International Association for Cryptologic Research

# IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

30 July 2016
Job Posting Ph.D student Goethe University Frankfurt, Frankfurt am Main , Germany
The Deutsche Telekom Chair of Mobile Business & Multilateral Security at Goethe University Frankfurt is looking for a committed,creative and flexible PhD candidate in the area of security, privacy and identity management.

Closing date for applications: 16 August 2016

Contact: Prof. Dr. Kai Rannenberg

29 July 2016
ePrint Report Markov Modeling of Moving Target Defense Games Mohammad Hadi Valizadeh, Hoda Maleki, William Koch, Azer Bestavros, Marten van Dijk
We introduce a Markov-model-based framework for Moving Target Defense (MTD) analysis. The framework allows modeling of broad range of MTD strategies, provides general theorems about how the probability of a successful adversary defeating an MTD strategy is related to the amount of time/cost spent by the adversary, and shows how a multi-level composition of MTD strategies can be analyzed by a straightforward combination of the analysis for each one of these strategies. Within the proposed framework we define the concept of security capacity which measures the strength or effectiveness of an MTD strategy: the security capacity depends on MTD specific parameters and more general system parameters. We apply our framework to two concrete MTD strategies.
The software performance of cryptographic schemes is an important factor in the decision to include such a scheme in real-world protocols like TLS, SSH or IPsec. In this paper, we develop a benchmarking framework to perform software performance measurements on authenticated encryption schemes. In particular, we apply our framework to independently benchmark the 29 remaining 2$^\text{nd}$ round candidates of the CAESAR competition. Many of these candidates have multiple parameter choices, or deploy software optimised versions raising our total number of benchmarked implementations to 207. We illustrate our results in various diagrams and hope that our contribution helps developers to find an appropriate cipher in their selection choice.
Dear IACR members,

With the annual CRYPTO conference coming up soon, I would like to inform you about some recent developments in the IACR.

Journal of Cryptology - Reviewers of the Year

Ivan Damgaard as the current Editor-in-Chief of the journal has awarded the title of "Reviewer of the Year" at Eurocrypt. He actually designated two colleagues for being his most reliable and helpful reviewers, with the following details:
• Vincent Rijmen, 9/9 accepted invitations, 7 completed on time, 1 late, 1 ongoing
• Jens Groth, 8/8 accepted invitations, 6 completed on time, 1 late, 1 ongoing
Congratulations!

Journal of Cryptology - Kenny Paterson new Editor-in-Chief

Ivan Damgaard is resigning from the position of Editor-in-Chief of the Journal of Cryptology. On behalf of all IACR members I would like to thank Ivan for his dedication to the journal and for his work with moving to the online submission and reviewing system.

To replace him, the Board has recently appointed Kenny Paterson as Editor in Chief for the Journal of Cryptology, for a 3-year period starting in January 2017. Congratulations!

IACR Transactions on Symmetric Cryptology (ToSC)

Earlier this year the IACR has also decided to change the publication format for the yearly FSE conference to a conference-journal hybrid. The newly established IACR Transactions on Symmetric Cryptology (ToSC) will be a journal with a rapid and strict reviewing schedule.

Publication of a paper in ToSC during the year will give the authors an opportunity to present the result at the next FSE. Publication will be online and all content is available freely (Gold Open-Access). There will be four submission deadlines, four review periods, and four issues yearly.

IACR Cryptology Schools

The IACR schools program sponsors educational schools aimed at graduate students. The grants allow organizers to invite speakers or pay for fixed costs. Proposals can be submitted by Dec. 31 and by June 30; a description of the schools program appears at iacr.org/schools.

As there were no proposals received by the recent deadline of June 30 this year, we extend this deadline to August 31, 2016. Details about submissions are explained on the website.

