International Association
for Cryptologic Research

We investigate the effect of inserting extra linearity in the Data Encryption Standard (DES) through appropriate singular linear encodings of the output of the individual S-boxes. More specifically, we examine the general situation when the output of each S-box of the DES is precoded separately into a properly constructed copy of the inherent even-weight code of length 4. The study is focused on finding multi-round linear characteristics for thus modified DES ciphers having maximal effectiveness. It turns out, depending on the particular encodings, that the effectiveness of interest may be larger but in most cases is smaller than that one for the original DES with the same number of rounds. The latter means that the complexity of successful linear cryptanalysis against these ciphers will mainly increase comparing to the DES itself. The present research extends in a natural way our previous work [Linear Cryptanalysis and Modified DES with Parity Check in the S-boxes, LNCS 9540 (2016), pp. 60 – 78].

Lightweight stream ciphers have received serious attention in the last few years. The present design paradigm considers very small state (less than twice the key size) and use of the secret key bits during pseudo-random stream generation. One such effort, Sprout, had been proposed two years back and it was broken almost immediately. After carefully studying these attacks, a modified version named Plantlet has been designed very recently. While the designers of Plantlet do not provide any analysis on fault attack, we note that Plantlet is even weaker than Sprout in terms of Differential Fault Attack (DFA). Our investigation, following the similar ideas as in the analysis against Sprout, shows that we require only around 4 faults to break Plantlet by DFA in a few hours time. While fault attack is indeed difficult to implement and our result does not provide any weakness of the cipher in normal mode, we believe that these initial results will be useful for further understanding of Plantlet.

In FSE 2015, Armknetcht et al. proposed a new technique to design stream cipher. This technique involves repeated use of keybits in each round of keystream bit generation. This idea showed the possibility to design stream ciphers where internal state size is significantly lower than twice the key size. They proposed a new cipher based on this idea, named Sprout. But soon Sprout was proved to be insecure. In Crypto 2015, Lallemand et al. proposed an attack on Sprout, which was $2^{10}$ times faster than the exhaustive search. But the new idea used in Sprout showed a new direction in the design of stream cipher, which led to the proposal of several new ciphers with small size of internal state.

Fruit is another cipher in this direction proposed recently where both the key size and state size are 80. So far, there is no attack against this cipher. In this paper, we attack full round Fruit by a divide-and-conquer method. We use several types of sieving to reduce the possible candidates for an internal state. Our attack is equivalent to $2^{74.95}$ many Fruit encryption, which is around $16.95$ times faster than average exhaustive key search. This is the first proposed attack against Fruit.

We introduce the notion of homomorphic proxy re-authenticators, a tool that adds security and verifiability guarantees to multi-user data aggregation scenarios. It allows distinct sources to authenticate their data under their own keys, and a proxy can transform these single signatures or message authentication codes (MACs) to a MAC under a receiver's key without having access to it. In addition, the proxy can evaluate arithmetic circuits (functions) on the inputs so that the resulting MAC corresponds to the evaluation of the respective function. As the messages authenticated by the sources may represent sensitive information, we also consider hiding them from the proxy and other parties in the system, except from the receiver.

We provide a general model and two modular constructions of our novel primitive, supporting the class of linear functions. On our way, we establish various novel building blocks. Most interestingly, we formally define the notion and present a construction of homomorphic proxy re-encryption, which may be of independent interest. The latter allows users to encrypt messages under their own public keys, and a proxy can re-encrypt them to a receiver's public key (without knowing any secret key), while also being able to evaluate functions on the ciphertexts. The resulting re-encrypted ciphertext then holds an evaluation of the function on the input messages.

