International Association
for Cryptologic Research

Recently, Chotard et al. proposed a variant of functional encryption for Inner Product, where several parties can independently encrypt inputs, for a specific time-period or label, such that functional decryption keys exactly reveal the aggregations for the specific functions they are associated with. This was introduced as Multi-Client Functional Encryption (MCFE). In addition, they formalized a Decentralized version (DMCFE), where all the clients must agree and contribute to generate the functional decryption keys: there is no need of central authority anymore, and the key generation process is non-interactive between the clients. Eventually, they designed concrete constructions, for both the centralized and decentralized settings, for the inner-product function family. Unfortunately, there were a few limitations for practical use, in the security model: (1) the clients were assumed not to encrypt two messages under the same label. Then, nothing was known about the security when this restriction was not satisfied; (2) more dramatically, the adversary was assumed to ask for the ciphertexts coming from all the clients or none, for a given label. In case of partial ciphertexts, nothing was known about the security either. In this paper, our contributions are three-fold: we describe two conversions that enhance any MCFE or DMCFE for Inner Product secure in their security model to (1) handle repetitions under the same label and (2) deal with partial ciphertexts. In addition, these conversions can be applied sequentially in any order. The latter conversion exploits a new tool, which we call Secret Sharing Layer (SSL). Eventually, we propose a new efficient technique to generate the functional decryption keys in a decentralized way, in the case of Inner Product, solely relying on plain DDH, as opposed to prior work of Chotard et al. which relies on pairings. As a consequence, from the weak MCFE for Inner Product proposed by Chotard et al., one can obtain an efficient Decentralized MCFE for Inner Product that handles repetitions and partial ciphertexts. Keywords. Functional Encryption, Inner Product, Multi-Client, Decentralized.

The notion of non-interactive secure computation (NISC) first introduced in the work of Ishai et al. [EUROCRYPT 2011] studies the following problem: Suppose a receiver R wishes to publish an encryption of her secret input y so that any sender S with input x can then send a message m that reveals f(x,y) to R (for some function f). Here, m can be viewed as an encryption of f(x,y) that can be decrypted by R. NISC requires security against both malicious senders and receivers, and also requires the receiver's message to be reusable across multiple computations (w.r.t. a fixed input of the receiver).

All previous solutions to this problem necessarily rely upon OT (or specific number-theoretic assumptions) even in the common reference string model or the random oracle model or to achieve weaker notions of security such as super-polynomial-time simulation.

In this work, we construct a NISC protocol based on the minimal assumption of one way functions, in the stateless hardware token model. Our construction achieves UC security and requires a single token sent by the receiver to the sender.

Machine learning and group testing are quite useful methods for many different fields such as finance, banks, biology, medicine, etc. These application domains use quite sensitive data, and huge amounts of data. As a consequence, one would like to be able to both privately and efficiently compute on big data. While fully homomorphic encryption can be seen as a very powerful tool for such a task, it might not be efficient enough, and namely because of the very large ciphertexts. In addition, the result being encrypted, efficient distributed decryption is important to control who can get the information. For our applications, we first remark that 2-DNF formulae evaluation is enough, but efficient multiparty decryption is still required to guarantee privacy. Boneh-Goh-Nissim proposed a nice encryption scheme that supports additions, one multiplication layer, and additions, by using a bilinear map on a composite-order group: this is perfectly suited for 2-DNF formulae evaluation. However, computations on such elliptic curves with composite order turned out to be quite inefficient, and namely when multi-party decryption is required. Fortunately, Freeman proposed a generalization, based on prime-order groups, with the same properties, but better efficiency. Whereas the BGN cryptosystem relies on integer factoring for the trapdoor in the composite-order group, and thus possesses one public/secret key only, our first contribution is to show how the Freeman cryptosystem can handle multiple users with one general setup that just needs to define a pairing-based algebraic structure. Users’ keys are efficient to generate and can also support efficient multi-party decryption, without a trusted server, hence in a fully decentralized setting. Fortunately, it helps to efficiently address some machine learning models and the group testing on encrypted data, without central authority.

In this paper we optimize multiplication of polynomials in $\mathbb{Z}_{2^m}[x]$ on the ARM Cortex-M4 microprocessor. We use these optimized multiplication routines to speed up the NIST post-quantum candidates RLizard, NTRU-HRSS, NTRUEncrypt, Saber, and Kindi. For most of those schemes the only previous implementation that executes on the Cortex-M4 is the reference implementation submitted to NIST; for some of those schemes our optimized software is more than factor of 20 faster. One of the schemes, namely Saber, has been optimized on the Cortex-M4 in a CHES 2018 paper; the multiplication routine for Saber we present here outperforms the multiplication from that paper by 37%, yielding speedups of 17% for key generation, 15% for encapsulation and 18% for decapsulation. Out of the five schemes optimized in this paper, the best performance for encapsulation and decapsulation is achieved by NTRU-HRSS. Specifically, encapsulation takes just over 430 000 cycles, which is more than twice as fast as for any other NIST candidate that has previously been optimized on the ARM Cortex-M4.