Conference locations and appointments

At its meeting during Eurocrypt 2016 in Vienna, the Board has received two very strong proposals for future Eurocrypts. Exceptionally it has decided to fix the location of a Eurocrypt conference three years ahead:
• Eurocrypt 2018, 29 Apr-3 May, Tel Aviv (IL), with Orr Dunkelman as General Chair
• Eurocrypt 2019, Apr/May, Darmstadt (DE), with Marc Fischlin as General Chair
Furthermore, the Board has appointed as Program Co-Chairs:
• Thomas Peyrin as Program Co-Chair of Asiacrypt 2017-18
• Hovav Shacham as Program Co-Chair of CRYPTO 2017-18
Awards for cryptographers

Excellent people from our discipline continue to be recognized by prominent awards, which cover researchers from a much broader domain. After several ACM Turing Awards, the most recent one this year, it is my pleasure to congratulate two colleagues:
• Tal Rabin has been elected to the American Academy of Arts & Sciences.
• Brent Waters has received the 2015 Grace Murray Hopper Award for the introduction and development of the concepts of attribute-based and functional encryption.
Asiacrypt 2016

Last but not least, the planning for this year's Asiacrypt in Hanoi (4-8 Dec) is progressing well. See the website for all further information: www.asiacrypt2016.com.

I am looking forward to seeing many of you in Santa Barbara or in Hanoi.

Best regards,

Christian Cachin
President, IACR
ARM\'s Internet of Things Business Unit are looking for a talented individual to join the team responsible for development of the mbed TLS library. As an open source project, the mbed TLS library provides support for the TLS/SSL protocol and the necessary cryptographic primitives to provide a complete TLS solution for embedded devices, servers and the emerging field of Internet of Things.

We are open to offer the possibility to work from home internationally.

You will have a strong interest in security and cryptography as well as in helping secure the emerging market for Internet of Things type devices. You will have the opportunity to help us deliver a vital part of future Internet of Things devices, helping to ensure they will stay secure and robust.

The role offers unique challenges working in a new business space where you can help shape the future of Internet of Things and the security of these emerging technologies and devices.

Description of Role:

* Contribute to system and architectural designs, from server to device, providing security input

* Perform risk analysis, as well as vulnerability and security assessments

* Write and develop high assurance software in C and assembly

* Participate in code reviews, testing and architectural planning of new products

* To work with the open source community in the development of the library

* To contribute to project planning of new features, design and implementation

* To mentor and coach others in security best practices

* Provide support to both internal and external customers

* Participate in standards meetings

* To keep pace with the fast moving fields of cryptography and software security

Closing date for applications: 30 October 2016

Contact: Applications should be made directly through ARM\'s online application system.

Job Posting Principal Engineer/Senior Engineer/Engineer (Cyber Security) Hong Kong Applied Science and Technology Research Institite Company Limited
Hong Kong Applied Science and Technology Research Institute (ASTRI) was founded by the Government of the Hong Kong Special Administrative Region in 2000 with the mission of enhancing Hong Kong’s competitiveness in technology-based industries through applied research

Job Responsibilities

•Research on latest security threat and cloud computing security.

•Develop and implement secure software systems.

•Develop cryptographic, encryption technologies, and mobile security solutions.

•Develop and implement cyber-threat intelligence and defense technologies.

•Be able to perform security investigation on cyber security and e-commerce systems.

•Conduct R&D in various areas which include but not limited to software, network, distributed systems, database, reverse engineering, malware analysis and mobile security.

Requirements

•Bachelor’s degree in Computer Science, Electrical Engineering or other relevant discipline with 6 years relevant experience. Master’s degree with 3+ years’ experience, or PhD holder with less experience. Candidates with less experience will be considered as Engineer.

•Solid experience in software and system development (C/C++, C#, Java, Python, Android, iPhone or Java Script).

•Experience in hands-on R&D projects, especially on software systems.

•Experience in planning, organizing, leading and implementing novel R&D projects, especially on information security and data analytics related areas.

•Preferably with certificates or formal training in information security or with experience in security assessment, but not a must.

•Experience in well-known data analysis challenge or ACM competition is a big plus.

•Experience in financial technologies such as algorithm trading, blockchain, etc. is a big plus.

•Good team player and passionate about producing quality software and enhancing user experience.

•Good interpersonal communication and presentation skills.

•Good command of both written and spoken English and Chinese.

Closing date for applications: 15 August 2016

Contact: charlenechoo (at) astri.org

Job Posting Senior Engineer/Engineer (Cyber-Security Assessment) Hong Kong Applied Science and Technology Research Institute Company Limited
Hong Kong Applied Science and Technology Research Institute (ASTRI) was founded by the Government of the Hong Kong Special Administrative Region in 2000 with the mission of enhancing Hong Kong’s competitiveness in technology-based industries through applied research

Job Responsibilities

•Conduct research on advanced ethical hacking, penetration testing, reverse engineering.

