International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

02 April 2018

Pascal Mainini, Rolf Haenni
ePrint Report
Modern web applications using advanced cryptographic methods may need to calculate a large number of modular exponentiations. Performing such calculations in the web browser efficiently is a known problem. We propose a solution to this problem based on outsourcing the computational effort to untrusted exponentiation servers. We present several efficient outsourcing protocols for different settings and a practical implementation consisting of a JavaScript client library and a server application. Compared to browser-only computation, our solution improves the overall computation time by an order of magnitude.

This is an extended version of a paper accepted and presented at the Voting’18 workshop of the Financial Cryptography and Data Security 2018 conference. It will be included in the conference’s LNCS proceedings and available on the Springer web site.
University of Tartu, Estonia
Job Posting
The cryptography group at the Institute of Computer Science of the University of Tartu seeks 1-2 postdoctoral researchers in cryptography. The positions will be supporting an EU H2020 project on privacy-enhancing cryptography for distributed ledgers (PRIViILEDGE). The candidate(s) should have a strong track record in cryptography, and in particular in the design of efficient privacy-preserving protocols (e.g., zero-knowledge proofs) and/or blockchain.

We expect candidates to be able to develop and devote significant time to their own research agenda around the theme of the project. Successful candidates will help to design and evaluate privacy-enhancing cryptographic techniques for blockchains (e.g., SNARKs) and perform other research duties to help with the project, collaborate with partners and ensure the smooth administration of the project including the timely delivery of research output.

The EU H2020 project PRIViLEDGE requires travel to and collaboration with colleagues throughout the European Union. Full travel and equipment budget is available to support the activities of the project.

For any inquiries or to apply for the positions, submit a full research curriculum-vitae (cv), names of two references, and a research statement to Prof Helger Lipmaa (firstname.lastname (at) ut.ee) clearly indicating the position sought. This is crucial since we have several open positions.

The project started on January 1, 2018, and will last for three years. In the case of interest, the candidates may later seek further employment, but this is not necessarily guaranteed. The position will stay open until we find a suitable candidate; please apply early.

Closing date for applications: 1 May 2018

Contact: Helger Lipmaa

More information: https://crypto.cs.ut.ee/index.php/Projects/PRIViLEDGE


01 April 2018

Adelaide, Australia, 7 December - 8 December 2018
Event Calendar
Event date: 7 December to 8 December 2018
Submission deadline: 15 June 2018

Oriahovitza, Bulgaria, 8 July - 15 July 2018
Event Calendar
Event date: 8 July to 15 July 2018

Amsterdam, The Netherlands, 13 September 2018
Event Calendar
Event date: 13 September 2018
Submission deadline: 18 June 2018
Notification: 20 July 2018

Montpellier, France, 12 November - 14 November 2018
Event Calendar
Event date: 12 November to 14 November 2018
Submission deadline: 13 July 2018
Notification: 14 September 2018

Oslo, Norway, 28 November - 30 November 2018
Event Calendar
Event date: 28 November to 30 November 2018
Submission deadline: 10 August 2018
Notification: 10 September 2018

30 March 2018

Stephen Farrell
ePrint Report
This article describes a survey of long-term cryptographic public keys observed in real deployments of secure-shell, e-mail and web protocols in two similarly-sized countries – Ireland and Estonia. We find that keys are very widely re-used across multiple IP addresses, and even autonomous systems. From one run scanning 18,268 hosts in Ireland that run at least one TLS or SSH service, approximately 53% of the hosts involved are using keys that are also seen on some other IP address. For each key, if two IP addresses share that key, then those two IP addresses are considered members of the same cluster. In the same scan we find a maximum cluster size of 1,991 hosts and a total of 1,437 clusters, mostly with relatively few hosts per cluster (median cluster size was 26.5, most common cluster size is two). In that scan, of the 54,447 host/port combinations running cryptographic protocols, we only see 20,053 unique keys (36%), indicating significant key re-use across hosts and ports. We describe the methodology followed and the published source code and public data sources that enable researchers to replicate, validate and extend these results. Clearly, such key sharing can create undesirable security and privacy dependencies between cluster members. The author is currently starting the process of contacting local (Irish) asset-owners to try to establish the reasons for this key sharing and to possibly assist with improving network posture.

