Here you can see all recent updates to the IACR webpage. These updates are also available:

21
January
2019

Event Calendar
Cloud S&P 2019: 1st Workshop on Cloud Security and Privacy
BogotÃ¡, Colombia, 5 June - 7 June 2019

Event date: 5 June to 7 June 2019

Submission deadline: 30 March 2019

Notification: 30 April 2019

Submission deadline: 30 March 2019

Notification: 30 April 2019

Event Calendar
EuroSPEC'19: 2019 European Workshop on Security and Privacy in Edge Computing
Stockholm, Sweeden, 16 June 2019

Event date: 16 June 2019

Submission deadline: 1 March 2019

Notification: 1 April 2019

Submission deadline: 1 March 2019

Notification: 1 April 2019

Event Calendar
ESORICS 2019: The 24th European Symposium on Research in Computer Security
Luxembourg, Luxembourg, 23 September - 27 September 2019

Event date: 23 September to 27 September 2019

Submission deadline: 22 April 2019

Notification: 21 June 2019

Submission deadline: 22 April 2019

Notification: 21 June 2019

PhD and Postdoc positions are available in the new research group in Applied Cryptography being set up by Kenny Paterson in the Department of Computer Science at ETH Zurich, Switzerland.

Candidates for PhD positions should already have, or be near to completing, a Masters in Computer Science and/or Mathematics. They should have a demonstrable interest in Applied Cryptography.

Candidates for Postdoc positions should additionally be able to demonstrate creativity, independence and excellence in Applied Cryptography research. Applications from people with interests in all areas of the field are welcome.

Positions are available from Spring 2019. The selection process will run until suitable candidates have been found.

Initial enquiries should be sent by email, with subject line *Application for Postdoc* or *Application for PhD*, and addressed directly to Prof. Kenny Paterson.

**Closing date for applications:** 1 December 2019

**Contact:** Kenny Paterson - kenny.paterson (at) inf.ethz.ch

**More information:** https://www.inf.ethz.ch/

The Department of Computer Science at the University of Hong Kong is looking for Postdoc Research Fellow/Research Assistants. He/she should possess experience or interest in at least some of the following research areas:

• Public Key Cryptography

• Privacy-enhancing technologies

• Blockchain security and privacy

• Applied cryptography, especially in the area of Fintech

Job requirements:

• Strong publication record in cryptography and cyber security area

• Good communication skills, self-motivated and good team players

• Some experience in programming is a plus

The funding is available for one year with a flexible starting date, a very competitive salary and a possibility of extension upon successful performance. Doing research in Hong Kong, an international financial center, allows you to have more collaboration opportunities with the industry and to apply your knowledge in the real world.

To apply for the above position, please send a copy of your recent CV to “thyuen at cs dot hku dot hk” with an email subject “Application for PDF/RA”.

**Closing date for applications:** 30 June 2019

**Contact:** Name: John Yuen

Email: thyuen at cs dot hku dot hk

18
January
2019

Job Posting
(Tenure Track) Assistant Professor Coding Theory
Eindhoven University of Technology, the Netherlands

The Coding Theory and Cryptology (CC) group of the Discrete Mathematics (DM) section of the Department of Mathematics and Computer Science (M&CS) at Eindhoven University of Technology (TU/e) intends to fill a full-time position for a (tenure-track) assistant professor in Coding Theory.

**Closing date for applications:** 14 March 2019

**Contact:** Tanja Lange, TU/e, *t.lange (at) tue.nl*

**More information:** https://jobs.tue.nl/en/vacancy/tt-assistant-professor-coding-theory-449061.html

The symmetric crypto group at the Ruhr University Bochum is looking for Ph.D. students and postdoctoral researchers in the area of symmetric crypto.

The group is part of the Horst Görtz Institute for IT Security. It is regarded as one of the top research institutions, has Europe\'s largest IT security training programs, maintains extensive networks with the scientific communication and industry, and has produced numerous successful cyber security start-ups. This outstanding environment offers excellent working conditions in an extremely topical and exciting field.

The symmetric crypto group is looking for excellent M.Sc. graduates with outstanding grades and degrees in computer science, mathematics, or related disciplines.