•Conduct assessment on network infrastructure, web and mobile security.

•Assisting on IT security enforcement and enhancement.

•Design secure application testing approaches, integrate quality assurance testings with security functionalities.

•Candidate with strong programming background will also be involved in security tool/signature development.

•Design and implement preventive security controls, application code review and analysis, code scanning and testing tools, web application scanning and penetration tests.

•Manage vendor and service provider on security tools and technologies project engagement and delivery.

Qualification/Required Experience & Skills

•Bachelor’s degree or above in Computer Science, Electrical Engineering or other relevant disciplines with a minimum of 5 years of experience in security assessment, less experience will also be considered for the Engineer level.

•Experience in financial industry is preferred but not mandatory.

•Demonstrate wide working knowledge of application security.

•Experience in application development life cycle, application testing and code scanning, with exposure in penetration test, finding exploits, vulnerabilities, unauthorized access, or other malicious activities in computer systems.

•Proficient in English, spoken and written.

•High integrity and professional work practice.

•Appreciation of people and cultures of different countries.

Closing date for applications: 15 August 2016

Contact: charlenechoo (at) astri.org

Job Posting 4 Postdocs and 1 PhD IMDEA Software Institute, Madrid, Spain
The IMDEA Software Institute (Madrid, Spain) invites applications for one PhD position in the area of Cryptography and four Postdoc positions in the areas of Cryptography, Anonymity, Privacy, Programming Languages, Verification, and Side-channel Attacks.

The positions are based in Madrid, Spain where the IMDEA Software Institute is situated. Salaries are internationally competitive and include attractive conditions such as access to an excellent public healthcare system. The working language at the institute is English.

PhD applicants should have completed, or be close to completing, a Masters degree in computer science, mathematics or a related discipline. The successful PhD applicant will do research in cryptography. Knowledge of cryptography (in particular public key cryptography and provable security) is required, and proven experience in the form of theses or published papers will be considered positively. The application requires: curriculum vitae, a motivation letter, and names of 3 persons that can provide reference about you and your work. For further enquiries on the PhD position, please contact Dario Fiore.

Postdoc applicants should have already completed, or be close to completing, a PhD in computer science, mathematics, or a related discipline, and should have an excellent research track record. The application requires: curriculum vitae, a research statement, and names of 3 persons that can provide reference about you and your work. The postdoctoral positions are available from September 2016 for the duration of up to two years.

Applicants interested in the position should send an email to the faculty members they would like to work with, and submit the application documents at https://careers.imdea.org/software/. Review of applications starts immediately until the positions are filled.

Closing date for applications: 31 December 2016

Gilles Barthe gilles.barthe (at) imdea.org

Dario Fiore, dario.fiore (at) imdea.org

Boris Koepf, boris.koepf (at) imdea.org

Carmela Troncoso, carmela.troncoso (at) imdea.org

To apply: https://careers.imdea.org/software/

Job Posting One year Post-Doc École polytechnique, Palaiseau, France
Context

Safran Identity and Security and the computer science department of École polytechnique will conduct a study on the manipulation of centrally issued documents on blockchains.

Object of the study

There already exist various protocols designed for manipulating sensitive documents on blockchains, from straightforward ones (hashes), to advanced protocols (ZeroCash).

Objectives

The objective is to sort out the various proposition for anonymising transactions or data on blockchains, and to design a new one relevant to our application domain. Since the application domain is concerned with documents issued by a trusted third party (a government in case of a passport), our application domain may not be well fitted by existing approaches. Some software developments may be conducted.

Profile

The candidate should have either a rather good knowledge of a few advanced cryptographic protocols, or have a very good understanding of bitcoin (or ethereum) and in particular its programmable features (smart contracts, OP_RETURN).

The candidate will spend 20% of his research time within Safran Identity and Security, (Issy-les-Moulineaux), and 40% in the computer science department of École polytechnique (Palaiseau), within INRIA project-team Grace.

