International Association for Cryptologic Research


IACR News


18 December 2017

Xinwei Gao, Jintai Ding, Jiqiang Liu, Lin Li
ePrint Report
The Secure Remote Password (SRP) protocol is an augmented Password-based Authenticated Key Exchange (PAKE) protocol based on the discrete logarithm problem (DLP) with various attractive security features. Compared with basic PAKE protocols, SRP does not require the server to store the user's password, and the user does not send the password to the server to authenticate. These features are desirable for secure client-server applications. SRP has gained extensive real-world deployment, including Apple iCloud, 1Password, etc. However, with the advent of quantum computers and Shor's algorithm, classic DLP-based public key cryptography algorithms are no longer secure, including SRP. Motivated by the importance of SRP and the threat from quantum attacks, we propose an RLWE-based SRP protocol (RLWE-SRP) which inherits the advantages of SRP and the elegant design of RLWE key exchange. We also present parameter choices and an efficient portable C++ implementation of RLWE-SRP. Our implementation of 209-bit secure RLWE-SRP is more than 3x faster than the 112-bit secure original SRP protocol, 5.5x faster than 80-bit secure J-PAKE and 14x faster than two 184-bit secure RLWE-based PAKE protocols with more desired properties.
Oscar Reparaz, Lauren De Meyer, Begül Bilgin, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Nigel Smart
ePrint Report
In this paper, we introduce CAPA: a combined countermeasure against physical attacks. Our countermeasure provides security against higher-order SCA, multiple-shot DFA and combined attacks, scales to arbitrary protection order and is suitable for implementation in embedded hardware and software. The methodology is based on an attack model which we call tile-probe-and-fault, which is an extension (in both attack surface and capabilities) of prior work such as the wire-probe model. The tile-probe-and-fault model leads one to naturally look (by analogy) at actively secure multi-party computation protocols such as SPDZ. We detail several proof-of-concept designs using the CAPA methodology: a hardware implementation of the KATAN and AES block ciphers, as well as a software bitsliced AES S-box implementation. We program a second-order secure version of the KATAN design into a Spartan-6 FPGA and perform a side-channel evaluation. No leakage is detected with up to 18 million traces. We also deploy a second-order secure software AES S-box implementation into an ARM Cortex-M4. Neither first- nor second-order leakage is detected with up to 200,000 traces. Both our implementations can detect faults within a strong adversarial model with arbitrarily high probability.
Ivan Tjuawinata, Tao Huang, Hongjun Wu
ePrint Report
Nachef et al. used differential cryptanalysis to study four types of Generalized Feistel Scheme (GFS). They gave a lower bound on the maximum number of rounds that is indistinguishable from a random permutation. In this paper, we study the security of several types of GFS by exploiting the asymmetric property. We show that better lower bounds can be achieved for the Type-1 GFS, Type-3 GFS and Alternating Feistel Scheme. Furthermore, we give the first general results regarding the lower bound of the Unbalanced Feistel Scheme.
Victor Arribas, Begül Bilgin, George Petrides, Svetla Nikova, Vincent Rijmen
ePrint Report
Glitches entail a great issue when securing a cryptographic implementation in hardware. Several masking schemes have been proposed in the literature that provide security even in the presence of glitches. The key property that allows this protection was introduced in threshold implementations as non-completeness. We address crucial points to ensure the right compliance of this property, especially for low-latency implementations. Specifically, we first discuss the existence of a flaw in the DSD 2017 implementation of Keccak by Gross et al. in violation of the non-completeness property and propose a solution. We perform a side-channel evaluation on the first-order and second-order implementations of the proposed design where no leakage is detected with up to 55 million traces. Then, we present a method to ensure a non-complete scheme of an unrolled implementation applicable to any order of security or algebraic degree of the shared function. By using this method we design a two-round unrolled first-order Keccak-f[200] implementation that completes an encryption in 20.61 ns, the fastest implementation in the literature to this date.
Xinwei Gao, Jintai Ding, Lin Li, Saraswathy RV, Jiqiang Liu
ePrint Report
Two post-quantum password-based authenticated key exchange (PAKE) protocols were proposed at CT-RSA 2017. Following this work, we give a much more efficient and portable C++ implementation of these two protocols. We also choose more compact parameters providing 200-bit security. Compared with the original implementation, we achieve 21.5x and 18.5x speedup for RLWE-PAK and RLWE-PPK respectively. Compared with the quantum-vulnerable J-PAKE protocol, we achieve nearly 8x speedup. We also integrate RLWE-PPK into TLS to construct a post-quantum TLS ciphersuite. This allows simpler key management, mutual authentication and resistance to phishing attacks. Benchmarks show that our ciphersuite is indeed practical.