In addition, we are looking for outstanding postdoctoral candidates with a strong track record in symmetric cryptography.

We offer three-year positions for M.Sc. graduates. Postdoctoral positions are limited to two years. The salary will be according to the remuneration group E 13 TV-L (full-time).

Are you interested?

Please send your complete application documents in one single pdf file (max. 10 MB) by January 31, 2019 to: *gregor.leander (at) rub.de*

Required documents are:

- Letter of motivation

- Curriculum vitae,

- Master\'s certificate,

- Doctoral certificate, if applicable.

At Ruhr University Bochum, we seek to promote the careers of women particularly in those areas in which they are underrepresented, and we are therefore particularly pleased to receive applications from female candidates. Applications by suitable candidates with severe disabilities and other applicants with equal legal status are likewise most welcome.

**Closing date for applications:** 31 January 2019

We are looking for outstanding Post doctoral researchers working on topics related to cryptography and IT Security.

Current topics of interest include (but are not limited to):

- Blockchains and cryptocurrencies

- Secure cryptographic implementations

- Leakage/tamper resilient cryptography

- Distributed cryptography

The application must include a curriculum vitae, a short research statement, and names of 2 contacts that can provide reference about the applicant and her/his work. The candidate shall be able to show solid expertise in cryptography/IT Security illustrated in form of publications at major crypto/security venues such as CRYPTO, EUROCRYPT, ASIACRYPT, TCC, PKC, CHES, FC, ACM CCS, IEEE S&P, USENIX Security, NDSS etc.

The position can be partially funded by the Ethereum Foundation and hence offers an internationally competitive salary including social benefits, and the opportunity for close collaboration with one of the leading cryptocurrencies.

TU Darmstadt offers excellent working environment in the heart of the Rhein-Main area, and has a strong institute for research on IT security with more than 300 researchers working on all aspects of cybersecurity.

Review of applications starts immediately until the position is filled.

Contact: Prof. Sebastian Faust, Contact: sebastian.faust(at)cs(dot)tu-darmstadt(dot)de

**Closing date for applications:** 20 March 2019

The Security & Privacy group at TU Wien and the blockchain R&D lab CoBloX are currently looking for outstanding Ph.D. candidates, with a particular focus on:

• security and privacy

• cryptography

• distributed systems

Outstanding candidates in other disciplines are also encouraged to apply. The successful candidates will conduct research in the area of blockchain and distributed ledger technologies. Research topics may cover (but are not limited to):

• formal cryptographic models for security and privacy in blockchain

• cryptographic protocols for blockchain applications

• implementation and evaluation of off-chain protocols in the COMIT network

The employment is a full-time position (40 hrs/week) and the salary is internationally competitive. The working language will be English, knowledge of German is not required.

Interested candidates should send

• a motivation letter

• a transcript of records

• a curriculum vitae

• a publication list

• contact information for two referees

to *pedro.sanchez (at) tuwien.ac.at.*

TU Wien offers an outstanding research environment and numerous professional development opportunities. The Faculty of Informatics is the largest one in Austria and is consistently ranked among the best in Europe. Vienna features a vibrant and excellence-driven research landscape, with a special focus on blockchain technologies. Finally, Vienna has been consistently ranked by Mercer over the last years the best city for quality of life worldwide.

CoBloX is a research and development (R&D) lab with a goal to make cryptocurrencies instantly spendable anytime anywhere. The mission of CoBloX is to connect anyone and anything to decentralized services in order to build the very fabric of the decentralized future. CoBloX is the creator of the COMIT network which is a completely open source and free to use the network. It is powered by unique cryptographic protocols which allow seamless and trustless cross-blockchain transactions.

**Closing date for applications:** 31 March 2019

**Contact:** Pedro Moreno-Sanchez

**More information:** https://secpriv.tuwien.ac.at/thesis_and_job_opportunities

ePrint Report
A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke
Qian Guo, Thomas Johansson, Alexander Nilsson

Hard learning problems are central topics in recent cryptographic research. Many cryptographic primitives relate their security to difficult problems in lattices, such as the shortest vector problem. Such schemes include the possibility of decryption errors with some very small probability. In this paper we propose and discuss a generic attack for secret key recovery based on generating decryption errors. In a standard PKC setting, the model first consists of a precomputation phase where
special messages and their corresponding error vectors are generated. Secondly, the messages are submitted for decryption and some decryption errors are observed. Finally, a phase with a statistical analysis of the messages/errors causing the decryption errors reveals the secret key. The idea is that conditioned on certain secret keys, the decryption error probability is significantly higher than the average case used in the error probability estimation. The attack is demonstrated in detail on one
NIST Post-Quantum Proposal, ss-ntru-pke, that is attacked with complexity below the claimed security level.