Safran Identity and Security

Safran Identity & Security is a global leader in security and identity solutions, deploying solutions in more than 100 countries, and employing more than 8,700 people in 57 countries. Its solutions manage identities, secure payments and transactions and safeguard privacy, for an increasingly digital and connected world.

École polytechnique

École Polytechnique is a leading French institute which combines top-level research, academics, and innovation at the cutting-edge of science and technology. Its curriculum promotes a culture of excellence  with a strong emphasis on science, anchored in humanist traditions.

Closing date for applications: 31 December 2016

Contact: Daniel Augot, INRIA senior researcher, Daniel.Augot (at) inria.fr

Job Posting Post-Doc NTT Secure Platform Laboratories, Tokyo, Japan
Post-Doc Position in Cryptography, NTT Labs, Tokyo, Japan.

A postdoctoral research position in cryptography is available in NTT Secure Platform Laboratories, Tokyo, Japan. The position is initially for one year, and could be extended up to three years on year-by-year basis.

Candidates must hold a PhD in mathematics or computer science, and publications in major conferences related to cryptography. The research topics include foundation and applications in public-key cryptography. Interest in two-party / multi-party computation is an advantage.

Applications (CV, list of publications, and at least two letters of recommendations with contact details) and requests for more information should be directed to all of:

Saho Uchida (Secretary) uchida.saho (at) lab.ntt.co.jp ,

Koutarou Suzuki (Senior Researcher) suzuki.koutarou (at) lab.ntt.co.jp , and

Kazumaro Aoki (Research Group Leader) aoki.kazumaro (at) lab.ntt.co.jp .

Closing date: October 1st, 2016.

Preferred starting date: January-March, 2017.

Closing date for applications: 1 October 2016

The University of Luxembourg invites applications for a doctoral candidate (PhD student) in the field of cryptography.

The PhD student will be a member of the Computer Science and Communications Research Unit (CSC) research unit within the Faculty of Science, Technology and Communication at the University of Luxembourg.

He/she will work under supervision of Prof. Dr. Jean-Sebastien Coron on one of the following topics :

* Fully Homomorphic encryption and multilinear maps

* Side-channel attacks and countermeasures

The candidate must have a master’s degree or diploma in computer science or mathematics. We offer:

* Personal work space at the University

* Highly competitive salary

* Dynamic and multicultural environment.

Jean-Sebastien Coron: jean-sebastien.coron - at - uni.lu

To apply:

http://emea3.mrted.ly/1503l

Closing date for applications: 15 September 2016

28 July 2016
ePrint Report Unconditionally Secure Signatures Ryan Amiri, Aysajan Abidin, Petros Wallden, Erika Andersson
Digital signatures are one of the most important cryptographic primitives. In this work we construct an information-theoretically secure signature scheme which, unlike prior schemes, enjoys a number of advantageous properties such as short signature length and high generation efficiency, to name two. In particular, we extend symmetric-key message authentication codes (MACs) based on universal hashing to make them transferable, a property absent from traditional MAC schemes. Our main results are summarised as follows.

- We construct an unconditionally secure signature scheme which, unlike prior schemes, does not rely on a trusted third party or anonymous channels. In our scheme, a sender shares with each of the remaining protocol participants (or recipients) a set of keys (or hash functions) from a family of universal hash functions. Also, the recipients share with each other a random portion of the keys that they share with the sender. A signature for a message is a vector of tags generated by applying the hash functions to the message. As such, our scheme can be viewed as an extension of MAC schemes, and therefore, the practical implementation of our scheme is straightforward.

- We prove information-theoretic security of our scheme against forging, repudiation, and non-transferability.

- We compare our schemes with existing both "classical" (not employing quantum mechanics) and quantum unconditionally secure signature schemes. The comparison shows that our new scheme has a number of unparalleled advantages over the previous schemes.

