International Association
for Cryptologic Research

Monero is one of the privacy-preserving cryptocurrencies employing CryptoNote protocol. The privacy features in Monero are provided by cryptographic techniques called linkable ring signature and one-time public key. Recent studies show that the majority of Monero inputs are traceable prior to mandatory RingCT transaction. After the RingCT was implemented, the problem was mitigated. We propose a novel attack to reduce the anonymity of Monero transactions or even to fully deanonymise the inputs. The proposed protocol can be launched in RingCT scenario and enable multiple attackers to collaborate without trusting each other. The attack scheme can be planted in the existing Monero services without extra fees and without putting the users’ money at risk.

Postdoc and PhD in cryptographic currencies and anti-surveillance at University of Edinburgh

Worried about surveillance? Imagining a world in which all data is encrypted? Concerned about mistakes in security proofs and bugs in software? Curious about what blockchain technology will look like after the crypto-currency bubble?

At the University of Edinburgh we design distributed cryptographic techniques to protect user\'s online privacy, based on scientific principles using mathematical proofs. A core enabling component is IOHK‘s Cardano blockchain.

Join as a Postdoc or PhD to work on privacy and anonymity, zero-knowledge and multi-party computation. Multiple positions are available. To apply, send your CV with a cover letter and two letters of recommendation. The positions are available until filled.

Contact: Markulf Kohlweiss, mkohlwei (at) ed.ac.uk, https://homepages.inf.ed.ac.uk/mkohlwei/

More Information:

* University of Edinburgh: http://web.inf.ed.ac.uk/security-privacy

* IOHK: https://iohk.io/

Closing date for applications: 31 May 2018

Multi-Party Computation of Oblivious RAM (MPC ORAM) implements secret-shared random access memory in a way that protects access pattern privacy against a threshold of corruptions. MPC ORAM enables secure computation of any RAM program on large data held by different entities, e.g. MPC processing of database queries on a secret-shared database. MPC ORAM can be constructed by any (client-server) ORAM, but there is an efficiency gap between known MPC ORAM's and ORAM's. Current asymptotically best MPC ORAM is implied by an "MPC friendly" variant of Path-ORAM called Circuit-ORAM, due to Wang et al. However, using garbled circuit for Circuit-ORAM's client implies MPC ORAM which matches Path-ORAM in rounds but increases bandwidth by \Omega(kappa) factor, while using GMW or BGW protocols implies MPC ORAM which matches Path-ORAM in bandwidth, but increases round complexity by \Omega(log n loglog n) factor, for kappa the security parameter and n the memory size.

In this paper we bridge the gap between MPC ORAM and client-server ORAM by showing a specialized 3PC ORAM protocol, i.e. MPC ORAM for 3 parties tolerating 1 fault, which uses only symmetric ciphers and asymptotically matches client-server Path-ORAM in round complexity and for large records also in bandwidth.

Our 3PC ORAM also allows for fast pipelined processing: With post- poned clean-up it processes b=O(log n) accesses in O(b+log n) rounds with O(D+poly(log n)) bandwidth per item, where D is record size.

In this work we provide a traitor tracing construction with ciphertexts that grow polynomially in $\log(n)$ where $n$ is the number of users and prove it secure under the Learning with Errors (LWE) assumption. This is the first traitor tracing scheme with such parameters provably secure from a standard assumption. In addition to achieving new traitor tracing results, we believe our techniques push forward the broader area of computing on encrypted data under standard assumptions. Notably, traitor tracing is substantially different problem from other cryptography primitives that have seen recent progress in LWE solutions. We achieve our results by first conceiving a novel approach to building traitor tracing that starts with a new form of Functional Encryption that we call Mixed FE. In a Mixed FE system the encryption algorithm is bimodal and works with either a public key or master secret key. Ciphertexts encrypted using the public key can only encrypt one type of functionality. On the other hand the secret key encryption can be used to encode many different types of programs, but is only secure as long as the attacker sees a bounded number of such ciphertexts. We first show how to combine Mixed FE with Attribute-Based Encryption to achieve traitor tracing. Second we build Mixed FE systems for polynomial sized branching programs (which corresponds to the complexity class LOGSPACE) by relying on the polynomial hardness of the LWE assumption with super-polynomial modulus-to-noise ratio.

