International Association for Cryptologic Research

IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

11 October 2017
Multidimensional linear cryptanalysis of block ciphers is improved in this work by introducing a number of new ideas. Firstly, formulae is given to compute approximate multidimensional distributions of encryption internal bits. Conventional statistics like LLR(Logarithmic Likelihood Ratio) do not fit to work in Matsui's Algorithm 2 for large dimension data, as the observation depend on too many cipher key bits. So, secondly, a new statistic which reflects the structure of the cipher round is constructed instead. Thirdly, computing the statistic values which fall into a critical region is presented as an optimisation problem for which an efficient algorithm is suggested. The algorithm works much faster than brute forcing all relevant key bits to compute the statistic. An attack for 16-round DES was implemented. We got an improvement over Matsui's attack on DES in data and time complexity keeping success probability the same.
ePrint Report A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto, Bernardo David, Rafael Dowsley, Kirill Morozov, Anderson C. A. Nascimento
Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In~terms of communication, our protocol only requires the transfer of one public-key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low noise LPN, McEliece, and QC-MDPC assumptions are the first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3) low communication and computational complexities. Previous results in this setting only achieved static security and used costly cut-and-choose techniques. Our instantiation based on CDH achieves adaptive security at the small cost of communicating only two more group elements as compared to the gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which only achieves static security in the ROM.
ePrint Report Leakage Bounds for Gaussian Side Channels Thomas Unterluggauer, Thomas Korak, Stefan Mangard, Robert Schilling, Luca Benini, Frank Gürkaynak, Michael Muehlberghuber
In recent years, many leakage-resilient schemes have been published. These schemes guarantee security against side-channel attacks given bounded leakage of the underlying primitive. However, it is a challenging task to reliably determine these leakage bounds from physical properties. In this work, we present a novel approach to find reliable leakage bounds for side channels of cryptographic implementations when the input data complexity is limited such as in leakage-resilient schemes. By mapping results from communication theory to the side-channel domain, we show that the channel capacity is the natural upper bound for the mutual information (MI) to be learned from multivariate side-channels with Gaussian noise. It shows that this upper bound is determined by the device-specific signal-to-noise ratio (SNR). We further investigate the case when attackers are capable of measuring the same side-channel leakage multiple times and perform signal averaging. Our results here indicate that the gain in the SNR obtained from averaging is exponential in the number of points of interest that are used from the leakage traces. Based on this, we illustrate how the side-channel capacity gives a tool to compute the minimum attack complexity to learn a certain amount of information from side-channel leakage. We then show that our MI bounds match with reality by evaluating the MI in multivariate Gaussian templates built from practical measurements on an ASIC. We finally use our model to show the security of the Keccak-f[400]-based authenticated encryption scheme ISAP on this ASIC against power analysis attacks.
Code update is a very useful tool commonly used in low-end embedded devices to improve the existing functionalities or patch discovered bugs or vulnerabilities. If the update protocol itself is not secure, it will only bring new threats to embedded systems. Thus, a secure code update mechanism is required. However, existing solutions either rely on strong security assumptions, or result in considerable storage and computation consumption, which are not practical for resource-constrained embedded devices (e.g., in the context of Internet of Things). In this work, we first propose to use intrinsic device characteristics (i.e., Physically Unclonable Functions or PUF) to design a practical and lightweight secure code update scheme. Our scheme can not only ensure the freshness, integrity, confidentiality and authenticity of code update, but also verify that the update is installed correctly on a specific device without any malicious software. Cloned or counterfeit devices can be excluded as the code update is bound to the unpredictable physical properties of underlying hardware. Legitimate devices in an untrustworthy software state can be restored by filling suspect memory with PUF-derived random numbers. After update installation, the initiator of the code update is able to obtain the verifiable software state from device, and the device can maintain a sustainable post-update secure check by enforcing a secure call sequence. To demonstrate the practicality and feasibility, we also implement the proposed scheme on a low-end MCU platform (TI MSP430) by using onboard SRAM and Flash resources.
Nonlinear permutations (S-boxes) are key components in block ciphers. Differential branch number measures the diffusion power of a permutation. Differential branch number of nonlinear permutations of $\mathbb{F}_2^n$ has not been analyzed, although it is well studied for linear permutations. In this paper we obtain a bound on differential branch number of permutations (both linear and nonlinear) of $\mathbb{F}_2^n$. We also show that in case of $\mathbb{F}_2^4$, the maximum differential branch number can be achieved only by affine permutations.
ePrint Report Decentralized Multi-Client Functional Encryption for Inner Product Jérémy Chotard, Edouard Dufour Sans, Duong Hieu Phan, David Pointcheval
Multi-input functional encryption is a very useful generalization of Functional Encryption, which has been motivated by Goldwasser et al. from Eurocrypt ’14. All the constructions, however, rely on non-standard assumptions. Very recently, at Eurocrypt ’17, Abdalla et al. considered a restricted case and proposed an efficient multi-input inner-product functional encryption scheme. In this paper, regarding the case of inner product, we argue that the multi-client setting (MCFE, for Multi-Client Functional Encryption), which borrows techniques from both Functional Encryption and Private Stream Aggregation, is better suited to real-life applications because of the strong restrictions implied by linear relations. We then propose a practical solution for Multi-Client Inner-Product Functional Encryption (IP-MCFE) which relies on the sole DDH assumption and supports adaptive corruptions. In MCFE schemes, each data input is encrypted by a different client, and the clients might not trust anybody for the functional decryption keys. It thus seems quite important to remove any authority, while allowing corruptions of the clients by the adversary. We thus propose the notion of Decentralized Multi-Client Functional Encryption (DMCFE) and provide a generic construction from two MCFE schemes with particular properties. More concretely, combining two instantiations of our previous IP-MCFE, we can build an efficient and non-interactive decentralized scheme for inner product. Our construction relies on the SXDH assumption, and supports adaptive corruptions in the random oracle model.
Lattice-based cryptography has been accepted as a promising candidate for public key cryptography in the age of quantum computing. Discrete Gaussian sampling is one of fundamental operations in many lattice-based cryptosystems. In this paper, we discuss a sub-problem of discrete Gaussian sampling, which is to sample from a centered discrete Gaussian distribution over the integers with positive standard deviation and zero center. We propose three alternative rejection sampling algorithms for centered discrete Gaussian distributions with standard deviation in two specific forms. The first algorithm is designed for the case where the standard deviation is an positive integer, and it requires neither pre-computation storage nor floating-point arithmetic. While the other two algorithms are fit for a standard deviation that is an integer multiple of a fixed real number (approximately equal to 0.849). These two algorithms require fixed look-up tables of very small size (e.g. 128 bits and 320 bits respectively), but they are much more efficient than the first algorithm. The experimental results show that our algorithms have better performance than that of two rejection sampling algorithms proposed by Karney in 2016 and by Ducas et al.\ in 2013 respectively. The expected numbers of random bits used in our algorithms are significantly smaller than that of random bits used in Karney's rejection sampling algorithm.
A number of positions as tenure-track assistant professor or associate professor are available at the Department of Computer Science, Aarhus University (