17
January
2019

ePrint Report
Hunting and Gathering - Verifiable Random Functions from Standard Assumptions with Short Proofs
Lisa Kohl

A verifiable random function (VRF) is a pseudorandom function, where outputs can be publicly verified. That is, given an output value together with a proof, one can check that the function was indeed correctly evaluated on the corresponding input. At the same time, the output of the function is computationally indistinguishable from random for all non-queried inputs.
We present the first construction of a VRF which meets the following properties at once: It supports an exponential-sized input space, it achieves full adaptive security based on a non-interactive constant-size assumption and its proofs consist of only a logarithmic number of group elements for inputs of arbitrary polynomial length.
Our construction can be instantiated in symmetric bilinear groups with security based on the decision linear assumption.
We build on the work of Hofheinz and Jager (TCC 2016), who were the first to construct a verifiable random function with security based on a non-interactive constant-size assumption. Basically, their VRF is a matrix product in the exponent, where each matrix is chosen according to one bit of the input. In order to allow verification given a symmetric bilinear map, a proof consists of all intermediary results. This entails a proof size of Omega(L) group elements, where L is the bit-length of the input.
Our key technique, which we call hunting and gathering, allows us to break this barrier by rearranging the function, which - combined with the partitioning techniques of Bitansky (TCC 2017) - results in a proof size of l group elements for arbitrary l in omega(1).

ePrint Report
Message Authentication (MAC) Algorithm For The VMPC-R (RC4-like) Stream Cipher
Bartosz Zoltak

We propose an authenticated encryption scheme for the VMPC-R stream cipher. VMPC-R is an RC4-like algorithm proposed in 2013. It was created in a challenge to find a bias-free cipher within the RC4 design scope and to the best of our knowledge no security weakness in it has been published to date. The contribution of this paper is an algorithm to compute Message Authentication Codes (MACs) along with VMPC-R encryption. We also propose a simple method of transforming the MAC computation algorithm into a hash function.

We present NTTRU -- an IND-CCA2 secure NTRU-based key encapsulation scheme that uses the number theoretic transform (NTT) over the cyclotomic ring $Z_{7681}[X]/(X^{768}-X^{384}+1)$ and produces public keys and ciphertexts of approximately $1.25$ KB at the $128$-bit security level. The number of cycles on a Skylake CPU of our constant-time AVX2 implementation of the scheme for key generation, encapsulation and decapsulation is approximately $6.4$K, $6.1$K, and $7.9$K, which is more than 30X, 5X, and 8X faster than these respective procedures in the NTRU schemes that were submitted to the NIST post-quantum standardization process. These running times are also, by a large margin, smaller than those for all the other schemes in the NIST process. We also give a simple transformation that allows one to provably deal with small decryption errors in OW-CPA encryption schemes (such as NTRU) when using them to construct an IND-CCA2 key encapsulation.

ePrint Report
Fully Invisible Protean Signatures Schemes
Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig

Protean Signatures (PS), recently introduced by Krenn et al. (CANS '18), allow a semi-trusted third party, named the sanitizer, to modify a signed message in a controlled way.
The sanitizer can
edit signer-chosen parts to arbitrary bitstrings, while the sanitizer can also redact
admissible parts, which are also chosen by the signer. Thus, PSs generalize both redactable signature (RSS) and sanitizable signature (SSS)
into a single notion.
However, the current definition of invisibility does not prohibit that an outsider can decide which
parts of a message are redactable - only which parts can be edited are hidden. This negatively
impacts on the privacy guarantees provided by the state-of-the-art definition.

