International Association
for Cryptologic Research

Log files are the primary source of information when the past peration of a computing system needs to be determined. Keeping correct and accurate log files is importantfor after-the-fact forensics, as well as for system administration, maintenance, and auditing. Therefore, a line of research has emerged on how to cryptographically protect the integrity of log files even against intruders who gain control of the logging machine. We contribute to this line of research by devising a scheme where one can verify integrity not only of the log file as a whole, but also of excerpts. This is helpful in various scenarios, including cloud provider auditing.

Masking is a popular countermeasure to thwart side-channel attacks on embedded systems. Many proposed masking schemes, even carrying ``security proofs'', are eventually broken because they are flawed by design. The security validation process is nowadays a lengthy, tedious and manual process.

In this paper, we report on a method to verify the soundness of a masking scheme before implementing it on a device. We show that by instrumenting a high-level implementation of the masking scheme and by applying leakage detection techniques, a system designer can quickly assess at design time whether the masking scheme is flawed or not, and to what extent. Our method requires not more than working high-level source code and is based on simulation. Thus, our method can be used already in the very early stages of design. We validate our approach by spotting in an automated fashion first-, second- and third-order flaws in recently published state-of-the-art schemes in a matter of seconds with limited computational resources. We also present a new second-order flaw on a table recomputation scheme, and show that the approach is useful when designing a hardware masked implementation.

We are looking for a seasoned cryptography engineer for a development role in the Technology group. This role focuses on the implementation of cutting-edge cryptographic protocols for use at web scale in CloudFlare’s systems.

Candidates will have extensive experience in implementing real-world cryptographic protocols such as TLS. Substantial contributions to cryptographic software such as OpenSSL are preferred. Experience in Go, C, and assembly are required. Cryptography Engineers are expected to be familiar with the nuances of implementing public-key cryptography (PKI), side-channel attacks, padding oracles, constant-time implementations, and have deep domain knowledge.

Requirements

• B.S. or M.S. Computer Science or related field, or equivalent experience
• Experience building security in a fast-paced, web-scale environment
• Advance knowledge of networking protocols - TCP/IP, DNS, SMTP, BGP etc.
• In-depth knowledge of authentication protocols, applied cryptography, PKI and SSL/TLS
• Proficiency in these languages - Go, C, and x86/amd64 assembly
• Knowledge of the latest attack trends, tools and the threat landscape
• Proven track record of independently driving security projects in a fast-paced environment
• Excellent communication skills on both technical and non-technical issues

Bonus Points:

• Substantial contributions to cryptography software such as OpenSSL
• Experience with high throughput/low latency real-time systems and/or content delivery networks

Closing date for applications: 15 June 2016

Contact: https://careers.jobscore.com/careers/cloudflare/jobs/cryptography-engineer-c0wW9i590r5BqSeMg-44q7

More information: https://careers.jobscore.com/careers/cloudflare/jobs/cryptography-engineer-c0wW9i590r5BqSeMg-44q7

Event date: 21 August to 26 August 2016
Submission deadline: 22 April 2016
Notification: 6 May 2016

Over the last few years a new breed of cryptographic primitives has arisen: on one hand they have previously unimagined utility and on the other hand they are not based on simple to state and tried out assumptions. With the on-going study of these primitives, we are left with several different candidate constructions each based on a different, not easy to express, mathematical assumptions, where some even turn out to be insecure.

A {\em combiner} for a cryptographic primitive takes several candidate constructions of the primitive and outputs one construction that is as good as any of the input constructions. Furthermore, this combiner must be efficient: the resulting construction should remain polynomial-time even when combining polynomially many candidate. Combiners are especially important for a primitive where there are several competing constructions whose security is hard to evaluate, as is the case for indistinguishability obfuscation (IO) and witness encryption (WE).

One place where the need for combiners appears is in design of a {\em universal construction}, where one wishes to find ``one construction to rule them all": an explicit construction that is secure if {\em any} construction of the primitive exists.

In a recent paper, Goldwasser and Kalai posed as a challenge finding universal constructions for indistinguishability obfuscation and witness encryption. In this work we resolve this issue: we construct universal schemes for IO, and for witness encryption, and also resolve the existence of combiners for these primitives along the way. For IO, our universal construction and combiners can be built based on \emph{either} assuming DDH, or assuming LWE, with security against subexponential adversaries. For witness encryption, we need only one-way functions secure against polynomial time adversaries.

