Here you can see all recent updates to the IACR webpage. These updates are also available:

8
August
2017

ePrint Report
Private Collaborative Neural Network Learning
Melissa Chase, Ran Gilad-Bachrach, Kim Laine, Kristin Lauter, Peter Rindal

Machine learning algorithms, such as neural networks, create better predictive models when having access to larger datasets. In many domains, such as medicine and ﬁnance, each institute has only access to limited amounts of data, and creating larger datasets typically requires collaboration. However, there are privacy related constraints on these collaborations for legal, ethical, and competitive reasons. In this work, we present a feasible protocol for learning neural networks in a collaborative way while preserving the privacy of each record. This is achieved by combining Differential Privacy and Secure Multi-Party Computation with Machine Learning.

Logic locking is a technique that's proposed to protect outsourced IC designs from piracy and counterfeiting by untrusted foundries. A locked IC preserves the correct functionality only when a correct key is provided. Recently, the security of logic locking is threatened by a new attack called SAT attack, which can decipher the correct key of most logic locking techniques within a few hours even for a reasonably large key-size. This attack iteratively solves SAT formulas which progressively eliminate the incorrect keys till the circuit is unlocked. In this paper, we present a circuit block (referred to as Anti-SAT block) to enhance the security of existing logic locking techniques against the SAT attack. We show using a mathematical proof that the number of SAT attack iterations to reveal the correct key in a circuit comprising an Anti-SAT block is an exponential function of the key-size thereby making the SAT attack computationally infeasible. Besides, we address the vulnerability of the Anti-SAT block to various removal attacks and investigate obfuscation techniques to prevent these removal attacks. More importantly, we provide a proof showing that these obfuscation techniques for making Anti-SAT un-removable would not weaken the Anti-SAT block's resistance to SAT attack. Through our experiments, we illustrate the effectiveness of our approach to securing modern chips fabricated in untrusted foundries.

The Institute of Cybersecurity and Cryptology at the University of Wollongong (UOW) is seeking for an excellent postdoctoral research fellow (associate research fellow) for 3 years position.

This position will conduct research in the project of “Internet of Things and Blockchain Security”. It is expected that you will be research active in the area of cyber security, and are equipped with sufficient experience in publishing research outcomes in the top forums.

You will be prompted to respond to the selection criteria as part of the online application process, based on the position description available at the link below. You will be able to save your application at any time and submit at a later date if required, you will only be able to do this before the closing date of the position.

For further information about this position, please contact Head of School and the Director of Institute of Cybersecurity and Cryptology, Professor Willy Susilo on +61 2 4221 5535 or wsusilo at uow dot edu dot au

**Closing date for applications:** 14 September 2017

**Contact:** Professor Willy Susilo

**More information:** https://jobs.uow.edu.au/careersection/ext/jobdetail.ftl?job=170831&tz=GMT%2B10%3A00

7
August
2017

Job Posting
PhD scholarship
Monash University (Faculty of Information Technology), Melbourne, Australia

There are multiple 3-year (maximum 3.5 years) PhD scholarships (A$26k-36k per annual, tax free) in cyber security at the Faculty of Information Technology, Monash University (Clayton Campus), Melbourne. Australia.

Candidates must have good English (e.g. IELTS 6.5 with all bands at least 6.0) PLUS an excellent background in at least one of the following areas:

- Applied Cryptography

- Database

- Blockchain

Applicants please send your CV AND publication record to Joseph Liu at joseph.liu(at)monash.edu

Only shortlisted candidates will be contacted.

**Closing date for applications:** 31 December 2017

**Contact:** Joseph Liu

**More information:** http://users.monash.edu.au/~kailiu/

Job Posting
Research Fellow in post-quantum cryptography and/or Blockchain
Monash University (Faculty of Information Technology), Melbourne, Australia

We are looking for research fellows (2 positions) to work on post-quantum cryptography and blockchain. The positions are 3-year contract, with salary ranging from A$84,338 to A$113,166 before tax.

Applicants should have a PhD and strong background in applied cryptography, especially in post-quantum cryptography. Knowledge in blockchain is an advantage. Applicants with very strong background in blockchain only will also be considered.

Interested candidates should send a CV and a research statement to Joseph Liu at joseph.liu(at)monash.edu

Selection of applications will start immediately.

