International Association
for Cryptologic Research

We pursue to formalize and instantiate a secure bidirectional channel with message franking properties. Under this model a sender may send an abusive message to the receiver and the latter wish to open it in a verifiable way to a third party. Potential malicious behavior of a sender requires message franking protocols resistant to sending messages that cannot be opened later by the receiver. An adversary impersonated by the receiver may also try to open messages that have not been sent by the sender. Wrapping a message franking protocol in a secure channel requires a more delicate treatment in order to avoid drops or replay of messages and out-of-order delivery. To the best of our knowledge we are the first to model the security of a message franking channel, which apart from integrity, confidentiality, resistance to drops, relays and out-of-order delivery is sender and receiver binding: a sender cannot send a message which cannot be opened in a verifiable way later by the receiver, and the receiver cannot claim a message that had not been truly sent by the receiver. Finally, we instantiate a bidirectional message franking channel from symmetric primitives and analyze its security.

In this work, we introduce the notion of registration-based encryption (RBE for short) with the goal of removing the trust parties need to place in the private-key generator in an IBE scheme. In an RBE scheme, users sample their own public and secret keys. There will also be a ``key curator'' whose job is only to aggregate the public keys of all the registered users and update the short public parameter whenever a new user joins the system. Encryption can still be performed to a particular ecipient using the recipient's identity and any public parameters released subsequent to the recipient's registration. Decryption requires some auxiliary information connecting users' public (and secret) keys to the public parameters. Because of this, as the public parameters get updated, a decryptor may need to obtain a few additional auxiliary information for decryption. More formally, if $n$ is the total number of identities and $\kappa$ is the security parameter, we require the following.

Efficiency requirements: (1) A decryptor only needs to obtain updated auxiliary information for decryption at most $O(\log n)$ times in its lifetime, (2) each of these updates are computed by the key curator in time $poly(\kappa,\log n)$, and (3) the key curator updates the public parameter upon the registration of a new party in time $poly(\kappa,\log n)$. Properties (2) and (3) require the key curator to have \emph{random} access to its data.

Compactness requirements: (1) Public parameters are always at most $poly(\kappa,\log n)$ bit, and (2) the total size of updates a user ever needs for decryption is also at most $poly(\kappa,\log n)$ bits.

We present feasibility results for constructions of RBE based on indistinguishably obfuscation. We further provide constructions of \emph{weakly efficient} RBE, in which the registration step is done in $poly(\kappa, n)$, based on CDH, Factoring or LWE assumptions. Note that registration is done only once per identity, and the more frequent operation of generating updates for a user, which can happen more times, still runs in time $poly(\kappa,\log n)$. We leave open the problem of obtaining standard RBE (with $poly(\kappa,\log n)$ registration time) from standard assumptions.

Bitcoin, the most popular blockchain system, does not scale even under very optimistic assumptions. Lightning networks, a layer on top of Bitcoin, composed of one-to-one lightning channels make it scale to up to 105 Million users.

Recently, Duplex Micropayment Channel factories have been proposed based on opening multiple one-to-one payment channels at once. Duplex Micropayment Channel factories rely on time-locks to update and close their channels. This mechanism yields to situation where users funds time-locking for long periods increases with the lifetime of the factory and the number of users. This makes DMC factories not applicable in real-life scenarios.

In this paper, we propose the first channel factory construction, the Lightning Factory that offers a constant collateral cost, independent of the lifetime of the channel and members of the factory.

We compare our proposed design with Duplex Micropayment Channel factories, obtaining better performance results by a factor of more than 3000 times in terms of the worst-case constant collateral cost incurred when malicious users use the factory. The message complexity of our factory is $n$ where Duplex Micropayment Channel factories need $n^2$ messages where $n$ is the number of users. Moreover, our factory copes with an infinite number of updates while in Duplex Micropayment Channel factories the number of updates is bounded by the initial time-lock.

Finally, we discuss the necessity for our Lightning Factories of BNN, a non-interactive aggregate signature cryptographic scheme, and compare it with Schnorr and ECDSA schemes used in Bitcoin and Duplex Micropayment Channels.