The department has research groups within \"Algorithms and Data Structures\" Data-Intensive Systems\",\"Cryptography and Security\", \"Mathematical Computer Science\", \"Logic and Semantics\", \"Ubiquitous Computing and Interaction\", \"Computer-Mediated Activity\", \"Use, Design and Innovation\", and \"Programming Languages”. Moreover, we wish to build competencies within Machine Learning and Systems Security.

Applicants within all areas of computer science are welcome.

Applicants for tenure-track positions are expected to have a PhD and research experience corresponding to a couple of years as postdoc or similar. Applicants must document a promising record of original research and an aptitude for teaching.

Applicants for associate professor positions are expected to have research experience from several years as assistant professor or similar. Applicants must document a strong record of original research and have teaching experience at undergraduate/graduate level.

All applicants are requested to include a link to their Google Scholar profile in their application.

Recommendation letters can be uploaded together with your other application material; however, you can also ask referees to submit letters directly to the e-mail address shradras (at) no later than 5 January 2018. The subject of the e-mail should include the phrase \"Assistant Professor (tenure-track) or Associate Professor in Computer Science, name of applicant”.


All applications must be made online and received by: 5/1/2018

Closing date for applications: 5 January 2018

More information:

Job Posting Assistant Professor University of Vermont

The Department of Computer Science at the University of Vermont is seeking applicants for a tenure-track position at the rank of Assistant Professor, with duties to start in late August of 2018. Preference will be given to researchers in the areas of computer security and privacy. We interpret these areas broadly, and areas of particular interest include: network security, embedded device security including IoT and medical devices, and critical infrastructure security including health and energy systems.