We extend PSs to be fully invisible. This strengthened notion guarantees that an outsider can neither decide which parts of a message can be edited nor which parts can be redacted. To achieve our goal, we introduce the new notions of Invisible RSSs and Invisible Non-Accountable SSSs (SSS'), along with a consolidated framework for aggregate signatures. Using those building blocks, our resulting construction is significantly more efficient than the original scheme by Krenn et al., which we demonstrate in a prototypical implementation.

We extend PSs to be fully invisible. This strengthened notion guarantees that an outsider can neither decide which parts of a message can be edited nor which parts can be redacted. To achieve our goal, we introduce the new notions of Invisible RSSs and Invisible Non-Accountable SSSs (SSS'), along with a consolidated framework for aggregate signatures. Using those building blocks, our resulting construction is significantly more efficient than the original scheme by Krenn et al., which we demonstrate in a prototypical implementation.

Identity-based broadcast encryption (IBBE) is an effective method to protect the data security and privacy in multi-receiver scenarios, which can make broadcast encryption more practical. This paper further expands the study of scalable revocation methodology in the setting of IBBE, where a key authority releases a key update material periodically in such a way that only non-revoked users can update their decryption keys. Following the binary tree data structure approach, a concrete instantiation of revocable IBBE scheme is proposed using asymmetric pairings of prime order bilinear groups. Moreover, this scheme can withstand decryption key exposure, which is proven to be semi-adaptively secure under chosen plaintext attacks in the standard model by reduction to static complexity assumptions. In particular, the proposed scheme is very efficient both in terms of computation costs and communication bandwidth, as the ciphertext size is constant, regardless of the number of recipients. To demonstrate the practicality, it is further implemented in Charm, a framework for rapid prototyping of cryptographic primitives.

This paper presents a very practical key recovery attack on Speck32/64 reduced to 11 rounds based on a novel type of differential distinguisher using machine learning. These distinguishers exceed distinguishers based on the entire differential distribution table of Speck32/64 in accuracy, specificity and sensitivity. We show that they obtain significant gain from features of the output distribution that are invisible to the differential distribution table. The key recovery attack has been completely verified empirically and has an average runtime of approximately three minutes on a desktop computer with a fast graphics card or about 30 minutes on the same machine when not using the graphics card. This corresponds to roughly 41 bits of remaining security for 11-round Speck32/64, which is a substantial improvement over previous literature. The average data complexity of our attack is slightly lower than the best previous attack on the same number of rounds.

While our attack is based on a known input difference taken from the literature, we also show that neural networks can be used to rapidly (within a matter of minutes on our machine) find good input differences without using prior human cryptanalysis.

While our attack is based on a known input difference taken from the literature, we also show that neural networks can be used to rapidly (within a matter of minutes on our machine) find good input differences without using prior human cryptanalysis.

ePrint Report
Non-Zero Inner Product Encryption Schemes from Various Assumptions: LWE, DDH and DCR
Shuichi Katsumata, Shota Yamada

In non-zero inner product encryption (NIPE) schemes, ciphertexts and secret keys are associated with vectors and decryption is possible whenever the inner product of these vectors does not equal zero. So far, much effort on constructing bilinear map-based NIPE schemes have been made and this has lead to many efficient schemes. However, the constructions of NIPE schemes without bilinear maps are much less investigated. The only known other NIPE constructions are based on lattices, however, they are all highly inefficient due to the need of converting inner product operations into circuits or branching programs.

To remedy our rather poor understanding regarding NIPE schemes without bilinear maps, we provide two methods for constructing NIPE schemes: a direct construction from lattices and a generic construction from functional encryption schemes for inner products (LinFE). For our first direct construction, it highly departs from the traditional lattice-based constructions and we rely heavily on new tools concerning Gaussian measures over multi-dimensional lattices to prove security. For our second generic construction, using the recent constructions of LinFE schemes as building blocks, we obtain the first NIPE constructions based on the DDH and DCR assumptions. In particular, we obtain the first NIPE schemes without bilinear maps or lattices.