A Bit-Mixer is a function of fixed size input and output, which computes uncorrelated output from correlated input values, and its behavior is altered by parameters, called keys. Several bit-mixer constructions have been published with very fast, power efficient implementations in electronic hardware, having very little side channel leakage. In this paper a dozen cryptographic applications are discussed, in most of which the output of the employed bit-mixers are hidden from an adversary. In these cases bit-mixers don’t have to satisfy strict cryptographic requirements, but the security of the applications is improved by reducing exploitable correlations among intermediate values, and by diminishing side channel leakage of electronic implementations

A new concept, the Bit-Mixer is introduced. It is a function of fixed, possibly different size of input and output, which computes statistically uncorrelated output from correlated input values, and its behavior is altered by parameters, called keys. Several constructions are presented, with very fast, power efficient implementations in electronic hardware, having very little side channel leakage. In information security bit-mixers have many applications, mostly when their output is hidden from an adversary. They include key generators, parallel stream ciphers, hash functions, data dependent authentication codes, and many more

Event date: 11 May to 12 May 2017
Submission deadline: 3 April 2017
Notification: 10 April 2017

Event date: 22 March to 23 March 2017

Event date: 22 March to 23 March 2017

Event date: 11 September to 15 September 2017
Submission deadline: 9 April 2017
Notification: 16 June 2017

The Cyber Security (CSec) research group and the Centre for Parallel Computing (CPC) at the University of Westminster are looking for one Research Associate in Cloud Security to carry out research within the EU funded H2020 COLA (Cloud Orchestration at the Level of Application) project. COLA will define and provide a reference implementation of a generic and pluggable framework that supports the optimal and secure deployment and run-time orchestration of cloud applications. The successful candidate will carry out tasks in relation to the design and development of novel secure and privacy-preserving cloud orchestration solutions, specifically targeting and supporting application developers. In addition to that, the successful candidate will be also expected to contribute in writing project deliverables and research papers related to the project.

We expect candidates to have a strong research background in network security and/or applied cryptography. Proven research in areas such as trusted computing, cloud security, safety verification, security verification, data privacy, cyber-physical and internet of things security and cloud or mobile security will be considered as a plus.

The primary objective of the Cyber Security Research Group at the University of Westminster is to bring together expertise in education, research and practice in the field of information security and privacy. The group members conduct research in areas spanning from the theoretical foundations of cryptography to the design and implementation of leading edge efficient and secure communication protocols. To this end, we welcome applications from candidates whose research areas complement the existing research of the group.

• Job reference number: 50046999
• Salary: £33,387 to £38,489 per annum
• Contract: Fixed Term until June 2019
• Closing date: 10th March 2017
• Interviews are likely to be held on: 22nd March 2017

Closing date for applications: 10 March 2017

Contact: For an informal discussion contact Dr Antonis Michalas (a.michalas (at) westminster.ac.uk) or Dr Tamas Kiss (T.Kiss (at) westminster.ac.uk).

More information: https://tinyurl.com/hdawr6e

This position in the Laboratories’ Security Group as a research scientist / senior researcher involves research and development in the area of Blockchain security and privacy. Our work ranges from foundational research and IPR creation to prototype development for transfer to NEC products and services. We are looking for individuals with a passion to develop and transform innovative blockchain ideas into working prototypes.

NEC Laboratories in Heidelberg (Germany) provides an excellent working environment supporting individual creativity as well as strong teamwork. English is the working language in the Laboratories. This position is (initially) limited to two years.

Applicants are sought with experiences /skills in these areas:

- Strong experience in blockchain security, system security, and applied cryptography.

- Strong experience with distributed systems and consensus protocols.

- Experience in software development including proven experience with programming languages, such as Golang, Java, or C/C++.

Candidates with a fresh Ph.D. in Security, Computer Science or a closely related field, and with an excellent publication track record are preferred

Closing date for applications: 1 April 2017

Contact: - Dr. Ghassan Karame, Manager & Chief of Security group at NEC Labs Europe. Email: ghassan.karame (at) neclab.eu

- Amardeo Sarma, General Manager at NEC Labs Europe. Email: amardeo.sarma (at) neclab.eu

More information: http://www.neclab.eu/jobs/openings/staff/NEC-NLE-1701-223-SEC-1-Blockchain_Researcher.pdf

Shor’s algorithm factors an integer N in two steps. The quantum step computes the order of an element (a mod N) where (a) is relatively prime to N. The classical step uses this order to factor N. Descriptions of the classical step require the order, s, to be even and that (a) raised to the (s/2) power is not (-1 mod N). If these requirements fail, the quantum step is repeated. This paper describes how each prime divisor of the order s, not just 2, can be used to factor N.