Location information has wide applications in customization and personalization of services, as well as secure authentication and access control. We introduce {\em in-Region Authentication (inRA)}, a novel type of authentication, that allows a prover to prove to a set of cooperating verifiers that they are in possession of the correct secret key, and are inside a specified (policy) region of arbitrary shape. These requirements naturally arise when a privileged service is offered to registered users within an area. Locating a prover without assuming GPS (Global Positioning System) signal however, incurs error. We discuss the challenge of designing secure protocols that have quantifiable error in this setting, define and formalize correctness and security properties of the protocols, and propose a systematic approach to designing a family of protocols with provable security where error can be flexibly defined and efficiently minimized. We give a concrete instance of this family that starts with two verifiers, prove its security and evaluate its application to four different policy regions. Our results show that in all cases false acceptance and false rejection of below $6\%$ can be achieved. We compare our results with related works, and propose directions for future research.

Private Set Intersection (PSI) is a popular cryptographic primitive that allows two parties, a client and a server, to compute the intersection of their private sets, so that the client only receives the output of the computation, while the server learns nothing besides the size of the client's set. A common limitation of PSI is that a dishonest client can progressively learn the server's set by enumerating it over different executions. Although these ``oracle attacks'' do not formally violate security according to traditional secure computation definitions, in practice, they often hamper real-life deployment of PSI instantiations, especially if the server's set does not change much over multiple interactions.

In a first step to address this problem, this paper presents and studies the concept of Reactive PSI (RePSI). We model PSI as a reactive functionality, whereby the output depends on previous instances, and use it to limit the effectiveness of oracle attacks. We introduce a general security model for RePSI in the (augmented) semi-honest model and a construction which enables the server to control how many inputs have been used by the client across several executions. In the process, we also present the first construction of a Size-Hiding PSI (SHI-PSI) protocol in the standard model, which may be of independent interest.

This work introduces the concept of flexible signatures. In a flexible signature scheme, the verification algorithm quantifies the validity of a signature based on the number of computations performed such that the signature's validation (or confidence) level in $[0,1]$ improves as the algorithm performs more computations. Importantly, the definition of flexible signatures does not assume the resource restriction to be known in advance until the verification process is hard stopped by a system interrupt. Although prominent traditional signature schemes such as RSA, (EC)DSA, EdDSA seem unfit towards building flexible signatures, we find updated versions of the Lamport-Diffie one-time signature and Merkle authentication tree to be suitable for building flexible signatures. We present a flexible signature construction based on these hash-based primitives and prove its security with a concrete security analysis. We also perform a thorough validity-level analysis demonstrating an attractive computation-vs-validity trade-off offered by our construction: a security level of $80$ bits can be ensured by performing only around $\frac{2}{3}$rd of the total hash computations for our flexible signature construction with a Merkle tree of height $20$.

We see this work as the first step towards realizing flexible-security cryptographic primitives. Beyond flexible signatures, our flexible-security conceptualization offers an interesting opportunity to build similar primitives in the asymmetric as well as symmetric cryptographic domains. Apart from being theoretically interesting, these flexible security primitives can be of particular interest to real-time systems as well as the Internet of things: rigid all-or-nothing guarantees offered by the traditional cryptographic primitives have been particularly unattractive to these unpredictably resource-constrained

This paper presents MergeMAC, a MAC that is particularly suitable for environments with strict time requirements and extremely limited bandwidth. MergeMAC computes the MAC by splitting the message into two parts. We use a pseudorandom function (PRF) to map messages to random bit strings and then merge them with a very efficient keyless function. The advantage of this approach is that the outputs of the PRF can be cached for frequently needed message parts. We demonstrate the merits of MergeMAC for authenticating messages on the CAN bus where bandwidth is extremely limited and caching can be used to recover parts of the message counter instead of transmitting it. We recommend an instantiation of the merging function MERGE and analyze the security of our construction. Requirements for a merging function are formally defined and the resulting EUF-CMA security of MergeMAC is proven.

