International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

10 May 2018

Kevin Lewi, Callen Rain, Stephen Weis, Yueting Lee, Haozhi Xiong, Benjamin Yang
ePrint Report
Secure authentication and authorization within Facebook’s infrastructure play important roles in protecting people using Facebook’s services. Enforcing security while maintaining a flexible and performant infrastructure can be challenging at Facebook’s scale, especially in the presence of varying layers of trust among our servers. Providing authentication and encryption on a per-connection basis is certainly necessary, but also insufficient for securing more complex flows involving multiple services or intermediaries at lower levels of trust.

To handle these more complicated scenarios, we have developed two token-based mechanisms for authentication. The first type is based on certificates and allows for flexible verification due to its public-key nature. The second type, known as “crypto auth tokens”, is symmetric-key based, and hence more restrictive, but also much more scalable to a high volume of requests. Crypto auth tokens rely on pseudorandom functions to generate independently-distributed keys for distinct identities.

Finally, we provide (mock) examples which illustrate how both of our token primitives can be used to authenticate real-world flows within our infrastructure, and how a token-based approach to authentication can be used to handle security more broadly in other infrastructures which have strict performance requirements and where relying on TLS alone is not enough.

Karl Wüst, Kari Kostiainen, Vedran Capkun, Srdjan Capkun
ePrint Report
Decentralized cryptocurrencies based on blockchains provide attractive features, including user privacy and system transparency, but lack active control of money supply and capabilities for regulatory oversight, both existing features of modern monetary systems. These limitations are critical, especially if the cryptocurrency is to replace, or complement, existing fiat currencies. Centralized cryptocurrencies, on the other hand, provide controlled supply of money, but lack transparency and transferability. Finally, they provide only limited privacy guarantees, as they do not offer recipient anonymity or payment value secrecy.

We propose a novel digital currency, called PRCash, where the control of money supply is centralized, money is represented as value-hiding transactions for transferability and improved privacy, and transactions are verified in a distributed manner and published to a public ledger for verifiability and transparency. Strong privacy and regulation are seemingly conflicting features, but we overcome this technical problem with a new regulation mechanism based on zero-knowledge proofs. Our implementation and evaluation shows that payments are fast and large-scale deployments practical. PRCash is the first digital currency to provide control of money supply, transparency, regulation, and privacy at the same time, and thus make its adoption as a fiat currency feasible.

Angela Jäschke, Frederik Armknecht
ePrint Report
In the context of Fully Homomorphic Encryption, which allows computations on encrypted data, Machine Learning has been one of the most popular applications in the recent past. All of these works, however, have focused on supervised learning, where there is a labeled training set that is used to configure the model. In this work, we take the first step into the realm of unsupervised learning, which is an important area in Machine Learning and has many real-world applications, by addressing the clustering problem. To this end, we show how to implement the K-Means-Algorithm. This algorithm poses several challenges in the FHE context, including a division, which we tackle by using a natural encoding that allows division and may be of independent interest. While this theoretically solves the problem, performance in practice is not optimal, so we then propose some changes to the clustering algorithm to make it executable under more conventional encodings. We show that our new algorithm achieves a clustering accuracy comparable to the original K-Means-Algorithm, but has less than $5\%$ of its runtime.

Zhengjun Cao, Lihua Liu
ePrint Report
Clauser-Horne-Shimony-Holt inequality, an extension of Bell's inequality, is of great importance to modern quantum computation and quantum cryptography. So far, all experimental demonstrations of entanglement are designed to check Bell's inequality or Clauser-Horne-Shimony-Holt inequality. In this note, we specify the math assumptions needed in the argument for Clauser-Horne-Shimony-Holt inequality. We then show the math argument for this inequality is totally indispensable of any physical interpretation, including the hidden variable interpretation for the EPR thought experiment and the Copenhagen interpretation for quantum mechanics.