29 March 2018

Singapore University of Technology and Design (SUTD)
Job Posting
Singapore University of Technology and Design (SUTD) is a young university which was established in collaboration with MIT. iTrust is a Cyber Security Research Center with about 15 inter-disciplinary faculty members from SUTD. It has the world's best facilities in cyber-physical systems (CPS) including testbeds for Secure Water Treatment (SWaT), Water Distribution (WADI), Electric Power and Intelligent Control (EPIC), and IoT. (See more info at https://itrust.sutd.edu.sg/research/testbeds/.)

I am looking for PhD interns with interest in cyber-physical system security (IoT, water, power grid, transportation, and autonomous vehicle etc.). The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Closing date for applications: 30 May 2018

Contact: Prof. Jianying Zhou

Email: jianying_Zhou (at) sutd.edu.sg

More information: http://jianying.space/

Luke Valenta, Nick Sullivan, Antonio Sanso, Nadia Heninger
ePrint Report
We survey elliptic curve implementations from several vantage points. We perform internet-wide scans for TLS on a large number of ports, as well as SSH and IPsec to measure elliptic curve support and implementation behaviors, and collect passive measurements of client curve support for TLS. We also perform active measurements to estimate server vulnerability to known attacks against elliptic curve implementations, including support for weak curves, invalid curve attacks, and curve twist attacks. We estimate that 0.77% of HTTPS hosts, 0.04% of SSH hosts, and 4.04% of IKEv2 hosts that support elliptic curves do not perform curve validity checks as specified in elliptic curve standards. We describe how such vulnerabilities could be used to construct an elliptic curve parameter downgrade attack called CurveSwap for TLS, and observe that there do not appear to be combinations of weak behaviors we examined enabling a feasible CurveSwap attack in the wild. We also analyze source code for elliptic curve implementations, and find that a number of libraries fail to perform point validation for JSON Web Encryption, and find a flaw in the Java and NSS multiplication algorithms.
Matteo Campanelli, Rosario Gennaro
ePrint Report
This paper initiates a study of Fine Grained Secure Computation: i.e. the construction of secure computation primitives against "moderately complex" adversaries. We present definitions and constructions for Fully Homomorphic Encryption and Verifiable Computation secure against (non-uniform) $\mathsf{NC}^1$ adversaries. We also present two application scenarios for our model: (i) hardware chips that prove their own correctness, and (ii) protocols against rational adversaries potentially relevant to the Verifier's Dilemma in smart-contracts transactions such as Ethereum.
Bertram Poettering, Paul Rösler
ePrint Report
Ratcheted key exchange (RKE) is a cryptographic technique used in instant messaging software like Signal and the WhatsApp messenger for attaining strong security in the face of state exposure attacks (including automatic healing from the latter). RKE received first academic attention in the recent works of Cohn-Gordon et al. (EuroS&P 2017) and Bellare et al. (CRYPTO 2017). While the former is analytical in the sense that it aims primarily at assessing the security that one particular protocol does achieve, rather than looking for a strong notion of security that it could achieve, the authors of the latter follow a different approach in that they first develop a notion of security they want to achieve, and then securely instantiate it. Unfortunately, however, their model is too restricted to serve for the analysis of real-world messenger apps, for considering exclusively unidirectional communication, and for considering only the exposure of the state of only one party.

In this article we resolve the limitations of prior work by developing alternative security definitions, for unidirectional RKE as well as for RKE where both parties can contribute. We follow a purist approach, aiming at finding strong yet convincing notions that cover a realistic communication model; in particular, and in contrast to prior work, our models support fully concurrent operation of both participants.