This paper presents an area-optimized FPGA architecture of the Montgomery modular multiplication algorithm on a low power reconfigurable IGLOO® 2 FPGA of Microsemi®. Our contributions consist of the mapping of the Montgomery algorithm to the specific architecture of the target FPGA, using the pipelined Math blocks and the embedded memory blocks. We minimize the occupation of these blocks as well as the usage of the regular FPGA cells (LUT4 and Flip Flops) through an dedicated scheduling algorithm. The obtained results suggest that a 224-bit modular multiplication can be computed in 2.42 µs, at a cost of 444 LUT4, 160 Flip Flops, 1 Math Block and 1 64x18 RAM, with a power consumption of 25.35 mW. If more area resources are considered, modular multiplication can be performed in 1.30 µs at a cost of 658 LUT4, 268 Flip Flops, 2 Math Blocks, 2 64x18 RAMs and a power consumption of 36.02 mW.

A constrained pseudorandom function (CPRF) $F \colon {\cal K} \times {\cal X} \to {\cal Y}$ for a family ${\cal T}$ of subsets of $\cal X$ is a function where for any key $k \in {\cal K}$ and set $S \in {\cal T}$ one can efficiently compute a short constrained key $k_S$, which allows to evaluate $F(k,\cdot)$ on all inputs $x \in S$, while the outputs on all inputs $x \notin S$ look random even given $k_S$.

Abusalah et al. recently constructed the first constrained PRF for inputs of arbitrary length whose sets $S$ are decided by Turing machines. They use their CPRF to build broadcast encryption and the first ID-based non-interactive key exchange for an unbounded number of users. Their constrained keys are obfuscated circuits and are therefore large.

In this work we drastically reduce the key size and define a constrained key for a Turing machine $M$ as a short signature on $M$. For this, we introduce a new signature primitive with constrained signing keys that let one only sign certain messages, while forging a signature on others is hard even when knowing the coins for key generation.

Proxy re-encryption (PRE) was introduced by Blaze, Bleumer and Strauss [Eurocrypt '98]. Basically, PRE allows a semi-trusted proxy to transform a ciphertext encrypted under one key into an encryption of the same plaintext under another key, without revealing the underlying plaintext. Since then, many interesting applications have been explored, and many constructions in various settings have been proposed. In 2007, Cannetti and Honhenberger [CCS '07] defined a stronger notion -- CCA-security and construct a bi-directional PRE scheme. Later on, several work considered CCA-secure PRE based on bilinear group assumptions. Very recently, Kirshanova [PKC '14] proposed the first single-hop CCA-secure PRE scheme based on learning with errors (LWE) assumption.

In this work, we first point out a subtle but serious mistake in the security proof of the work by Kirshanova. This reopens the direction of lattice-based CCA-secure constructions, even in the single-hop setting. Then we propose a new LWE-based single-hop CCA-secure PRE scheme. Finally, we extend the construction to support multi-hop re-encryptions for different levels of security under different settings.

In recent years, public key encryption with equality test (PKEET) has become a hot research topic in the cryptography community due to the advancement of cloud computing. Recently, Ma et al. proposed a new related primitive, called public key encryption with equality test supporting flexible authorization (PKEET-FA), and constructed a concrete scheme. In their proposal, four types of authorization were presented to support different authorization policies. However, their proposal is based on bilinear pairings which are time costing operations compared with modular exponentiations. In this paper, we present a new PKEET-FA scheme without bilinear pairings. Compared with the existing work, our proposal is more efficient.

In this work we apply information theoretically optimal arithmetic coding and a number of novel side-channel blinding countermeasure techniques to create BLZZRD, a practical, compact, and more quantum-resistant variant of the BLISS Ring-LWE Signature Scheme. We show how the hash-based random oracle can be modified to be more secure against quantum preimage attacks while decreasing signature size at any given security level. Most lattice-based cryptographic algorithms require non-uniformly distributed ciphertext, signature, and public/private key data to be stored and transmitted; hence there is a requirement for compression. Arithmetic Coding offers an information theoretically optimal compression for stationary and memoryless sources, such as the discrete Gaussian distributions often used in Lattice-based cryptography. We show that this technique gives better signature sizes than the previously proposed advanced Huffman-based compressors. We further demonstrate that arithmetic decoding from an uniform source to target distribution is also an optimal Gaussian sampling method in the sense that a minimal amount of true random bits is required. Performance of the new Binary Arithmetic Coding (BAC) sampler is comparable to other mainstream samplers. The same code, tables, or circuitry can be utilised for both tasks, eliminating the need for separate sampling and compression components. We also describe a simple blinding technique that can be applied to anti-cyclic polynomial multiplication to mask timing- and power consumption side-channels in ring arithmetic. We further show that Gaussian sampling can also be blinded by a split-and-permute technique while reducing the size of required CDF tables.

