International Association
for Cryptologic Research

A central tenet of theoretical cryptography is the study of the minimal assumptions re- quired to implement a given cryptographic primitive. One such primitive is the one-time memory (OTM), introduced by Goldwasser, Kalai, and Rothblum [CRYPTO 2008], which is a classical functionality modeled after a non-interactive 1-out-of-2 oblivious transfer, and which is complete for one-time classical and quantum programs. It is known that secure OTMs do not exist in the standard model in both the classical and quantum settings.

Here, we propose a scheme for using quantum information, together with the assumption of stateless (i.e., reusable) hardware tokens, to build statistically secure OTMs. Via the semidefinite programming-based quantum games framework of Gutoski and Watrous [STOC 2007], we prove security for a malicious receiver, against a linear number of adaptive queries to the token, in the quantum universal composability framework. We prove stand-alone security against a malicious sender, but leave open the question of composable security against a malicious sender, as well as security against a malicious receiver making a polynomial number of adaptive queries. Compared to alternative schemes derived from the literature on quantum money, our scheme is technologically simple since it is of the “prepare-and-measure” type. We also show our scheme is “tight” according to two scenarios.

Videos from talks at Crypto 2018 are now available on the IACR Youtube Channel. This includes the rump session and the affiliated workshop titled "Beyond Crypto: A TCS Perspective". See https://youtube.com/TheIACR

The Department of Information Technology and Electrical Engineering (www.ee.ethz.ch) at ETH Zurich invites applications for Professor or Assistant Professor (Tenure Track) of Hardware Security position.

The successful candidate will build a leading research programme in the area of computing architectures that addresses security concerns (data integrity, user authentication, and privacy) from a hardware perspective. Topics of interest include, but are not limited to, the development of architectures designed with both performance and security in mind, such as specific hardware implementations for computing on encrypted data, efficient post-quantum cryptography and novel hardware solutions to prevent side-channel (power, timing) attacks. He or she is expected to collaborate and interact with colleagues in the department and at ETH Zurich, benefiting from strong activities on integrated circuits (e.g. the Microelectronic Design Center) and on security and privacy (e.g. the Zurich Information Security and Privacy Center).

Closing date for applications: 15 January 2019

Contact: Applications through online forms from the URL below:

More information: https://bit.ly/2CGCTXg

The School of Engineering & Technology at the University of Washington Tacoma is seeking applications from qualified candidates for a full-time lecturer position for the Master of Cybersecurity & Leadership Program (MCL) program, with an emphasis on Cyber Risk Management, Cloud Computing/Cloud Security, IoT Security, Mobile Security, and Blockchains. This is a full-time, renewable position with an initial appointment of one to three years based on experience, beginning September 2019. Reappointments are up to five years. The successful candidate(s) will teach master and undergraduate courses in Cybersecurity and Leadership and Information Technology in one or more of the following areas:

Network and Internet Security

Principles of Cybersecurity

Information Assurance, Risk Management and Security Strategies

Cybersecurity Management

Server-Side Web Programming

Database Systems Design & Administration

Network and System Administration

Course description can be found at: https://www.washington.edu/students/crscatt/tcsl.html, and

https://www.washington.edu/students/crscatt/tinfo.html

Screening of applications will begin on December 15, 2018, and will continue until the position is filled. Salary is competitive and will be commensurate with experience and qualifications. For additional information, please contact MCL/IT Lecturer Search Committee at mcl (at) uw.edu.

Required Education:

This position requires a minimum of an MS or foreign equivalent in Cybersecurity, Information Technology, or a related field at the time of appointment.

Required Work Experience:

This position requires at least 1 year of teaching experience in Cybersecurity/ Information Technology-related areas.

Application Instructions

Curriculum Vitae

A cover letter including:

A list of courses in which you feel qualified for teaching

Evidence of prior teaching success

Statement about demonstrated commitment to diversity in teaching, mentoring, and/or service

Contact information for three references

Closing date for applications: 31 March 2019

More information: http://apply.interfolio.com/53684

For the DFG Collaborative Research Center CRC 1119 CROSSING (Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments) the University Duisburg-Essen, Faculty of Business Administration and Economics, Department Computer Science, Working Group Computer Science with focus on Secure Software Systems at Campus Essen seeks to hire one Research Assistant / PhD Student (full position, salary based on E-13 TV-L, federal state salary rate)

Description of Position:

Conducting research in computer security, especially in the areas of Trusted Computing technologies (remote attestation), system and software security, mobile security, hardware security, IoT security. Opportunity for further qualification (doctoral dissertation) is given.