Willy Quach, Hoeteck Wee, Daniel Wichs
ePrint Report
We introduce a new cryptographic primitive called laconic function evaluation (LFE). Using LFE, Alice can compress a large circuit $f$ into a small digest. Bob can encrypt some data $x$ under this digest in a way that enables Alice to recover $f(x)$ without learning anything else about Bob's data. For the scheme to be laconic, we require that the size of the digest, the run-time of the encryption algorithm and the size of the ciphertext should all be small, much smaller than the circuit-size of $f$. We construct an LFE scheme for general circuits under the learning with errors (LWE) assumption, where the above parameters only grow polynomially with the depth but not the size of the circuit. We then use LFE to construct secure 2-party and multi-party computation (2PC, MPC) protocols with novel properties:

* We construct a 2-round 2PC protocol between Alice and Bob with respective inputs $x_A,x_B$ in which Alice learns the output $f(x_A,x_B)$ in the second round. This is the first such protocol which is "Bob-optimized", meaning that Alice does all the work while Bob's computation and the total communication of the protocol are smaller than the size of the circuit $f$ or even Alice's input $x_A$. In contrast, prior solutions based on fully homomorphic encryption are "Alice-optimized".

* We construct an MPC protocol, which allows $N$ parties to securely evaluate a function $f(x_1,...,x_N)$ over their respective inputs, where the total amount of computation performed by the parties during the protocol execution is smaller than that of evaluating the function itself! Each party has to individually pre-process the circuit $f$ before the protocol starts and post-process the protocol transcript to recover the output after the protocol ends, and the cost of these steps is larger than the circuit size. However, this gives the first MPC where the computation performed by each party during the actual protocol execution, from the time the first protocol message is sent until the last protocol message is received, is smaller than the circuit size.

Jung Hee Cheon, Minki Hhan, Jiseung Kim, Changmin Lee
ePrint Report
In this paper, we propose cryptanalyses of all existing indistinguishability obfuscation (iO) candidates based on branching programs (BP) over the GGH13 multilinear map. To achieve this, we introduce two novel techniques, program converting and matrix zeroizing, which can be applied to a wide range of obfuscation structures and BPs. We then prove that the existing general-purpose BP obfuscations over the GGH13 multilinear map with the current parameters cannot achieve indistinguishability. More precisely, the recent BP obfuscation suggested by Garg et al., which is still secure against all known attacks, and the first candidate indistinguishability obfuscation with input-unpartitionable branching programs are not secure against our attack. Previously, there has been no known probabilistic polynomial time attack for these two cases.

Cencen Wan, Yuncong Zhang, Chen Pan, Zhiqiang Liu, Yu Long, Zhen Liu, Yu Yu, Shuyang Tang
ePrint Report
Proof of Work (PoW), a fundamental blockchain protocol, has been widely applied and thoroughly testified in various decentralized cryptocurrencies, due to its intriguing merits including trustworthy sustainability, robustness against sybil attack, delicate incentive-compatibility, and openness to any participant. Meanwhile, PoW-powered blockchains still suffer from poor efficiency, potential selfish mining, to-be-optimized fairness and extreme inconvenience of protocol upgrading. Therefore, it is of great interest to design a new PoW-based blockchain protocol to address or relieve the above issues so as to make it more applicable and feasible.

To do so, firstly we take advantage of the basic framework (i.e., two-layer chain structure) adopted in Bitcoin-NG, which was introduced by Eyal et al. to extend the throughput of Bitcoin-derived blockchains significantly via blocks of a two-layer structure, inheriting the high throughput merit while ridding off the vulnerability to the attack of microblock swamping in Bitcoin-NG as well as attaining a better fairness property, by presenting a two-level mining mechanism and incorporating this mechanism into the two-layer chain structure. Furthermore, to tackle the selfish mining issue, strengthen the robustness against the "51%" attack of PoW miners, and offer the flexibility for future protocol updating effectively, we borrow the idea of the ticket-voting mechanism from DASH and Decred, and combine it with our improved structure elaborately to build a novel efficient, robust and flexible blockchain protocol (named Goshawk). Last but not least, this scheme has been implemented and deployed in the testnet of the public blockchain project Hcash for months, and has demonstrated its stability and high efficiency with such real-world tests.