Authenticated ciphers, like all physical implementations of cryptography, are vulnerable to side-channel attacks, including differential power analysis (DPA). The t-test leakage detection methodology has been used to verify improved resistance of block ciphers to DPA after application of countermeasures. However, extension of the t-test methodology to authenticated ciphers is non-trivial, since authenticated ciphers require additional input and output conditions, complex interfaces, and long test vectors interlaced with protocol necessary to describe authenticated cipher operations. In this research we augment an existing side-channel analysis architecture (FOBOS) with t-test leakage detection for authenticated ciphers. We use this capability to show that implementations in the Spartan-6 FPGA of the CAESAR Round 3 candidates ACORN, ASCON, CLOC (AES and TWINE), SILC (AES, PRESENT, and LED), JAMBU (AES and SIMON), and Ketje Jr., as well as AES-GCM, are vulnerable to 1st order DPA. We then implement versions of the above ciphers, protected against 1st order DPA, using threshold implementations. The t-test leakage detection methodology is used to verify improved resistance to 1st order DPA of the protected cipher implementations. Finally, we benchmark unprotected and protected cipher implementations in the Spartan-6 FPGA, and compare the costs of 1st order DPA protection in terms of area, frequency, throughput, throughput-to-area (TP/A) ratio, power, and energy-per-bit. Our results show that ACORN has the lowest area (in LUTs), the highest TP/A ratio, and is the most energy-efficient of all DPA-resistant implementations. However, Ketje Jr. has the highest throughput.

In this paper, we introduce the notion of delegatable attribute-based anonymous credentials (DAAC). Such systems offer fine-grained anonymous access control and they give the credential holder the ability to issue more restricted credentials to other users. In our model, credentials are parameterized with attributes that (1) express what the credential holder himself has been certified and (2) define which attributes he may issue to others. Furthermore, we present a practical construction of DAAC. For this construction, we deviate from the usual approach of embedding a certificate chain in the credential. Instead, we introduce a novel approach for which we identify a new primitive we call dynamically malleable signatures (DMS) as the main ingredient. This primitive may be of independent interest. We also give a first instantiation of DMS with efficient protocols.

RankSign is a code-based signature scheme proposed to the NIST competition for post-quantum cryptography [AGHRZ17]. It is based on the rank metric and enjoys remarkably small key sizes, about 10KBytes for an intended level of security of 128 bits. It is also one of the fundamental blocks used in the rank metric identity based encryption scheme [GHPT17]. Unfortunately we will show that all the parameters proposed for this scheme in [AGHRZ17] can be broken by an algebraic attack that exploits the fact that the augmented LRPC codes used in this scheme have very low weight codewords.

Intuit is seeking an experienced cryptographer to help us secure the financial information of millions of customers and small businesses. Intuit Security R&D develops services where security and cryptography are used in industry-unique ways to protect our customers' data at the highest security standards.

Responsibilities:

• Participate in driving internal key management and encryption services, providing the business units with the best cryptography while keeping a complex and widespread system secure
• Use the latest research and conduct original research to allow operations over encrypted data, where the data is highly sensitive and solutions need to scale to a very high volume of concurrent transactions
• Validate newly developed cryptographic protocols using both manual proofs and automated formal verification
• Publish regularly as an active participant in the academic cryptographic community, and ensure Intuit is up to date on the latest cryptographic research
• Cooperate with engineering teams to ensure quality implementation of cryptographic protocols
• Work across a diverse and geographically distributed team, maintaining excellent communication and trust

Qualifications

• PhD from a credible institution with a focus on cryptography
• At least 3 years of experience working with industry in the cryptography domain
• At least 2 years of experience designing and developing software
• Proven experience with security issues outside of cryptography is highly desired
• Candidates should possess strong written and oral communication skills
• Demonstrated experience with developing partnerships to influence across organizational boundaries

The preferred location for this position is either Hod Hasharon, Israel or Mountain View, CA, however we are willing to consider other locations.

Closing date for applications: 15 August 2018

Contact: Yaron Sheffer, Director, Security Technologies Product Development, yaron_sheffer at intuit.com.

More information: https://careers.intuit.com/job-category/1/software-engineering/job/00132574/principal-cryptography-researcher

Fully homomorphic encryption schemes (FHE) allow to apply arbitrary efficient computation to encrypted data without decrypting it first. In Quantum FHE (QFHE) we may want to apply an arbitrary quantumly efficient computation to (classical or quantum) encrypted data.

We present a QFHE scheme with classical key generation (and classical encryption and decryption if the encrypted message is itself classical) with comparable properties to classical FHE. Security relies on the hardness of the learning with errors (LWE) problem with polynomial modulus, which translates to the worst case hardness of approximating short vector problems in lattices to within a polynomial factor. Up to polynomial factors, this matches the best known assumption for classical FHE. Similarly to the classical setting, relying on LWE alone only implies leveled QFHE (where the public key length depends linearly on the maximal allowed evaluation depth). An additional circular security assumption is required to support completely unbounded depth. Interestingly, our circular security assumption is the same assumption that is made to achieve unbounded depth multi-key classical FHE.

