International Association
for Cryptologic Research

This paper introduces dudect: a tool to assess whether a piece of code runs in constant time or not on a given platform. We base our approach on leakage detection techniques, resulting in a very compact, easy to use and easy to maintain tool. Our methodology fits in around 300 lines of C and runs on the target platform. The approach is substantially different from previous solutions. Contrary to others, our solution requires no modeling of hardware behavior. Our solution can be used in black-box testing, yet benefits from implementation details if available. We show the effectiveness of our approach by detecting several variable-time cryptographic implementations. We place a prototype implementation of dudect in the public domain.

Perfect encryption of quantum states using the Quantum One-Time Pad (QOTP) requires 2 classical key bits per qubit. Almost-perfect encryption, with information-theoretic security, requires only slightly more than 1. We improve the lower bound: we show that key length $n+2\log\frac1\varepsilon$ suffices to encrypt $n$ qubits in such a way that the cipherstate's $L_1$-distance from uniformity is upperbounded by~$\varepsilon$.

We show how to QOTP-encrypt classical plaintext in a nontrivial way: if a plaintext bit is encoded on the Bloch sphere as $\pm(1,1,1)/\sqrt3$ then applying the Pauli encryption operators results in eight possible cipherstates which are equally spread out on the Bloch sphere. This encoding, especially when combined with the half-keylength option of QOTP, has advantages over 4-state and 6-state encoding in applications such as Quantum Key Recycling and Unclonable Encryption. We propose a key recycling scheme based on the 8-state encoding.

We derive bounds on the distance between pseudorandom-keyed QOTP cipherstates and the fully mixed state. We present numerics up to 9 qubits.

Leakage-resilient cryptography is about security in the presence of leakage from side-channels. In this paper, we present several issues of the RCB block cipher mode. Agrawal et al \cite{AgrawalM2016} proposed recently RCB as a leakage-resilient authenticated encryption (AE) scheme. Our main result is that RCB fails to provide authenticity, even in the absence of leakage.

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and related-tweake impossible differential characteristics for different versions of SKINNY. We utilize meet-in-the-middle approach to construct 9-round and 10-round zero-correlation linear distinguisher. We also obtain 12-round related-tweakey impossible differential characteristics for both SKINNY-64 and 128 in TK1 model and TK2 model. To the best of our knowledge, the presented zero-correlation characteristics in this paper is the first investigation of the security of SKINNY against this attack.

This work is the extended version of [1] which proposed the first code-based group sig- nature. The new group signature scheme we present here has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to add new members during the lifetime of the group (dynamic). Plus, it appears that our scheme might be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [2] (KTY model) while handling membership revo- cation. Our security is based on a relaxation of the model of Bellare, Shi and Zhang [3] (BSZ model) verifying the properties of anonymity, traceability and non-frameability. The main idea of our scheme consists in building an offset collision of two syndromes associated to two dif- ferent matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome to which a fixed syndrome is added. These two small weight vectors will constitute the group member’s secret signing key whose knowledge will be proved thanks to a variation of Stern’s authentication protocol. For appli- cations, we consider the case of the code-based CFS signature scheme [4] of Courtois, Finiasz and Sendrier. If one denotes by N the number of group members, CFS leads to signatures and public keys sizes in $N^{1/\sqrt{\log N}}$. Along with this work, we also introduce a new kind of proof of knowledge, Testable weak Zero Knowledge (TwZK), implicitly covered in the short version of this paper [1]. TwZK proofs appear particularly well fitted in the context of group signature schemes: it allows a verifier to test whether a specific witness is used without learning anything more from the proof. Under the Random Oracle Model (ROM), we ensure the security of our scheme by defining the One More Syndrome Decoding problem, a new code-based problem related to the Syndrome Decoding problem [5].