**Closing date for applications:** 31 December 2017

**Contact:** Joseph Liu

ePrint Report
GIFT: A Small Present (Full version)
Subhadeep Banik, Sumit Kumar Pandey, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, Yosuke Todo

In this article, we revisit the design strategy of PRESENT, leveraging all the advances provided by the research community in construction and cryptanalysis since its publication, to push the design up to its limits. We obtain an improved version, named GIFT, that provides a much increased efficiency in all domains (smaller and faster), while correcting the well-known weakness of PRESENT with regards to linear hulls.

GIFT is a very simple and clean design that outperforms even SIMON or SKINNY for round-based implementations, making it one of the most energy efficient ciphers as of today. It reaches a point where almost the entire implementation area is taken by the storage and the Sboxes, where any cheaper choice of Sbox would lead to a very weak proposal. In essence, GIFT is composed of only Sbox and bit-wiring, but its natural bitslice data flow ensures excellent performances in all scenarios, from area-optimised hardware implementations to very fast software implementation on high-end platforms.

We conducted a thorough analysis of our design with regards to state-of-the-art cryptanalysis, and we provide strong bounds with regards to differential/linear attacks.

GIFT is a very simple and clean design that outperforms even SIMON or SKINNY for round-based implementations, making it one of the most energy efficient ciphers as of today. It reaches a point where almost the entire implementation area is taken by the storage and the Sboxes, where any cheaper choice of Sbox would lead to a very weak proposal. In essence, GIFT is composed of only Sbox and bit-wiring, but its natural bitslice data flow ensures excellent performances in all scenarios, from area-optimised hardware implementations to very fast software implementation on high-end platforms.

We conducted a thorough analysis of our design with regards to state-of-the-art cryptanalysis, and we provide strong bounds with regards to differential/linear attacks.

ePrint Report
Simple Amortized Proofs of Shortness for Linear Relations over Polynomial Rings
Carsten Baum, Vadim Lyubashevsky

For a public value $y$ and a linear function $f$, giving a zero-knowledge proof of knowledge of a secret value $x$ that satisfies $f(x)=y$ is a key ingredient in many cryptographic protocols. Lattice-based constructions, in addition, require proofs of ``shortness'' of $x$. Of particular interest are constructions where $f$ is a function over polynomial rings, since these are the ones that result in efficient schemes with short keys and outputs.

All known approaches for such lattice-based zero-knowledge proofs are not very practical because they involve a basic protocol that needs to be repeated many times in order to achieve negligible soundness error. In the amortized setting, where one needs to give zero-knowledge proofs for many equations for the same function $f$, the situation is more promising, though still not yet fully satisfactory. Current techniques either result in proofs of knowledge of $x$'s that are exponentially larger than the $x$'s actually used for the proof (i.e. the \emph{slack} is exponential), or they have polynomial slack but require the number of proofs to be in the several thousands before the amortization advantages ``kick in''.

In this work, we give a new approach for constructing amortized zero-knowledge proofs of knowledge of short solutions over polynomial rings. Our proof has small polynomial slack and is practical even when the number of relations is as small as the security parameter.

All known approaches for such lattice-based zero-knowledge proofs are not very practical because they involve a basic protocol that needs to be repeated many times in order to achieve negligible soundness error. In the amortized setting, where one needs to give zero-knowledge proofs for many equations for the same function $f$, the situation is more promising, though still not yet fully satisfactory. Current techniques either result in proofs of knowledge of $x$'s that are exponentially larger than the $x$'s actually used for the proof (i.e. the \emph{slack} is exponential), or they have polynomial slack but require the number of proofs to be in the several thousands before the amortization advantages ``kick in''.

In this work, we give a new approach for constructing amortized zero-knowledge proofs of knowledge of short solutions over polynomial rings. Our proof has small polynomial slack and is practical even when the number of relations is as small as the security parameter.

ePrint Report
On Improving Integer Factorization and Discrete Logarithm Computation using Partial Triangulation
Fabrice Boudot

The number field sieve is the best-known algorithm for factoring integers and solving the discrete logarithm problem in prime fields. In this paper, we present some new improvements to various steps of the number field sieve. We apply these improvements on the current 768-bit discrete logarithm record and show that we are able to perform the overall computing time in about 1260 core$\cdot$years using these improvements instead of 2350 core$\cdot$years using the best known parameters for this problem. Moreover, we show that the pre-computation phase for a 768-bit discrete logarithm problem, that allows for example to build a massive decryption tool of IPsec traffic protected by the Oakley group~1, was feasible in reasonable time using technologies available before the year 2000.

