*16:17* [Pub][ePrint]
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures, by Masayuki Abe and Jens Groth and Miyako Ohkubo and Mehdi Tibouchi
We construct a structure-preserving signature scheme that is selectively randomizable and works in all types of bilinear groups. We give matching lower bounds showing that our structure-preserving signature scheme is optimal with respect to both signature size and public verification key size.

State of the art structure-preserving signatures in the asymmetric setting consist of 3 group elements, which is known to be optimal. Our construction preserves the signature size of 3 group elements and also at the same time minimizes the verification key size to 1 group element.

Depending on the application, it is sometimes desirable to have strong unforgeability and in other situations desirable to have randomizable signatures. To get the best of both worlds, we introduce the notion of selective randomizability where the signer may for specific signatures provide randomization tokens that enable randomization.

Our structure-preserving signature scheme unifies the different pairing-based settings since it can be instantiated in both symmetric and asymmetric groups. Since previously optimal structure-preserving signatures had only been constructed in asymmetric bilinear groups this closes an important gap in our knowledge. Having a unified signature scheme that works in all types of bilinear groups is not just conceptually nice but also gives a hedge against future cryptanalytic attacks. An instantiation of our signature scheme in an asymmetric bilinear group may remain secure even if cryptanalysts later discover an efficiently computable homomorphism between the source groups.

*16:17* [Pub][ePrint]
Tight security bounds for multiple encryption, by Yuanxi Dai, John Steinberger
Multiple encryption---the practice of composing a blockcipher severaltimes with itself under independent keys---has received considerable

attention of late from the standpoint of provable security. Despite

these efforts proving definitive security bounds (i.e., with matching

attacks) has remained elusive even for the special case of triple

encryption. In this paper we close the gap by improving both the best

known attacks and best known provable security, so that both bounds

match. Our results apply for arbitrary number of rounds and show that

the security of $\\ell$-round multiple encryption is precisely

$\\exp(\\kappa + \\min\\{\\kappa (\\ell\'-2)/2), n (\\ell\'-2)/\\ell\'\\})$ where

$\\exp(t) = 2^t$ and where $\\ell\' = 2\\lceil \\ell/2\\rceil$ is the even

integer closest to $\\ell$ and greater than or equal to $\\ell$, for all

$\\ell \\geq 1$. Our technique is based on Patarin\'s H-coefficient

method and reuses a combinatorial result of Chen and Steinberger

originally required in the context of key-alternating ciphers.

*16:17* [Pub][ePrint]
Towards Characterizing Complete Fairness in Secure Two-Party Computation, by Gilad Asharov
The well known impossibility result of Cleve (STOC 1986) implies that in general it is impossible to securely compute a function with \\emph{complete fairness} without an honest majority. Since then, the accepted belief has been that \\emph{nothing} non-trivial can becomputed with complete fairness in the two party setting. The surprising work of Gordon, Hazay, Katz and Lindell (STOC 2008) shows that this belief is false, and that there exist \\emph{some} non-trivial (deterministic, finite-domain) boolean functions that can be computed fairly. This raises the fundamental question of characterizing complete fairness in secure two-party computation.

In this work we show that not only that some or few functions can be computed fairly, but rather an \\emph{enormous number} of functions can be computed fairly. In fact, \\emph{almost all} boolean functions with distinct domain sizes can be computed with complete fairness (for instance, more than $99.999\\%$ of the boolean functions with domain sizes $31 \\times 30$). The class of functions that is shown to be possible includes also rather involved and highly non-trivial tasks, such as set-membership, evaluation of a private (boolean) function, private matchmaking and set-disjointness.

In addition, we demonstrate that fairness is not restricted to the class of symmetric boolean functions where both parties get the same output, which is the only known feasibility result. Specifically, we show that fairness is also possible for asymmetric boolean functions where the output of the parties is not necessarily the same. Moreover, we consider the class of functions with \\emph{non-binary} output, and show that fairness is possible \\emph{for any finite range}.

The constructions are based on the protocol of Gordon et.~al, and its analysis uses tools from convex geometry.

*16:17* [Pub][ePrint]
Indistinguishability Obfuscation and UCEs: The Case of Computationally Unpredictable Sources, by Christina Brzuska and Pooya Farshim and Arno Mittelbach
Random oracles are powerful cryptographic objects. They facilitate the security proofs of an impressive number of practical cryptosystems ranging from KDM-secure and deterministic encryption to point-function obfuscation and many more. However, due to an uninstantiability result of Canetti, Goldreich, and Halevi (STOC 1998) random oracles have become somewhat controversial. Recently, Bellare, Hoang, and Keelveedhi (BHK; CRYPTO 2013 and ePrint 2013/424, August 2013) introduced a new abstraction called Universal Computational Extractors (UCEs), and showed that they suffice to securely replace random oracles in a number of prominent applications, including all those mentioned above, without suffering from the aforementioned uninstantiability result. This, however, leaves open the question of constructing UCEs in the standard model.We show that the existence of indistinguishability obfuscation (iO) implies (non-black-box) attacks on all the definitions that BHK proposed within their UCE framework in the original version of their paper, in the sense that no concrete hash function can satisfy them. We also show that this limitation can be overcome, to some extent, by restraining the class of admissible adversaries via a statistical notion of unpredictability. Following our attack, BHK (ePrint 2013/424, September 2013), independently adopted this approach in their work.