Linear layer is a fundamental primitive for computer science, electronic engineering, and telecommunication. The performance of a linear layer depends on two aspects: diffusion ability and implementation cost, where the latter is usually measured by the number of XORs needed to implement it. For many years, linear layers have been implemented by computing co-ordinates of the output independently. With this method, costs are determined only by the matrices representing linear layers. However, we note that the implementation cost of a given linear layer depends not only on its matrix but also on the ways with which we implement it. So, in this paper, we focus on another implementation method: modifying input vectors to output step by step (MIOSS). This method uses fewer XORs than previous methods do and needs no extra temporary register. Besides, this method makes the implementation cost of a linear layer same as that of its inverse. With the new implementation method, we first clarify the measurement of implementation cost and the optimal implementation procedure of linear layers. Here, ``optimal'' means using fewest XORs. Then, to find the optimal implementation procedure of a given linear layer, we construct a graph-theoretical model and transfer the problem to the shortest path problem in graph theory. Although there has been several algorithms for the shortest path problem, they do not perform best for the graph that we construct in this paper because of its regularity. Therefore, we adopt a new ``double-direction'' algorithm that uses less storage and makes the search for a shortest path more efficient in a regular graph. Unfortunately, this algorithm is not practical for large size linear layers because of its high space/time complexity. So, we finally construct another algorithm for finding efficient implementations of linear layers. An important advantage of this last algorithm is its extremely low complexity. We conduct it to the linear layer of AES and get very efficient implementations.

While the smart grid has the potential to have a positive impact on the sustainability and efficiency of the electricity market, it also poses some serious challenges with respect to the privacy of the consumer. One of the traditional use-cases of this privacy sensitive data is the usage for forecast prediction. The well-studied approaches to alleviate the privacy concerns for smart billing do not apply to this more complicated and computationally intensive setting.

In this paper we show how to compute the forecast prediction such that the supplier does not learn any individual consumer usage information. This is achieved by using the Fan-Vercauteren somewhat homomorphic encryption scheme. Typical prediction algorithms are based on artificial neural networks that require the computation of an activation function which is complicated to compute homomorphically. Instead of ignoring this requirement, as was done in previous work, we investigate a different approach and show that Ivakhnenko's group method of data handling is suitable for homomorphic computation.

Our results show this approach is practical: prediction for a small apartment complex of 10 households can be computed homomorphically in less than four seconds using a parallel implementation or in 90 seconds using a sequential implementation. Expressed in terms of the mean average percentage error (MAPE), the prediction accuracy is about 21%.

Estimating entropy of randomness sources is a task of crit- ical importance in the context of true random number generators, as feeding cryptographic applications with insufficient entropy is a serious real-world security risk. The challenge is to maximize accuracy and con- fidence under certain data models and resources constants. In this paper we analyze the performance of a simple collision-counting estimator, under the assumption that source outputs are independent but their distribution can change due to adversarial influences. For n samples and confidence 1 −  we achieve the following features (a) Efficiency: reads the stream in one-pass and uses constant memory (forward-only mode) (b) Accuracy: estimates the amount of extractable bits with a relative 1 error O(n − 2 log(1/)), when the source outputs are i.i.d. (c) Robustness: keeps the same error when the source outputs are inde- 1 pendent but the distribution changes up to t = O(n^0.5) times during runtime We demonstrate that the estimator is accurate enough to adjust post- processing components dynamically, estimating entropy on the fly in- stead investigating it off-line. Our work thus continues the line of re- search on “testable random number generators” originated by Bucii and Luzzi at CHES’05.

Event date: 15 January to 17 January 2017

The CISPA-Stanford Center for Cybersecurity is inviting applications for its

Postdoctoral & Faculty Positions (m/f) in Cybersecurity within a unique Elite Research Career Program.

The CISPA-Stanford Center for Cybersecurity was established as a joint program by CISPA - the Center for IT-Security, Privacy and Accountability at Saarland University - and Stanford University in 2016 and is supported by the German Federal Ministry of Education and Research (BMBF).

The Elite Research Career Program intends to offer the very best postdoctoral cybersecurity researchers a unique career path at two of the leading cybersecurity institutes in the world. The program consists of three consecutive phases:

• a preparatory 1-2-year postdoctoral phase (Phase P) at CISPA, followed by

• a 2-year appointment at Stanford University (Phase I) as a visiting assistant professor, followed by

• a 3-year position at CISPA as a junior research group leader (Phase II).

Applicants to the program must have completed an outstanding PhD and demonstrated their potential to become future leaders in their field of research.