ePrint Report
CAKE: Code-based Algorithm for Key Encapsulation
Paulo S. L. M. Barreto, Shay Gueron, Tim Gueneysu, Rafael Misoczki, Edoardo Persichetti, Nicolas Sendrier, Jean-Pierre Tillich

Current widely-used key-exchange (KE) mechanisms will be vulnerable to quantum attacks when sufficiently strong quantum computers become available. Therefore, devising quantum-resistant replacements that combine efficiency with solid security guarantees is an important and challenging task. This paper proposes several contributions towards this goal. First, we introduce ``{\em CAKE}'', a key-encapsulation algorithm based on the QC-MDPC McEliece encryption scheme, with two major improvements: a) the use of ephemeral keys that defeats a recent reaction-attack against MDPC decoding of the corresponding encryption scheme and b) a highly efficient key-generation procedure for QC-MDPC-based cryptosystems. Then, we present an authenticated key-exchange protocol based on CAKE, which is suitable for the Internet Key-Exchange (IKE) standard. We prove that CAKE is IND-CCA secure, that the protocol is SK-Secure, and suggest practical parameters. Compared to other post-quantum schemes, we believe that CAKE is a promising candidate for post-quantum key-exchange standardization.

ePrint Report
Verifiable Private Polynomial Evaluation
Xavier Bultel, Manik Lal Das, Hardik Gajera, David Gérault, Matthieu Giraud, Pascal Lafourcade

Delegating the computation of a polynomial to a server in a verifiable way is challenging. An even more challenging problem is ensuring that this polynomial remains hidden to clients who are able to query such a server. In this paper, we formally define the notion of \emph{Private Polynomial Evaluation} (PPE). Our main contribution is to design a rigorous security model along with relations between the different security properties. We define \emph{polynomial protection} (PP), \emph{proof unforgeability} (UNF), and \emph{indistinguishability against chosen function attack} (INDCFA), which formalizes the resistance of a PPE against attackers trying to guess which polynomial is used among two polynomials of their choice. As a second contribution, we give a cryptanalysis of two PPE schemes of the literature. Finally, we design a PPE scheme called PIPE and we prove that it is PP-, UNF- and INDCFA-secure under the decisional Diffie-Hellman assumption in the random oracle model.

ePrint Report
Efficient, Reusable Fuzzy Extractors from LWE
Daniel Apon, Congwon Cho, Karim Eldefrawy, Jonathan Katz

A fuzzy extractor (FE), proposed for deriving cryptographic keys from biometric data, enables reproducible generation of high-quality randomness from noisy inputs having sufficient min-entropy. FEs rely in their operation on a public \helper string" that is guaranteed not to leak too much information about the original input. Unfortunately, this guarantee may not hold when multiple independent helper strings are generated from correlated inputs as would occur if a user registers their biometric data with multiple servers; reusable FEs are needed in that case. Although the notion of reusable FEs was introduced in 2004, it has received relatively little attention since then.

We first analyze an FE proposed by Fuller et al. (Asiacrypt 2013) based on the learning-with-errors (LWE) assumption, and show that it is not reusable. We then show how to adapt their construction to obtain a weakly reusable FE. We also show a generic technique for turning any weakly reusable FE to a strongly reusable one, in the random-oracle model. Finally, we give a direct construction of a strongly reusable FE based on the LWE assumption, that does not rely on random oracles.

We first analyze an FE proposed by Fuller et al. (Asiacrypt 2013) based on the learning-with-errors (LWE) assumption, and show that it is not reusable. We then show how to adapt their construction to obtain a weakly reusable FE. We also show a generic technique for turning any weakly reusable FE to a strongly reusable one, in the random-oracle model. Finally, we give a direct construction of a strongly reusable FE based on the LWE assumption, that does not rely on random oracles.

ePrint Report
Long-Term Secure Time-Stamping using Preimage-Aware Hash Functions
Ahto Buldas, Matthias Geihs, Johannes Buchmann

Commonly used digital signature schemes have a limited lifetime because their security is based on computational assumptions that will potentially break in the future when more powerful computers are available.
In 1993, Bayer et al.\ proposed a method for prolonging the lifetime of a digital signature by time-stamping the signature together with the signed document.
Based on their idea long-term timestamp schemes have been developed that generate renewable timestamps.
To minimize the risk of a design failure that affects the security of these schemes, it is important to formally analyze their security.
However, many of the proposed schemes have not been subject to a formal security analysis yet.
In this paper, we address this issue by formally analyzing the security of a hash-based long-term timestamp scheme that is based on the ideas of Bayer et al.
Our analysis shows that the security level of this scheme degrades cubic over time, a security loss that needs to be taken into account when the scheme is used in practice.