- Finally, although our scheme does not rely on trusted third parties, we discuss this, showing that having a trusted third party makes our scheme even more attractive.
In this paper I propose the fully homomorphic public-key encryption(FHPKE) scheme with zero norm noises that is based on the discrete logarithm assumption(DLA) and computational Diffie–Hellman assumption(CDH) of multivariate polynomials on octonion ring. Since the complexity for enciphering and deciphering become to be small enough to handle, the cryptosystem runs fast.
ePrint Report Zero Knowledge Authentication Protocols With Algebraic Geometry Techniques Edgar González, Guillermo Morales-Luna, Feliú D. Sagols
Several cryptographic methods have been developed based on the difficulty to determine the set of solutions of a polynomial system over a given field. We build a polynomial ideal whose algebraic set is related to the set of isomorphisms between two graphs. The problem {\sc isomorphism}, posed in the context of Graph Theory, has been extensively used in zero knowledge authentication protocols. Thus, any cryptographic method based on {\sc isomorphism} can be translated into an equivalent method based on the problem of finding rational points in algebraic sets associated to polynomial ideals.
ePrint Report Efficient and Private Scoring of Decision Trees, Support Vector Machines and Logistic Regression Models based on Pre-Computation Martine De Cock, Rafael Dowsley, Caleb Horst, Raj Katti, Anderson C. A. Nascimento, Stacey C. Newman, Wing-Sea Poon
Many data-driven personalized services require that private data of users is scored against a trained machine learning model. In this paper we propose a novel protocol for privacy-preserving classification of decision trees, a popular machine learning model in these scenarios. Our solutions are composed out of building blocks, namely a secure comparison protocol, a protocol for obliviously selecting inputs, and a protocol for evaluating polynomials. By combining some of the building blocks for our decision tree classification protocol, we also improve previously proposed solutions for classification of support vector machines and logistic regression models. Our protocols are information theoretically secure and, unlike previously proposed solutions, do not require modular exponentiations. We show that our protocols for privacy-preserving classification lead to more efficient results from the point of view of computational and communication complexities. We present accuracy and runtime results for 7 classification benchmark datasets from the UCI repository.
Threshold secret sharing is a protocol that allows a dealer to share a secret among $n$ players so that any coalition of $t$ players learns nothing about the secret, but any $t+1$ players can reconstruct the secret in its entirety.

Robust secret sharing (RSS) provides the additional guarantee that even if $t$ malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret.

When $t < \frac{n}{3}$, Shamir sharing is known to be robust, and when $t > \frac{n}{2}$, RSS is known to be impossible, but for $\frac{n}{3} < t < \frac{n}{2}$ much less is known.

When $\frac{n}{3} < t < \frac{n}{2}$ previous RSS protocols could either achieve optimal share size with inefficient (exponential time) reconstruction procedures, or sub-optimal share size with polynomial time reconstruction.

In this work, we construct a simple RSS protocol for $t = \left\{ \frac{1}{2} - \epsilon\right\}n$ that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our shares size increases by an additive term of $O(\kappa + \log n)$, and reconstruction succeeds except with probability at most $2^{-\kappa}$.

This provides a partial solution to a problem posed by Cevallos et al. in Eurocrypt 2012. Namely, when $t = \left\{ \frac{1}{2} - O(1) \right\}n$ we show that the share size in RSS schemes do not require an overhead that is linear in $n$.

Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC '89) and Cevallos et al. (Eurocrypt '12) use MACs to allow each player to check the shares of each other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the $n$ players as nodes in an expander graph, each player only checks its neighbors in the expander graph.

When $t = \left\{ \frac{1}{2} - O(1) \right\}n$, the concurrent, independent work of Cramer et al. (Eurocrypt '16) shows how to achieve shares that \emph{decrease} with the number of players using completely different techniques.
ePrint Report Efficient Oblivious Transfer Protocols based on White-Box Cryptography Aram Jivanyan, Gurgen Khachatryan, Andriy Oliynyk, Mykola Raievskyi
Oblivious transfer protocol is an important cryptographic primitive having numerous applications and particularly playing an essential role in secure multiparty computation protocols. On the other hand existing oblivious transfer protocols are based on computationally expensive public-key operations which remains the main obstacle for employing such protocols in practical applications. In this paper a novel approach for designing oblivious transfer protocols is introduced based on the idea of replacing public-key operations by white-box cryptography techniques. As a result oblivious transfer protocols based on white-box cryptography run several times faster and require less communication bandwidth compared with the existing protocols.
Over the past decade, the hybrid lattice reduction and meet-in-the middle attack (called the Hybrid Attack) has been used to evaluate the security of many lattice-based cryprocraphic schemes such as NTRU, NTRU prime, BLISS, and more. However, unfortunately none of the previous analyses of the Hybrid Attack is entirely satisfactory: they are based on simplifying assumptions that may distort the security estimates. Such simplifying assumptions include setting probabilities equal to $1$, which, for the parameter sets we analyze in this work, are in fact as small as $2^{-92}$. Many of these assumptions yield more conservative security estimates. However, some lead to overestimating the scheme's security, and without further analysis, it is not clear which is the case. Therefore, the current security estimates against the Hybrid Attack are not reliable and the actual security levels of many lattice-based schemes are unclear.