Recently there has been a significant progress on the tower number field sieve (TNFS) method, reducing the complexity of the discrete logarithm problem (DLP) in finite field extensions of composite degree. These new variants of the TNFS attacks have a major impact on pairing-based cryptography and particularly on the selection of the underlying elliptic curve groups and extension fields. In this paper we revise the criteria for selecting pairing-friendly elliptic curves considering these new TNFS attacks in finite extensions of composite embedding degree. Additionally we update the criteria for finite extensions of prime degree in order to meet today’s security requirements.

In this paper, we focus on the design of a novel authentication protocol that preserves the privacy of embedded devices. A Physically Unclonable Function (PUF) generates challenge-response pairs that form the source of authenticity between a server and multiple devices. We rely on Authenticated Encryption (AE) for confidentiality, integrity and authenticity of the messages. A challenge updating mechanism combined with an authenticate-before-identify strategy is used to provide privacy. The major advantage of the proposed method is that no shared secrets need to be stored into the device’s non-volatile memory. We design a protocol that supports server authenticity, device authenticity, device privacy, and memory disclosure. Following, we prove that the protocol is secure, and forward and backward privacy-preserving via game transformations. Moreover, a proof of concept is presented that uses a 3-1 Double Arbiter PUF, a concatenation of repetition and BCH error-correcting codes, and the AE-scheme Ketje. We show that our device implementation utilizes 8,305 LUTs on a 28 nm Xilinx Zynq XC7Z020 System on Chip (SoC) and takes only 0.63 ms to perform an authentication operation.

We construct efficient non-malleable codes (NMC) that are (computationally) secure against tampering by functions computable in any fixed polynomial time. Our construction is in the plain (no-CRS) model and requires the assumptions that (1) $\mathbf{E}$ is hard for $\mathbf{NP}$ circuits of some exponential $2^{\beta n}$ ($\beta>0$) size (widely used in the derandomization literature), (2) sub-exponential trapdoor permutations exist, and (3) $\mathbf{P}$ certificates with sub-exponential soundness exist.

While it is impossible to construct NMC secure against arbitrary polynomial-time tampering (Dziembowski, Pietrzak, Wichs, ICS '10), the existence of NMC secure against $O(n^c)$-time tampering functions (for any fixed $c$), was shown (Cheraghchi and Guruswami, ITCS '14) via a probabilistic construction. An explicit construction was given (Faust, Mukherjee, Venturi, Wichs, Eurocrypt '14) assuming an untamperable CRS with length longer than the runtime of the tampering function. In this work, we show that under computational assumptions, we can bypass these limitations. Specifically, under the assumptions listed above, we obtain non-malleable codes in the plain model against $O(n^c)$-time tampering functions (for any fixed $c$), with codeword length independent of the tampering time bound.

Our new construction of NMC draws a connection with non-interactive non-malleable commitments. In fact, we show that in the NMC setting, it suffices to have a much weaker notion called quasi non-malleable commitments---these are non-interactive, non-malleable commitments in the plain model, in which the adversary runs in $O(n^c)$-time, whereas the honest parties may run in longer (polynomial) time. We then construct a 4-tag quasi non-malleable commitment from any sub-exponential OWF and the assumption that $\mathbf{E}$ is hard for some exponential size $\mathbf{NP}$-circuits, and use tag amplification techniques to support an exponential number of tags.

Bilinear pairings on elliptic curves are an active research field in cryptography. First cryptographic protocols based on bilinear pairings were proposed by the year 2000 and they are promising solutions to security concerns in different domains, as in Pervasive Computing and Cloud Computing. The computation of bilinear pairings that relies on arithmetic over finite fields is the most time-consuming in Pairing-based cryptosystems. That has motivated the research on efficient hardware architectures that improve the performance of security protocols. In the literature, several works have focused in the design of custom hardware architectures for pairings, however, flexible designs provide advantages due to the fact that there are several types of pairings and algorithms to compute them. This work presents the design and implementation of a novel programmable cryptoprocessor for computing bilinear pairings over binary fields in FPGAs, which is able to support different pairing algorithms and parameters as the elliptic curve, the tower field and the distortion map. The results show that high flexibility is achieved by the proposed cryptoprocessor at a competitive timing and area usage when it is compared to custom designs for pairings defined over singular/supersingular elliptic curves at a 128-bit security level.