We further propose secure instantiations (as the protocols analyzed or proposed by Cohn-Gordon et al. and Bellare et al. turn out to be weak in our models). While our scheme for the unidirectional case builds on a generic KEM as the main building block (differently to prior work that requires explicitly Diffie-Hellman), our schemes for bidirectional communication require, perhaps surprisingly, considerably stronger tools.
Sayandeep Saha, Debdeep Mukhopadhyay, Pallab Dasgupta
ePrint Report
Malicious exploitation of faults for extracting secrets is one of the most practical and potent threats to modern cryptographic primitives. Interestingly, not every possible fault for a cryptosystem is maliciously exploitable, and evaluation of the exploitability of a fault is nontrivial. In order to devise precise defense mechanisms against such rogue faults, a comprehensive knowledge is required about the exploitable part of the fault space of a cryptosystem. Unfortunately, the fault space is diversified and of formidable size even while a single crypto-primitive is considered and traditional manual fault analysis techniques may often fall short to practically cover such a fault space within reasonable time. An automation for analyzing individual fault instances for their exploitability is thus inevitable. Such an automation is supposed to work as the core engine for analyzing the fault spaces of cryptographic primitives. In this paper, we propose an automation for evaluating the exploitability status of fault instances from block ciphers, mainly in the context of Differential Fault Analysis (DFA) attacks. The proposed framework is generic and scalable, which are perhaps the two most important features for covering diversified fault spaces of formidable size originating from different ciphers. As a proof-of-concept, we reconstruct some known attack examples on AES and PRESENT using the framework and finally analyze a recently proposed cipher GIFT [21] for the first time. It is found that the secret key of GIFT can be uniquely determined with 1 nibble fault instance injected at the beginning of the 25th round with a reasonable computational complexity of 2^14 .

28 March 2018

King Khaled University. Abha, Saudi Arabia
Job Posting
The College of Computer Science at King Khalid University is seeking applicants for full-time positions of Professor, Associate Professor and Assistant Professor in the following fields:

  • Network Security
  • Information Security
  • Computer Security
  • Hardware Security

Salary:

The University offers a competitive salary based on qualification, professional experience, and the position offered, as follows:

  • Professor: $52,500 - $88,500 per annum.
  • Associate Professor: $43,000 - $73,000 per annum.
  • Assistant Professor: $35,500 - $60,000 per annum.

Common Benefits:

  • Free visa.
  • Tax-free salary.
  • Around 2-week vacation on each Islamic Eid.
  • 60 days of annually paid vacation.
  • Annual air tickets for up to 4 family members to home country.
  • Free medical services for all family members at all government hospitals.
  • Children education allowance (terms and conditions apply).
  • Annual housing allowance (terms and conditions apply).
  • Furniture allowance upon arrival (terms and conditions apply).
  • Weekends (Thursday and Friday) are off.

Closing date for applications:

Contact: Sarah Abu Ghazalah sabugazalah (at) kku.edu.sa

Also, all the documents should be sent via email to: ccs (at) kku.edu.sa

More information: http://www.cs.kku.edu.sa/en

Robert Bosch Research and Technology Center, Pittsburgh PA, USA
Job Posting
Company Description

The Bosch Group operates in most countries in the world. With over 390,000 associates, a career at Bosch offers a chance to grow an exceptional career in an environment that values diversity, initiative and a drive for results.

Job Description

Ideal candidates for this position should have experience in at least one, preferably two or more of the following:

-(Distributed) system security and cloud computing, with emphasis on fault-tolerance, secure computation, secure function evaluation, implementation aspects of the above, knowledge of the blockchain and crypto currency architectures and applications thereof.

-System Security, network security, embedded security, trusted computing, hardware security

-Applied cryptography, privacy enhancing technologies

-Security and machine learning, applications of data mining to security, intrusion detection, anomaly detection, network security, applications of data mining to constrained environments (e.g., automotive networks)

-Software security, static and dynamic program analysis, automated vulnerability detection and patching, reverse engineering of software binaries, hardening techniques to protect software against reverse engineering, formal modelling, etc.