17 December 2017

Jeju, Korea, 29 January - 31 January 2018
Event Calendar
Event date: 29 January to 31 January 2018
Submission deadline: 15 December 2017
Notification: 12 January 2018
Hamburg, Germany, 27 August - 30 August 2018
Event Calendar
Event date: 27 August to 30 August 2018
Submission deadline: 15 April 2018
Notification: 1 June 2018
Singapore, Singapore, 8 August - 10 August 2018
Event Calendar
Event date: 8 August to 10 August 2018
Submission deadline: 16 February 2018
Notification: 6 April 2018
Incheon, South Korea, 4 June 2018
Event Calendar
Event date: 4 June 2018
Submission deadline: 15 January 2018
Notification: 1 March 2018

16 December 2017

University of Luxembourg
Job Posting
The Cryptolux team of the University of Luxembourg is offering one 3-year Postdoc and two Ph.D. student positions in Applied Cryptography for the FinCrypt project funded by the Luxembourg research fund (FNR). The project will study security, scalability and privacy of distributed ledgers and smart contracts. Candidates with expertise or interest in the following areas are welcome to apply:

- Applied Cryptography (SK or PK)

- Crypto-currencies, smart-contracts, financial cryptography

- Privacy enhancing technologies

- Distributed consensus protocols

- Cybersecurity

We offer

You will work in an exciting international environment and will carry out leading-edge research in these rapidly evolving areas, which will have direct impact on the future. Luxembourg’s financial center is one of the largest in Europe and our team is part of the Security and Trust (SnT) research center (>200 people researching all aspects of IT security). The University offers highly competitive salaries and is an equal opportunity employer.

Applications, written in English, should be submitted by e-mail, and will be considered on receipt; therefore, applying before the deadline is encouraged.

Closing date for applications: 28 February 2018

Contact: Prof. Alex Biryukov

More information: https://www.cryptolux.org/index.php/Vacancies

University of Limoges, France
Job Posting
For the French research project PACLIDO (Protocoles et Algorithmes Cryptographiques Légers pour l’Internet des Objets) the University of Limoges recruits a post-doc for 18 to 24 months.

His main role will be to design and evaluate lightweight cryptographic algorithms (dedicated to IoT) secured against side channel analysis.

Skills in design of block ciphers and in side channel analysis will be favourably considered.

Closing date for applications:

Contact: Christophe Clavier (christophe.clavier at unilim.fr)

Technische Universitaet Darmstadt - CYSEC, Darmstadt, Germany
Job Posting
The Security Engineering Group at TU Darmstadt, led by Stefan Katzenbeisser, is offering a Post-Doc position.

The research focus of the candidate shall be embedded in the group’s current research topics, which encompass among others

- Hardware Security

- Applied cryptography

- Privacy Enhancing Technologies

- Security in Critical Infrastructures

We are looking for highly motivated candidates who have completed their PhD within the last three years and have a proven track record in one or more of the following or related areas: trusted computing, applied cryptography, secure embedded systems, software security, or privacy. We expect professional and independent commitment in both research and teaching (one course per year). We offer a professional work environment and support our staff in the acquisition of external funds and provide many opportunities to work with international collaboration partners from academia and industry through our joint research projects CRISP and CROSSING.

The salary is internationally competitive based on the TU Darmstadt’s wage agreement (TV-TUD) and includes social benefits. TU Darmstadt is an equal-opportunities employer and encourages applications from women. In case of equal qualifications, applicants with a degree of disability of at least 50% will be given preference. Part-time work is possible.

Please send your applications including your CV, a list of publications, two representative copies of your publications, and a letter of motivation to Prof. Stefan Katzenbeisser, TU Darmstadt, Security Engineering Group, Mornewegstrasse 32, 64293 Darmstadt or email to katzenbeisser (at) seceng.informatik.tu-darmstadt.de.

Number: 397

Term for filing application: January 30, 2018

Closing date for applications: 30 January 2018

Contact: Prof. Stefan Katzenbeisser

TU Darmstadt

Security Engineering Group

Mornewegstrasse 32

64293 Darmstadt

katzenbeisser (at) seceng.informatik.tu-darmstadt.de

University of Warsaw, Poland
Job Posting
We are offering two postdoc positions in the area of cryptography in the Cryptography and Data Security Group at the Department of Mathematics, Informatics and Mechanics at University of Warsaw. The position is supported by a grant "Cryptographic Defence Against Malicious Hardware Manufacturers".