The dramatic increase of data breaches in modern computing platforms has emphasized that access control is not sufficient to protect sensitive user data. Even in the case of honest parties, unknown software/hardware vulnerabilities and side-channels can enable data leakage, leading to the conclusion that as long as data exists decrypted, it can be leaked. Fortunately, recent advances on cryptographic schemes allow end-to-end processing of encrypted data, without any need for decryption. However, besides the reported impractical overheads, such schemes are particularly hard to use by non-crypto-savvy users, which further inhibits their applicability. In this work, we propose the first usability-oriented framework that enables programmers to incorporate comprehensive privacy protections in their programs, by automatically protecting user-annotated variables using encryption. As a proof of concept and without loss of generality, our E$^3$ framework incorporates three state-of-the-art FHE libraries. In our evaluation, we validate the usability of E$^3$ by employing various benchmarks written in C++, and directly compare the overhead of the core FHE libraries in terms of runtime performance, as well as memory and storage requirements. While FHE is used as a base study, E$^3$ can be used as the base for performance comparison of any encrypted computation methodology.

This note defines Kravatte-SANE and Kravatte-SANSE. Both are session authenticated encryption schemes and differ in their robustness with respect to nonce misuse. They are defined as instances of modes on top of the deck function Kravatte, where a deck function is a keyed function with variable-length input strings, an arbitrary-length output and certain incrementality properties.

NYUAD invites applications for a faculty position in Computer Science at the rank of associate professor or professor, each with tenure. Faculty in the Program in Computer Science contribute to the multidisciplinary research at NYU Abu Dhabi that is a hallmark of the institution’s mission, currently working with faculty from other programs in areas that include cyber-security, natural language processing, music, and data science.

Applicants from all areas of computer science are welcome to apply. However, specific areas of research interest include: (1) data science, with interest in interactive data analytics, big data systems and distributed systems, and database systems; (2) cyber-security, with experience building and deploying large-scale security solutions in the real world that focus on systems security, network security, privacy, cryptography, and formal methods; (3) artificial intelligence, with experience in machine learning research agendas, from statistical models to neural networks or research broadly applicable to language, robotics and imaging; and (4) bioinformatics and synthetic biology.

To obtain further information about research at NYU Abu Dhabi, visit http://nyuad.nyu.edu/en/research/faculty-research.html

To be considered, applicants should submit a complete curriculum vitae, statements of teaching and research interests that should not exceed three pages each, and no more than three representative publications. Applicants should also arrange for the submission of three letters of reference on their behalf, in PDF format.

To apply visit https://apply.interfolio.com/47185

If you have any questions, please e-mail nyuad.science (at) nyu.edu

Appointments can begin as soon as September 1, 2019, but later start dates are possible.

The University is an equal opportunity employer committed to equity, diversity and social inclusion.

Closing date for applications: 1 February 2019

Contact: Tasso Feldman

More information: https://apply.interfolio.com/47185

NYUAD invites applications for a faculty position in Computer Science at the rank of assistant professor, tenure track. Faculty in the Program in Computer Science contribute to the multidisciplinary research at NYU Abu Dhabi that is a hallmark of the institution’s mission, currently working with faculty from other programs in areas that include cyber-security, natural language processing, music, and data science.

Applicants from all areas of computer science are welcome to apply. However, specific areas of research interest include: (1) data science, with interest in interactive data analytics, big data systems and distributed systems, and database systems; (2) cyber-security, with experience building and deploying large-scale security solutions in the real world that focus on systems security, network security, privacy, cryptography, and formal methods; (3) artificial intelligence, with experience in machine learning research agendas, from statistical models to neural networks or research broadly applicable to language, robotics and imaging; and (4) bioinformatics and synthetic biology.

To obtain further information about research at NYU Abu Dhabi, visit http://nyuad.nyu.edu/en/research/faculty-research.html

To be considered, applicants should submit a complete curriculum vitae, statements of teaching and research interests that should not exceed three pages each, and no more than three representative publications. Applicants should also arrange for the submission of three letters of reference on their behalf, in PDF format. For full consideration, complete applications must be received by November 15, 2018.

To apply visit https://apply.interfolio.com/52873

If you have any questions, please e-mail nyuad.science (at) nyu.edu

Appointments can begin as soon as September 1, 2019, but later start dates are possible.

The University is an equal opportunity employer committed to equity, diversity and social inclusion.

