International Association
for Cryptologic Research

Modular design via a tweakable blockcipher (TBC) offers efficient authenticated encryption (AE) schemes (with associated data) that call a blockcipher once for each data block (of associated data or a plaintext). However, the existing efficient blockcipher-based TBCs are secure up to the birthday bound, where the underlying keyed blockcipher is a secure strong pseudorandom permutation. Existing blockcipher-based AE schemes with beyond-birthday-bound (BBB) security are not efficient, that is, a blockcipher is called twice or more for each data block.

In this paper, we present a TBC, XKX, that offers efficient blockcipher-based AE schemes with BBB security, by combining with efficient TBC-based AE schemes such as $\Theta$CB and $\mathbb{OTR}$. XKX is a combination of two TBCs, Minematsu's TBC and Liskov et al.'s TBC. In the XKX-based AE schemes, a nonce and a counter are taken as tweak; a nonce-dependent blockcipher's key is generated by using a pseudo-random function $F$ (from Minematsu); a counter is inputted to an almost xor universal hash function, and the hash value is xor-ed with the input and output blocks of a blockcipher with the nonce-dependent key (from Liskov et al.). For each query to the AE scheme, after the nonce-dependent key is generated, it can be reused, thereby a blockcipher is called once for each data block. We prove that the security bounds of the XKX-based AE schemes become roughly $\ell^2 q/2^n$, where $q$ is the number of queries to the AE scheme, $n$ is the blockcipher size, and $\ell$ is the number of blockcipher calls in one AE evaluation. Regarding the function $F$, we present two blockcipher-based instantiations, the concatenation of blockcipher calls, $F^{(1)}$, and the xor of blockcipher calls, $F^{(2)}$, where $F^{(i)}$ calls a blockcipher $i+1$ times. By the PRF/PRP switch, the security bounds of the XKX-based AE schemes with $F^{(1)}$ become roughly $\ell^2 q/2^n + q^2/2^n$, thus if $\ell \ll 2^{n/2}$ and $q \ll 2^{n/2}$, these achieve BBB security. By the xor construction, the security bounds of the XKX-based AE schemes with $F^{(2)}$ become roughly $\ell^2 q/2^n + q/2^n$, thus if $\ell \ll 2^{n/2}$, these achieve BBB security.

Real world physical shopping offers customers the privilege of maintaining their privacy by giving them the option of using cash, and thus providing no personal information such as their names and home addresses. On the contrary, electronic shopping mandates the use of all sorts of personally identifiable information for both billing and shipping purposes. Cryptocurrencies such as Bitcoin have created a stimulated growth in private billing by enabling pseudonymous payments. However, the anonymous delivery of the purchased physical goods is still an open research problem.

In this work, we present a blockchain-based physical delivery system called Lelantos that within a realistic threat model, offers customer anonymity, fair exchange and merchant-customer unlinkability. Our system is inspired by the onion routing techniques which are used to achieve anonymous message delivery. Additionally, Lelantos relies on the decentralization and pseudonymity of the blockchain to enable pseudonymity that is hard to compromise, and the distributed consensus mechanisms provided by smart contracts to enforce fair irrefutable transactions between distrustful contractual parties.

We study the problem of secure two-party computation in the presence of a trusted setup. If there is an unconditionally UC-secure protocol for $f$ that makes use of calls to an ideal $g$, then we say that $f$ reduces to $g$ (and write $f \sqsubseteq g$). Some $g$ are complete in the sense that all functions reduce to $g$. However, almost nothing is known about the power of an incomplete $g$ in this setting. We shed light on this gap by showing a characterization of $f \sqsubseteq g$ for incomplete $g$.

Very roughly speaking, we show that $f$ reduces to $g$ if and only if it does so by the simplest possible protocol: one that makes a single call to ideal $g$ and uses no further communication. Furthermore, such simple protocols can be characterized by a natural combinatorial condition on $f$ and $g$.