The desired qualifications include

• very good programming skills, especially in system-level programming (C, C++, Assembler)
• very good background in system and software security
• additional background in one of the following areas: hardware programming, side channel attacks, reverse-engineering

All candidates must have an excellent M.Sc./Diploma degree in computer science, computer security, or related fields, and must show high motivation and interest in creative conceptual and practical work.

More information on how to apply can be found at the website of the Secure Software Systems research group.

Closing date for applications: 30 November 2018

Contact: Prof. Lucas Davi

More information: https://www.syssec.wiwi.uni-due.de/en/team/open-positions/

Project

We are looking for a Ph.D. student to work on the FWO research project ESCALATE (Efficient and Scalable Algorithms for Large Flow Detection) in cooperation with and coordinated by ETH Zurich. The project starts on February 1 and has a duration of 4 years. The objectives of the project are two-fold:

1. To develop novel algorithms for efficient in-network large-flow detection. This is important for QoS (Quality of Service) schemes and DDoS (Distributed Denial of Service) defense mechanisms.
2. To decrease the detection overhead through FPGA acceleration, and to enable dynamic adaptation to ?ow distribution at run-time.

The applicant will mainly work on objective 2 in collaboration with the Ph.D. student at ETH Zurich that will be working on objective 1.

Research group

This project will be carried out as a Ph.D. project within the group of Associate Professor dr. Nele Mentens. The applicant will be a member of the ES&S (Embedded Systems & Security) group on Campus Diepenbeek and the COSIC (Computer Security and Industrial Cryptography) group in Leuven. This is the perfect setting to benefit from the decades of experience in data security and hardware design in both groups.

Profile

Candidates must hold a master’s degree in electronics engineering or computer engineering, have good grades, experience in FPGA design and a keen interest in security. We prefer candidates who can demonstrate that they have developed their research skills during their master’s studies. Adequate English (written and verbal communication) for scientific interactions is required.

Closing date for applications: 9 November 2018

Contact: Nele Mentens, Associate Professor, nele.mentens (at) kuleuven.be

More information: https://www.kuleuven.be/personeel/jobsite/jobs/54883962?hl=en&lang=en

Simula UiB (simula-uib.com) has six three-year PhD positions available in the field of cryptography. More information about the positions, Simula UiB, and how to submit the application can be found at https://www.simula.no/about/job/call-phd-students-cryptography-simula-uib.

Closing date for applications: 30 November 2018

Contact: Håvard Raddum

email: haavardr (at) simula.no

More information: https://www.simula.no/about/job/call-phd-students-cryptography-simula-uib

The Department of Mathematics & Statistics of the University of South Florida seeks to fill a 9 month, full-time and tenure-earning, Assistant Professor position in Cryptography/Cybersecurity to begin August 7, 2019.

Ph.D. in Mathematics or a closely-related field is required, with preference in disciplines related to Cryptography/Cybersecurity (e.g., Algebra, Number Theory, Algebraic Geometry, Combinatorics, etc.). Applications from individuals who are ABD will be accepted, but the degree must be conferred by appointment start date.

Closing date for applications: 15 November 2018

Contact: Denise Marks: denise (at) usf.edu

More information: http://www.math.usf.edu/about/18548/

Side-channel attacks and evaluations typically utilize leakage models to extract sensitive information from measurements of cryptographic implementations. Efforts to establish a true leakage model is still an active area of research since Kocher proposed Differential Power Analysis (DPA) in 1999. Leakage certification plays an important role in this aspect to address the following question: "how good is my leakage model?". However, existing leakage certification methods still need to tolerate assumption error and estimation error of unknown leakage models. There are many probability density distributions satisfying given moment constraints. As such, finding the most unbiased and most reasonable model still remains an unresolved problem. In this paper, we address a more fundamental question: "what's the true leakage model of a chip?". In particular, we propose Maximum Entropy Distribution (MED) to estimate the leakage model as MED is the most unbiased, objective and theoretically the most reasonable probability density distribution conditioned upon the available information. MED can theoretically use information on arbitrary higher-order moments to infinitely approximate the true leakage model. It well compensates the theory vacancy of model profiling and evaluation. Experimental results demonstrate the superiority of our proposed method for approximating the leakage model using MED estimation.

Event date: 7 December to 8 December 2018
Submission deadline: 26 October 2018
Notification: 5 November 2018

Event date: 4 June to 6 June 2019
Submission deadline: 10 February 2019
Notification: 8 April 2019

A key-dependent message (KDM) secure encryption scheme is secure even if an adversary obtains encryptions of messages that depend on the secret key. Such key-dependent encryptions naturally occur in scenarios such as harddisk encryption, formal cryptography, or in specific protocols. However, there are not many provably secure constructions of KDM-secure encryption schemes. Moreover, only one construction, due to Camenisch, Chandran, and Shoup (Eurocrypt 2009) is known to be secure against active (i.e., CCA) attacks.