Applications from women, veterans, individuals with disabilities and people from diverse racial, ethnic, and cultural backgrounds are encouraged. The University is especially interested in candidates who can contribute to the diversity and excellence of the academic community. To that end candidates must provide a diversity impact statement as part of the application detailing how they will further the diversity of the unit through their research, teaching and/or service at the University.

The applicant must submit a current curriculum vitae identifying their specific area of expertise, a statement of teaching philosophy, a detailed statement of research interests, a teaching diversity impact statement, and names of at least three people who can provide letters of reference, at least one of which can comment on teaching. All application materials must be submitted online at, posting number [F923PO]. Inquiries may be addressed to Dr. Christian Skalka, Search Committee Chairperson (ceskalka (at) Review of applications will begin December 1, 2017 and continue until the position is filled.

Closing date for applications: 31 December 2017


Christian Skalka, Associate Professor, Search Committee Chairperson, ceskalka (at)

More information:

9 October 2017
We construct two identity-based encryption (IBE) schemes. The first one is IBE satisfying key dependent message (KDM) security for user secret keys. The second one is IBE satisfying simulation-based receiver selective opening (RSO) security. Both schemes are secure against adaptive-ID attacks and do not have any a-priori bound on the number of challenge identities queried by adversaries in the security games. They are the first constructions of IBE satisfying such levels of security.

Our constructions of IBE are very simple. We construct our KDM secure IBE by transforming KDM secure secret-key encryption using IBE satisfying only ordinary indistinguishability against adaptive-ID attacks (IND-ID-CPA security). Our simulation-based RSO secure IBE is based only on IND-ID-CPA secure IBE.

We also demonstrate that our construction technique for KDM secure IBE is used to construct KDM secure public-key encryption. More precisely, we show how to construct KDM secure public-key encryption from KDM secure secret-key encryption and public-key encryption satisfying only ordinary indistinguishability against chosen plaintext attacks.
Cryptosystems based on supersingular isogenies have been proposed recently for use in post-quantum cryptography. Three problems have emerged related to their hardness: computing an isogeny between two curves, computing the endomorphism ring of a curve, and computing a maximal order associated to it. While some of these problems are believed to be polynomial-time equivalent based on heuristics, their relationship is still unknown. We give the first reduction between these problems, with the aid of one more problem which we call Action-on-$\ell$-Torsion. We show that computing $\ell$-power isogenies reduces to computing maximal orders and Action-on-$\ell$-Torsion.

We also define the notion of a compact representation of an endomorphism, and use this to show that endomorphism rings always have polynomial representation size. We then reduce the endomorphism ring problem to computing maximal orders and Action-on-$\ell$-Torsion, thus laying the foundation for analysis of the hardness of endomorphism ring computation. This identifies these last two problems as one possible way to attack some systems, such as hash functions based on the $\ell$-isogeny graph of supersingular elliptic curves. This gives the potential to use algebraic tools in quaternion algebras to solve the problems. We also discuss how these reductions apply to attacks on a hash function of Charles, Goren, and Lauter.
ePrint Report Breaking Ed25519 in WolfSSL Niels Samwel, Lejla Batina, Guido Bertoni, Joan Daemen, Ruggero Susella
Ed25519 is an instance of the Elliptic Curve based signature scheme EdDSA that was recently introduced to solve an inconvenience of the more established ECDSA. Namely, both schemes require the generation of a random value (scalar of the ephemeral key pair) during the signature generation process and the secrecy of this random value is critical for security: knowledge of one such a random value, or partial knowledge of a series of them, allows reconstructing the signer's private key. In ECDSA it is not specified how to generate this random value and hence implementations critically rely on the quality of random number generators and are challenging to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. The feature of determinism has received wide support as enabling secure implementations and in particular deployment of Ed25519 is spectacular. Today Ed25519 is used in numerous security protocols, networks and both software and hardware security products e.g. OpenSSH, Tor, GnuPG etc.

In this paper we show that in use cases where power or electromagnetic leakage can be exploited, exactly the mechanism that makes EdDSA deterministic complicates its secure implementation. In particular, we break an Ed25519 implementation in WolfSSL, which is a suitable use case for IoT applications. We apply differential power analysis (DPA) on the underlying hash function, SHA-512, requiring only 4000 traces.