Collaboration between financial institutions helps to improve detection of fraud. However, exchange of relevant data between these institutions is often not possible due to privacy constraints and data confidentiality. An important example of relevant data for fraud detection is given by a transaction graph, where the nodes represent bank accounts and the links consist of the transactions between these accounts. Previous works show that features derived from such graphs, like PageRank, can be used to improve fraud detection. However, each institution can only see a part of the whole transaction graph, corresponding to the accounts of its own customers.In this research a new method is described, making use of secure multiparty computation (MPC) techniques, allowing multiple parties to jointly compute the PageRank values of their combined transaction graphs securely, while guaranteeing that each party only learns the PageRank values of its own accounts and nothing about the other transaction graphs. In our experiments this method is applied to graphs containing up to tens of thousands of nodes. The execution time scales linearly with the number of nodes, and the method is highly parallelizable. Secure multiparty PageRank is feasible in a realistic setting with millions of nodes per party by extrapolating the results from our experiments.

Registration is now open for Real World Crypto 2019, at https://rwc.iacr.org/2019/registration.html. RWC2019 will be held January 9-11 in San Jose, CA, USA.

The School of Computing and Information Technology is seeking a full time Continuing Position Lecturer (Level B) to provide development, teaching and research within the Bachelor of Computer Science (majoring Cybersecurity). The candidate is expected to be a research active in the area of Cybersecurity, and he/she is equipped with sufficient experience for teaching undergraduate and postgraduate studies.

You will be prompted to respond to the selection criteria as part of the online application process, based on the position description below. You will be able to save your application at any time and submit at a later date if required, you will only be able to do this before the closing date of the position.

Closing date for applications: 29 October 2018

Contact: Professor Willy Susilo (wsusilo (at) uow.edu.au)

More information: https://www.uow.edu.au/content/groups/public/@web/@recruit/@pd/documents/doc/uow252142.pdf

Singapore University of Technology and Design (SUTD) is a young university which was established in collaboration with MIT. iTrust is a Cyber Security Research Center which has the world\'s best facilities in cyber-physical systems (CPS) including testbeds for Secure Water Treatment (SWaT), Water Distribution (WADI), Electric Power and Intelligent Control (EPIC), and IoT. (See more info at https://itrust.sutd.edu.sg/research/testbeds/.)

I am looking for PhD interns with interest in cyber-physical system security (IoT, water, power grid, transportation, and autonomous vehicle etc.). The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou. Only short-listed candidates will be contacted for interview.

Closing date for applications: 8 January 2019

Contact: Prof. Jianying Zhou

More information: http://jianying.space/

New York University Abu Dhabi (NYUAD) seeks to recruit tenure-track faculty at Assistant Professor level in the Computer Engineering (CmpE) program who are distinguished in both their research and teaching. As a part of a major multi-year growth plan, the following areas are of particular interest at the present time: Cyber Security, Computer Networks, and Machine Learning.

NYUAD has close collaborations with the faculty and students of the NYU Tandon School of Engineering and has access to world-class research centers in cyber security (cyber.nyu.edu) and wireless communications (wireless.engineering.nyu.edu), among others. Our students are drawn from around the world and surpass all traditional academic benchmarks.

Candidates with a strong record of interdisciplinary research in emerging areas are preferred. Candidates must have a PhD degree in CmpE or related disciplines and must have the ability to develop and lead high-quality research and attract external funding.

Review of applications will begin November 1, 2018, and shortlisted candidates will be invited to visit the campuses in New York and Abu Dhabi at the beginning of the Spring 2019 semester. Candidates should submit a cover letter, curriculum vitae, and statements of teaching and research interests. To complete the online process, applicants will be prompted to enter the names and email addresses of at least three referees. Each referee will be contacted to upload their reference letter only if the candidate is shortlisted for further consideration.

To apply for this position, please visit apply.interfolio.com/52923. If you have any questions, please e-mail nyuad.engineering (at) nyu.edu.

Closing date for applications: 1 November 2018

Contact: nyuad.engineering (at) nyu.edu

More information: https://apply.interfolio.com/52923

TENURE-TRACK FACULTY POSITIONS

The Department of Applied Mathematics at the Naval Postgraduate School, in Monterey, California invites applications for one or more tenure-track positions at the level of Assistant Professor (exceptional candidates at all levels may be considered).

We seek candidates who can teach a wide range of courses (course listings can be found at https://math.nps.edu) primarily as on-campus lectures, but sometimes delivered by VTE. Candidates will also be expected to conduct an active program of research and to direct student theses.

