International Association for Cryptologic Research


IACR News


Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo and Facebook.

30 August 2016

Tomer Ashur, Yunwen Liu
ePrint Report
Rotational cryptanalysis is a statistical method for attacking ARX constructions. It was previously shown that ARX-C, i.e., ARX with the injection of constants, can be used to implement any function. In this paper we investigate how rotational cryptanalysis is affected when constants are injected into the state. We introduce the notion of an RX-difference, generalizing the idea of a rotational difference. We show how RX-differences behave around modular addition, and give a formula to calculate their transition probability. We experimentally verify the formula using Speck32/64, and present a 7-round distinguisher based on RX-differences. We then discuss two types of constants: round constants, and constants which are the result of using a fixed key, and provide recommendations to designers for the optimal choice of parameters.
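The transition probability the abstract refers to can be checked directly on small words. The script below is an added example, not code from the paper: it takes the RX-difference of a pair (x, x') for rotation amount γ to be (x ⋘ γ) ⊕ x' (the definition assumed here), counts exhaustively over 8-bit words which output RX-difference a modular addition produces for given input RX-differences, estimates the same quantity by sampling for the 16-bit words of Speck32/64, and compares the purely rotational case a = b = δ = 0 against the closed form of Khovratovich and Nikolić (FSE 2010). The paper's own formula for the case with constants is not reproduced on this page, so for that case the script only counts.

```python
"""RX-differences through n-bit modular addition: exhaustive and sampled
transition probabilities, plus the closed form for the purely rotational case."""
import random
from collections import Counter


def rotl(x: int, r: int, n: int) -> int:
    """Rotate the n-bit word x left by r positions."""
    r %= n
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def rx_partner(x: int, a: int, gamma: int, n: int) -> int:
    """Second element of a pair whose RX-difference (rotation gamma) is a.
    Definition assumed here: x' = (x <<< gamma) XOR a."""
    return rotl(x, gamma, n) ^ a


def rx_diff(x: int, x2: int, gamma: int, n: int) -> int:
    """RX-difference of the pair (x, x2) for rotation amount gamma."""
    return rotl(x, gamma, n) ^ x2


def rx_add_transitions(n: int, gamma: int, a: int, b: int) -> dict:
    """Exhaustively count, over all x, y in [0, 2^n), which output RX-difference
    delta the sums x + y and x' + y' acquire when the inputs have RX-differences
    a and b.  Returns {delta: probability}; the probabilities sum to 1."""
    mask = (1 << n) - 1
    counts = Counter()
    for x in range(1 << n):
        xp = rx_partner(x, a, gamma, n)
        for y in range(1 << n):
            yp = rx_partner(y, b, gamma, n)
            s, sp = (x + y) & mask, (xp + yp) & mask
            counts[rx_diff(s, sp, gamma, n)] += 1
    total = 1 << (2 * n)
    return {d: c / total for d, c in counts.items()}


def rx_add_probability_sampled(n: int, gamma: int, a: int, b: int, delta: int,
                               samples: int = 1 << 16, seed: int = 1) -> float:
    """Monte-Carlo estimate of Pr[(a, b) -> delta] for word sizes where the
    exhaustive count is too expensive (e.g. the 16-bit words of Speck32/64)."""
    rng = random.Random(seed)
    mask = (1 << n) - 1
    hits = 0
    for _ in range(samples):
        x, y = rng.getrandbits(n), rng.getrandbits(n)
        s = (x + y) & mask
        sp = (rx_partner(x, a, gamma, n) + rx_partner(y, b, gamma, n)) & mask
        hits += rx_diff(s, sp, gamma, n) == delta
    return hits / samples


def rotational_probability(n: int, gamma: int) -> float:
    """Closed form for the purely rotational case a = b = delta = 0, i.e.
    Pr[((x + y) <<< gamma) == (x <<< gamma) + (y <<< gamma)], from
    Khovratovich and Nikolic (FSE 2010)."""
    return (1 + 2.0 ** (gamma - n) + 2.0 ** -gamma + 2.0 ** -n) / 4


if __name__ == "__main__":
    n, gamma = 8, 1
    # Purely rotational pair: the exhaustive count matches the closed form.
    exact = rx_add_transitions(n, gamma, 0, 0)
    print(f"n={n} gamma={gamma}: Pr[(0,0)->0] = {exact[0]:.6f}, "
          f"closed form = {rotational_probability(n, gamma):.6f}")
    # A constant XORed into one input: list the most likely output differences.
    with_const = rx_add_transitions(n, gamma, 1, 0)
    best = sorted(with_const.items(), key=lambda kv: -kv[1])[:4]
    print("a=1, b=0, most likely delta:", [(hex(d), round(p, 4)) for d, p in best])
    # Speck32/64 word size, estimated by sampling.
    est = rx_add_probability_sampled(16, gamma, 0, 0, 0)
    print(f"n=16: sampled {est:.4f} vs closed form {rotational_probability(16, gamma):.4f}")
```

For n = 8 and γ = 1 the exhaustive count gives Pr[(0,0)→0] = 24768/65536 ≈ 0.3779, which is what the closed form predicts; the same function called with a = 1 shows how XORing a constant into one addend redistributes the output RX-difference, which is the situation the abstract's formula is meant to cover.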
Chun Guo, Dongdai Lin, and Meicheng Liu
ePrint Report
Shannon defined an ideal $(\kappa,n)$-blockcipher as a secrecy system consisting of $2^{\kappa}$ independent $n$-bit random permutations.

This work revisits the following question: in the ideal cipher model, can a cascade of several ideal $(\kappa,n)$-blockciphers realize $2^{2\kappa}$ independent $n$-bit random permutations, i.e. an ideal $(2\kappa,n)$-blockcipher? The motivation goes back to Shannon's theory on product secrecy systems, and a similar question was considered by Even and Goldreich (CRYPTO '83) in different settings. Towards giving an answer, this work analyzes cascading independent ideal $(\kappa,n)$-blockciphers with two alternated independent keys in the indifferentiability framework of Maurer et al. (TCC 2004), and proves that for such an alternating-key cascade, four stages are necessary and sufficient to achieve indifferentiability from an ideal $(2\kappa,n)$-blockcipher. This shows that a cascade is capable of achieving key-length extension in settings where keys are _not necessarily secret_.
Tim Ruffing, Pedro Moreno-Sanchez, Aniket Kate
ePrint Report
Starting with Dining Cryptographers networks (DC-net), several peer-to-peer (P2P) anonymous communication protocols have been proposed. Despite their strong anonymity guarantees none of those has been employed in practice so far: most fail to simultaneously handle the crucial problems of slot collisions and malicious peers, while the remaining ones handle those with a significantly increased latency (communication rounds), linear in the number of participating peers in the best case and quadratic in the worst case. We conceptualize these P2P anonymous communication protocols as P2P mixing, and present a novel P2P mixing protocol, DiceMix, that only requires constant (i.e., four) communication rounds in the best case, and $4+2f$ rounds in the worst case of $f$ malicious peers. As every individual malicious peer can prevent a protocol run from succeeding by omitting his messages, we find DiceMix with its worst-case linear-round complexity to be an optimal P2P mixing solution.

On the application side, we find DiceMix to be an ideal privacy-enhancing primitive for crypto-currencies such as Bitcoin. The public verifiability of their pseudonymous transactions through publicly available ledgers (or blockchains) makes these systems highly vulnerable to a variety of linkability and deanonymization attacks. DiceMix can allow pseudonymous users to make their transactions unlinkable to each other in a manner fully compatible with the existing systems. We demonstrate the efficiency of DiceMix with a proof-of-concept implementation. In our evaluation, DiceMix requires less than 8 seconds to mix 50 messages (160 bits, i.e., Bitcoin addresses), while the best protocol in the literature requires almost 3 minutes in a very similar setting. As a representative example, we apply DiceMix to define a protocol for creating unlinkable Bitcoin transactions.

Finally, we discover a generic attack on P2P mixing protocols that exploits the implicit unfairness of a protocol with a dishonest majority to break anonymity. Our attack uses the attacker's real-world ability to omit some communication from an honest peer to deanonymize her input message. We also discuss how this attack is resolved in our application to crypto-currencies by employing uncorrelated input messages across different protocol runs.
Rachid El Bansarkhani, Ali El Kaafarani
ePrint Report
Attribute based signature schemes (ABS) constitute important and powerful primitives when it comes to protecting the privacy of the user's identity and signing information. More specifically, ABS schemes provide the advantage of anonymously signing a message once a given policy is satisfied. As opposed to other related privacy preserving signatures, the verifier is not able to deduce from the signature which attributes have been used to satisfy the (public) signing policy. In this work we give new and efficient constructions of lattice-based ABS schemes that are not based on the traditional approach of using span programs or secret sharing schemes, as for classical schemes. In fact, our approach is less involved and does not require such complex subroutines. In particular, we first construct a new $(t,B)$-threshold ABS scheme that allows signatures to be generated anonymously if $t$ out of $p=|B|$ attributes are covered by valid credentials. Based on this scheme, we propose a lattice-based ABS scheme for expressive $(\wedge,\vee)$-policies, by use of a new credential aggregation system that is built on top of a modified variant of Boyen's signature scheme. The signature size of the ABS scheme so obtained is linear in the number of disjunctive terms rather than the number of attributes.
University of Bristol
Job Posting
Applications are invited for 2 postdoctoral researchers and 1 PhD student in the theory and practice of side-channels. Each post is initially for 3 years, with flexibility for the starting date and any options to extend (depending on funds). Although a background in applied cryptography is a pre-requisite, we are interested in applicants who can demonstrate some experience with one or more of the following:

- side-channel attacks, with particular emphasis on practical aspects (e.g., acquisition and signal processing),

- use, low-level (e.g., processor architecture) understanding and reverse engineering of (e.g., ARM-based) embedded systems,

- the design and implementation of compilers (e.g., LLVM),

- hardware (e.g., FPGA) and software implementation of cryptography,

- use of HPC, experience in developing large scale (research focused) software.

Although a nominal closing date is listed below, this is a rolling advert: we will select applicants until all vacancies are filled.

Closing date for applications: 31 December 2016

Contact: Prof. Elisabeth Oswald, Elisabeth.Oswald (at) bristol.ac.uk

More information: http://www.bris.ac.uk/jobs/find/list.html?keywords=cryptography

University of Luxembourg
Job Posting
The researchers will be working under the supervision of Prof P Y A Ryan, head of the APSIA (Applied Security and Information Assurance) research group, http://wwwde.uni.lu/snt/research/apsia.

Research Associate in Information Assurance (M/F)

Ref: R-STR-5004-00-B

Fixed Term Contract 24 months (CDD), full-time (40 hrs/week), extendable to 36 months

Number of positions: 1

The research will be conducted within the VoteVerif project (Verification of Voter-Verifiable Voting Protocols), in collaboration with Polish Academy of Sciences, Warsaw, Poland. The project aims to develop novel concepts, methodologies, and tools for specification, analysis, and assessment of information security properties. The focus is on voting procedures and protocols, and in particular on their essential features like confidentiality, coercion-resistance, and voter-verifiability. The approach of the project is holistic, in the sense that we plan to develop theoretical concepts (such as strategy-based metrics of information security) not for their own sake, but in order to apply them to an important domain of social life, and come up with guidance on the conduct of elections and novel designs for secure, usable voting systems. To this end, we are going to develop algorithmic tools that help to analyze the level of security and usability. Note also that, while we focus on voting procedures in the project, the concepts and tools being developed can be also applied to other domains where information security is important.

Closing date for applications: 7 October 2016

Contact: Prof Dr Peter Y A Ryan, peter.ryan (at) uni.lu;

or Prof Dr Wojtek Jamroga: w.jamroga (at) ipipan.waw.pl

More information: http://emea3.mrted.ly/15g3f

University of Luxembourg
Job Posting
The research will be conducted within the VoteVerif project (Verification of Voter-Verifiable Voting Protocols), in collaboration with Polish Academy of Sciences, Warsaw, Poland. The project aims to develop novel concepts, methodologies, and tools for specification, analysis, and assessment of information security properties. The focus is on voting procedures and protocols, and in particular on their essential features like confidentiality, coercion-resistance, and voter-verifiability. The approach of the project is holistic, in the sense that we plan to develop theoretical concepts (such as strategy-based metrics of information security) not for their own sake, but in order to apply them to an important domain of social life, and come up with guidance on the conduct of elections and novel designs for secure, usable voting systems. To this end, we are going to develop algorithmic tools that help to analyze the level of security and usability. Note also that, while we focus on voting procedures in the project, the concepts and tools being developed can be also applied to other domains where information security is important.

Closing date for applications: 31 October 2016

Contact: Prof Dr Peter Y A Ryan, peter.ryan (at) uni.lu; or

Prof Dr Wojtek Jamroga w.jamroga (at) ipipan.waw.pl

More information: http://emea3.mrted.ly/15g2h


29 August 2016

Singapore, Singapore, 21 February - 22 February 2017
Event Calendar
Event date: 21 February to 22 February 2017
Submission deadline: 1 October 2016
Notification: 1 December 2016
University of Surrey
Job Posting
The Department of Computer Science at the University of Surrey is seeking to recruit a full-time researcher for up to three years.

The position offers the platform for the research fellow to work within a group and develop skills to become an independent researcher. The successful candidate will be expected to work closely with Dr Treharne and Professor Schneider in the development or evaluation of security and safety systems (including IoT based Systems of Systems, distributed ledger technologies, transport systems, cloud architectures and data privacy systems). There is the opportunity for the successful candidate to contribute to setting the research direction within this.

The fellowship allows for flexibility in the profile of applicants:

· Practically-minded applicants who have good programming skills, experience in working in embedded systems, trusted execution environments and platforms, networking protocols and security, cloud security architectures and privacy schemes;

· Applicants with a background in formal verification techniques and security/safety analysis.

Experience in both is preferred but in-depth knowledge of only one is expected. Additionally, an enthusiasm to learn about the other area will be required. We are looking for applicants that demonstrate strong research and analytical skills, have strong communication skills and enthusiasm for developing their own research ideas.

Applicants should have a PhD in a relevant subject or be close to finishing or equivalent professional experience.

The post is available for 36 months, with some flexibility in the start date.

Salary range: £32600 to £34576

Closing date: 13 September, 2016

Interview Date: 26 September, 2016.

Closing date for applications: 13 September 2016

Contact: Dr Helen Treharne (h.treharne (at) surrey.ac.uk) and Professor Steve Schneider (s.schneider (at) surrey.ac.uk)

More information: https://jobs.surrey.ac.uk/Vacancy.aspx?ref=032116-R

University College London (UCL)
Job Posting
Fully-funded PhD Position Available

Enabling Progress in Genomic Research via Privacy-Preserving Data Sharing

University College London (UCL)

Closing date for applications: 30 October 2016

Contact: Dr Emiliano De Cristofaro (google me)

More information: https://www.prism.ucl.ac.uk/#!/?project=196

University of Bergen, Norway
Job Posting
The Department of Informatics has a vacancy for a PhD position within cryptography. The position is for a fixed-term period of 3 years, starting in the beginning of 2017, and funded by the project “Modern Methods and Tools for Theoretical and Applied Cryptology” (CryptoWorld), awarded by the Research Council of Norway.

About the Department: The Department has 6 research groups, Algorithms, Bioinformatics, Optimization, Programming Theory, Reliable Communication and Visualization. The Department is ranked first in Norway with respect to the quality of its research by the Research Council of Norway. For more information visit our Web pages: http://www.uib.no/en/ii

About the project/work tasks:

Develop new methods of algebraic cryptanalysis and apply them to modern cryptographic primitives. Analyse how malicious software can affect the authentication in various applications. Improve the security and efficiency of cloud technologies by designing ciphers with special properties.

Closing date for applications: 1 October 2016

Contact: Professor Tor Helleseth, Tor.Helleseth (at) uib.no (Department of Informatics), (+47) 55 58 41 60 or Professor Igor Semaev, Igor.Semaev (at) uib.no (Department of Informatics), (+47) 55 58 42 79.

More information: https://www.jobbnorge.no/ledige-stillinger/stilling/128402/stipendiat-i-kryptografi


28 August 2016

Maryam Rajabzadeh Asaar, Mahmoud Salmasizadeh, Willy Susilo
ePrint Report
In vehicular ad hoc networks, message authentication using proxy vehicles was proposed to reduce the computational overhead of roadside units. In this type of message authentication scheme, proxy vehicles verifying multiple messages at the same time improve the computational efficiency of roadside units when there are a large number of vehicles in their coverage areas. In this paper, we first show that the only proxy-based authentication scheme presented for this goal, by Liu et al., is not resistant against false acceptance of batched invalid signatures and a modification attack. Next, we propose a new identity-based message authentication scheme employing proxy vehicles. Then, the unforgeability of the underlying signature is proved under the Elliptic Curve Discrete Logarithm Problem in the random oracle model, to show that it is secure against the modification attack. It should be highlighted that our proposed scheme is not only more efficient than Liu et al.'s scheme, since it is pairing-free and does not use map-to-point hash functions, but also satisfies the security and privacy requirements of vehicular ad hoc networks.
Duggirala Meher Krishna, Duggirala Ravi
ePrint Report
In this paper, algorithms for multivariate public key cryptography and digital signature are described. Plain messages and encrypted messages are arrays, consisting of elements from a fixed finite ring or field. The encryption and decryption algorithms are based on multivariate mappings. The security of the private key depends on the difficulty of solving a system of parametric simultaneous multivariate equations involving polynomial or exponential mappings. The method is a general purpose utility for most data encryption, digital certificate or digital signature applications.
Mark Bun, Yi-Hsiu Chen, Salil Vadhan
ePrint Report
Differential privacy is a mathematical definition of privacy for statistical data analysis. It guarantees that any (possibly adversarial) data analyst is unable to learn too much information that is specific to an individual. Mironov et al. (CRYPTO 2009) proposed several computational relaxations of differential privacy (CDP), which relax this guarantee to hold only against computationally bounded adversaries. Their work and subsequent work showed that CDP can yield substantial accuracy improvements in various multiparty privacy problems. However, these works left open whether such improvements are possible in the traditional client-server model of data analysis. In fact, Groce, Katz and Yerukhimovich (TCC 2011) showed that, in this setting, it is impossible to take advantage of CDP for many natural statistical tasks.

Our main result shows that, assuming the existence of sub-exponentially secure one-way functions and 2-message witness indistinguishable proofs (zaps) for NP, there is in fact a computational task in the client-server model that can be efficiently performed with CDP, but is infeasible to perform with information-theoretic differential privacy.

26 August 2016

FSE
Starting this year, FSE has moved to a new open-access journal/conference hybrid model. Submitted articles undergo a journal-style reviewing process. Accepted papers are published in Gold Open Access (free availability from day one) by the Ruhr University of Bochum in an issue of the newly established journal IACR Transactions on Symmetric Cryptology.

For more information, see the call for papers or submission server.

Second round deadline: September 1, 2016
Third round deadline: November 23, 2016
TCC
The list of papers accepted to TCC 2016-B is now available at http://tcc2016b.sklois.cn/accepted-papers.html. TCC will be held October 31 - Nov 3 in Beijing.
Eindhoven, Netherlands, 19 June - 23 June 2017
Event Calendar
Event date: 19 June to 23 June 2017
Utrecht, Netherlands, 26 June - 28 June 2017
Event Calendar
Event date: 26 June to 28 June 2017
Eindhoven, Netherlands, 22 June - 23 June 2017
Event Calendar
Event date: 22 June to 23 June 2017
Shashank Agrawal, Manoj Prabhakaran, Ching-Hua Yu
ePrint Report
We extend the simulation-based definition of Virtual Grey Box (VGB) security -- originally proposed for obfuscation (Bitansky and Canetti, 2010) -- to a broad class of cryptographic primitives. These include functional encryption, graded encoding schemes, bi-linear maps (with uber assumptions), as well as unexplored ones like homomorphic functional encryption.

Our main result is a characterization of VGB security, in all these cases, in terms of an indistinguishability-preserving notion of security, called $\Gamma^*-s-\textsf{IND}-\textsf{PRE}$ security, formulated using an extension of the recently proposed Cryptographic Agents framework (Agrawal et al., 2015). We further show that this definition is equivalent to an indistinguishability based security definition that is restricted to 'concentrated' distributions (wherein the outcome of any computation on encrypted data is essentially known ahead of the computation).

A result of Bitansky et al. (2014), who showed that VGB obfuscation is equivalent to strong indistinguishability obfuscation (SIO), is obtained by specializing our result to obfuscation. Our proof, while sharing various elements from the proof of Bitansky et al., is simpler and significantly more general, as it uses $\Gamma^*-s-\textsf{IND}-\textsf{PRE}$ security as an intermediate notion. Our characterization also shows that the semantic security for graded encoding schemes (Pass et al. 2014), is in fact an instance of this same definition.

We also present a composition theorem for $\Gamma^*-s-\textsf{IND}-\textsf{PRE}$ security. We can then recover the result of Bitansky et al. (2014) regarding the existence of VGB obfuscation for all NC1 circuits, simply by instantiating this composition theorem with a reduction from obfuscation of NC1 circuits to graded encoding schemes (Barak et al., 2014) and the assumption that there exists a $\Gamma^*-s-\textsf{IND}-\textsf{PRE}$ secure scheme for the graded encoding scheme (Pass et al. 2014).