Looking more closely, our characterization applies only to a very wide class of $f$, and only for protocols that are deterministic or logarithmic-round. However, we give concrete examples showing that both of these limitations are inherent to the characterization itself. Functions not covered by our characterization exhibit qualitatively different properties. Likewise, randomized, superlogarithmic-round protocols are qualitatively more powerful than deterministic or logarithmic-round ones.

Many lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant. Generally, there is not much theory on how to choose appropriate constants. In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and Mantis7 are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the S-box layer. We also explain how to construct optimal round constants for a given, but arbitrary, linear layer.

In this paper, we initiate the study of leakage-resilient tweakable encryption schemes in the relative key-leakage model, where the adversary can obtain (arbitrary) partial information about the secret key. We also focus on the minimal and generic assumptions needed to construct such a primitive. Interestingly, we show provably secure constructions of leakage-resilient (LR) tweakable encryption based on the sole assumption that one-way functions (OWF) exist via some interesting intermediate generic connections. A central tool used in our construction of LR-tweakable encryption is the notion of Symmetric-key tweakable weak hash proof system, which we introduce. This can be seen as a generalization of the Symmetric-key weak hash proof framework of Hazay et. al (Eurocrypt'13). Along the way, we also introduce a new primitive called tweakable weak pseudo-random functions (t-wPRF) and show how to generically construct it from weak-PRF. We then construct LR-version of t-wPRF and use it to construct LR-tweakable encryption.

Singapore University of Technology and Design (SUTD) is a young university established in collaboration with MIT. Cyber security is one of its most important areas and grows very fast with rich research funding. SUTD is the proud host of world-class testbeds in cyber-physical systems (CPS) including testbeds for Secure Water Treatment (SWaT), Water Distribution (WADI), Electric Power and Intelligent Control (EPIC), and IoT.

I am looking for PhD interns on cyber-physical system security (IoT, autonomous vehicle, power grid, and water treatment etc.), especially on the topics such as 1) Lightweight and low-latency crypto algorithms for CPS devices, 2) Resilient authentication of devices and data in CPS, 3) Advanced SCADA firewall to filter more sophisticated attacking packets in CPS, 4) Big data based threat analytics for detection of both known and unknown threats, 5) Attack mitigation to increase the resilience of CPS. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Closing date for applications: 30 June 2017

Contact: jianying_zhou (at) sutd.edu.sg

More information: http://jianying.space/

Understanding how hash functions can be used in a sound manner within cryptographic protocols, as well as how they can be constructed in a sound manner from compression functions, are two important problems in cryptography with a long history. Two approaches towards solving the first problem are the random oracle model (ROM) methodology and the UCE framework, and an approach to solving the second problem is the indifferentiability framework.

This paper revisits the two problems and the above approaches and makes three contributions. First, indifferentiability, which comes with a composition theorem, is generalized to context-restricted indifferentiability (CRI) to capture settings that compose only in a restricted context. Second, we introduce a new composable notion based on CRI, called RO-CRI, to capture the security of hash functions. We then prove that a non-interactive version of RO-CRI is equivalent to the UCE framework, and therefore RO-CRI leads to natural interactive generalizations of existing UCE families. Two generalizations of split UCE-security, called strong-split CRI-security and repeated-split CRI-security, are introduced. Third, new, more fine-grained soundness properties for hash function constructions are proposed which go beyond collision-resistance and indifferentiability guarantees. As a concrete result, a new soundness property of the Merkle-Damgard construction is shown: If the compression function is strong-split CRI-secure, then the overall hash function is split secure. The proof makes use of a new lemma on min-entropy splitting which may be of independent interest.