ePrint Report
CryptHOL: Game-based Proofs in Higher-order Logic
David A. Basin, Andreas Lochbihler, S. Reza Sefidgar

Game-based proofs are a well-established paradigm for structuring security arguments and simplifying their understanding. We present a novel framework, CryptHOL, for rigorous game-based proofs that is supported by mechanical theorem proving. CryptHOL is based on a new semantic domain with an associated functional programming language for expressing games. We embed our framework in the Isabelle/HOL theorem prover and, using the theory of relational parametricity, we tailor Isabelle’s existing proof automation to game-based proofs.

By basing our framework on a conservative extension of higher-order logic and providing sufficient automation support, the resulting proofs are trustworthy and comprehensible, and the framework is extensible and widely applicable. We evaluate our framework by formalizing different game-based proofs from the literature and comparing the results with existing formal-methods tools.

By basing our framework on a conservative extension of higher-order logic and providing sufficient automation support, the resulting proofs are trustworthy and comprehensible, and the framework is extensible and widely applicable. We evaluate our framework by formalizing different game-based proofs from the literature and comparing the results with existing formal-methods tools.

ePrint Report
Attribute-Based Group Homomorphic Encryption and Additively Homomorphic IBE
Michael Clear, Ciaran McGoldrick

Group Homomorphic Encryption (GHE), formally defined by Armknecht, Katzenbeisser and Peter, is a public-key encryption primitive where the decryption algorithm is a group homomorphism. Hence it suports homomorphic evaluation of a single algebraic operation such as modular addition or modular multiplication. Most classical homomorphic encryption schemes such as as Goldwasser-Micali and Paillier are instances of GHE. In this work, we extend GHE to the attribute-based setting. We introduce and formally define the notion of Attribute-Based GHE (ABGHE) and explore its properties. Our main result is the construction of an Identity-Based Encryption (IBE) scheme supporting homomorphic addition modulo a poly-sized prime $e$, which is an instance of ABGHE. Our construction builds upon the IBE scheme of Boneh, LaVigne and Sabin (BLS). BLS relies on a hash function that maps identities to $e^{\text{th}}$ residues. However there is no known way to securely instantiate such a function. Our construction extends BLS so that it can use a hash function that can be securely instantiated. We prove our scheme IND-ID-CPA secure under the (slightly modified) $e^{\text{th}}$ residuosity assumption in the random oracle model and show that it supports a (modular) additive homomorphism. By using multiple instances of the scheme with distinct primes and leveraging the Chinese Remainder Theorem, we can support homomorphic addition modulo a ``large'' (i.e. superpolynomial) integer, the first such IBE scheme. We also show that our scheme for $e > 2$ is anonymous assuming the hardness of deciding solvability of a special system of multivariate polynomial equations. Finally, we define a primitive for attribute-based group homomorphisms in the multi-key setting, introduce an important security property and present a generic construction of the primitive meeting this security property.

ePrint Report
Twisting Lattice and Graph Techniques to Compress Transactional Ledgers
Rémi Géraud, David Naccache, Răzvan Roşie

Keeping track of financial transactions (e.g., in banks and blockchains) means keeping track of an ever-increasing list of exchanges between accounts. In fact, many of these transactions can be safely “forgotten”, in the sense that purging a set of them that compensate each other does not impact the network’s semantic meaning (e.g., the accounts’ balances). We call nilcatenation a collection of transactions having no effect on a network’s semantics. Such exchanges may be archived and removed, yielding a smaller, but equivalent ledger. Motivated by the computational and analytic benefits obtained from more compact representations of numerical data, we formalize the problem of finding nilcatenations, and propose detection methods based on graph and lattice-reduction techniques. Atop interesting applications of this work (e.g., decoupling of centralized and distributed databases), we also discuss the original idea of a “community-serving proof of work”: finding nilcatenations constitutes a proof of useful work, as the periodic removal of nilcatenations reduces the transactional graph’s size.