Gideon Samid
ePrint Report
Cryptographic security is built on two ingredients: a sufficiently large key space, and a sufficiently complex processing algorithm. Driven by historic inertia we use fixed size small keys, and dial up the complexity metric in our algorithms. It's time to examine this trend. Effective cryptographic complexity is difficult to achieve, more difficult to verify, and it keeps the responsibility for security in the hands of a few cipher implementers and fewer cipher designers. By contrast, adding more key bits over simple-to-analyze mathematics may guarantee a security advantage per increased key size. What is more revolutionary is the fact that the decision how much randomness to deploy may be relegated to the owner of the protected data (the cipher user), which is where it should reside. Such a shift of security responsibility will deny government the ability to violate its citizens' privacy on a wholesale basis. In order to catch on, we need a new class of ciphers. We point to several published options, and invite a community debate on this strategic proposition.

Sankhanil Dey, Ranjan Ghosh
ePrint Report
In modern as well as ancient ciphers of public key cryptography, substitution boxes find a permanent seat. Generation and cryptanalysis of 4-bit as well as 8-bit crypto S-boxes is of utmost importance in modern cryptography. In this paper, a detailed review of cryptographic properties of S-boxes has been illustrated. The generation of crypto S-boxes with 4-bit as well as 8-bit Boolean functions (BFs) and polynomials over the Galois field GF(p^q) has also been of keen interest in this paper. The detailed analysis and comparison of generated 4-bit and 8-bit S-boxes with the 4-bit as well as 8-bit S-boxes of the Data Encryption Standard (DES) and Advanced Encryption Standard (AES) respectively has been incorporated with examples. Detailed analysis of the generated S-boxes claims a better result than DES and AES in view of the security of crypto S-boxes.

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Hugo Pacheco, Vitor Pereira, Bernardo Portela
ePrint Report
We give a language-based security treatment of domain-specific languages and compilers for secure multi-party computation, a cryptographic paradigm that enables collaborative computation over encrypted data. Computations are specified in a core imperative language, as if they were intended to be executed by a trusted-third party, and formally verified against an information-flow policy modelling (an upper bound to) their leakage. This allows non-experts to assess the impact of performance-driven authorized disclosure of intermediate values.

Specifications are then compiled into multi-party protocols. We formalize protocol security using (distributed) probabilistic information-flow and prove that compilation is security-preserving: protocols do not leak more than allowed by the source policy. The proof exploits a natural but previously missing correspondence between simulation-based cryptographic proofs and (composable) probabilistic non-interference.

Finally, we extend our framework to justify leakage cancelling, a domain-specific optimization that allows one to, first, write an efficiently computable specification that fails to meet the allowed leakage upper-bound, and then apply a probabilistic pre-processing that brings the overall leakage to within the acceptable range.

06 May 2018

Payman Mohassel, Peter Rindal
ePrint Report
Machine learning is widely used to produce models for a range of applications and is increasingly offered as a service by major technology companies. However, the required massive data collection raises privacy concerns during both training and prediction stages.

In this paper, we design and implement a general framework for privacy-preserving machine learning and use it to obtain new solutions for training linear regression, logistic regression and neural network models. Our protocols are in a three-server model wherein data owners secret share their data among three servers who train and evaluate models on the joint data using three-party computation (3PC).

Our main contribution is a new and complete framework ($ABY^3$) for efficiently switching back and forth between arithmetic, binary, and Yao 3PC, which is of independent interest. Many of the conversions are based on new techniques that are designed and optimized for the first time in this paper. We also propose new techniques for fixed-point multiplication of shared decimal values that extend beyond the three-party case, and customized protocols for evaluating piecewise polynomial functions. We design variants of each building block that are secure against malicious adversaries who deviate arbitrarily.

We implement our system in C++. Our protocols are up to four orders of magnitude faster than the best prior work, hence significantly reducing the gap between privacy-preserving and plaintext training.