To ensure uninterrupted cryptographic security, it is important to begin planning the transition to post-quantum cryptography. In addition to creating post-quantum primitives, we must also plan how to adapt the cryptographic infrastructure for the transition, especially in scenarios such as public key infrastructures (PKIs) with many participants. The use of hybrids — multiple algorithms in parallel — will likely play a role during the transition for two reasons: “hedging our bets” when the security of newer primitives is not yet certain but the security of older primitives is already in question; and to achieve security and functionality both in post-quantum-aware and in a backwards-compatible way with not-yet-upgraded software.

In this paper, we investigate the use of hybrid digital signature schemes. We consider several methods for combining signature schemes, and give conditions on when the resulting hybrid signature scheme is unforgeable. Additionally we address a new notion about the inability of an adversary to separate a hybrid signature into its components. For both unforgeability and non-separability, we give a novel security hierarchy based on how quantum the attack is. We then turn to three real-world standards involving digital signatures and PKI: certificates (X.509), secure channels (TLS), and email (S/MIME). We identify possible approaches to supporting hybrid signatures in these standards while retaining backwards compatibility, which we test in popular cryptographic libraries and implementations, noting specially the inability of some software to handle larger certificates.

Unpredictability is an important security property of Physically Unclonable Function (PUF) in the context of statistical attacks, where the correlation between challenge-response pairs is explicitly exploited. In existing literature on PUFs, Hamming Distance test, denoted by $\mathrm{HDT}(t)$, was proposed to evaluate the unpredictability of PUFs, which is a simplified case of the Propagation Criterion test $\mathrm{PC}(t)$. The objective of these testing schemes is to estimate the output transition probability when there are $t$ or less than $t$ bits flips, and ideally, this probability value should be 0.5. In this work, we show that aforementioned two testing schemes are not enough to ensure the unpredictability of a PUF design. We propose a new test which is denoted as $\mathrm{HDT}(\mathbf{e},t)$. This testing scheme is a fine-tuned version of the previous schemes, as it considers the flipping bit pattern vector $\mathbf{e}$ along with parameter $t$. As a contribution, we provide a comprehensive discussion and analytic interpretation of $\mathrm{HDT}(t)$, $\mathrm{PC}(t)$ and $\mathrm{HDT}(\mathbf{e},t)$ test schemes for Arbiter PUF (APUF), XOR PUF and Lightweight Secure PUF (LSPUF). Our analysis establishes that $\mathrm{HDT}(\mathbf{e},t)$ test is more general in comparison with $\mathrm{HDT}(t)$ and $\mathrm{PC}(t)$ tests. In addition, we demonstrate a few scenarios where the adversary can exploit the information obtained from the analysis of $\mathrm{HDT}(\mathbf{e},t)$ properties of APUF, XOR PUF and LSPUF to develop statistical attacks on them, if the ideal value of $\mathrm{HDT}(\mathbf{e},t)=0.5$ is not achieved for a given PUF. We validate our theoretical observations using the simulated and FPGA implemented APUF, XOR PUF and LSPUF designs.

School of Computing and Information Technology (SCIT) is one of six Schools within the Faculty of Engineering and Information Sciences at the University of Wollongong. It delivers a full range of quality courses, both onshore and offshore (Dubai, Singapore, Malaysia, China, Hong Kong), ranging from undergraduate Bachelor’s degrees, through Coursework and Research Masters to PhD programs. Current research foci are Computer Security, Intelligent Systems, Software Engineering, Big Data, Multimedia Information Processing, Information Technology and Information Systems. SCIT has strong R&D links with industry, actively participates in several Co-operative Research Centres.

 

This position will be expected to provide development, teaching and research within the Bachelor of Computer Science with Cyber Security major. As well as to teach and coordinate subjects within the School at both undergraduate and postgraduate levels, and contribute to research in the areas of Cyber Security, information security and cryptology.

 

You will be prompted to respond to the selection criteria as part of the online application process, based on the position description below. You will be able to save your application at any time and submit at a later date if required, you will only be able to do this before the closing date of the position.

 

For further information about this position, please contact Professor Willy Susilo on + 61 2 4221 5535.

