24 June 2016
Submission deadline: 15 April 2016
Notification: 15 May 2016

Please join us in congratulating Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith for being awarded the 2nd annual TCC Test of Time Award. Their article Calibrating Noise to Sensitivity in Private Data Analysis, published at TCC 2006, is recognized for introducing the definition of differential privacy, and providing a solid mathematical foundation for a vast body of subsequent work on private data analysis. The award was presented Monday at the TCC 2016 conference in Tel Aviv, Israel.

The TCC Test of Time award was introduced in 2015. It recognizes outstanding papers, published in the Theory of Cryptography Conference (TCC) at least eight years ago, making a significant contribution to the theory of cryptography, preferably with influence also in other area of cryptography, theory, and beyond. For more information about the Test of Time award, including information on nominating a paper, please see the page at http://www.iacr.org/workshops/tcc/awards.html

1.Laboratory, Job Title and Position Description: Division of Electrical, Electronic and Information Engineering, Graduate School of Engineering, Osaka University

Specially Appointed Assistant Professor (Full-Time): 1

The positions will primarily focus on JST CREST Project on \"The Security Infrastructure Technology for Integrated Utilization of Big Data\" at Graduate School of Engineering, Osaka University (Research Director, Prof. Atsuko Miyaji. Launch from October, 2014.)

2. Qualification:

1. Ph.D. in cryptography, network and system security or data science is required.
2. Specialized knowledge in information security area is required.
3. English language ability sufficient to fulfill one’s work duties.

3. Research Topics:

A primary objective of this position is to promote to establish a platform for big data collection, analysis and utilization in a secure and privacy-preserving manner such as secure data management, privacy-preserving data mining and secure data utility.

4. Period of Employment:

As early as possible (no later than April 1, 2016) – March 31, 2017
(Renewal of the contract might be possible. At longest, up to March 31, 2019.)

5. Application Documents Required:

Applicants must submit the following items:

1. CV (photograph attached).
2. A list of candidate’s experienced research activities and accomplishments in reversed chronological order according to the following categories: international journal publications, reviewed international conference papers, domestic journal and conference publications, and others such as editorship for international journals and membership of conference program committees.
3. Statement of your previous research and future plans for research and education activities.
4. A list of names and contact information (mailing address, e-mail, telephone and fax numbers) from three referees.
5. Recommendation letters from three referees above.
6. Hard copies of at most 5 most significant publications.
7. Other supporting documents if you think they are necessary.

Closing date for applications: 25 January 2016

Contact: (By postal mail EMS) Atsuko Miyaji, Professor
Department of Information and Communications Technology, Graduate School of Engineering, Osaka University
2-1 Yamadaoka, Suita, Osaka Prefecture 565-0871, JAPAN
*Write "Application Forms for CREST Research fellow" on the envelope in red ink.
(By e-mail) crest-inf (at) crypto-cybersec.comm.eng.osaka-u.ac.jp

(Phone) +81-6-6879-7714

More information: http://bigdata.comm.eng.osaka-u.ac.jp/index.en.html

In this note, using rather elementary technique and the derived formula that relates the coefficients of a polynomial over a finite field and its derivative, we deduce many interesting results related to derivatives of Boolean functions and derivatives of mappings over finite fields. For instance, we easily identify several infinite classes of polynomials which cannot possess linear structures. The same technique can be applied for deducing a nontrivial upper bound on the degree of so-called planar mappings.