Finally, we present a tweak to the EdDSA protocol that is cheap and effective against the described attack while keeping the claimed advantage of EdDSA over ECDSA in terms of featuring less things that can go wrong e.g. the required high-quality randomness. However, we do argue with our countermeasure that some randomness (that need not be perfect) might be hard to avoid.
We put forward the notion of self-guarding cryptographic protocols as a countermeasure to algorithm substitution attacks. Such self-guarding protocols can prevent undesirable leakage by subverted algorithms if one has the guarantee that the system has been properly working in an initialization phase. Unlike detection-based solutions they thus proactively thwart attacks, and unlike reverse firewalls they do not assume an online external party.

We present constructions of basic primitives for (public-key and private-key) encryption and for signatures. We also argue that the model captures attacks with malicious hardware tokens and show how to self-guard a PUF-based key exchange protocol.
Attribute-based encryption (ABE) is a cryptographic primitive which supports fine-grained access control on encrypted data, making it an appealing building block for many applications. In this paper, we propose, implement, and evaluate fully automated methods for proving security of ABE in the Generic Bilinear Group Model (Boneh, Boyen, and Goh, 2005, Boyen, 2008), an idealized model which admits simpler and more efficient constructions, and can also be used to find attacks. Our method is applicable to Rational-Fraction Induced ABE, a large class of ABE that contains most of the schemes from the literature, and relies on a Master Theorem, which reduces security in the GGM to a (new) notion of symbolic security, which is amenable to automated verification using constraint- based techniques. We relate our notion of symbolic security for Rational-Fraction Induced ABE to prior notions for Pair Encodings. Finally, we present several applications, including automated proofs for new schemes.
Secure messaging apps have enjoyed huge uptake, and with the headline figure of one billion active WhatsApp users there has been a corresponding burst of academic research on the topic. One might therefore wonder: how far is the academic community from providing concrete, applicable guarantees about the apps that are currently in widespread use? We argue that there are still significant gaps between the security properties that users might expect from a communication app, and the security properties that have been formally proven. These gaps arise from dubious technical assumptions, tradeoffs in the name of reliability, or simply features out of scope of the analyses. We survey these gaps, and discuss where the academic community can contribute. In particular, we encourage more transparency about analyses' restrictions: the easier they are to understand, the easier they are to solve.
A crucial issue, that mostly affects the performance of actively secure computation of RAM programs, is the task of reading/writing from/to memory in a private and authenticated manner. Previous works in the active security and multiparty settings are based purely on the SPDZ (reactive) protocol, hence, memory accesses are treated just like any input to the computation. However, a garbled-circuit-based construction (such as BMR), which benefits from a lower round complexity, must resolve the issue of converting memory data bits to their corresponding wire keys and vice versa.

In this work we propose three techniques to construct a secure memory access, each appropriates to a different level of abstraction of the underlying garbling functionality. We provide a comparison between the techniques by several metrics. To the best of our knowledge, we are the first to construct, prove and implement a concretely efficient garbled-circuit-based actively secure RAM computation with dishonest majority.

Our construction is based on our third (most efficient) technique, cleverly utilizing the underlying SPDZ authenticated shares (Damgård et al., Crypto 2012), yields lean circuits and a constant number of communication rounds per physical memory access. Specifically, it requires no additional circuitry on top of the ORAM's, incurs only two rounds of broadcasts between every two memory accesses and has a multiplicative overhead of 2 on top of the ORAM's storage size.