We investigate security of key exchange protocols supporting so-called zero round-trip time (0-RTT), enabling a client to establish a fresh provisional key without interaction, based only on cryptographic material obtained in previous connections. This key can then be already used to protect early application data, transmitted to the server before both parties interact further to switch to fully secure keys. Two recent prominent examples supporting such 0-RTT modes are Google's QUIC protocol and the latest drafts for the upcoming TLS version 1.3.

We are especially interested in the question how replay attacks, enabled through the lack of contribution from the server, affect security in the 0-RTT case. Whereas the first proposal of QUIC uses state on the server side to thwart such attacks, the latest version of QUIC and TLS 1.3 rather accept them as inevitable. We analyze what this means for the key secrecy of both the preshared-key-based 0-RTT handshake in draft-14 of TLS 1.3 as well as the Diffie-Hellman-based 0-RTT handshake in TLS 1.3 draft-12. As part of this we extend previous security models to capture such cases, also shedding light on the limitations and options for 0-RTT security under replay attacks.

Recently, Mu\c{s}, Kiraz, Cenk and Sertkaya proposed an improvement over the present Estonian Internet voting vote verification scheme. This paper points to the weaknesses and questionable design choices of the new scheme. We show that the scheme does not fix the vote privacy issue it claims to. It also introduces a way for a malicious voting application to manipulate the vote without being detected by the verification mechanism, hence breaking the cast-as-intended property. In addition, the proposal would seriously harm usability of the Estonian vote verification scheme.

Private-key functional encryption enables fine-grained access to symmetrically-encrypted data. Although private-key functional encryption (supporting an unbounded number of keys and ciphertexts) seems significantly weaker than its public-key variant, its known realizations all rely on public-key functional encryption. At the same time, however, up until recently it was not known to imply any public-key primitive, demonstrating our poor understanding of this extremely-useful primitive.

Recently, Bitansky et al. [TCC '16B] showed that sub-exponentially-secure private-key function encryption bridges from nearly-exponential security in Minicrypt to slightly super-polynomial security in Cryptomania, and from sub-exponential security in Cryptomania to Obfustopia. Specifically, given any sub-exponentially-secure private-key functional encryption scheme and a nearly-exponentially-secure one-way function, they constructed a public-key encryption scheme with slightly super-polynomial security. Assuming, in addition, a sub-exponentially-secure public-key encryption scheme, they then constructed an indistinguishability obfuscator.

We settle the problem of positioning private-key functional encryption within the hierarchy of cryptographic primitives by placing it in Obfustopia. First, given any quasi-polynomially-secure private-key functional encryption scheme, we construct an indistinguishability obfuscator for circuits with inputs of poly-logarithmic length. Then, we observe that such an obfuscator can be used to instantiate many natural applications of indistinguishability obfuscation. Specifically, relying on sub-exponentially-secure one-way functions, we show that quasi-polynomially-secure private-key functional encryption implies not just public-key encryption but leads all the way to public-key functional encryption for circuits with inputs of poly-logarithmic length. Moreover, relying on sub-exponentially-secure injective one-way functions, we show that quasi-polynomially-secure private-key functional encryption implies a hard-on-average distribution over instances of a PPAD-complete problem.

Underlying our constructions is a new transformation from single-input functional encryption to multi-input functional encryption in the private-key setting. The previously known such transformation [Brakerski et al., EUROCRYPT '16] required a sub-exponentially-secure single-input scheme, and obtained a scheme supporting only a slightly super-constant number of inputs. Our transformation both relaxes the underlying assumption and supports more inputs: Given any quasi-polynomially-secure single-input scheme, we obtain a scheme supporting a poly-logarithmic number of inputs.