In this work, we construct the first public-key encryption scheme that is KDM-secure against active adversaries and has compact ciphertexts. As usual, we allow only circular key dependencies, meaning that encryptions of arbitrary *entire* secret keys under arbitrary public keys are considered in a multi-user setting.

Technically, we follow the approach of Boneh, Halevi, Hamburg, and Ostrovsky (Crypto 2008) to KDM security, which however only achieves security against passive adversaries. We explain an inherent problem in adapting their techniques to active security, and resolve this problem using a new technical tool called ``lossy algebraic filters'' (LAFs). We stress that we significantly deviate from the approach of Camenisch, Chandran, and Shoup to obtain KDM security against active adversaries. This allows us to develop a scheme with compact ciphertexts that consist only of a constant number of group elements.

We initiate the study of general tight reductions in cryptography. There already exist a variety of works that offer tight reductions for a number of cryptographic tasks, ranging from encryption and signature schemes to proof systems. However, our work is the first to provide a universal definition of a tight reduction (for arbitrary primitives), along with several observations and results concerning primitives for which tight reductions have not been known.

Technically, we start from the general notion of reductions due to Reingold, Trevisan, and Vadhan (TCC 2004), and equip it with a quantification of the respective reduction loss, and a canonical multi-instance extension to primitives. We then revisit several standard reductions whose tight security has not yet been considered. For instance, we revisit a generic construction of signature schemes from one-way functions, and show how to tighten the corresponding reduction by assuming collision-resistance from the used one-way function. We also obtain tightly secure pseudorandom generators (by using suitable rerandomisable hard-core predicates), and tightly secure lossy trapdoor functions.

An obfuscated program reveals nothing about its design other than its input/output behavior. A digital locker is an obfuscated program that outputs a stored cryptographic key if and only if a user enters a previously stored password. A digital locker is private if it provides an adversary with no information with high probability. An ideal digital locker would also prevent an adversary from mauling an obfuscation on one password and key into a new program that obfuscates a related password or key. There are no known constructions of non-malleable digital lockers (in the standard model).

Komargodski and Yogev (Eurocrypt, 2018) constructed a simpler primitive: a non-malleable keyless digital locker. For this functionality, a user can only confirm if their point is correct. This primitive is known as non-malleable point obfuscation. Their construction prevents an adversary from transforming an obfuscation into an obfuscation on a related password.

This work proposes two new composable and nonmalleable digital lockers for short keys, one for a single bit key and a second for a logarithmic length keys. Using these construction we construct the first two non-malleable digital lockers. Our full design combines a digital locker for short keys, non-malleable codes, and universal hashing. Our constructions require a common reference string.

Since the introduction of Bitcoin in 2008, cryptocurrency has been undergoing a quick and explosive development. At the same time, privacy protection, one of the key merits of cryptocurrency, has attracted much attention by the community. In this paper, we identify a security vulnerability of the privacy-preserving key derivation algorithm of Monero, which is one of the most popular privacy-centric cryptocurrencies. To provide a formal treatment for the problem, we introduce and formalize a new signature variant, called Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key (PDPKS), which forms a convenient and robust cryptographic tool for building privacy-preserving cryptocurrencies. Specifically, PDPKS allows anyone to derive new signature verification keys for a user, say Alice, based on her long-term public-key, while only Alice can derive the signing keys corresponding to those verification keys. In terms of privacy, given a derived verification key and valid signatures with respect to it, an adversary is not able to link them to the underlying long-term public key; and given two verification keys and corresponding valid signatures, an adversary cannot tell whether the verification keys are derived from the same long-term public key. A distinguishing security feature of PDPKS, with the above functionality and privacy features, is that the derived keys are independent/insulated from each other, namely, compromising the signing key associated with a verification key does not allow an adversary to forge a valid signature for another verification key, even if both verification keys are derived from the same long-term public key.

We formalize the notion of PDPKS and propose a practical and proven secure construction, which fixes the identified security vulnerability in Monero and provides a more robust solution for implementing the so-called stealth addresses for cryptocurrencies. Also, our PDPKS scheme can be used to fix the similar vulnerability in the deterministic wallet algorithm for Bitcoin.

A Sparse Merkle tree is based on the idea of a complete Merkle tree of an intractable size. The assumption here is that as the size of the tree is intractable, there would only be a few leaf nodes with valid data blocks relative to the tree size, rendering the tree as sparse. We present a novel approach called Minimum distance path algorithm to simulate this Merkle tree of intractable size which gives us efficient space-time trade-offs. We provide the algorithms for insertion, deletion and (non -) membership proof for a leaf in this Compact Sparse Merkle tree.