To remedy our rather poor understanding regarding NIPE schemes without bilinear maps, we provide two methods for constructing NIPE schemes: a direct construction from lattices and a generic construction from functional encryption schemes for inner products (LinFE). For our first direct construction, it highly departs from the traditional lattice-based constructions and we rely heavily on new tools concerning Gaussian measures over multi-dimensional lattices to prove security. For our second generic construction, using the recent constructions of LinFE schemes as building blocks, we obtain the first NIPE constructions based on the DDH and DCR assumptions. In particular, we obtain the first NIPE schemes without bilinear maps or lattices.

ePrint Report
Using TopGear in Overdrive: A more efficient ZKPoK for SPDZ
Daniele Cozzo, Nigel P. Smart

We present a modification to the ZKPoKs used in the HighGear offline protocol for the SPDZ Multi-Party Computation protocol. This modification allows us to both increase the security of the underlying protocols, whilst at the same time maintaining roughly the same performance in terms of memory and bandwidth consumption. The last two being major constraints of the original HighGear protocol. We argue the inefficiency of HighGear means that current implementations of SPDZ use far too low security parameters in a number of places. We show that using TopGear one can select high security parameters for all cases.

ePrint Report
A Formal Treatment of Hardware Wallets
Myrto Arapinis, Andriana Gkaniatsou, Dimitris Karakostas, Aggelos Kiayias

Bitcoin, being the most successful cryptocurrency, has been repeatedly attacked with many users losing their funds. The industry's response to securing the user's assets is to offer tamper-resistant hardware wallets. Although such wallets are considered to be the most secure means for managing an account, no formal attempt has been previously done to identify, model and formally verify their properties. This paper provides the first formal model of the Bitcoin hardware wallet operations. We identify the properties and security parameters of a Bitcoin wallet and formally define them in the Universal Composition (UC) Framework. We present a modular treatment of a hardware wallet ecosystem, by realizing the wallet functionality in a hybrid setting defined by a set of protocols. This approach allows us to capture in detail the wallet's components, their interaction and the potential threats. We deduce the wallet's security by proving that it is secure under common cryptographic assumptions, provided that there is no deviation in the protocol execution. Finally, we define the attacks that are successful under a protocol deviation, and analyze the security of commercially available wallets.

ePrint Report
FE for Inner Products and Its Application to Decentralized ABE
Zhedong Wang, Xiong Fan, Feng-Hao Liu

In this work, we revisit the primitive functional encryption (FE) for inner products and show its application to decentralized attribute- based encryption (ABE). Particularly, we derive an FE for inner prod- ucts that satisfies a stronger notion, and show how to use such an FE to construct decentralized ABE for the class $\{0,1\}$-LSSS against bounded collusions in the plain model. We formalize the FE notion and show how to achieve such an FE under the LWE or DDH assumption. Therefore, our resulting decentralized ABE can be constructed under the same standard assumptions, improving the prior construction by Lewko and Waters (Eurocrypt 2011). Finally, we also point out challenges to construct decentralized ABE for general functions by establishing a relation between such an ABE and witness encryption for general NP statements.

ePrint Report
Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation
Steven Galbraith, Jake Massimo, Kenneth G. Paterson

We consider the problem of constructing Diffie-Hellman (DH) parameters which pass standard approaches to parameter validation but for which the Discrete Logarithm Problem (DLP) is relatively easy to solve. We consider both the finite field setting and the elliptic curve setting.

For finite fields, we show how to construct DH parameters $(p,q,g)$ for the safe prime setting in which $p=2q+1$ is prime, $q$ is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and $g$ is of order $q$ mod $p$. The construction involves modifying and combining known methods for obtaining Carmichael numbers. Concretely, we provide an example with 1024-bit $p$ which passes OpenSSL's Diffie-Hellman validation procedure with probability $2^{-24}$ (for versions of OpenSSL prior to 1.1.0i). Here, the largest factor of $q$ has 121 bits, meaning that the DLP can be solved with about $2^{64}$ effort using the Pohlig-Hellman algorithm. We go on to explain how this parameter set can be used to mount offline dictionary attacks against PAKE protocols.