Our protocol outperforms the state of the art in this settings when deployed over WAN. Even when simulating a very conservative RTT of 100ms our protocol is at least one order of magnitude faster than the current state of the art protocol of Keller and Scholl (Asiacrypt 2015).
ePrint Report Yoyo Tricks with AES Sondre R{\o}njom, Navid Ghaedi Bardeh, Tor Helleseth
In this paper we present new fundamental properties of SPNs. These properties turn out to be particularly useful in the adaptive chosen ciphertext/plaintext setting and we show this by introducing for the first time key-independent yoyo-distinguishers for 3- to 5-rounds of AES. All of our distinguishers beat previous records and require respectively $3, 4$ and $2^{25.8}$ data and essentially zero computation except for observing differences. In addition, we present the first key-independent distinguisher for 6-rounds AES based on yoyos that preserve impossible zero differences in plaintexts and ciphertexts. This distinguisher requires an impractical amount of $2^{122.83}$ plaintext/ciphertext pairs and essentially no computation apart from observing the corresponding differences. We then present a very favorable key-recovery attack on 5-rounds of AES that requires only $2^{11.3}$ data complexity and $2^{31}$ computational complexity, which as far as we know is also a new record. All our attacks are in the adaptively chosen plaintext/ciphertext scenario. Our distinguishers for AES stem from new and fundamental properties of generic SPNs, including generic SAS and SASAS, that can be used to preserve zero differences under the action of exchanging values between existing ciphertext and plaintext pairs. We provide a simple distinguisher for 2 generic SP-rounds that requires only 4 adaptively chosen ciphertexts and no computation on the adversaries side. We then describe a generic and deterministic yoyo-game for 3 generic SP-rounds which preserves zero differences in the middle but which we are not capable of exploiting in the generic setting.
ePrint Report Privacy-Preserving Ridge Regression over Distributed Data from LHE Irene Giacomelli, Somesh Jha, Marc Joye, C. David Page, Kyonghwan Yoon
Linear regression with 2-norm regularization (i.e., ridge regression) is an important statistical technique that models the relationship between some explanatory values and an outcome value using a linear function. In many current applications (e.g., predictive modelling in personalized health-care), these values represent sensitive data owned by several different parties who are unwilling to share them. In this setting, training a linear regression model becomes challenging and needs specific cryptographic solutions. This problem was elegantly addressed by Nikolaenko et al. in S&P (Oakland) 2013. They suggested a two-server system that uses linearly-homomorphic encryption (LHE) and Yao’s two-party protocol (garbled circuits). In this work, we propose a novel system that can train a ridge linear regression model using only linearly-homomorphic encryption (i.e., without using Yao’s protocol). This greatly improves the overall performance (both in computation and communications) as Yao’s protocol was the main bottleneck in the previous solution. The efficiency of the proposed system is validated both on synthetically-generated and real-world datasets.
Job Posting PhD in Applied Cryptography University of Luxembourg, CryptoLux team
The University of Luxembourg seeks to hire outstanding PhD candidate at the Computer Science and Communications Research Unit. The positions are part of the FNR PRIDE doctoral training program on Security and Privacy for System Protection. CryptoLUX/SnT team is an established leading European team in the area of applied cryptography, information security and privacy.

He or she will contribute to a research project on future directions in one or more of the following topics:

o Design and Cryptanalysis of lightweight block ciphers, authenticated encryption schemes

o Side-channel attacks on symmetric cryptosystems and countermeasures

o Design and security analysis of IoT and blockchain security protocols

o Strong whitebox-cryptography

Your Profile

• M.Sc. degree in Computer Science, Applied Mathematics, Electrical Engineering, or a related field

• Strong mathematical and algorithmic CS background (complexity of algorithms; probability/statistics; discrete math; basic cryptography, algebra)

• Background in cryptography or information security or ethical hacking - a plus

• Good skills in programming, scripting languages . Math tools a plus.

• Commitment, team working and a critical mind

• Participation in competitions, Olympiads, CTFs - a big plus

• Fluent written and verbal communication skills in English are mandatory

We offer

Duration of Ph.D. is typically between 3-4 years. The University offers highly competitive salaries and is an equal opportunity employer. You will work in an exciting international environment and will have the opportunity to participate in the development of a newly created research center.

Applications, written in English, should be submitted online and should include:

• Curriculum Vitae (including your contact address, photo, work experience, publications)

• A research statement indicating your interest, prior research (if any) and your motivation (max 1 page)

Closing date for applications: 30 November 2017

Contact: Prof. Alex Biryukov (e-mail: name dot family name (at)

More information:

7 October 2017
Job Posting PhD/MSc Interns in Blockchain and Network Security Singapore University of Technology and Design, Singapore
Singapore University of Technology and Design (SUTD) is a young university established in collaboration with MIT and security is one of its major focuses. SUTD hosts the iTrust and STE-SUTD centres for research in cyber security.

I am looking for highly motivated PhD interns (strong MSc students will also be considered) who are interested in conducting research in at least one of the following fields:

- blockchain security (Bitcoin, Ethereum, cryptocurrencies, smart contracts, ...)

- network and systems security (Internet, SSL/TLS, PKI, ...)

Candidates should have an excellent background in computer science (or related), ability to work on inter-disciplinary research projects, good design and programming skills, and a strong interest in at least one of the listed fields.

The attachment should be between 3 and 6 months, and an allowance will be provided for local expenses.

If you are interested please send your CV to Pawel Szalachowski.