The successful candidate for this position will possess a doctorate in Mathematics or a closely related area from an accredited university. Teaching experience is highly desirable and evidence of exceptional research potential is necessary. All areas of research will be considered, but preference will be given to candidates specializing in areas of computational discrete mathematics that support existing departmental research efforts (cryptography, graph theory, network science, etc.). Effective teaching is essential and candidates must have excellent communication skills (both written and oral), as well as strong interpersonal and organizational abilities. U. S. citizenship is required.

Applicants must submit a cover letter describing their qualifications for these positions, a comprehensive curriculum vitae or resume and contact and e-mail address information for a minimum of three references. The application material must clearly state the applicant’s citizenship. Applications may be submitted electronically or in hard copy to:

Review of applications will begin immediately and applications will be accepted until the positions are filled. Candidates applying by November 1, 2018 will receive full consideration.

The Naval Postgraduate School is an equal opportunity employer. For additional information about NPS, please refer to the website at http://www.nps.edu

Closing date for applications: 1 February 2019

Contact: Prof. Frank Giraldo

Email: fxgirald (at) nps.edu (preferred)

Postal Mail:

Department of Applied Mathematics

Naval Postgraduate School

Monterey, CA 93943-5121

USA

More information: https://math.nps.edu

The Physical Analysis and Cryptographic Engineering (PACE), Temasek Laboratories @ Nanyang Technological University, Singapore is seeking one motivated researcher, in the area of hardware security.

Candidates should ideally have already completed, or be close to completing a PhD degree in mathematics, computer science, electrical engineering, or related disciplines, with strong track record in R&D (publications in international journals and conferences). Master degree with relevant research experience can be considered.

You will be joining a dynamic group performing research on embedded security, specific to physical attacks. This position is available from December 2018. The initial contract will be one year. There are strong possibilities for extensions upon successful performance. TL offers competitive salary package plus other benefits.

Review of applications will start immediately until position is filled.

Interested candidates should send their detailed CVs, cover letter and references,

Closing date for applications: 31 December 2018

Contact: Shivam Bhasin, Co-Principle Investigator: sbhasin (at) ntu.edu.sg

Cybersecurity research group at North Carolina State University is seeking multiple PhD students in the field of embedded and hardware security. These positions are available starting Spring 2019. Interested applicants can email aaysu (at) ncsu.edu. Please include your CV, publication list, and a statement of research interests. Candidates having one or more of the following research expertise are preferred.

• Cryptography: especially on post-quantum cryptography or blockchain technologies

• Machine learning: theoretical analysis or application-oriented experience with an emphasis on deep neural networks and their implementation.

• Computer architectures and embedded software: RISC-V ISA and assembly programming

• Implementation attacks: side-channel analysis and fault attacks

• Hardware design on FPGAs or ASIC. Having an ASIC tape-out experience is highly preferred.

• Design automation and high-level (C-to-RTL) synthesis

Electrical and Computer Engineering Department of North Carolina State University is ranked top 10 in annual research expenditures. The graduate School of Engineering has been ranked #24 and the graduate Computer Engineering program has been ranked #26 by US News Rankings 2018.

Bio: Dr. Aydin Aysu is currently a post-doctoral researcher at the University of Texas at Austin and is joining the Department of Electrical and Computer Engineering of North Carolina State University starting Fall 2018. He received his PhD at Virginia Tech in 2016, his MS and BS at Sabanci University in 2010 and 2008, respectively. He conducts research in the broad field of cybersecurity with an emphasis on hardware-based security, and he leads the HECTOR (Hardware and Embedded Cyber-Threat Research) lab.