Event date: 5 July to 7 July 2016
Submission deadline: 17 April 2016
Notification: 27 May 2016

Event date: 29 August to 30 August 2016
Submission deadline: 9 May 2016
Notification: 17 June 2016

Job description: The research group Cryptography and IT Security (headed by Profs. Jörn Müller-Quade and Dennis Hofheinz) of the Institute of Theoretical Informatics at KIT has an opening for a PhD position in the scope of the project "CyPhyCrypt: Advanced Crypto for New and Next-Generation Cyber-Physical Systems" (PIs: Andy Rupp @ KIT and Christof Paar @ RUB). This project is fully funded by the German Research Foundation (DFG). It deals with the development of novel CPS security mechanisms with provable security guarantees and computational requirements that can be met in practical settings, based on sound advanced cryptographic constructions (e-cash, anonymous reputation systems, optimistic fair-exchange, etc.). The PhD candidate will be working on security models for the considered CPS as well as on cryptographic constructions which can be shown secure in these models.

Qualification:

• Very good university degree (Master or equivalent) in Computer Science or Mathematics.
• Solid background in provable security, e.g., demonstrated by excellent grades in corresponding postgraduate courses or by publications.
• Self-motivation, team spirit, and willingness to work in interdisciplinary projects.

Application: Please send your application (CV, transcripts and certificates, names of references) by e-Mail to: andy.rupp (at) kit.edu

KIT is an equal opportunity employer. Women are especially encouraged to apply. Applicants with disabilities will be preferentially considered if equally qualified.

Closing date for applications: 15 April 2016

Contact: Andy Rupp, Karlsruhe Institute of Technology, Institute of Theoretical Informatics, email: andy.rupp (at) kit.edu, phone: +49 721/608-41862.

More information: https://www.pse.kit.edu/downloads/stellenangebote/PhD_Student-ITI-CyPhyCrypt_V2-16-04-15.pdf

In electronic devices there is a trend to implement ever more functionality in software instead of hardware. Software has the advantage of being less costly, more scalable, easier to personalize, and easier to update. This trend exists also for security-sensitive functionality. For instance, payment schemes are increasingly implemented in software running on the host CPU of a mobile phone instead of in secured hardware.

A critical question now becomes how to hide secret data and algorithms in software that is running on a fully open platform. The challenge here is that an attacker should be assumed to have full access to and full control over the execution environment. This question is particular relevant for cryptographic keys. For hardware implementations, the protection of keys is a well-studied topic, and evaluation labs are well able to judge the security level of an implementation. For software, however, the evaluation of such solutions, called white-box implementations, is still in its infancy and evaluation labs are not yet able to rate their security level.

This project aims to improve our knowledge of white-box cryptography and white-box attacks to the point where certification of software security becomes meaningful.

We are looking for a candidate who meets the following requirements:

• Master degree in Computer Science, Mathematics, or another closely related discipline;
• an interest in computer security and cryptography
• knowledge of side-channel attacks on protected hardware (e.g. DPA, Fault injection) is a plus
• ability to work in a team, cooperate with industrial partners
• fluent in spoken and written English

Closing date for applications: 17 April 2016

Contact: prof.dr.ir. W.P.A.J. Michiels , email: w.p.a.j.michiels (at) tue.nl

More information: http://jobs.tue.nl/nl/vacature/phd-student-for-the-cowbois-project-256116.html

The LPN problem, lying at the core of many cryptographic constructions for lightweight and post-quantum cryptography, receives quite a lot attention recently. The best published algorithm for solving it at Asiacrypt 2014 improved the classical BKW algorithm by using covering codes, which claimed to marginally compromise the $80$-bit security of HB variants, LPN-C and Lapin. In this paper, we develop faster algorithms for solving LPN based on an optimal precise embedding of cascaded concrete perfect codes, in a similar framework but with many optimizations. Our algorithm outperforms the previous methods for the proposed parameter choices and distinctly break the 80-bit security bound of the instances suggested in cryptographic schemes like HB$^+$, HB$^\#$, LPN-C and Lapin.