Verifiable random functions are pseudorandom functions producing publicly verifiable proofs for their outputs, allowing for efficient checks of the correctness of their computation. In this work, we introduce a new computational hypothesis, the n-Eigen-Value assumption, which can be seen as a relaxation of the U_n-MDDH assumption, and prove its equivalence with the n-Rank assumption. Based on the newly introduced computational hypothesis, we build the core of a verifiable random function having an exponentially large input space and reaching adaptive security under a static assumption. The final construction achieves shorter public and secret keys compared to the existing schemes reaching the same properties.

ePrint Report
Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency
Ioannis Demertzis, Dimitrios Papadopoulos, Charalampos Papamanthou

We propose the first linear-space searchable encryption scheme with constant locality and sublogarithmic read efficiency, strictly improving the previously best known read efficiency bound (Asharov et al., STOC 2016) from $\Theta(\log N\log \log N)$ to $O(\log N/\log \log N)$, where $N$ is the size of the dataset. Our scheme is size-sensitive, meaning our bound is tight only for keyword lists whose sizes lie within the specific range $(N^{1-1/\log\log N},N/\log^2 N]$---outside this range the read efficiency improves to $O(\log^{2/3} N)$. For our construction we develop two techniques that can be of independent interest: New probability bounds for the offline two-choice allocation problem and a new I/O-efficient oblivious RAM with $o(\sqrt {n})$ bandwidth overhead and zero failure probability.

ePrint Report
Efficient reductions in cyclotomic rings - Application to R-LWE based FHE schemes
Jean-Claude Bajard, Julien Eynard, Anwar Hasan, Paulo Martins, Leonel Sousa, Vincent Zucca

With Fully Homomorphic Encryption (FHE), it is possible to process encrypted data without having an access to the private-key. This has a
wide range of applications, most notably the offloading of
sensitive data processing. Most research on FHE has focused on the
improvement of its efficiency, namely by introducing schemes based on
the Ring-Learning With Errors (R-LWE) problem, and techniques such as batching, which allows for the encryption of
multiple messages in the same ciphertext. Much of the related research has focused on RLWE relying on power-of-two cyclotomic polynomials. While it is possible to achieve efficient arithmetic with such polynomials, one cannot exploit batching. Herein, the efficiency of ring arithmetic underpinned by non-power-of-two cyclomotic polynomials is analysed and improved. Two methods for polynomial reduction are proposed, one based on the Barrett reduction and
the other on a Montgomery representation. Speed-ups up to 2.66 are obtained for the reduction operation using an i7-5960X processor when compared with a straightforward implementation of the Barrett reduction. Moreover, the proposed methods are exploited to enhance homomorphic multiplication of FV and BGV encryption schemes, producing experimental speed-ups up to 1.37.

ePrint Report
sLiSCP: Simeck-based Permutations for Lightweight Sponge Cryptographic Primitives
Riham AlTawy, Raghvendra Rohit, Morgan He, Kalikinkar Mandal, Gangqiang Yang, Guang Gong

In this paper, we propose a family of lightweight cryptographic permutations called sLiSCP, with the sole aim to provide a realistic minimal design}that suits a variety of lightweight device applications. More precisely, we argue that for such devices the chip area dedicated for security purposes should, not only be consumed by an encryption or hashing algorithm, but also provide as many cryptographic functionalities as possible. Our main contribution is the design of a lightweight permutation employing a 4-subblock Type-2 Generalized-like Structure (GFS) and round-reduced unkeyed Simeck with either 48 or 64-bit block length as the two round functions, thus resulting in two lightweight instances of the permutation, sLiSCP-192 and sLiSCP-256. We leverage the extensive security analysis on both Simeck (Simon-like functions) and Type-2 GFSs and present bounds against differential and linear cryptanalysis. In particular, we provide an estimation on the maximum differential probability of the round-reduced Simeck and use it for bounding the maximum expected differential/linear characteristic probability for our permutation. Due to the iterated nature of the Simeck round function and the simple XOR and cyclic shift mixing layer of the GFS that fosters the propagation of long trails, the long trail strategy}is adopted to provide tighter bounds on both characteristics. Moreover, we analyze sLiSCP against a wide range of distinguishing attacks, and accordingly, claim that there exists no structural distinguishers for sLiSCP with a complexity below $2^{b/2}$ where $b$ is the state size. We demonstrate how sLiSCP can be used as a unified round function in the duplex sponge construction to build (authenticated) encryption and hashing functionalities.
The parallel hardware implementation area of the unified duplex mode of sLiSCP-192 (resp. sLiSCP-256) in CMOS $65\,nm$ ASIC is 2289 (resp. 3039) GEs with a throughput of 29.62 (resp. 44.44) kbps, and their areas in CMOS $130\, nm$ are 2498 (resp. 3319) GEs.