Closing date for applications:

Contact: pawel (at)

The Department of Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign (ECE ILLINOIS) invites applications for full-time faculty positions at all levels and in all areas of electrical and computer engineering, broadly defined, with particular emphasis in the areas of bio-electronics, bio-computation, bio-imaging including MRI, and health; machine learning, control, and optimization for dynamic complex systems; robotics; machine vision; power electronics and electric machines; quantum computing; cybersecurity and reliability; embedded computing systems and the internet of things; networked and distributed computing; data-centric computer systems and storage. Applications are encouraged from candidates whose research programs are in core as well as broad interdisciplinary areas of electrical and computer engineering.

Closing date for applications: 15 November 2017

More information:

Job Posting Senior Research Engineer Indra Sistemas (Madrid, Spain)
Our Cybersecurity Technology Area conducts cutting-edge innovation in several areas of cybersecurity, including: cyber situational awareness, digital identity, predictive intelligence for cybersecurity, cyber range, and applied cryptography. Its main objective is to produce innovative solutions that help our customers to effectively counter advanced and emerging cyberthreats. We actively collaborate with renowned Research Centres and Universities across Europe, maximising the expert knowledge and scientific advances in cybersecurity and related fields.

We are looking for a senior research engineer for the cyber situational awareness research line. The candidate must prove the ability to undertake applied research and innovation, from exploratory thinking to prototyping and demonstration. The candidate should demonstrate the ability to generate new ideas, develop novel conceptual models and architectures and validate them with proof-of-concepts and functional prototypes. The candidate must have strong programming skills, in different languages and environments.


  • Ph.D. in Computer Science or similar, cybersecurity topic.
  • +5 years of experience in cybersecurity, having participated in projects in/for the private sector.
  • Experience in complex systems modelling and design.
  • Knowledge in vulnerability assessment, attack detection techniques, risk management, threat intelligence.
  • Good track of scientific publications.
  • Be eligible to obtain NATO/EU Security Clearance.
  • English: C1 (CEFR). Fluent in Spanish is a plus, but not required.


  • Knowledge in cyber situational awareness or related field, such as dynamic risk management, cyber mission impact assessment, predictive intelligence, visual analytics.
  • Knowledge in big data, data mining, machine learning.

If you are interested, please submit your CV in PDF format to the contact person.

Closing date for applications: 31 December 2017

Contact: Dr. Jorge Lopez Hernandez-Ardieta

Head of Cybersecurity Product Innovation

jlhardieta at

More information:

Job Posting Senior Researcher Cybernetica, Information Security Institute
Cybernetica\'s Information Security Institute has an open position for a


We are looking for applicants that complement our existing competencies and at the same time have necessary abilities to lead an independent industrial research group.

The list of potential topics of interest includes but is not limited to

• new directions in cryptography (especially post-quantum cryptography),

• cryptanalysis,

• formal methods (sociotechnical risk models, protocol analysis),

• privacy-preserving computations,

• data mining and/or machine learning for security,

• secure software and systems development,

• hardware-level and embedded systems security (Internet-of-Things, smart cards, side channel attacks).

We stress once more that the previous list is not exhaustive. We a looking for a candidate who creates synergies with our existing senior researchers.

Successful applicant has a

• PhD degree in computer science, mathematics, software engineering or in a closely related field, together with a

• proven track record showing academic and/or industrial performance in the field of computer security or cryptography.

We offer

• opportunity to integrate new research activities into Cybernetica\'s R&D portfolio, as well as to contribute to existing themes;

• to work with, learn from, and teach highly qualified professionals, both in research and development;

• to be part of, and improve the Estonian e-society;

• (reasonable) funds to set up your research environment, should your research topics require the purchase or rent of specialized hardware, high-performance computing resources, etc;

• funds to hire a junior researcher working on your research topics;

• being part of a growing team either in our Tallinn or Tartu office;

• flexible working hours.