In this work we present an improved runtime analysis of the Hybrid Attack that gets rid of incorrect simplifying assumptions. Our improved analysis can be used to derive reliable and accurate security estimates for many lattice-based schemes. In addition, we reevaluate the security against the Hybrid Attack for the NTRU, NTRU prime, and R-BinLWEEnc encryption schemes as well as for the BLISS and GLP signature schemes. Our results show that there exist both over- and underestimates of up to $80$ bits of security in the literature. Our results further show that the common claim that the Hybrid Attack is the best attack on all NTRU parameter sets is in fact a misconception based on incorrect analyses of the attack.
In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.
27 July 2016
RFID technology is a system which uses radio frequency to transmit data. Data transmission between Tags and Readers is wireless which can be easily eavesdropped by adversary. Due to security and privacy reasons, various authentication protocols proposed. In this paper, we cryptanalyze two different RFID authentication protocols and it is shown that either of them have some weaknesses. In 2014, Chang et al. proposed a mutual authentication protocol for RFID technology based on EPC Class 1 Generation 2 standard. We show that their protocol is not safe regard to privacy and cannot repulse neither Traceability attack nor Forward Traceability attack. Also, in 2015, Pourpouneh et al. proposed a server-less authentication protocol. We discover that their protocol is not able to thwart security and privacy attacks such as Secret Parameter Reveal, Traceability and Forward Traceability. In addition, we robust the two schemes to defend those attacks which can protect RFID users against different threats. Then, analyzing of the protocols are compared with some state-of-art ones.
ePrint Report Leakage-Resilient Public-Key Encryption from Obfuscation Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Liu, Adam O'Neill, Hong-Sheng Zhou
The literature on leakage-resilient cryptography contains various leakage models that provide different levels of security. In this work, we consider the \emph{bounded leakage} and the \emph{continual leakage} models. In the bounded leakage model (Akavia et al. -- TCC 2009), it is assumed that there is a fixed upper bound $L$ on the number of bits the attacker may leak on the secret key in the entire lifetime of the scheme. Alternatively, in the continual leakage model (Brakerski et al. -- FOCS 2010, Dodis et al. -- FOCS 2010), the lifetime of a cryptographic scheme is divided into time periods'' between which the scheme's secret key is updated. Furthermore, in its attack the adversary is allowed to obtain some bounded amount of leakage on the current secret key during each time period.

In the continual leakage model, a challenging problem has been to provide security against \emph{leakage on key updates}, that is, leakage that is a function not only of the current secret key but also the \emph{randomness used to update it}. We propose a new, modular approach to overcome this problem. Namely, we present a compiler that transforms any public-key encryption or signature scheme that achieves a slight strengthening of continual leakage resilience, which we call \emph{consecutive} continual leakage resilience, to one that is continual leakage resilient with leakage on key updates, assuming \emph{indistinguishability obfuscation} (Barak et al. --- CRYPTO 2001, Garg et al. -- FOCS 2013). Under the stronger assumption of \emph{public-coin differing-inputs obfuscation} (Ishai et al. -- TCC 2015) the leakage rate tolerated by our compiled scheme is essentially as good as that of the starting scheme. Our compiler is obtained by making a new connection between the problems of leakage on key updates and so-called sender-deniable'' encryption (Canetti et al. -- CRYPTO 1997), which was recently realized for the first time by Sahai and Waters (STOC 2014).