Bootstrapping in fully homomorphic encryption (FHE) over the integers is a homomorphic evaluation of the squashed decryption function suggested by van Dijk et al. The typical approach for the bootstrapping is representing the decryption function as a binary circuit with a fixed message space. All bootstrapping methods in FHEs over the integers use this approach; however, these methods require too many homomorphic multiplications, slowing down the whole procedure. In this paper, we propose an efficient bootstrapping method using various message spaces. Our bootstrapping method requires only $O(\log^{2}\lambda)$ number of homomorphic multiplications, which is significantly lower than $\tilde{O}(\lambda^{4})$ of the previous methods. We implement our bootstrapping method on the scale-invariant FHE over the integers; the CLT scheme introduced by Coron, Lepoint and Tibouchi. It takes 6 seconds for a 500-bit message space and a 72-bit security in PC. This is the fastest result among the bootstrapping methods on FHEs over the integers. We also apply our bootstrapping method to evaluate an AES-128 circuit homomorphically. As a result, it takes about 8 seconds per 128-bit block and is faster than the previous result of homomorphic evaluation of AES circuit using FHEs over the integers without bootstrapping.

We propose new algorithms with \emph{small memory consumption} for the Learning Parity with Noise (LPN) problem, both classically and quantumly. Our goal is to predict the hardness of LPN depending on both parameters, its dimension $k$ and its noise rate $\tau$, as accurately as possible both in theory and practice. Therefore, we analyze our algorithms asymptotically, run experiments on medium size parameters and provide bit complexity predictions for large parameters.

Our new algorithms are modifications and extensions of the simple Gaussian elimination algorithm with recent advanced techniques for decoding random linear codes. Moreover, we enhance our algorithms by the dimension reduction technique from Blum, Kalai, Wasserman. This results in a hybrid algorithm that is capable for achieving the best currently known run time for any fixed amount of memory.

On the asymptotic side, we achieve significant improvements for the run time exponents, both classically and quantumly. To the best of our knowledge, we provide the first quantum algorithms for LPN.

Due to the small memory consumption of our algorithms, we are able to solve for the first time LPN instances of medium size, e.g. with $k=243, \tau = \frac 1 8$ in only 15 days on 64 threads.

Our algorithms result in bit complexity prediction that require relatively large $k$ for small $\tau$. For instance for small noise LPN with $\tau= \frac 1 {\sqrt k}$, we predict $80$-bit classical and only $64$-bit quantum security for $k~\geq~2048$. For the common cryptographic choice $k=512, \tau = \frac 1 8$, we achieve with limited memory classically $97$-bit and quantumly $70$-bit security.

In this paper we generalize the quantum algorithm for computing short discrete logarithms previously introduced by Ekerå so as to allow for various tradeoffs between the number of times that the algorithm need be executed on the one hand, and the complexity of the algorithm and the requirements it imposes on the quantum computer on the other hand.

Furthermore, we describe applications of algorithms for computing short discrete logarithms. In particular, we show how other important problems such as those of factoring RSA integers and of finding the order of groups under side information may be recast as short discrete logarithm problems. This immediately gives rise to an algorithm for factoring RSA integers that is less complex than Shor’s general factoring algorithm in the sense that it imposes smaller requirements on the quantum computer.

In both our algorithm and Shor’s algorithm, the main hurdle is to compute a modular exponentiation in superposition. When factoring an n bit integer, the exponent is of length 2n bits in Shor’s algorithm, compared to slightly more than n/2 bits in our algorithm.

LS-Designs are a family of SPN-based block ciphers whose linear layer is based on the so-called interleaved construction. They will be dedicated to low-end devices with high performance and low-resource constraints, objects which need to be resistant to physical attacks. In this paper we describe a complete Differential Fault Analysis against LS-Designs and also on other families of SPN-based block ciphers. First we explain how fault attacks can be used against their implementations depending on fault models. Then, we validate the DFA in a practical example on a hardware implementation of SCREAM running on an FPGA. The faults have been injected using electromagnetic pulses during the execution of SCREAM and the faulty ciphertexts have been used to recover the key’s bits. Finally, we discuss some countermeasures that could be used to thwart such attacks.