Technically, we rely on the outline of Mahadev (arXiv 2017) which achieves this functionality by relying on super-polynomial LWE modulus and on a new circular security assumption. We observe a connection between the functionality of evaluating quantum gates and the circuit privacy property of classical homomorphic encryption. While this connection is not sufficient to imply QFHE by itself, it leads us to a path that ultimately allows using classical FHE schemes with polynomial modulus towards constructing QFHE with the same modulus.

Sanitizable signature schemes are signature schemes which support the delegation of modification rights. The signer can allow a sanitizer to perform a set of admissible operations on the original message and then to update the signature, in such a way that basic security properties like unforgeability or accountability are preserved. Recently, Camenisch et al. (PKC 2017) devised new schemes with the previously unattained invisibility property. This property says that the set of admissible operations for the sanitizer remains hidden from outsiders. Subsequently, Beck et al. (ACISP 2017) gave an even stronger version of this notion and constructions achieving it. Here we characterize the invisibility property in both forms by showing that invisible sanitizable signatures are equivalent to IND-CPA-secure encryption schemes, and strongly invisible signatures are equivalent to IND-CCA2-secure encryption schemes. The equivalence is established by proving that invisible (resp. strongly invisible) sanitizable signature schemes yield IND-CPA-secure (resp. IND-CCA2-secure) public-key encryption schemes and that, vice versa, we can build (strongly) invisible sanitizable signatures given a corresponding public-key encryption scheme.

The Supersingular Isogeny Diffie-Hellman protocol (SIDH) has recently been the subject of increased attention in the cryptography community. Conjecturally quantum-resistant, SIDH has the feature that it shares the same data flow as ordinary Diffie-Hellman: two parties exchange a pair of public keys, each generated from a private key, and combine them to form a shared secret. To create a potentially quantum-resistant scheme, SIDH depends on a new family of computational assumptions involving isogenies between supersingular elliptic curves which replace both the discrete logarithm problem and the computational and decisional Diffie-Hellman problems. Like in the case of ordinary Diffie-Hellman, one is interested in knowing if these problems are related. In fact, more is true: there is a rich network of reductions between the isogeny problems securing the private keys of the participants in the SIDH protocol, the computational and decisional SIDH problems, and the problem of validating SIDH public keys. In this article we explain these relationships, which do not appear elsewhere in the literature, in hopes of providing a clearer picture of the SIDH problem landscape to the cryptography community at large.

Modular exponentiation represents a signicant workload for public key cryptosystems. Examples include not only the classical RSA, DSA, and DH algorithms, but also the partially homomorphic Paillier encryption. As a result, efficient software implementations of modular exponentiation are an important target for optimization. This paper studies methods for using Intel's forthcoming AVX512 Integer Fused Multiply Accumulate (AVX512IFMA) instructions in order to speed up modular (Montgomery) squaring, which dominates the cost of the exponentiation. We further show how a minor tweak in the architectural definition of AVX512IFMA has the potential to further speed up modular squaring.

QARMA is a family of lightweight tweakable block ciphers, which is used to support a software protection feature in the ARMv8 architecture. In this paper, we study the security of QARMA family against the impossible differential attack. First, we generalize the concept of truncated difference. Then, based on the generalized truncated difference, we construct the first 6-round impossible differential dinstinguisher of QARMA. Using the 6-round distinguisher and the time-and-memory trade-off technique, we present 10-round impossible differential attack on QARMA. This attack requires $2^{119.3}$ (resp. $2^{237.3}$) encryption units, $2^{61}$ (resp. $2^{122}$) chosen plaintext and $2^{72}$ 72-bit (resp. $2^{144}$ 144-bit) space for QARMA-64 (resp. QARMA-128). Further, if allowed with higher memory complexity (about $2^{116}$ 120-bit and $2^{232}$ 240-bit space for QARMA-64 and QARMA-128, respectively), our attack can break up 11 rounds of QARMA. To the best of our knowledge, these results are currently the best results with respect to attacked rounds.