ePrint Report
On the Tightness of Forward-Secure Signature Reductions
Michel Abdalla, Fabrice Benhamouda, David Pointcheval

In this paper, we revisit the security of factoring-based signature schemes built via the Fiat-Shamir transform and show that they can admit tighter reductions to certain decisional complexity assumptions such as the quadratic-residuosity, the high-residuosity, and the $\phi$-hiding assumptions. We do so by proving that the underlying identification schemes used in these schemes are a particular case of the lossy identification notion recently introduced by Abdalla et al. at Eurocrypt 2012. Next, we show how to extend these results to the forward-security setting based on ideas from the Itkis-Reyzin forward-secure signature scheme. Unlike the original Itkis-Reyzin scheme, our construction can be instantiated under different decisional complexity assumptions and has a much tighter security reduction. Moreover, we also show that the tighter security reductions provided by our proof methodology can result in concrete efficiency gains in practice, both in the standard and forward-security setting, as long as the use of stronger security assumptions is deemed acceptable. Finally, we investigate the design of forward-secure signature schemes whose security reductions are fully tight.

In their foundational paper on pseudorandom bit generation, Blum and Micali showed that the discrete logarithm problem could be solved efficiently given a ``magic box'' oracle that computes the most significant bit of the discrete logarithm with a slight advantage over guessing. This magic box can be realized on a quantum computer with a new, simplified variant of Shor's algorithm. The resulting combination of Blum and Micali's reduction and this new quantum magic box offers an intriguing hybrid approach to solving the discrete logarithm problem with a quantum computer. Because the only requirement on the quantum portion of the algorithm is that it provide an approximate estimate of a single bit of the discrete logarithm, the new algorithm may be easier to implement, more resilient to errors, and more amenable to optimization than previous approaches. Further analysis is needed to quantify the extent of these benefits in practice. The result applies to the discrete logarithm problem over both finite fields and elliptic curves. (The views expressed are my own and do not necessarily reflect those of my employer.)

ePrint Report
Binary Hash Tree based Certificate Access Management
Virendra Kumar, Jonathan Petit, William Whyte

We present a certificate access management system to support the USDOT's proposed rule on Vehicle-to-Vehicle (V2V) communications, Federal Motor Vehicle Safety Standard (FMVSS) No.~150. Our proposal, which we call Binary Hash Tree based Certificate Access Management (BCAM) eliminates the need for vehicles to have bidirectional connectivity with the Security Credential Management System (SCMS) for certificate update. BCAM significantly improves the ability of the SCMS to manage large-scale software and/or hardware compromise events. Vehicles are provisioned at the start of their lifetime with all the certificates they will need. However, certificates and corresponding private key reconstruction values are provided to the vehicle encrypted, and the keys to decrypt them are only made available to the vehicles shortly before the start of the validity periods of those certificates. Vehicles that are compromised can be effectively removed from the V2V system by preventing them from decrypting the certificates. We demonstrate that the system is feasible with a broadcast channel for decryption keys and other revocation information, even if that channel has a relatively low capacity.

Bernstein et al. have proposed a new permutation, Gimli, which aims to provide simple and performant implementations on a wide variety of platforms. One of the tricks used to make Gimli performant is that it processes data mostly in 96-bit columns, only occasionally swapping 32-bit words between them.

Here we show that this trick is dangerous by presenting a distinguisher for reduced-round Gimli. Our distinguisher takes the form of an attack on a simple and practical PRF that should be nearly 192-bit secure. Gimli has 24 rounds. Against 15.5 of those rounds, our distinguisher uses two known plaintexts, takes about $2^{64}$ time and uses enough memory for a set with $2^{64}$ elements. Against 19$\frac12$ rounds, the same attack uses three non-adaptively chosen plaintexts, and uses twice as much memory and about $2^{128}$ time. Against $22\frac12$ rounds, it requires about $2^{138.5}$ work, $2^{129}$ bits of memory and $2^{10.5}$ non-adaptively chosen plaintexts. The same attack would apply to 23$\frac12$ rounds if Gimli had more rounds.

Our attack does not use the structure of the SP-box at all, other than that it is invertible, so there may be room for improvement. On the bright side, our toy PRF puts keys and data in different positions than a typical sponge mode would do, so the attack might not work against sponge constructions.