In the bounded leakage model, we develop a new approach to constructing leakage-resilient encryption from obfuscation, based upon the public-key encryption scheme from $\iO$ and punctured pseudorandom functions due to Sahai and Waters (STOC 2014). In particular, we achieve leakage-resilient public key encryption tolerating $L$ bits of leakage for any $L$ from $\iO$ and one-way functions. We build on this to achieve leakage-resilient public key encryption with optimal leakage rate of $1-o(1)$ based on public-coin differing-inputs obfuscation and collision-resistant hash functions. Such a leakage rate is not known to be achievable in a generic way based on public-key encryption alone. We then develop entirely new techniques to construct a new public key encryption scheme that is secure under (consecutive) continual leakage resilience (under appropriate assumptions), which we believe is of independent interest.
ePrint Report Attacks on cMix - Some Small Overlooked Details Herman Galteland, Stig F. Mjølsnes, Ruxandra F. Olimid
Chaum et al. have very recently introduced cMix as the first practical system that offers senders-receivers unlinkability at scale. cMix is claimed by its authors to be secure unless all nodes collude (or less than two senders are honest). We argue their assertion does not hold and sustain our statement by three different types of attacks: tagging attack, insider attack and passive attack. For each one, we discuss the settings that make it feasible and possible countermeasures.
Searchable Symmetric Encryption aims at making possible searching over an encrypted database stored on an untrusted server while keeping privacy of both the queries and the data, by allowing some small controlled leakage to the server. Recent works showed that dynamic schemes – in which the data is efficiently updatable – leaking some informations on updated keywords are subjects to devastating adaptative attacks breaking the queries’ privacy. The only way to thwart this attack is to design forward-private schemes whose update procedure does not leak if a newly inserted element matches previous search queries. This work proposes \Sigma o\phi o\varsigma as a forward-private SSE scheme with performance similar to existing less secure schemes, and that is conceptually simpler (and also more efficient) than previous forward-private constructions. In particular, it only relies on trapdoor permutations and does not use an ORAM-like construction. We also explain why \Sigma o\phi o\varsigma is an optimal point of the security/performance tradeoff for SSE. Finally, an implementation and evaluation results demonstrate its practical efficiency.
ePrint Report Improvements on the Individual Logarithm Step in exTNFS Yuqing Zhu, Jincheng Zhuang, Chang Lv, Dongdai Lin
The hardness of discrete logarithm problem over finite fields is the foundation of many cryptographic protocols. When the characteristic of the finite field is medium or large, the state-of-art algorithms for solving the corresponding problem are the number field sieve and its variants. There are mainly three steps in such algorithms: polynomial selection, factor base logarithms computation, and individual logarithm computation. Note that the former two steps can be precomputed for fixed finite field, and the database containing factor base logarithms can be used by the last step for many times. In certain application circumstances, such as Logjam attack, speeding up the individual logarithm step is vital.