Closing date for applications: 15 November 2017

Contact: Helena Sarapuu

Head of HR

Cybernetica AS

E-mail: job (at)

Address: Mäealuse 2/1, 12618 Tallinn, Estonia

More information:

Job Posting PhD interns on cyber-physical system security Singapore University of Technology and Design (SUTD)
Singapore University of Technology and Design (SUTD) is a young university which was established in collaboration with MIT. iTrust is a Cyber Security Research Center with about 15 multi-discipline faculty members from SUTD. It has the world’s best facilities in cyber-physical systems (CPS) including testbeds for Secure Water Treatment (SWaT), Water Distribution (WADI), Electric Power and Intelligent Control (EPIC), and IoT. (See more info at

I am looking for PhD interns with interest in cyber-physical system security (IoT, autonomous vehicle, and power grid etc.), especially on the topics such as 1) Lightweight and low-latency crypto algorithms for CPS devices, 2) Resilient authentication of devices and data in CPS, 3) Advanced SCADA firewall to filter more sophisticated attacking packets in CPS, 4) Big data based threat analytics for detection of both known and unknown threats, 5) Attack mitigation to increase the resilience of CPS. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Contact: Prof. Jianying Zhou

Email:  jianying_zhou (at)


Closing date for applications: 31 October 2017

Contact: Prof. Jianying Zhou

More information:

Event date: 9 July to 11 July 2018
Submission deadline: 5 February 2018
Notification: 5 April 2018
Event date: 1 October to 13 April 2018
Submission deadline: 13 April 2018
Notification: 13 June 2018
Event Calendar Africacrypt 2018 Marrakesh, Morocco, 7 May - 9 May 2018
Event date: 7 May to 9 May 2018
Submission deadline: 7 January 2018
Notification: 20 February 2018
5 October 2017
Recently, Döttling and Garg (CRYPTO 2017) showed how to build identity-based encryption (IBE) from a novel primitive termed Chameleon Encryption, which can, in turn, be realized from simple number theoretic hardness assumptions such as the computational Diffie-Hellman assumption (in groups without pairings) or the factoring assumption. In a follow-up work (TCC 2017), the same authors showed that IBE can also be constructed from a slightly weaker primitive called One-Time Signatures with Encryption (OTSE).

In this work, we show that OTSE can be instantiated from hard learning problems such as the Learning With Errors (LWE) and the Learning Parity with Noise (LPN) problems. This immediately yields the first IBE construction from the LPN problem and a construction based on a weaker LWE assumption compared to previous works.

Finally, we show that the notion of one-time signatures with encryption is also useful for the construction of key-dependent-message (KDM) secure public-key encryption. In particular, our results imply that a KDM-secure public key encryption can be constructed from any KDM-secure secret-key encryption scheme and any public-key encryption scheme.
In this paper, quantum attacks against symmetric-key schemes are presented in which adversaries only make classical queries but use quantum computers for offline computations. Our attacks are not as efficient as polynomial-time attacks making quantum superposition queries, while our attacks use the realistic model and overwhelmingly improve the classical attacks. Our attacks convert a type of classical meet-in-the-middle attacks into quantum ones. The attack cost depends on the number of available qubits and the way to realize the quantum hardware. The tradeoff between data complexity $D$ and time complexity $T$ against the problem of cardinality $N$ is $D^2 \cdot T^2 =N$ and $D \cdot T^6 = N^3$ in the best and worst case scenarios to the adversary respectively, while the classic attack requires $D\cdot T = N$. This improvement is meaningful from an engineering aspect because several existing schemes claim beyond-birthday-bound security for $T$ by limiting the maximum $D$ to be below $2^{n/2}$ according to the classical tradeoff $D\cdot T = N$. Those schemes are broken if quantum offline computations are performed by adversaries. The attack can be applied to many schemes such as a tweakable block-cipher construction TDR, a dedicated MAC scheme Chaskey, an on-line authenticated encryption scheme McOE-X, a hash function based MAC H$^2$-MAC and a permutation based MAC keyed-sponge. The idea is then applied to the FX-construction to discover new tradeoffs in the classical query model.
Garbled circuits have been highly optimized for practice over the last several years. Today's most efficient constructions treat different types of gates (e.g., AND vs XOR) differently; as such, they leak the type of each gate. In many applications of garbled circuits, the circuit itself is public, so such leakage is tolerable. In other settings, however, it is desirable to hide the type of each gate.

In this paper we consider optimizing garbled circuits for the gate-hiding case. We observe that the best state-of-the-art constructions support only a limited class of gate functions, which turns out to undermine their improvements in several settings. These state-of-the-art constructions also require a non-minimal hardness assumption.

We introduce two new gate-hiding constructions of garbled circuits. Both constructions achieve the same communication complexity as the best state-of-the-art schemes, but support a more useful class of boolean gates and use only the minimal assumption of a secure PRF.

newer items   older items