In the elliptic curve case, we use an algorithm of Broker and Stevenhagen to construct an elliptic curve $E$ over a finite field ${\mathbb{F}}_p$ having a specified number of points $n$. We are able to select $n$ of the form $h\cdot q$ such that $h$ is a small co-factor, $q$ is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and $E$ has a point of order $q$. Concretely, we provide example curves at the 128-bit security level with $h=1$, where $q$ passes a single random-base Miller-Rabin primality test with probability $1/4$ and where the elliptic curve DLP can be solved with about $2^{44}$ effort. Alternatively, we can pass the test with probability $1/8$ and solve the elliptic curve DLP with about $2^{35.5}$ effort. These ECDH parameter sets lead to similar attacks on PAKE protocols relying on elliptic curves.

Our work shows the importance of performing proper (EC)DH parameter validation in cryptographic implementations and/or the wisdom of relying on standardised parameter sets of known provenance.

For finite fields, we show how to construct DH parameters $(p,q,g)$ for the safe prime setting in which $p=2q+1$ is prime, $q$ is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and $g$ is of order $q$ mod $p$. The construction involves modifying and combining known methods for obtaining Carmichael numbers. Concretely, we provide an example with 1024-bit $p$ which passes OpenSSL's Diffie-Hellman validation procedure with probability $2^{-24}$ (for versions of OpenSSL prior to 1.1.0i). Here, the largest factor of $q$ has 121 bits, meaning that the DLP can be solved with about $2^{64}$ effort using the Pohlig-Hellman algorithm. We go on to explain how this parameter set can be used to mount offline dictionary attacks against PAKE protocols.

In the elliptic curve case, we use an algorithm of Broker and Stevenhagen to construct an elliptic curve $E$ over a finite field ${\mathbb{F}}_p$ having a specified number of points $n$. We are able to select $n$ of the form $h\cdot q$ such that $h$ is a small co-factor, $q$ is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and $E$ has a point of order $q$. Concretely, we provide example curves at the 128-bit security level with $h=1$, where $q$ passes a single random-base Miller-Rabin primality test with probability $1/4$ and where the elliptic curve DLP can be solved with about $2^{44}$ effort. Alternatively, we can pass the test with probability $1/8$ and solve the elliptic curve DLP with about $2^{35.5}$ effort. These ECDH parameter sets lead to similar attacks on PAKE protocols relying on elliptic curves.

Our work shows the importance of performing proper (EC)DH parameter validation in cryptographic implementations and/or the wisdom of relying on standardised parameter sets of known provenance.

ePrint Report
Collusion Resistant Broadcast and Trace from Positional Witness Encryption
Rishab Goyal, Satyanarayana Vusirikala, Brent Waters

An emerging trend is for researchers to identify cryptography primitives for which feasibility was first established under obfuscation and then move the realization to a different setting. In this work we explore a new such avenue — to move obfuscation-based cryptography to the assumption of (positional) witness encryption. Our goal is to develop techniques and tools, which we will dub “witness encryption friendly” primitives and use these to develop a methodology for building advanced cryptography from positional witness encryption.
We take a bottom up approach and pursue our general agenda by attacking the specific problem of building collusion-resistant broadcast systems with tracing from positional witness encryption. We achieve a system where the size of ciphertexts, public key and private key are polynomial in the security parameter $\lambda$ and independent of the number of users N in the broadcast system. Currently, systems with such parameters are only known from indistinguishability obfuscation.

ePrint Report
Analysis of Two Countermeasures against the Signal Leakage Attack
Ke Wang, Zhenfeng Zhang

In 2017, a practical attack, referred to as the signal leakage
attack, against reconciliation-based RLWE key exchange protocols was
proposed. In particular, this attack can recover a long-term private key
if a key pair is reused.
Directly motivated by this attack, recently, Ding et al. proposed two
countermeasures against the attack. One is the RLWE key exchange
protocol with reusable keys (KERK), which is included in the Ding Key
Exchange, a NIST submission. The idea for this construction is using zero
knowledge proof. The other is the practical randomized RLWE-based key
exchange (PRKE) (TOC’18), which mixes more randomization.
We found that the two countermeasures above can effectively prevent
malicious Alice from recovering the private key of Bob when keys are
reused. However, both countermeasures don’t consider the case where
malicious Bob tries to recover the private key of Alice. In particular,
malicious Bob can recover the private key of Alice by carefully choosing
what he sends and observing whether shared keys match. By analyzing
the complexities of these attacks, the results show these attacks are
practical and effective.
Notice that the key to carry out these attacks is that malicious Bob
chooses a RLWE sample with the special structure as his public key.
Therefore, other RLWE-based schemes, including KEM (or key exchange)
and PKE, are also vulnerable to these attacks. In response to these attacks,
we propose a mechanism where one party can construct a new
”public key” of the other party, and in order to illustrate the mechanism,
we give an improved KERK.