In this paper, we devise a method to improve the individual logarithm step by exploring certain subfield structure. Our technique is based on the extended tower number field sieve method and generalizes the idea used by Guillevic. The method achieves more significant improvement when the extension degree has a large proper factor. We also perform some experiments to illustrate our algorithm and confirm the result.
The information ratio of a secret sharing scheme $\Sigma$ measures the size of the largest share of the scheme, and is denoted by $\sigma(\Sigma)$. The optimal information ratio of an access structure $\Gamma$ is the infimum of $\sigma(\Sigma)$ among all schemes $\Sigma$ for $\Gamma$, and is denoted by $\sigma(\Gamma)$. The main result of this work is that for every two access structures $\Gamma$ and $\Gamma'$, $|\sigma(\Gamma)- \sigma(\Gamma')|\leq|\Gamma\cup\Gamma'|-|\Gamma\cap\Gamma'|$. As a consequence of this result, we see that close access structures admit secret sharing schemes with similar information ratio. We show that this property is also true for particular families of secret sharing schemes and models of computation, like the family of linear secret sharing schemes, span programs, Boolean formulas and circuits. In order to understand this property, we also study the limitations of the techniques for finding lower bounds on the information ratio and other complexity measures. We analyze the behavior of these bounds when we add or delete subsets from an access structure
Fully Homomorphic Encryption is a powerful cryptographic tool that enables performing arbitrary meaningful computations over encrypted data. Despite its evolution over the past 7 years, FHE schemes are still not suitable for practical use due to performance inefficiencies, where a simple operation can be performed in several seconds. In this paper, a new architecture for accelerating homomorphic function evaluation on FPGA is proposed. While ideas such as the small/large-CRT representation are reused from previous architectures, a modified version of the cached NTT algorithm is presented in this paper, allowing it to be efficiently computed in a multi-core environment. In order to compute an N-point NTT, the architecture consists of sqrt(N) cores, each capable of computing a sqrt(N)-point NTT, with a special purpose Network-on-Chip (NoC) for coefficient reordering. The proposed NoC enables reordering coefficients in time O(sqrt(N)), leading to an overall parallel NTT algorithm of time complexity O(sqrt(N)log(sqrt(N))). The architecture has been implemented on Xilinx Virtex 7 XC7V1140T FPGA. The design consumes 22% of the registers, 95% of the LUTs, 91% of the DSPs and 85% of the Block RAMs. The implementation performs 32-bit 2^(16)-point NTT algorithm in 23.8 us, achieving speed-up of 14x over the state of the art architecture in this crucial operation. The architecture has been evaluated by computing a block of each of the AES and SIMON-64/128 on the LTV and YASHE schemes. The proposed architecture can evaluate the AES circuit using the LTV scheme in 4 minutes, processing 2048 blocks in parallel, which leads to an amortized performance of 117 ms/block, which is the fastest performance reported to the best of our knowledge.
ePrint Report SPORT: Sharing Proofs of Retrievability across Tenants Frederik Armknecht, Jens-Matthias Bohli, David Froelicher, Ghassan O. Karame
Proofs of Retrievability (POR) are cryptographic proofs which provide assurance to a single tenant (who creates tags using his secret material) that his files can be retrieved in their entirety. However, POR schemes completely ignore storage-efficiency concepts, such as multi-tenancy and data deduplication, which are being widely utilized by existing cloud storage providers. Namely, in deduplicated storage systems, existing POR schemes would incur an additional overhead for storing tenants’ tags which grows linearly with the number of users deduplicating the same file. This overhead clearly reduces the (economic) incentives of cloud providers to integrate existing POR/PDP solutions in their offerings. In this paper, we propose a novel storage-efficient POR, dubbed SPORT, which transparently supports multi-tenancy and data deduplication. More specifically, SPORT enables tenants to securely share the same POR tags in order to verify the integrity of their deduplicated files. By doing so, SPORT considerably reduces the storage overhead borne by cloud providers when storing the tags of different tenants deduplicating the same content.We show that SPORT resists against malicious tenants/cloud providers (and against collusion among a subset of the tenants and the cloud). Finally, we implement a prototype based on SPORT, and evaluate its performance in a realistic cloud setting. Our evaluation results show that our proposal incurs tolerable computational overhead on the tenants and the cloud provider.
ePrint Report Robust Multi-Property Combiners for Hash Functions Marc Fischlin, Anja Lehmann, Krzysztof Pietrzak
A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously.

We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2n + \omega(log n). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length.
26 July 2016
The proceedings for FSE 2016 are now available via SpringerLink. Through our agreement with Springer, IACR members can access these proceedings for free by logging into this access page. FSE 2016 is the last proceedings of FSE to be published through Springer, as FSE is transitioning to a conference-journal hybrid whose papers will be published in the new Transactions on Symmetric Cryptology.
Job Posting Faculty position (Full Professor, W3) Center for IT-Security, Privacy, and Accountability, Saarland University, Saarbrücken, Germany
Faculty position (Full Professor, W3) for Computer Science, with a focus on "IT Security, Privacy, and Cryptography"

CISPA, the Center for IT-Security, Privacy, and Accountability at Saarland University in Germany is searching for excellent applicants with a strong international standing from all areas of IT Security, Privacy, and Cryptography.

Applicants are expected to display outstanding scientific research abilities, management skills, as well as excellent teaching skills and a strong dedication towards teaching. The scientific qualification should be especially proven by publications at the leading international IT-Security Conferences. University courses for Master’s studies and at the Graduate School are taught in English. The chosen applicant is expected to participate actively in the development of CISPA.

Closing date for applications: 12 August 2016

Contact: Prof. Dr. Michael Backes

Full Professor at Saarland University

Director of the Center for IT-Security, Privacy, and Accountability

Campus E 9 1, 66123 Saarbrücken, Germany

Email: backes (at) cispa.saarland

Phone: +49 681 302-3249