Bonn, Germany, 23 July - 27 July 2018
Event Calendar
Event date: 23 July to 27 July 2018

Nanyang Technological University
Job Posting
The Research Group at Nanyang Technological University (NTU), Singapore, led by Prof. Anupam Chattopadhyay is seeking skilled and motivated candidates for the position of Post-Doctoral Research Fellow to participate in multiple ongoing projects focusing on system/architecture/hardware security. The research team is currently funded by several large and strategic research grants in the aforementioned areas. Salaries are highly competitive and are decided according to the successful applicants’ accomplishments, experience and qualifications. Interested applicants are encouraged to send their detailed CV, cover letter and two letters of reference to Prof. Anupam Chattopadhyay (anupam at ntu.edu.sg).

We are seeking candidates who have an introductory knowledge of cryptography and a strong background in digital/system design, including relevant experience in managing large-scale programming projects in C/C++/VHDL/Verilog. Candidates with prior industrial experience and familiarity with state-of-the-art tools in these domains are preferred.

Review of applications starts immediately and will continue until positions are filled.

Closing date for applications: 31 December 2018

Contact: Asst. Prof. Anupam Chattopadhyay, Nanyang Technological University (Singapore), anupam at ntu.edu.sg


NuCypher
Job Posting
NuCypher is a data privacy layer for blockchain, decentralized applications, and other distributed systems. We're backed by Y Combinator, Polychain Capital, and many other leading investors.

We're looking for a scientist with expertise in fully homomorphic encryption (FHE) to assist with our research efforts on performance improvements and potential applications for smart contracts. Familiarity with related technologies like proxy re-encryption (PRE) and multi-party computation (MPC) is helpful.

Ideally, candidates have an understanding of the surrounding issues and problems and have an interest in identifying potential solutions. Due to the unproven and highly theoretical nature of these schemes, candidates should be willing to pivot research when practical solutions cannot be found. Qualified candidates are likely (but not required) to have a PhD or similarly extensive experience in cryptography.

Closing date for applications: 31 December 2018

Contact: Please email founders (at) nucypher.com with your CV and any previous research/publications you're able to share.

More information: http://www.nucypher.com/


04 May 2018

Simula@UiB, Bergen, Norway
Job Posting
Simula@UiB (simula-uib.com) has a three-year PhD position available in the field of cryptography. The position is associated with the project “qsIoT: Quantum safe cryptography for the Internet of Things”, awarded by the Research Council of Norway.

Closing date for applications: 15 June 2018

Contact: Professor Øyvind Ytrehus, Simula@UiB

Email: oyvindy (at) simula.no

More information: https://www.simula.no/about/job/call-phd-student-cryptography-simulauib


Norwegian University of Science and Technology (NTNU)
Job Posting
Each researcher will work on a separate project in one of the following three related areas. It is expected that all researchers will collaborate and meet together regularly as a team. The project is a collaboration between members of the NTNU Applied Cryptology Laboratory.

  • Post-quantum primitives. Post-quantum public-key primitives are the main focus of the ongoing NIST standardization process that officially started on 30 November 2017. Initially 69 schemes were proposed in three main categories: encryption schemes, key encapsulation mechanisms, and digital signatures. Those, and possibly new primitives, are the subject of the research for this position.

  • Post-quantum ecosystem. Current public key cryptosystems have a large associated ecosystem of auxiliary protocols and tools, such as proofs of knowledge, proofs of relations, verifiable decryption, and shuffles of ciphertexts. This ecosystem is sparse for most post-quantum schemes. Our group has already begun working on new tools, such as shuffles and verifiable decryption, mostly for lattice-based cryptosystems. We intend to continue this line of research, with a focus on lattice-based cryptography, but we will also work on code-based and multivariate cryptography.

  • Post-quantum key exchange. This project will focus on how to achieve efficient quantum-secure key exchange which can achieve some useful key exchange properties, such as: forward secrecy, key compromise impersonation, deniability, anonymity, contributiveness, and key control. Strong models of security, such as those accounting for ephemeral key leakage and side channels, and different settings, such as password-based key exchange and group key exchange, will also be investigated.