The goal of this project is to design methods for preventing attacks by malicious hardware manufacturers. Such attacks are possible because manufacturing of integrated circuits is frequently outsourced to external companies. Due to the complexity of these devices it is practically impossible to inspect them in order to check that they were manufactured correctly. Hence, a malicious manufacturer can alter the device's design by introducing so-called "hardware Trojan horses". Such devices can later cause significant damage to their users by malfunctioning, or leaking users' secrets to the adversary. This is very worrying, especially given the tremendous dependence of modern society on electronic devices. Another threat associated with third-party manufacturing is intellectual property theft and piracy, as the manufacturer gets full access to the device's specification. In this project we address these problems by applying state-of-the-art cryptographic techniques.

Profile:

All candidates with a PhD degree and a publication record in cryptography or data security are encouraged to apply and will be carefully considered.

We offer excellent networking and training opportunities, including participation in international workshops and conferences.

The salary will depend on qualifications and will be in the range of approximately PLN 7,000 - 8,500 (net/month).

Successful candidates can start from January 2017. Funding is available for 22 months (with possible extensions).

There is no official deadline for this call. We will start looking at the applications from Jan 20, 2018.


Closing date for applications: 20 January 2018

Contact: Stefan Dziembowski

More information: http://www.crypto.edu.pl/positions/postdoc


13 December 2017

University of Edinburgh, UK
Job Posting
The security and privacy group at the School of Informatics at the University of Edinburgh is looking to hire two faculty at the level of lecturer/senior lecturer/reader (equivalent to assistant professor, associate professor in the US).

Closing Dates:

03 January 2018 at 5pm GMT (Security and IoT)

19 January 2018 at 5pm GMT (general post)

For more information please see:

https://www.vacancies.ed.ac.uk/pls/corehrrecruit/erq_jobspec_version_4.jobspec?p_id=042150

https://www.vacancies.ed.ac.uk/pls/corehrrecruit/erq_jobspec_version_4.jobspec?p_id=041914

Closing date for applications: 19 January 2018

Contact: Professor Aggelos Kiayias at akiayias (at) inf.ed.ac.uk or +44 (0) 131 650 5129.

Ammbr Research Labs (ARL), Cambridge, UK
Job Posting
We are looking to hire a blockchain guru to join our team at Ammbr Research Labs (ARL) (www.ammbr.com). Someone with strong knowledge, publications (aka some evidence of work) and coding skills in any of the following:

1. technical knowledge of the Hyperledger Fabric architecture and code base

2. technical knowledge of emerging distributed ledger technology: consensus algorithms, smart contracts etc.

3. technical knowledge of Byzantine fault tolerant algorithms

4. technical knowledge of open and permissioned blockchain networks

5. knowledge of innovative concepts such as zero knowledge proof

The role will have a strong research and development focus working across the intersection of blockchain, networking and self-sovereign digital identifiers to solve some of the core problems related to universal Internet access and critical services in emerging markets. The person is expected to build the team and lead the crypto group within ARL. ARL will closely collaborate with Prof Leandro Navarro's team at UPC in Barcelona and Prof Jean-Jacques Quisquater's crypto group at UCL in Belgium. The team will be based out of our Cambridge (UK) city centre office. Good salary, tokens and stock options. Expected start date: March 2018.