Here we show that this trick is dangerous by presenting a distinguisher for reduced-round Gimli. Our distinguisher takes the form of an attack on a simple and practical PRF that should be nearly 192-bit secure. Gimli has 24 rounds. Against 15.5 of those rounds, our distinguisher uses two known plaintexts, takes about $2^{64}$ time and uses enough memory for a set with $2^{64}$ elements. Against 19$\frac12$ rounds, the same attack uses three non-adaptively chosen plaintexts, and uses twice as much memory and about $2^{128}$ time. Against $22\frac12$ rounds, it requires about $2^{138.5}$ work, $2^{129}$ bits of memory and $2^{10.5}$ non-adaptively chosen plaintexts. The same attack would apply to 23$\frac12$ rounds if Gimli had more rounds.

Our attack does not use the structure of the SP-box at all, other than that it is invertible, so there may be room for improvement. On the bright side, our toy PRF puts keys and data in different positions than a typical sponge mode would do, so the attack might not work against sponge constructions.

As an invited speaker of the ACISP 2017 conference, Dongxi Liu recently
introduced a new lattice-based encryption scheme (joint work with Li, Kim
and Nepal) designed for lightweight IoT applications, and announced plans
to submit it to the NIST postquantum competition. The new scheme is based
on a variant of standard LWE called Compact-LWE, but is claimed to
achieve high security levels in considerably smaller dimensions than
usual lattice-based schemes. In fact, the proposed parameters, allegedly
suitable for 138-bit security, involve the Compact-LWE assumption in
dimension only 13.

In this note, we show that this particularly aggressive choice of parameters fails to achieve the stated security level. More precisely, we show that ciphertexts in the new encryption scheme can be decrypted using the public key alone with >99.9% probability in a fraction of a second on a standard PC, which is not quite as fast as legitimate decryption, but not too far off.

In this note, we show that this particularly aggressive choice of parameters fails to achieve the stated security level. More precisely, we show that ciphertexts in the new encryption scheme can be decrypted using the public key alone with >99.9% probability in a fraction of a second on a standard PC, which is not quite as fast as legitimate decryption, but not too far off.

ePrint Report
Dynamic Searchable Public-Key Ciphertexts with Fast Performance and Practical Security
Peng Xu, Xia Gao, Wei Wang, Willy Susilo, Qianhong Wu, Hai Jin

Public-key encryption with keyword search (PEKS) allows a sender to generate keyword-searchable ciphertexts using
a receiver’s public key and upload them to a server. Upon receiving a keyword-search trapdoor from the receiver, the
server finds all matching ciphertexts. Due to the characteristics of public-key encryption, PEKS is inherently suitable
for the application of numerous senders. Hence, PEKS is a well-known method to achieve secure keyword search over
the encrypted email system. However, we find that without a keyword-search trapdoor, the traditional concept of PEKS
still allows the server to have the obvious advantage to distinguish ciphertexts in practice. In other words, the traditional
PEKS cannot guarantee the well-recognized semantic security in practice. To solve this problem, this paper defines a new
concept called dynamic searchable public-key encryption (DSPE). It can hide the relationships between keyword-searchable
ciphertexts and their corresponding encrypted files, and guarantee semantic security in both theory and practice. In addition,
it allows the server to delete the intended ciphertexts according to the receiver’s requirement. Then, we construct a DSPE
instance with provable semantic security in the random oracle model. In terms of performance, the proposed instance also
has the advantage that it only requires sublinear complexity to determine all matching ciphertexts or to delete the intended
ciphertexts. Finally, we experimentally demonstrate the practicability of the instance.

ePrint Report
Convolutional Neural Networks with Data Augmentation against Jitter-Based Countermeasures -- Profiling Attacks without Pre-Processing --
Eleonora Cagli, C\'ecile Dumas, Emmanuel Prouff

In the context of the security evaluation of cryptographic implementations, profiling attacks (aka Template Attacks) play a fundamental role. Nowadays the most popular Template Attack strategy consists in approximating the information leakages by Gaussian distributions. Nevertheless this approach suffers from the difficulty to deal with both
the traces misalignment and the high dimensionality of the data. This forces the attacker to perform critical preprocessing phases, such as the selection of the points of interest and the realignment of measurements. Some software and hardware countermeasures have been conceived exactly to create such a misalignment. In this paper we propose an end-to-end profiling attack strategy based on the Convolutional Neural Networks: this strategy greatly facilitates the attack roadmap, since it does not require a previous trace realignment nor a precise selection of points of interest. To significantly increase the performances of the CNN, we moreover propose to equip it with the data augmentation technique that is classical in other applications of Machine Learning. As a validation, we present several experiments against traces misaligned by different kinds of countermeasures, including the augmentation of the clock jitter effect in a secure hardware implementation over a modern chip. The excellent results achieved in these experiments prove that Convolutional Neural Networks approach combined with data augmentation gives a very efficient alternative to the state-of-the-art profiling attacks.