15
January
2019

ePrint Report
Upper Bound on $\lambda_1(\Lambda^{\bot}(\mathbf A))$
Huiwen Jia, Yupu Hu, Chunming Tang, Yanhua Zhang

It has been shown that, for appropriate parameters, solving the $\mathsf{SIS}$ problem in the average case is at least as hard as approximating certain lattice problems in the worst case %on any $n$-dimensional lattice
to within polynomial factor $\beta\cdot\widetilde{O}(\sqrt n)$, where typically $\beta=O(\sqrt{n\log n})$ such that random $\mathsf{SIS}$ instances admit a solution. In this work, we show that $\beta=O(1)$, i.e., $\beta$ is essentially upper-bounded by a constant. This directly gives us a poly-time exhaustive search algorithm for solving the $\mathsf{SIS}$ problem (resulting in approximating certain worst-case lattice problems to within $\widetilde{O}(\sqrt n)$ factor). Although the exhaustive search algorithm is rather inefficient for typical setting of parameters, our result indicates that lattice-based cryptography is not secure, at least in an asymptotical sense. Our work is based on an observation of the lower/upper bounds on the smoothing parameter for lattices.

ePrint Report
nQUIC: Noise-Based QUIC Packet Protection
Mathias Hall-Andersen, David Wong, Nick Sullivan, Alishah Chator

We present nQUIC, a variant of QUIC-TLS that uses the Noise protocol framework for its key exchange and basis of its packet protector with no semantic transport changes. nQUIC is designed for deployment in systems and for applications that assert trust in raw public keys rather than PKI-based certificate chains. It uses a fixed key exchange algorithm, compromising agility for implementation and verification ease. nQUIC provides mandatory server and optional client authentication, resistance to Key Compromise Impersonation attacks, and forward and future secrecy of traffic key derivation, which makes it favorable to QUIC-TLS for long-lived QUIC connections in comparable applications. We developed two interoperable prototype implementations written in Go and Rust. Experimental results show that nQUIC finishes its handshake in a comparable amount of time as QUIC-TLS.

Group signatures allow members of a group to anonymously produce signatures on behalf of the group. They are an important building block for privacy-enhancing applications, e.g., enabling user data to be collected in authenticated form while preserving the user’s privacy. The linkability between the signatures thereby plays a crucial role for balancing utility and privacy: knowing the correlation of events significantly increases the utility of the data but also severely harms the user’s privacy. Therefore group signatures are unlinkable per default, but either support linking or identity escrow through a dedicated central party or offer user-controlled linkability. However, both approaches have significant limitations. The former relies on a fully trusted entity and reveals too much information, and the latter requires exact knowledge of the needed linkability at the moment when the signatures are created. However, often the exact purpose of the data might not be clear at the point of data collection. In fact, data collectors tend to gather large amounts of data at first, but will need linkability only for selected, small subsets of the data. We introduce a new type of group signatures that provide a more flexible and privacy-friendly access to such selective linkability. When created, all signatures are fully unlinkable. Only when strictly needed or desired, should the required pieces be made linkable with the help of a central entity. For privacy, this linkability is established in an oblivious and non-transitive manner. We formally define the requirements for this new type of group signatures and provide an efficient instantiation that provably satisfies these requirements under discrete-logarithm based assumptions.

ePrint Report
Non-malleable encryption with proofs of plaintext knowledge and applications to voting
Ben Smyth, Yoshikazu Hanatani

Non-malleable asymmetric encryption schemes which prove plaintext knowledge are sufficient for secrecy in some domains. For example, ballot secrecy in voting. In these domains, some applications derive encryption schemes by coupling malleable ciphertexts with proofs of plaintext knowledge, without evidence that the sufficient condition (for secrecy) is satisfied nor an independent security proof (of secrecy). Consequently, it is unknown whether these applications satisfy desirable secrecy properties. In this article, we propose a generic construction for such a coupling and show that our construction produces non-malleable encryption schemes which prove plaintext knowledge. Furthermore, we show how our results can be used to prove ballot secrecy of voting systems. Accordingly, we facilitate the development of applications satisfying their security objectives.