 

Closing date for applications: 9 July 2017

Contact: Professor Willy Susilo (wsusilo at uow dot edu dot au)

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=170476&tz=GMT%2B10%3A00

School of Computing and Information Technology (SCIT) is one of six Schools within the Faculty of Engineering and Information Sciences at the University of Wollongong. It delivers a full range of quality courses, both onshore and offshore (Dubai, Singapore, Malaysia, China, Hong Kong), ranging from undergraduate Bachelor’s degrees, through Coursework and Research Masters to PhD programs. Current research foci are Computer Security, Cyber Security, Intelligent Systems, Software Engineering, Big Data, Multimedia Information Processing, and Information Systems. SCIT has strong R&D links with industry, actively participates in several Co-operative Research Centres.

 

This position is expected to provide development, teaching and research within the Bachelor of Computer Science with Digital Systems Security and Master in Computer Science with major in Network and Information Security. As well as teach and coordinate subjects within the School at both undergraduate and postgraduate levels, and contribute to research in the areas of Digital Systems Security. In particular, the position will require the Lecturer/Senior Lecturer to predominantly teach and be located at the Liverpool campus.

 

You will be prompted to respond to the selection criteria as part of the online application process, based on the position description below. You will be able to save your application at any time and submit at a later date if required, you will only be able to do this before the closing date of the position.

 

For further information about this position, please contact Professor Willy Susilo on + 61 2 4221 5535.

Closing date for applications: 30 July 2017

Contact: Prof. Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=170477&tz=GMT%2B10%3A00

Efficient and secure third party computation has many practical applications in cloud computing. We develop new approach for building fully homomorphic encryption (FHE) schemes, by starting with the intuition of using algebraic descriptions of the encryption and decryption functions to construct a functionally complete set of homomorphic boolean operators. We use this approach to design a compact efficient asymmetric cryptosystem that supports secure third party evaluation of arbitrary boolean functions. In the process, we introduce a new hard problem that is a more difficult variant of of the classical Isomorphism of Polynomials (IP) that we call the Obfuscated-IP.

For conventional secret sharing, if cheaters can submit possibly forged shares after observing shares of the honest users in the reconstruction phase, they can disturb the protocol and reconstruct the true secret. To overcome the problem, secret sharing scheme with properties of cheater-identification have been proposed. Existing protocols for cheater-identifiable secret sharing assumed non-rushing cheaters or honest majority. In this paper, we remove both conditions simultaneously, and give its universal construction from any secret sharing scheme. To resolve this end, we propose the concepts of "individual identification" and "agreed identification".

Proxy re-encryption (PRE) and Proxy re-signature (PRS) were introduced by Blaze, Bleumer and Strauss [Eurocrypt '98]. Basically, PRE allows a semi-trusted proxy to transform a ciphertext encrypted under one key into an encryption of the same plaintext under another key, without revealing the underlying plaintext. Since then, many interesting applications have been explored, and many constructions in various settings have been proposed, while PRS allows a semi-trusted proxy to transform Alice's signature on a message into Bob's signature on the same message, but the proxy cannot produce new valid signature on new messages for either Alice or Bob.

Recently, for PRE related progress, Cannetti and Honhenberger [CCS '07] defined a stronger notion -- CCA-security and construct a bi-directional PRE scheme. Later on, several work considered CCA-secure PRE based on bilinear group assumptions. Very recently, Kirshanova [PKC '14] proposed the first single-hop CCA1-secure PRE scheme based on learning with errors (LWE) assumption. For PRS related progress, Ateniese and Hohenberger [CCS'05] formalized this primitive and provided efficient constructions in the random oracle model. At CCS 2008, Libert and Vergnaud presented the first multi-hop uni-directional proxy re-signature scheme in the standard model, using assumptions in bilinear groups.