Closing date for applications: 15 November 2018

Contact: Tasso Feldman

More information: https://apply.interfolio.com/52873

We are hiring two postdocs to work on (acoustic) side channels, automotive security or cybercrime at Linköping University, Sweden.

Candidates with solid backgrounds in security or applied crypto are welcome to apply.

PI google scholar profile: https://scholar.google.com/citations?hl=en&user=rYhiAEUAAAAJ&view_op=list_works&sortby=pubdate

Closing date for applications: 10 December 2018

Contact: Prof Jeff Yan (jeff.yan (at) liu.se)

We give the first practical instance – BISON – of the Whitened Swap-Or-Not construction. After clarifying inherent limitations of the construction, we point out that this way of building block ciphers allows easy and very strong arguments against differential attacks.

In a (t_1,...,t_l)-multi-secret sharing scheme (MSSS), l independent secrets s_1,...,s_l are shared with n parties in such a way that at least t_i parties are required to recover the secret s_i (while s_i remains hidden with fewer shares). We consider the problem of minimizing the share size of MSSS in the challenging setting when there are many secrets to be shared among many parties. To circumvent the information-theoretic lower bound (e.g., Blundo [4]), we focus on the computational setting. A simple generalization of computational secret sharing (Krawczyk [17]) to multi-secret sharing yields a scheme with share size/overhead scaling linearly in l, the total number of secrets. To beat this linear scaling, we consider constructing MSSS based on a related notion of encryption|dynamic threshold public key encryption (DTPKE)|that enables a sender to dynamically specify a threshold for each ciphertext. None of the existing DTPKE is well-suited for our purpose. Thus, we propose a new construction of a dynamic threshold public key encryption scheme with improved efficiency characteristics. We then give a recursive application of our construction that yields an efficient MSSS with share size only logarithmic in the number of secrets (thuseffectively O(log l) as in the common cases, where l and n are polynomially related). Finally, we describe an application of our space efficient (1,2,...,n-1)-MSSS to a special tool called gradual verifiable secret sharing which is the fundamental building block for general multiparty computation (MPC) with n players that provides fairness without honest majority.

Lattice based cryptography is one of the leading candidates of the post quantum cryptography. A major obstacle of deployment, though, is that its payload is relatively larger than the classical solutions, such as elliptic curve Diffie-Hellman. In this paper, we investigate the approach of reducing the key size and ciphertext size by decreasing the size of the modulus, and propose the first instantiation to the family of ring learning with error based solutions where the modulus is at a byte level. The main technical contributions of this paper are around the implementation side of the algorithms. With the use of large-block error correction code, we are able to propose parameter sets with small moduli while achieving a negligible decryption error rate. We investigate best known attacks, and give a concrete security estimation of the proposed parameter sets. Since our parameter sets are no longer compatible with number theoretic transform (NTT), we also present optimizations for ring multiplications. As a result, our scheme is more compact and nearly as efficient as popular solutions in this domain, such as NewHope and Kyber.

The Mathematical Institute proposes to appoint an Associate Professor (or Professor) of Mathematical Cryptography from 1 October 2019 or as soon as possible thereafter. The successful candidate will be appointed to a Tutorial Fellowship at Lincoln College, under arrangements described in the job description.

The combined University and College salary scale has a minimum point of £47,263 per annum. In addition the College pays substantial additional benefits, including a housing allowance of £9,316 p.a. (or single accommodation if available); access to housing loan scheme (upon successful application); membership of a medical insurance scheme; and other allowances including tutor’s allowance of £3,000 p.a. An additional allowance of £2,754 p.a. would be payable upon award of Full Professor title.

The main duties of the post are to carry out, disseminate the results of, obtain funding for, and supervise research at a high international standard in mathematical cryptography, to teach a range of topics in mathematics via lectures, classes and tutorials, and to perform administrative and pastoral functions associated with teaching and research.

The successful candidate will have a PhD in mathematics or a closely related subject and will demonstrate the ability to carry out high-quality independent research at an international level in mathematical cryptography, broadly conceived but firmly rooted in advanced mathematics, along with the ability to teach effectively across a range of topics in mathematics. The duties and responsibilities of the post are set out in the job description.

Applications are particularly welcome from women and black and minority ethnic candidates, who are under-represented in academic posts in Oxford. The University is committed to equality and valuing diversity.

The department was awarded an Athena SWAN Silver Award in 2017 in recognition of its commitment to addressing gender inequalities, to tackling the unequal representation of women in science, and to improving career progression for female academics.