6
August
2017

NXP is hiring **13 security experts** in various domains (security architecture, vulnerability analysis, innovation, evaluation & certification, assessment, business development, ...) in various locations, such as Gratkorn, Hamburg, Glasgow, Eindhoven, Mougins, San Jose, San Diego, Austin or Shanghai.

Please go to https://nxp.wd3.myworkdayjobs.com/en-US/careers and browse through the various positions which you find under keyword ‘security’.

**Closing date for applications:** 31 December 2017

**Contact:** Marc Joye, NXP Fellow

**More information:** https://nxp.wd3.myworkdayjobs.com/en-US/careers/

“NUS-Singtel Cyber Security R&D Lab” (http://nus-singtel.nus.edu.sg/) is a 5 years joint project with about SGD 43 mil (approximately USD 31 mil) of funds contributed by Singapore Telecommunications Limited (SingTel), National University of Singapore (NUS), and National Research Foundation (NRF) of Singapore. The R&D Lab will conduct research in four broad areas of cyber security having strategic relevance to Singtel’s business: (1) Predictive Security Analytics; (2) Network, Data and Cloud Security; (3) Internet-of-Things and Industrial Control Systems; (4) Future-Ready Cyber Security Systems.

NUS currently has two research fellow positions with competitive pay and available to (fresh) PhD graduates in computer science/engineering from Singapore or overseas.

Position 1: To conduct R&D work in cloud and data security. Design and implement secure cloud computing services, including practical privacy-preserving computation (e.g. for healthcare and finance related use cases) in a cloud environment. Topics like practical partially homomorphic encryption or practical secure multi-party computation are within our key focus.

Position 2: To conduct R&D work in key management, authentication, and trusted computing, using cryptography and secure hardware (e.g. Intel SGX, TPM, PUF).

Applicants should have strong background in applied cryptography or trusted computing. Applicants are also expected to be self-motivated and good team players. To apply for any of the above positions, please send a copy of your recent CV to *comxj (at) nus.edu.sg* with an email subject “Application for RF”.

**Closing date for applications:** 31 December 2017

**Contact:** *comxj (at) nus.edu.sg*

**More information:** http://nus-singtel.nus.edu.sg

4
August
2017

The faculty of Computer Science and Biomedical Engineering at Graz University of Technology is seeking applicants for a tenured Professorship in Information Security.

We are looking for a scientifically excellent candidate who will represent the field Information Security in research and teaching. The successful candidate will complement existing strengths at the Institute for Applied Information Processing and Communications (IAIK) and be an engaged teacher in the Computer Science programs at the Bachelor’s, Master’s, and PhD level. Graz University of Technology offers excellent possibilities for interdisciplinary collaborations within the university and with other universities.

TU Graz is committed to increase the number of female employees, especially in executive and research positions. We therefore explicitly encourage qualified women to apply. Preference is given to female applicants with equivalent qualifications until the balanced proportion between men and women is achieved. We explicitly invite qualified applicants with disabilities to apply.

Candidates should submit an application by 31 October 2017. For details, refer to https://www.tugraz.at/go/professorships-vacancies/.

**Closing date for applications:** 31 October 2017

**Contact:** Stefan Mangard, Stefan.M*angard (at) iaik.tugraz*.at

**More information:** https://www.tugraz.at/go/professorships-vacancies/

Job Posting
PostDoc Positions in Multi-Party Computation (University of Bristol)
University of Bristol

We are looking for Post-Docs to work on theory, implementation and applications of MPC. We are looking for different individuals to contribute to each of these three areas. The positions are multi-year, and you will be working in a vibrant group working on trying to make MPC a reality; with strong links with both other research groups, and industrial applications.

**Closing date for applications:** 31 December 2017

**Contact:** Nigel Smart

**More information:** http://www.bristol.ac.uk/jobs/find/details.html?nPostingID=5521&nPostingTargetID=25254