ePrint Report
STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers
Yu Liu, Huicong Liang, Muzhou Li, Luning Huang, Kai Hu, Chenhe Yang, Meiqin Wang

Automatic tools have played an important role in designing new cryptographic primitives and evaluating the security of ciphers. Simple Theorem Prover constraint solver (STP) has been used to search for differential/linear trails of ciphers. This paper proposes general STP-based models searching for differential and linear trails with the optimal probability and correlation for S-box based ciphers. In order to get trails with the best probability or correlation for ciphers with arbitrary S-box, we give an efficient algorithm to describe probability or correlation of S-Box. Based on the algorithm we present a search model for optimal differential and linear trails, which is efficient for ciphers with S-Boxes whose DDTs/LATs contain entities not equal to the power of two. Meanwhile, the STP-based model for single-key impossible differentials considering key schedule is proposed, which traces the propagation of values from plaintext to ciphertext instead of propagations of differences. And we found that there is no 5-round AES-128 single-key truncated impossible differential considering key schedule, where input and output differences have only one active byte respectively. Finally, our proposed models are utilized to search for trails of bit-wise ciphers GIFT-128, DES, DESL and ICEBERG and word-wise ciphers ARIA, SM4 and SKINNY-128. As a result, improved results are presented in terms of the number of rounds or probabilities/correlations.

ePrint Report
A publicly verifiable quantum signature scheme based on asymmetric quantum cryptography
Yalin Chen, Jue-Sam Chou, Fang-Qi Zhou

In 2018, Shi et al. 's showed that Kaushik et al.'s quantum signature scheme is defective. It suffers from the forgery attack. They further proposed an improvement, trying to avoid the attack. However, after examining we found their improved quantum signature is deniable, because the verifier can impersonate the signer to sign a message. After that, when a dispute occurs, he can argue that the signature was not signed by him. It was from the signer. To overcome the drawback, in this paper, we raise an improvement to make it publicly verifiable and hence more suitable to be applied in real life. After cryptanalysis, we confirm that our improvement not only resist the forgery attack but also is undeniable.

14
January
2019

Subspace Labs is building the future of decentralized cloud-based services. The subspace protocol and ecosystem enables developers to easily build web and mobile apps that give end users full ownership and control over their data. We are venture backed and have received a National Science Foundation (NSF) research grant to fund this position. We are seeking a Cryptographer who has familiarity with the blockchain space and existing decentralized protocols to help us develop and implement a new set of cryptographic primitives while ensuring the protocol is secure across a public network of untrusted nodes.

Requirements

• An MS or Ph.D. in cryptography or computer security

• Proficiency in at least one of the following languages: C,Python, Rust or Javascript. Proficiency in NodeJS and Typescript is a plus.

• Previous work and contribution to open-source projects, especially those dealing with blockchains or decentralized protocols.

• Experience with Proof-of-Space, Proof-of-Storage and Proof-of-Time cryptographic primitives

• Experience with the OpenPGP protocol, specifically OpenPGP-JS

• Experience with a canonical signature scheme such as BLS

• Local to the San Francisco Bay Area or willing to relocate

• Must be based in the United States for grant compliance purposes.

Responsibilities

• Develop and implement a hybrid proof-of-space that allows for both blockchain consensus and validation of storage pledges

• Select and implement a lightweight proof-of-replication, possibly based on Verifiable Delay Functions (VDFs)

• Take over primary responsibility for the Subspace Credit Leger, a modular component of the Subspace Protocol that is an early implementation of a Proof of Space-Time blockchain

• Optimize the existing usage of OpenPGP JS, explore replacement with another cryptosystem, and implement a canonical signature scheme for immutable records.

• Conduct a full security analysis of the protocol before developing and implementing necessary countermeasures

**Closing date for applications:** 31 January 2019

**Contact:** Jeremiah Wagstaff

Cofounder & CEO

*jeremiah (at) subspace.networ*k

**More information:** https://www.subspace.network