Applicants should submit their CV, copies of their school and university reports, a list of publications highlighting their five most relevant ones, names of 3-5 references, a brief description of their previous research, and a research proposal outlining their research vision. Please send them as a single PDF file to: application (at) cispa-stanford.org.

Application deadline: January 30, 2017.

The CISPA-Stanford Center for Cybersecurity is an equal opportunity employer and women are encouraged to apply. Applications of severely disabled candidates with equivalent qualifications will be given priority. We intend to arrange future rounds of application periodically.

Closing date for applications: 30 January 2017

Contact: Prof. Dr. Michael Backes

Saarland University

Center for IT-Security, Privacy and Accountability

Campus E 9 1, 66123 Saarbrücken, Germany

Email: application (at) cispa-stanford.org

More information: https://www.cispa-stanford.org/application.html

We seek to recruit candidates for the post of Lecturer, or Senior Lecturer, or Reader, or Professor in Secure Information Technologies to commence 2017. We are seeking candidates that can demonstrate an excellent track record of achievements and significant potential for future academic leadership in any of the following areas: hardware and embedded systems security, post-quantum cryptography, multi-factor authentication technologies, cloud and virtualised datacentre security, software defined network security, IoT security and secure industrial control systems - including SCADA, Smart Grid and automotive systems. Candidates should also demonstrate ability to inspire students and facilitate motivational learning within core undergraduate and specialist postgraduate curricula.

The post holder will be a member of the Centre for Secure Information Technologies (CSIT). CSIT is a UK Innovation and Knowledge Centre (IKC) established in 2009 with initial 5 year funding of £30M from EPSRC/Innovate UK, industry, Invest NI and QUB. CSIT has a proven track record of success and in 2015 was awarded a further 5 years of funding from EPSRC/InnovateUK and £9M from Queen’s to build on its achievements to date as part of a package potentially worth over £38M. CSIT focuses on the electronic security of Smart Cities and the Internet of Things. In 2012 it was recognised by GCHQ and EPSRC as an Academic Centre of Excellence in Cyber Security Research and in 2015 CSIT was awarded a Queen’s Anniversary Prize for Higher and Further Education. This is a biennial award scheme within the UK’s national honours system and is UK’s most prestigious form of national recognition open to a UK academic or vocational institution. Over 20 industrial partners, large global companies as well as SMEs, have committed to supporting the centre through the provision of funding and market intelligence. CSIT has also established strong relationships with similar international centres in cyber security.

Closing date for applications: 12 December 2016

Contact: Professor Dimitrios Nikolopoulos, Head of School, email: eeecs-hos (at) qub.ac.uk

More information: http://www.qub.ac.uk/sites/QUBJobVacancies/

Event date: 7 April 2017
Submission deadline: 9 December 2016
Notification: 19 January 2017

Event date: 10 April to 27 October 2017
Submission deadline: 10 April 2017
Notification: 4 August 2017

The Physical Analysis and Cryptographic Engineering (PACE), Temasek Laboratories (TL) @ Nanyang Technological University, Singapore is seeking one motivated researcher, in the area of hardware security.

Candidates should ideally have already completed, or be close to completing a PhD degree in mathematics, computer science, electrical engineering, or related disciplines, with strong track record in R&D (publications in international journals and conferences). Master degree with relevant research experience can be considered.

You will be joining a dynamic group performing research on embedded security, specific to physical attacks. This position is available from February 2017. The initial contract will be one year. There are strong possibilities for extensions upon successful performance. TL offers competitive salary package plus other benefits.

Review of applications will start immediately until position is filled.

Interested candidates should send their detailed CVs, cover letter and references

Closing date for applications: 30 April 2017

Contact: Shivam Bhasin, Co-Principle Investigator: sbhasin (at) ntu.edu.sg

We are offering two postdoc positions in the area of cryptography in the Cryptography and Data Security Group at the Department of Mathematics, Informatics and Mechanics at University of Warsaw. The position is supported by a grant \"Cryptographic Defence Against Malicious Hardware Manufacturers\".