In the era of mass surveillance and information breaches, privacy of Internet communication, and messaging in particular, is a growing concern. As secure messaging protocols are executed on the not-so-secure end-user devices, and because their sessions are long-lived, they aim to guarantee strong security even if secret states and local randomness can be exposed.

The most basic security properties, including forward secrecy, can be achieved using standard techniques such as authenticated encryption. Modern protocols, such as Signal, go one step further and additionally provide the so-called backward secrecy, or healing from state exposures. These additional guarantees come at the price of a slight efficiency loss (they require public-key primitives).

On the opposite side of the spectrum is the work by Jaeger and Stepanovs and by Poettering and Roesler, which characterizes the optimal security a secure-messaging scheme can achieve. However, their proof-of-concept constructions suffer from an extreme efficiency loss compared to Signal. Moreover, this caveat seems inherent.

In this paper, we explore the area in between. That is, our starting point are the basic, efficient constructions. We then ask the question: how far can we go towards the optimal security without losing too much efficiency? We present a construction with guarantees much stronger than those achieved by Signal, and slightly weaker than optimal, yet its efficiency is closer to that of Signal (we only use standard public-key cryptography).

On a technical level, achieving optimal guarantees inherently requires key-updating public-key primitives, where the update information is allowed to be public. We consider secret update information instead. Since a state exposure temporally breaks confidentiality, we carefully design such secretly-updatable primitives whose security degrades gracefully if the supposedly secret update information leaks.

Database query evaluation over encrypted data has received a lot of attention recently. Order Preserving Encryption (OPE) and Order Revealing Encryption (ORE) are two important encryption schemes that have been proposed in this area. These schemes can provide very efficient query execution but at the same time may leak some information to adversaries. In this paper, we present the first comprehensive comparison among a number of important OPE and ORE schemes using a framework that we developed. We evaluate protocols that are based on these schemes as well. We analyze and compare them both theoretically and experimentally and measure their performance over database indexing and query evaluation techniques using not only execution time but also {\IO} performance and usage of cryptographic primitive operations. Our comparison reveals some interesting insights concerning the relative security and performance of these approaches in database settings. Furthermore, we propose a number of improvements for some of these scheme and protocols. Finally, we provide a number of suggestions and recommendations that can be valuable to database researchers and users.

The Ring Learning with Errors (RLWE) problem over a cyclotomic ring has been the most widely used hardness assumption for the construction of practical homomorphic encryption schemes. However, this restricted choice of a base ring may cause a waste in terms of plaintext space usage. For example, the approximate homomorphic encryption scheme of Cheon et al. (ASIACRYPT'17) is able to store a complex number in each of the plaintext slots since its canonical embedding of a cyclotomic field has a complex image. The imaginary part of a plaintext is not underutilized at all when the computation is performed over the real numbers, which is required in most of the real-world applications such as machine learning.

In this paper, we propose a new approximate homomorphic encryption scheme which is optimized in the computation over real numbers. Our scheme is based on RLWE over a special subring of a cyclotomic ring, which is no easier than a standard lattice problem over ideal lattices by the reduction of Peikert et al. (STOC'17). Our scheme allows real numbers to be packed in a ciphertext without any waste of a plaintext space and consequently we can encrypt twice as many plaintext slots as the previous scheme while maintaining the same security level, storage, and computational costs.

In the area of card-based cryptography one devises small and easy to perform protocols for secure multiparty computation using a deck of physical playing cards with indistinguishable backs, which can be run if no trusted computer is available, or in classroom settings to illustrate privacy notions and secure computations.

Initiated by the “Five-Card Trick” of den Boer (EUROCRYPT 1989) for computing the AND of two players' bits, and the work of Crépeau and Kilian (CRYPTO 1993) introducing committed format protocols which can be used as building blocks in larger computations, this is a field with a growing number of simple protocols. This paper devises two new AND protocols which are card-minimal w.r.t. specific requirements, and shows the card-minimality of the COPY protocol (necessary in arbitrary circuits, due to the physical nature of card-encoded bits) of Mizuki and Sone (FAW 2009) and the AND protocol of Abe et al. (APKC 2018). By this, we completely determine the landscape of card-minimal protocols with respect to runtime requirements (finite runtime or Las Vegas behavior with/without restarts) and practicality demands on the shuffling operations.

Moreover, we systematize and extend techniques for proving lower bounds on the number of cards, which we believe is of independent interest.