In the updated version of their paper, BHK (ePrint 2013/424, September 2013) also introduce two other novel source classes, called bounded parallel sources and split sources, which aim at recovering the computational applications of UCEs that fall outside the statistical fix. These notions keep to a computational notion of unpredictability, but impose structural restrictions on the adversary so that our original iO attack no longer applies. We extend our attack to show that indistinguishability obfuscation is sufficient to also break the UCE security of any hash function against bounded parallel sources. Towards this goal, we use the randomized encodings paradigm of Applebaum, Ishai, and Kushilevitz (STOC 2004) to parallelize the obfuscated circuit used in our attack, so that it can be computed by a bounded parallel source whose second stage consists of constant-depth circuits. We conclude by discussing the composability and feasibility of hash functions secure against split sources.

*05:56* [Job][New]
Research Scientists, PhD, *Institute for Infocomm Research, Singapore*
We are looking for research scientists on cyber-physical security, mobile security, and web security. The candidates should have PhD in computer science or computer engineering, and preferably on infocomm security, be highly motivated with strong R&D capability and also a good team player, have good presentation and communication skills, be able to perform deep system-level investigations of security mechanisms. The candidates are expected to create valuable intellectual properties, publish papers at top security conferences, and produce project deliverables in time.Interested candidates please send CV to Jianying Zhou {jyzhou (at) i2r.a-star.edu.sg}. Fresh PhD is welcome to apply. Review of applications will begin immediately and will continue until the positions are filled. Short-listed candidates will be contacted for interview.

*09:02* [Job][Update]
1 PhD student in Information Security, *Chalmers University of Technology, Gothenburg, Sweden*
We are looking for an excellent PhD candidate to work in the area of information and communication security with a focus on authentication problems in constrained settings. This is particularly important for applications involving mobile phones, wireless communication and RFID systems, which suffer from restrictions in terms of power resources, network connectivity, computational capabilities, as well as potential privacy issues. The overall aim of the project will be to develop nearly optimal algorithms for achieving security and privacy while minimising resource use.More concretely, part of the research will involve the analysis and development of authentication protocols in specific settings. This will include investigating resistance of both existing and novel protocols against different types of attacks, theoretically and experimentally. In addition to investigating established settings, such as RFID authentication, the research will also explore more general authentication problems, such as those that arise in the context of trust in social networks, smartphone applications and collaborative data processing. This will be done by grounding the work in a generalised decision-making framework. The project should result in the development of theory and authentication mechanisms for noisy, constrained settings that strike an optimal balance between reliable authentication, privacy-preservation and resource consumption. Some previous research related to this research project can be found here: http://lasecwww.epfl.ch/~katerina/Publications.html

Applicants for the position shall have a Masterâ€™s Degree or corresponding in Computer Science, Informatics, Telecommunications or in a related discipline. A master\\\'s degree in information security or cryptography is a bonus.

*16:17* [Pub][ePrint]
A Bound For Multiparty Secret Key Agreement And Implications For A Problem Of Secure Computing, by Himanshu Tyagi and Shun Watanabe
We consider secret key agreement by multiple parties observing correlated data and communicating interactively over an insecure communication channel. Our main contribution is a single-shot upper bound on the length of the secret keys that can be generated, without making any assumptions on the distribution of the underlying data. Heuristically, we bound the secret key length in terms of ``how far\" is the joint distribution of the initial observations of the parties and the eavesdropper from a distribution that renders the observations of the parties conditionally independent across some partition, when conditioned on the eavesdropper\'s side information.The closeness of the two distributions is measured in terms of the exponent of the probability of error of type II for a binary hypothesis testing problem, thus bringing out a structural connection between secret key agreement and binary hypothesis testing. When the underlying data consists of an independent and identically distributed sequence, an application of our bound recovers several known upper bounds for the asymptotic rate of a secret key that can be generated, without requiring the agreement error probability or the security index to vanish to 0 asymptotically.

Also, we consider the following problem of secure function computation with trusted parties: Multiple parties observing correlated data seek to compute a function of their collective data. To this end, they communicate interactively over an insecure communication channel. It is required that the value of the function be concealed from an eavesdropper with access to the communication. When is such a secure computation of a given function feasible? Using the aforementioned upper bound, we derive a necessary condition for the existence of a communication protocol that allows the parties to reliably recover the value of a given function, while keeping this value concealed from an eavesdropper with access to (only) the communication.