If you are interested, send me an email with your CV to arjuna (at) ammbr.com

Closing date for applications: 1 March 2018

Contact: Arjuna Sathiaseelan arjuna (at) ammbr.com

director of N4D lab,

University of Cambridge | GAIUS Networks | Ammbr | GAIA Labs

Personal: http://www.cl.cam.ac.uk/~as2330/

N4D Lab: http://www.cl.cam.ac.uk/~as2330/n4d


12 December 2017

Marc Fischlin, Felix Günther, Giorgia Azzurra Marson, Kenneth G. Paterson
ePrint Report
The common approach to defining secure channels in the literature is to consider transportation of discrete messages provided via atomic encryption and decryption interfaces. This, however, ignores that many practical protocols (including TLS, SSH, and QUIC) offer streaming interfaces instead, moreover with the complexity that the network (possibly under adversarial control) may deliver arbitrary fragments of ciphertexts to the receiver. To address this deficiency, we initiate the study of stream-based channels and their security. We present notions of confidentiality and integrity for such channels, akin to the notions for atomic channels, but taking the peculiarities of streams into account. We provide a composition result for our setting, saying that combining chosen-plaintext confidentiality with integrity of the transmitted ciphertext stream lifts confidentiality of the channel to chosen-ciphertext security. Notably, for our proof of this theorem in the streaming setting we need an additional property, called error predictability. We give an AEAD-based construction that achieves our notion of a secure stream-based channel. The construction matches rather well the one used in TLS, providing validation of that protocol's design. Finally, we study how applications that actually aim at transporting atomic messages can do so safely over a stream-based channel. We provide corresponding security notions and a generic and secure 'encode-then-stream' paradigm.
Eleftheria Makri, Dragos Rotaru, Nigel P. Smart, Frederik Vercauteren
ePrint Report
The advent of Machine Learning as a Service (MLaaS) makes it possible to outsource a visual object recognition task to an external (e.g. cloud) provider. However, outsourcing such an image classification task raises privacy concerns, both from the image provider’s perspective, who wishes to keep their images confidential, and from the classification algorithm provider’s perspective, who wishes to protect the intellectual property of their classifier. We propose PICS, a private image classification system, based on polynomial kernel support vector machine (SVM) learning. We selected SVM because it allows us to apply only low-degree functions for the classification on private data, which is the reason why our solution remains computationally efficient. Our solution is based on Secure Multiparty Computation (MPC), it does not leak any information about the images to be classified, nor about the classifier parameters, and it is provably secure. We demonstrate the practicality of our approach by conducting experiments on realistic datasets. We show that our approach achieves high accuracy, comparable to that achieved on non-privacy-protected data, while the input-dependent phase is at least 100 times faster than the similar approach with Fully Homomorphic Encryption.
Hanno Böck, Juraj Somorovsky, Craig Young
ePrint Report
Many web hosts are still vulnerable to one of the oldest attacks against RSA in TLS. We show that Bleichenbacher’s RSA vulnerability from 1998 is still very prevalent in the Internet and affects almost a third of the top 100 domains in the Alexa Top 1 Million list, among them Facebook and PayPal. We identified vulnerable products from at least eight different vendors and open source projects, among them F5, Citrix, Radware, Cisco, Erlang, Bouncy Castle, and WolfSSL. Further, we have demonstrated practical exploitation by signing a message with the private key of facebook.com’s HTTPS certificate. Finally, we discuss countermeasures against Bleichenbacher attacks in TLS and recommend deprecating the RSA encryption key exchange in TLS and the PKCS #1 v1.5 standard.
Kenta Takahashi, Takahiro Matsuda, Takao Murakami, Goichiro Hanaoka, Masakatsu Nishigaki
ePrint Report
In this paper, we introduce a new concept of digital signature that we call fuzzy signature, which is a signature scheme that uses a noisy string such as biometric data as a private key, but does not require user-specific auxiliary data (which is also called a helper string in the context of fuzzy extractors) for generating a signature. Our technical contributions are three-fold: (1) We first give the formal definition of fuzzy signature, together with a formal definition of a "setting" that specifies some necessary information for fuzzy data. (2) We give a generic construction of a fuzzy signature scheme based on a signature scheme that has certain homomorphic properties regarding keys and satisfies a kind of related key attack security with respect to addition, and a new tool that we call linear sketch. (3) We specify two concrete settings for fuzzy data, and for each of the settings give a concrete instantiation of these building blocks for our generic construction, leading to two concrete fuzzy signature schemes.

We also discuss how fuzzy signature schemes can be used to realize a biometric-based PKI that uses biometric data itself as a cryptographic key, which we call the public biometric infrastructure (PBI).
Sanjam Garg, Mohammad Mahmoody, Daniel Masny, Izaak Meckler
ePrint Report
We show that any OT extension protocol based on one-way functions (or more generally any symmetric-key primitive) either requires an additional round compared to the base OTs or must make a non-black-box use of one-way functions. This result also holds in the semi-honest setting or in the case of certain setup models such as the common random string model. This implies that OT extension in any secure computation protocol must come at the price of an additional round of communication or the non-black-box use of symmetric key primitives. Moreover, we observe that our result is tight in the sense that positive results can indeed be obtained using non-black-box techniques or at the cost of one additional round of communication.