Ph.D. positions in information security (M/F)
Ref: R-STR-5014-00B
Fixed Term Contract 3 year (CDD) full-time (40 hrs/week)
Probation: 6 months
Number of positions: 2

Your Role: The successful candidate will participate in the activities of the APSIA research group (http://apsia.uni.lu/) led by Prof. P. Y. A. Ryan. The group specializes in the mathematical foundations of information assurance.

Research Context: The positions are within a national partnership project about the design and the analysis of security of communication protocols for the encrypted exchange and storage of information. Such activities are meant to make it possible to assess rigorously the security of the protocols developed as components of a \'Privacy by Default\' product, and to instil security in the engineering processes from the design of the communication logic down to the implementation of the running code obtained by automatic translation. The analysis can be extended to ensure security to upper layers, including those interacting with the users.

Duties: Under the direction of a senior scientist research and a professor, the candidates will carry research, write scientific papers, present research results at conferences, collaborate with research partners, and write and defend a Ph.D. thesis.

Closing date for applications: 31 March 2016

Contact: Gabriele Lenzini, Peter Y A Ryan

More information: http://emea3.mrted.ly/z3hn

Mobile devices, laptops, and USB memory usually store large amounts of sensitive information frequently unprotected. Unauthorized access to or release of such information could reveal business secrets, users habits, non-public data or anything else. Full Disk Encryption (FDE) solutions might help users to protect sensitive data in the event that devices are lost or stolen. In this paper we focus on the security of Linux Unified Key Setup (LUKS) specifications, the most common FDE solution implemented in Linux based operating systems. In particular, we analyze the key management process used to compute and store the encryption key, and the solution adopted to mitigate the problem of brute force attacks based on weak user passwords. Our testing activities show that unwitting users can significantly reduce the security of a LUKS implementation by setting specific hash functions and aggressive power management options.

Password-based key derivation functions are of particular interest in cryptography because they (a) input a password/passphrase (which usually is short and lacks enough entropy) and derive a cryptographic key; (b) slow down brute force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password based key derivation function called PBKDF2 that has been widely adopted in many security related applications [6, 7, 11]. In order to slow down brute force attacks, PBKDF2 introduce CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2’s CPU intensive operations, by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability.In addition to such a vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce even more the key derivation time.

Consider a setting where inputs $x_1,\ldots,x_n$ are encrypted under independent public keys. Given the ciphertexts $\{c_i = Enc(pk_i,x_i)\}_i$, Alice outputs ciphertexts $c'_1,\ldots,c'_n$ that decrypt to $y_1,\ldots,y_n$ respectively. What relationships between the $x_i$'s and $y_i$'s can Alice induce?

Motivated by applications to delegating computations, Dwork, Langberg, Naor, Nissim and Reingold (unpublished manuscript, 2004) showed that a semantically secure scheme disallows signaling in this setting, meaning that $y_i$ cannot depend on $x_j$ for $j \neq i$ . On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each $y_i$ can be an arbitrary function of $x_i$. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such ``spooky'' relationships. Answering this question is the focus of our work.

Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of ``spooky'' relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function $f$, Alice can ensure that $y_1,\ldots,y_n$ are random subject to $\sum_{i=1}^n y_i = f(x_1,\ldots,x_n)$. For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of $n=2$ inputs, we get a scheme that supports an even larger class of spooky relationships.

We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. (ICALP, 2000) for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions.

We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any non-malleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.

At Eurocrypt 2016, Méaux et al. proposed FLIP, a new family of stream ciphers intended for use in Fully Homomorphic Encryption systems. Unlike its competitors which either have a low initial noise that grows at each successive encryption, or a high constant noise, the FLIP family of ciphers achieves a low constant noise thanks to a new construction called filter permutator. In this paper, we present an attack on the early version of FLIP that exploits the structure of the filter function and the constant internal state of the cipher. Applying this attack to the two instantiations proposed by Méaux et al. allows for a key recovery in $2^{54}$ basic operations (resp. $2^{68}$), compared to the claimed security of $2^{80}$ (resp. $2^{128}$).