The goal of this project is to design methods for preventing attacks by malicious hardware manufacturers. Such attacks are possible because manufacturing of integrated circuits is frequently outsourced to external companies. Due to the complexity of these devices it is practically impossible to inspect them in order to check that they were manufactured correctly. Hence, a malicious manufacturer can alter the device\'s design, by introducing the so-called \"hardware Trojan horses\". Such devices can later cause significant damage to their users by malfunctioning, or leaking users\' secrets to the adversary. This is very worrying, especially given a tremendous dependence of modern society on the electronic devices. Another threat associated with the third-party manufacturing is the intellectual property theft and piracy, as the manufacturer gets full access to the device\'s specification. In this project we address these problems by applying state-of-the-art cryptographic techniques.

Profile:

All candidates with a PhD degree and a publication record in cryptography or data security are encouraged to apply and will be carefully considered.

We offer excellent networking and training opportunities, including participation in international workshops and conferences.

The salary will depend on qualifications and will be in the range of approximately PLN 7000 - 8,500 (net/month).

Successful candidates can start from January 2017. Funding is available for 3 years.

There is no official deadline for this call. We will start looking at the applications from Dec 15, 2016.

Closing date for applications: 15 December 2016

Contact: Stefan Dziembowski

stefan.dziembowski (at) crypto.edu.pl

More information: http://www.crypto.edu.pl/positions/postdoc

The Department of Computer Science at Stevens Institute of Technology invites applications for four tenure-track positions at the rank of Assistant Professor to begin in Fall 2017.

We are particularly interested in applicants whose research focuses on system aspects in areas of Computer Science that include but are not limited to:

Machine learning and AI,

Formal software verification,

Security for systems including operating systems, networking and data management,

Pervasive computing and HCI.

We are also interested in applicants whose research complements existing strengths in the department, to support collaborative research efforts in topics such as data science, mobile health, computer vision, programming languages and cybersecurity. However, exceptional candidates and in all areas of Computer Science will be considered.

Closing date for applications: 31 March 2017

More information: https://academicjobsonline.org/ajo/Stevens/CS

SKINNY is a new lightweight tweakable block cipher family proposed by Beierle $et$ $al$. in CRYPTO 2016. SKINNY-$n$-$t$ is a block cipher with $n$-bit state and $t$-bit tweakey (key and tweak). It is designed to compete with the recent NSA SIMON block cipher. In this paper, we present impossible differential attacks against all the 6 variants of SKINNY, namely, SKINNY-$n$-$n$, SKINNY-$n$-2$n$ and SKINNY-$n$-3$n$ ($n=64$ or $n=128$) in the single-tweakey model. More precisely, we present impossible differential attacks against 18, 20 and 22 rounds of SKINNY-$n$-$n$, SKINNY-$n$-2$n$ and SKINNY-$n$-3$n$ ($n=64$ or $n=128$), respectively. These attacks are based on the same 11-round impossible differential distinguisher. To the best of our knowledge, these are the best attacks against these 6 variants of the cipher in the single-tweakey model.

We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.

In this paper, we consider a special type of secret sharing scheme known as Visual Cryptographic Scheme (VCS) in which the secret reconstruction is done visually without any mathematical computation unlike other secret sharing schemes. We put forward an efficient direct construction of a visual cryptographic scheme for compartmented access structure which generalizes the access structure for threshold as well as for threshold with certain essential participants. Up to the best of our knowledge, the scheme is the first proposed scheme for compartmented access structure in the literature of visual cryptography. Finding the closed form of relative contrast of a scheme is, in general, a combinatorially hard problem. We come up with a closed form of both pixel expansion as well as relative contrast. Numerical evidence shows that our scheme performs better in terms of both relative contrast as well as pixel expansion than the cumulative array based construction obtained as a particular case of general access structure.

A good linear diffusion layer is a prerequisite in the design of block ciphers. Usually it is obtained by combining matrices with optimal diffusion property over the Sbox alphabet. These matrices are constructed either directly using some algebraic properties or by enumerating a search space, testing the optimal diffusion property for every element. For implementation purposes, two types of structures are considered: Structures where all the rows derive from the first row and recursive structures built from powers of companion matrices. In this paper, we propose a direct construction for new recursive-like MDS matrices. We show they are quasi-involutory in the sense that the matrix-vector product with the matrix or with its inverse can be implemented by clocking a same LFSR-like architecture.