Closing date for applications: 15 January 2019

Contact: Dr. Aydin Aysu

aaysu (at) ncsu.edu

Assistant Professor at the Electrical and Computer Engineering Department

Adjunct Professor at the Computer Science Department

North Carolina State University

More information: https://research.ece.ncsu.edu/aaysu/

Highly efficient encryption and authentication of short messages has been identified as an essential requirement for enabling security in constrained computation and communication scenarios such as the CAN FD in automotive systems (with maximum message length of 64 bytes), massive IoT and critical communication domains of 5G, and Narrowband IoT (NB-IoT), to mention some. Accordingly, NIST has specified, as a design requirement in the lightweight cryptography project, that AEAD submissions shall be “optimized to be efficient for short messages (e.g., as short as 8 bytes)”. We propose AEAD schemes that exceed in efficiency over all previous general-purpose modular AEAD designs at processing (very) short inputs. The main ingredient in our solution is a new low-level primitive, called a tweakable forkcipher, which we introduce and formalize in this paper. We give an instance of the tweakable forkcipher and dub it ForkAES. It is based on the tweakable blockcipher KIASU, which relies on the round function of AES and uses the TWEAKEY framework to derive round keys from a 128-bit secret key and a 64-bit tweak. Finally, we demonstrate the applicability of a tweakable forkcipher by designing several provably secure nonce-based AEAD modes of operation, optimized to be efficient for short messages. Considering the AES block size (16 bytes) as a reference, our new AE schemes can beat all known schemes for single-block messages while still performing better than majority of the existing schemes for combined message and associated data lengths up to 4 blocks. While ForkAES as a concrete instantiation for a forkcipher is based on KIASU, we note that our solution provides a general recipe for lightweight AEAD for short messages, even for very resource-constrained scenarios in which AES may not be considered a lightweight option. In those environments, our schemes can be instantiated using a forkcipher that is realized based on the best off-the-shelf lightweight blockcipher, following the TWEAKEY framework.

Recently, Chen et al. proposed the first non-delegatable certificateless strong designated verifier signature scheme and claimed that their scheme achieves all security requirements. However, in this paper, we disprove their claim and present a concrete attack which shows that their proposed scheme is forgeable. More precisely, we show that there exist adversaries who are able to forge any signer's signature for any designated verifier on any message of his choice.

Constrained pseudorandom functions (CPRFs) are a type of PRFs that allows one to derive a constrained key $\mathsf{K}_C$ from the master key $\mathsf{K}$. While the master key $\mathsf{K}$ allows one to evaluate on any input as a standard PRF, the constrained key $\mathsf{K}_C$ only allows one to evaluate on inputs $x$ such that $C(x) = 1$. Since the introduction of CPRFs by Boneh and Waters (ASIACRYPT'13), Kiayias et al. (CCS'13), and Boyle et al. (PKC'14), there have been various constructions of CPRFs. However, thus far, almost all constructions (from standard assumptions and non-trivial constraints) are only proven to be secure if at most one constrained key $\mathsf{K}_C$ is known to the adversary, excluding the very recent work of Davidson and Nishimaki (EPRINT'18). Considering the interesting applications of CPRFs such as ID-based non-interactive key exchange, we desire CPRFs that are collusion resistance with respect to the constrained keys. In this work, we make progress in this direction and construct a CPRF for the bit-fixing predicates that are collusion resistance for a constant number of constrained keys. Surprisingly, compared to the heavy machinery that was used by previous CPRF constructions, our construction only relies on the existence of one-way functions.

We reconsider the security guarantee that can be achieved by general protocols for secure multiparty computation in the most basic of settings: information-theoretic security against a semi-honest adversary.

Since the 1980s, we have elegant solutions to this problem that offer full security, as long as the adversary controls a minority of the parties, but fail completely when that threshold is crossed. In this work, we revisit this problem, questioning the optimality of the standard notion of security. We put forward a new notion of information-theoretic security which is strictly stronger than the standard one, and which we argue to be ``best possible.'' Our new notion still requires full security against dishonest minority in the usual sense, but also requires a meaningful notion of information-theoretic security against dishonest majority.

We present protocols for useful classes of functions that satisfy this new notion of security. Our protocols have the unique feature of combining the efficiency benefits of protocols for an honest majority and (most of) the security benefits of protocols for dishonest majority. We further extend some of the solutions to the malicious setting.

In this paper, we revisit the round complexity of designing zero-knowledge (ZK) arguments via a black-box construction from minimal assumptions. Our main result implements a 4-round ZK argument for any language in NP, based on injective one-way functions, that makes black-box use of the underlying function. As a corollary, we also obtain the first 4-round perfect zero-knowledge argument for NP based on claw-free permutations via a black-box construction and 4-round input-delayed commit-and-prove zero-knowledge argument based on injective one-way functions.

Fairness in classification has become an increasingly relevant and controversial issue as computers replace humans in many of today’s classification tasks. In particular, a subject of much recent debate is that of finding, and subsequently achieving, suitable definitions of fairness in an algorithmic context. In this work, following the work of Hardt et al. (NIPS’16), we consider and formalize the task of sanitizing an unfair classifier C into a classifier C' satisfying an approximate notion of "equalized odds", or fair treatment. Our main result shows how to take any (possibly unfair) classifier C over a finite outcome space, and transform it—-by just perturbing the output of C—according to some distribution learned by just having black-box access to samples of labeled, and previously classified, data, to produce a classifier C' that satisfies fair treatment; we additionally show that our derived classifier is near-optimal in terms of accuracy. We also experimentally evaluate the performance of our method.