Closing date for applications: 19 November 2018

Contact: The Recruitment Administrator (email: vacancies (at) maths.ox.ac.uk; telephone: +44 (0) 1865 273518)

More information: https://www.maths.ox.ac.uk/node/30043

The post-doc will work in the Prosecco project (http://prosecco.inria.fr) of INRIA Paris (https://www.inria.fr/en/centre/paris).

He/she will work on improvements and extensions of CryptoVerif (http://cryptoverif.inria.fr). CryptoVerif is a computational security protocol verifier that generates proofs by sequences of games, like proofs manually written by cryptographers. It is implemented in OCaml.

Possible directions among which he/she will be able to choose include:

• new game transformations.

• reduce the size of games.

• specialized prover to simplify random oracle calls, based on indifferentiability lemmas.

• deal with mutable state and loops.

• improve the compatibility with the symbolic protocol verifier ProVerif (http://proverif.inria.fr).

• interface with EasyCrypt (https://www.easycrypt.info/), to delegate parts of proofs to EasyCrypt, in collaboration with some EasyCrypt authors (Pierre-Yves Strub, Benjamin Grégoire, Clément Sartori).

His/her own ideas of research directions will also be most welcome. His/her work will be both theoretical (design, soundness proofs) and practical (implementation, tests). He/she will publish his/her work in high quality computer science conferences. He/she will collaborate with members working on CryptoVerif (Bruno Blanchet, Benjamin Lipp, Karthikeyan Bhargavan).

We will also consider applications of research engineers; the engineer would focus on the implementation part.

• Required expertise:

  • knowledge in cryptography and/or in formal methods: program semantics, static analysis, program transformations

  • knowledge of OCaml (object part not required)

  • fluency in English

  • PhD in computer science

• Duration: initial contract 1 year, possibility of extensions.

• Start: beginning of 2019 (2 months hiring delay).

• Please send detailed curriculum vitae, motivation letter, and references to Bruno Blanchet, bruno.blanchet (at) inria.fr

Closing date for applications: 21 December 2018

Contact: Bruno Blanchet, bruno.blanchet (at) inria.fr

More information: http://prosecco.inria.fr/personal/bblanche/postdoc.html

The AriC team at ENS de Lyon is seeking to recruit one or several post-docs in the area of cryptography. One position is available now, and another is likely.

The post-doc will work with the cryptography researchers of ENS de Lyon. Topics covered by the group cover: protocols, functional encryption, foundations of lattice-based cryptography, lattice algorithms, cryptanalysis, pseudo-random functions.

Applicants should have already completed a PhD in a relevant area (or be very near PhD completion). They should have an outstanding research track record in cryptography or a relevant area (typically results published in top tier venues). They should demonstrate scientific creativity and research independence.

This is a full-time, fixed-term position based in Lyon. Duration is negotiable. Salary can be adapted based on experience.

Applications should be sent by email to benoit[dot]libert[at]ens-lyon[dot]fr, alain[dot]passelegue[at]ens-lyon[dot]fr, damien[dot]stehle[at]gmail[dot]com, fabien[dot]laguillaumie[at]ens-lyon[dot]fr. They should include a CV, a list of publications (with the top 3 ones highlighted) and contact information of two persons who are willing to give references.

Closing date for applications: 1 February 2019

IOHK is looking for a talented, specialized cryptographic engineer to join our growing in-house cryptography team. You’ll be responsible for cryptographic implementations and their use.

You will have a good understanding of cryptography (e.g. mathematics, information theory, primitives, implementations) and the ability to deliver working implementation related to these domains. The ideal candidate should understand and follow best engineering processes and practices and should demonstrate a working knowledge of a functional programming language (preference is for Haskell), and system languages (preferably Rust or C).

Skills & Requirements:

Skills and Knowledge – - A solid understanding of cryptography: basic theory & use. System programming experience. Ability to translate specifications (e.g. cryptography research papers, RFCs) into working code. Know when and how to use basic cryptographic primitives. Can reason about complex & abstract problems

Completion of a relevant degree such as Computer Science, Software Engineering, Mathematics or a related technical discipline.

Responsibilities - Read & review cryptographic research papers and implement them as a prototype. Improve existing implementations of common cryptographic primitives and/or interface/translate them to a different programming language. Transform prototypes into production level projects. Interact and coordinate with research, engineering and product management teams

Desired competencies - We are particularly interested in at least one of them having the following profile: Familiarity and/or experience with privacy enhancing cryptographic technologies, e.g., zero-knowledge proofs and/or SNARKs, multi-party computation, and differential privacy. Functional programming experience (Preferably Scala or Haskell)

Closing date for applications: 30 November 2018

Contact: david.rountree (at) iohk.io

More information: https://iohk.io/careers/#op-286193-specialized-cryptography-engineer-