    Closing date for applications: 1 June 2018

    Contact: Professor Kristian Gjøsteen (kristian.gjosteen (at) ntnu.no), or Professor Colin Boyd (colin.boyd (at) ntnu.no), or Professor Danilo Gligoroski (danilo.gligoroski (at) ntnu.no)

    More information: https://www.jobbnorge.no/en/available-jobs/job/152421/


03 May 2018

Ioana Boureanu, Anda Anda
ePrint Report
Relay attacks on contactless e-payments were demonstrated in 2015. Since then, countermeasures have been proposed and Mastercard has recently adopted a variant of these in their specifications. These relay-counteractions are based on the payment terminal checking that the card is close by. To this end, several other EMV adaptations have emerged, with the aim of impeding dishonest cards from cheating on their proximity proofs. However, we argue that both the former and the latter measures are ineffective.

We only sketch possible designs in the right directions, with the idea to pass on the message that these problems should be looked at much more carefully.

We shortly debate what should and should not be the case w.r.t. confirmation of EMV contactless payments.

We also discuss alternative views onto making contactless payments secure against relay-attacks via proximity-checking.

02 May 2018

Nanyang Technological University, Singapore
Job Posting
SYmmetric and Lightweight cryptography Lab (SYLLAB) at Nanyang Technological University (NTU), Singapore, is seeking highly motivated candidates for 1 research fellow position (from fresh post-docs to senior research fellows) in the areas of symmetric key cryptography and machine learning. The research team is supported by Temasek Laboratories funding from Singapore. Salaries are competitive and are determined according to the successful applicants' accomplishments, experience and qualifications. Interested applicants should send their detailed CVs, cover letter and references to Prof. Thomas Peyrin (thomas.peyrin (at) ntu.edu.sg).

Candidates are expected to have a strong background in symmetric-key cryptography and/or machine learning, with good experience in programming with C/C++ and/or Python.

Review of applications starts immediately and will continue until positions are filled.

Closing date for applications: 31 December 2018

Contact: Assoc. Prof. Thomas Peyrin, Nanyang Technological University (Singapore), thomas.peyrin (at) ntu.edu.sg


DarkMatter - Abu Dhabi
Job Posting
DarkMatter is currently looking for several Security Researchers to join its Lab in the sunny city of Abu Dhabi (45 min from Dubai).

If you are looking for a real technical challenge within a top-notch Lab, using the most recent technologies, a true work-life balance, a tax-free salary and the beach all year round, feel free to go on our website to apply for the open positions below:

- Hardware Security Researcher

- Embedded Security Researcher

- Malware Researcher

- Software Security Researcher

- Cryptanalyst

Apply here: https://careers.darkmatter.ae/jobs/search

Have a nice day !

Closing date for applications: 1 October 2018

Contact: Mehdi Messaoudi

Talent Acquisition Specialist at DarkMatter

mehdi.messaoudi (at) darkmatter.ae

More information: https://careers.darkmatter.ae/jobs/search


Nada EL Kassem, Liqun Chen, Rachid El Bansarkhani, Ali El Kaafarani, Jan Camenisch, Patrick Hough
ePrint Report
Direct Anonymous Attestation (DAA) is an anonymous digital signature that aims to provide both signer authentication and privacy. DAA was designed for the attestation service of the Trusted Platform Module (TPM). In this application, a DAA signer role is divided into two parts: the principal signer which is a TPM, and an assistant signer which is a standard computing platform in which the TPM is embedded, called the Host. A design feature of a DAA solution is to make the TPM workload as low as possible. This paper presents a lattice-based DAA (L-DAA) scheme to meet this requirement. Security of this scheme is proved in the Universally Composable (UC) security model under the hard assumptions of the Ring Inhomogeneous Short Integer Solution (Ring-ISIS) and Ring Learning With Errors (Ring-LWE) problems. Our L-DAA scheme includes two building blocks, one is a modification of the Boyen lattice based signature scheme and another is a modification of the Baum et al. lattice based commitment scheme. These two building blocks may be of independent interest.