We investigate sampling procedures that certify that an arbitrary quantum state on $n$ subsystems is close to an ideal mixed state $\varphi^{\otimes n}$ for a given reference state $\varphi$, up to errors on a few positions. This task makes no sense classically: it would correspond to certifying that a given bitstring was generated according to some desired probability distribution. However, in the quantum case, this is possible if one has access to a prover who can supply a purification of the mixed state.

In this work, we introduce the concept of mixed-state certification, and we show that a natural sampling protocol offers secure certification in the presence of a possibly dishonest prover: if the verifier accepts then he can be almost certain that the state in question has been correctly prepared, up to a small number of errors.

We then apply this result to two-party quantum coin-tossing. Given that strong coin tossing is impossible, it is natural to ask ``how close can we get". This question has been well studied and is nowadays well understood from the perspective of the bias of individual coin tosses. We approach and answer this question from a different---and somewhat orthogonal---perspective, where we do not look at individual coin tosses but at the global entropy instead. We show how two distrusting parties can produce a common high-entropy source, where the entropy is an arbitrarily small fraction below the maximum.

We continue the study of protocols for secure multiparty computation (MPC) that require only two rounds of interaction. The recent works of Garg and Srinivasan (Eurocrypt 2018) and Benhamouda and Lin (Eurocrypt 2018) essentially settle the question by showing that such protocols are implied by the minimal assumption that a two-round oblivious transfer (OT) protocol exists. However, these protocols inherently make a non-black-box use of the underlying OT protocol, which results in poor concrete efficiency. Moreover, no analogous result was known in the information-theoretic setting, or alternatively based on one-way functions, given an OT correlations setup or an honest majority.

Motivated by these limitations, we study the possibility of obtaining information-theoretic and ``black-box'' implementations of two-round MPC protocols. We obtain the following results:

- Two-round MPC from OT correlations. Given an OT correlations setup, we get protocols that make a black-box use of a pseudorandom generator (PRG) and are secure against a malicious adversary corrupting an arbitrary number of parties. For a semi-honest adversary, we get similar information-theoretic protocols for branching programs.

- New NIOT constructions. Towards realizing OT correlations, we extend the DDH-based non-interactive OT (NIOT) protocol of Bellare and Micali (Crypto '89) to the malicious security model, and present new NIOT constructions from the Quadratic Residuosity Assumption (QRA) and the Learning With Errors (LWE) assumption.

- Two-round black-box MPC with strong PKI setup. Combining the two previous results, we get two-round MPC protocols that make a black-box use of any DDH-hard or QRA-hard group. The protocols can offer security against a malicious adversary, and require a PKI setup that depends on the number of parties and the size of computation, but not on the inputs or the identities of the participating parties.

- Two-round honest-majority MPC from secure channels. Given secure point-to-point channels, we get protocols that make a black-box use of a pseudorandom generator (PRG), as well as information-theoretic protocols for branching programs. These protocols can tolerate a semi-honest adversary corrupting a strict minority of the parties, where in the information-theoretic case the complexity is quasi-polynomial in the number of parties.

We construct Indistinguishability Obfuscation (iO) and Functional Encryption (FE) schemes in the Turing machine model from the minimal assumption of compact FE for circuits (CktFE). Our constructions overcome the barrier of sub-exponential loss incurred by all prior work. Our contributions are:

1. We construct iO in the Turing machine model from the same assumptions as required in the circuit model, namely, sub-exponentially secure FE for circuits. The previous best constructions [41, 6] require sub-exponentially secure iO for circuits, which in turn requires sub-exponentially secure FE for circuits [5, 15].

2. We provide a new construction of single input FE for Turing machines with unbounded length inputs and optimal parameters from polynomially secure, compact FE for circuits. The previously best known construction by Ananth and Sahai [7] relies on iO for circuits, or equivalently, sub-exponentially secure FE for circuits.

3. We provide a new construction of multi-input FE for Turing machines. Our construction supports a fixed number of encryptors (say k), who may each encrypt a string xi of unbounded length. We rely on sub-exponentially secure FE for circuits, while the only previous construction [10] relies on a strong knowledge type assumption, namely, public coin differing inputs obfuscation.

Our techniques are new and from first principles, and avoid usage of sophisticated iO specific machinery such as positional accumulators and splittable signatures that were used by all relevant prior work [41, 7, 6].