We study secret sharing schemes for general (non-threshold) access structures. A general secret sharing scheme for $n$ parties is associated to a monotone function $\mathsf F:\{0,1\}^n\to\{0,1\}$. In such a scheme, a dealer distributes shares of a secret $s$ among $n$ parties. Any subset of parties $T \subseteq [n]$ should be able to put together their shares and reconstruct the secret $s$ if $\mathsf F(T)=1$, and should have no information about $s$ if $\mathsf F(T)=0$. One of the major long-standing questions in information-theoretic cryptography is to minimize the (total) size of the shares in a secret-sharing scheme for arbitrary monotone functions $\mathsf F$.

There is a large gap between lower and upper bounds for secret sharing. The best known scheme for general $\mathsf F$ has shares of size $2^{n-o(n)}$, but the best lower bound is $\Omega(n^2/\log n)$. Indeed, the exponential share size is a direct result of the fact that in all known secret-sharing schemes, the share size grows with the size of a circuit (or formula, or monotone span program) for $\mathsf F$. Indeed, several researchers have suggested the existence of a {\em representation size barrier} which implies that the right answer is closer to the upper bound, namely, $2^{n-o(n)}$.

In this work, we overcome this barrier by constructing a secret sharing scheme for any access structure with shares of size $2^{0.994n}$ and a linear secret sharing scheme for any access structure with shares of size $2^{0.999n}$. As a contribution of independent interest, we also construct a secret sharing scheme with shares of size $2^{\tilde{O}(\sqrt{n})}$ for $2^{{n\choose n/2}}$ monotone access structures, out of a total of $2^{{n\choose n/2}\cdot (1+O(\log n/n))}$ of them. Our construction builds on recent works that construct better protocols for the conditional disclosure of secrets (CDS) problem.

\"Backside shieldings and protections for integrated ciruits against physical attacks\"

Summary : Secure chip manufacturers must ensure the protection of the confidential information contained in their component. This involves software countermeasures (data encryption by a crypto-processor) as well as hardware protections since attackers are now able to access information by attacking the chip with physical methods. Unlike the active side which already includes countermeasures, the back side of the chips remains a preferred target because it is more vulnerable and closer to the active layers of the circuit.

CEA-Leti is working on the development of an efficient, low cost and low power protection using technologies derived from 3D integration. An innovative backside shield, designed and patented by the Leti / DCOS packaging laboratory, was fabricated and showed its effectiveness against fault injection and other typical attacks. Some improvements in the design and structure of the shield have been identified to make it even more difficult to attack. Finally, an extension of the concept to a whole system has been considered in order to collectively protect the back side of several chips.

As part of this thesis, the improvement of the structure and its extension to a system will be studied, in order to propose an optimized design and to lead the technological developments necessary to its implementation on a demonstrator. The PhD student will conduct thermo-mechanical simulation work to size the protection elements for optimal efficiency, then he will participate in the design of the masks necessary for their realization. He will follow the process developments in the clean room and will take part in the physical and / or electrical characterizations. Throughout these processes, he will interact with Leti\'s security experts to ensure that the developments are consistent with the state of the art in terms of attacks and countermeasures.

Closing date for applications: 31 May 2018

Contact: Dr Stefan Borel

stephan.borel (at) cea.fr

Several PhD positions currently open on hardware security at the CEA Leti (please note that for the first three subjects, nationality restrictions might apply):

- \"On the use of wavelets for side-channel analysis\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/ondelettes-pour-le-traitement-des-signaux-compromettants,18-0769.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/wavelets-applied-to-side-channel-analysis,18-0769/pdf.html

- \"Integrated circuit modification with focalized X-Ray beams and a FIB\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/modification-de-circuits-electroniques-avec-lutilisation-de-rayons-x-et-dun-fib,18-0633.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/integrated-circuit-modification-with-focalized-xrays-beam-and-fib,18-0633/pdf.html

- \"Symbolic execution methods on binary codes to detect perturbations attacks vulnerabilities\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/methodes-d-execution-symbolique-de-code-binaire-pour-detections-de-vulnerabilites-contre-les,18-0767.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/symbolic-execution-methods-on-binary-codes-to-detect-perturbations-attacks-vulnerabilities,18-0767/pdf.html

- \"Secure implementation of stream ciphers\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/securisation-de-l-implementation-des-mecanismes-de-chiffrements-par-flot,18-0762.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/secure-implementation-of-stream-ciphers,18-0762/pdf.html

Closing date for applications: 31 May 2018

Contact: Jacques Fournier, PhD, HDR

Senior Scientist

jacques.fournier (at) cea.fr