In this work, we first point out a subtle but serious mistake in the security proof of the work by Kirshanova. This reopens the direction of lattice-based CCA1-secure constructions, even in the single-hop setting. Then we construct a single-hop PRE scheme that is proven secure in our new tag-based CCA-PRE model. Next, we construct the first multi-hop PRE construction. Lastly, we also construct the first PRS scheme from lattices that is proved secure in our proposed unified security model

In this work, we design a new lattice encoding structure for vectors. Our encoding can be used to achieve a packed FHE scheme that allows some SIMD operations and can be used to improve all the prior IBE schemes and signatures in the series. In particular, with respect to FHE setting, our method improves over the prior packed GSW structure of Hiromasa et al. (PKC '15), as we do not rely on a circular assumption as required in their work. Moreover, we can use the packing and unpacking method to extract each single element, so that the homomorphic operation supports element-wise and cross-element-wise computation as well. In the IBE scenario, we improves over previous constructions supporting $O(\lambda)$-bit length identity from lattices substantially, such as Yamada (Eurocrypt '16), Katsumata, Yamada (Asiacrypt '16) and Yamada (Eprint '17), by shrinking the master public key to three matrices from standard Learning With Errors assumption. Additionally, our techniques from IBE can be adapted to construct a compact digital signature scheme, which achieves existential unforgeability under the standard Short Integer Solution (SIS) assumption with small polynomial parameters.

Algorand is a new cryptocurrency system that can confirm transactions with latency on the order of a minute while scaling to many users. Algorand ensures that users never have divergent views of confirmed transactions, even if some of the users are malicious and the network is partitioned. In contrast, existing cryptocurrencies allow for temporary forks and therefore require a long time, on the order of an hour, to confirm transactions with high confidence.

Algorand uses a new Byzantine Agreement (BA) protocol to reach consensus among users on the next set of transactions. To scale the consensus to many users, Algorand uses a novel mechanism based on Verifiable Random Functions that allows users to privately check whether they are selected to participate in the BA to agree on the next set of transactions, and to include a proof of their selection in their network messages. In Algorand's BA protocol, users do not keep any private state except for their private keys, which allows Algorand to replace participants immediately after they send a message. This mitigates targeted attacks on chosen participants after their identity is revealed.

We implement Algorand and evaluate its performance on 1,000 EC2 virtual machines, simulating up to 500,000 users. Experimental results show that Algorand confirms transactions in under a minute, achieves 30$\times$ Bitcoin's throughput, and incurs almost no penalty for scaling to more users.

We take a critical look at established security definitions for predicate encryption (PE) with public index under chosen-plaintext attack (CPA) and under chosen-ciphertext attack (CCA). In contrast to conventional public-key encryption (PKE), security definitions for PE have to deal with user collusion which is modeled by an additional key generation oracle. We identify three different formalizations of key handling in the literature implicitly assumed to lead to the same security notion. Contrary to this assumption we prove that the corresponding models result in two different security notions under CPA and three different security notions under CCA. Similarly to the recent results for PKE and conventional key-encapsulation mechanism (KEM) (Journal of Cryptology, 2015) we also analyze subtleties in security definitions for PE and predicate key-encapsulation mechanism (P-KEM) regarding the so-called "no-challenge-decryption" condition. While the results for PE and PKE are similar, the results for P-KEM significantly differ from the corresponding results for conventional KEM. Our analysis is based on appropriate definitions of semantic security and indistinguishability of encryptions for PE under different attacks scenarios. These definitions complement related security definitions for identity-based encryption and functional encryption. As a result of our work we suggest security definitions for PE and P-KEM under different attack scenarios.

Event date: 1 November to 3 November 2017
Submission deadline: 15 July 2017
Notification: 31 August 2017

Event date: 1 November to 3 November 2017
Submission deadline: 15 June 2017
Notification: 31 July 2017

Event date: 30 November to 2 December 2017
Submission deadline: 25 July 2017
Notification: 12 September 2017