The candidate should have expert knowledge (evidenced by significant contributions in the form of publications and/or patents or patent applications) in at least one of the listed areas and be familiar with at least one other area (should be able to understand and contribute in deep technical discussions in the area). The candidate will be expected to be an active contributor, should have good written and oral communication skills, cross-team collaboration skills, and should be open to acquiring and applying new skills.

Closing date for applications: 31 December 2018

Contact: Dr. Jorge Guajardo Merchan (jorge DOT guajardomerchan AT us DOT bosch DOT com)

More information: https://jobs.smartrecruiters.com/BoschGroup/743999666848005-research-engineer?trid=eaeb2bda-02a4-4e9f-b357-957d3b6da7d7

TU Wien, Vienna, Austria
Job Posting
The Faculty of Informatics at the Vienna University of Technology is looking for outstanding young researchers from abroad to set up and manage an independent research group as part of the Vienna Science and Technology Fund’s (WWTF) Vienna Research Groups for Young Investigators (VRG) Call 2018 - Information and Communication Technologies.

Expressions of interest are sought from researchers who have recently completed their PhD (2 – 8 years ago) with an excellent research track record. Selected candidates will, together with an experienced researcher of the Faculty of Informatics as a proponent, prepare a proposal to be submitted to the WWTF. Should this proposal be successful, the proposed project will be funded to the amount of 1.6 million euro by the WWTF for a period of 6 – 8 years. The Vienna University of Technology will also contribute to the funding of the project: during this time the successful candidate(s) will set up and manage his or her own research group as a group leader, and she or he will receive a tenure-track position (assistant professor), which will be later transformed into a tenured position (associate professor) subject to a positive overall assessment, with subsequent possibility of promotion to full professor.

Expressions of interest from researchers working in any area of Security and Privacy are welcome. These should be sent in digital format (a single pdf file) to Univ. Prof. Matteo Maffei (matteo.maffei (at) tuwien.ac.at) by May 1st, 2018. The expression of interest should include

  • CV
  • List of publications
  • Short abstract of the envisioned research project (about 1 page)

Important Dates:

  • May 1st, 2018: deadline for expressions of interest
  • Mid of May: notification of the first screening phase
  • July 12th, 2018: deadline for the final proposal

Closing date for applications: 1 May 2018

Contact: Univ. Prof. Matteo Maffei (matteo.maffei (at) tuwien.ac.at)

More information: https://www.wwtf.at/programmes/vienna_research_groups/#VRG18

DarkMatter, Abu Dhabi
Job Posting
A role that operates in a fast-paced and demanding environment, you'll draw extensively on your creativity. There's no room for individuals happy to simply follow orders, as you use clean coding practices to test, refactor, and iteratively and incrementally develop constantly improved software.

Be encouraged to monitor and actively participate in external communities and forums in order to keep abreast of the latest developments, follow the constantly evolving requirements for Blockchain and permissioned ledgers within and across various market sectors, and expand DarkMatter's positive presence in these communities.

Have a careful and critical eye to peer review and debug others' code, and also to participate in automated deployments.

With many of our customers committed to putting all the resources necessary into developing and deploying the latest, most advanced Blockchain, cryptographic and other cyber security technologies, at DarkMatter you'll have a chance to test your abilities, build your skills, and expand your horizons by designing for 'impossible', next-generation projects.

To bring your dream to life, you'll need:

  • PhD or Master's degree in a related security field (Cryptography, Applied Cryptography, Information Theory and Mathematics, IT, Computer Science)
  • 5+ years of experience working on large software projects (preferably including open-source projects)
  • Embedded Linux, baremetal / RTOS development and deployment
  • Ability to work with remote developers, leveraging git and other command-line based collaboration technologies
  • Comfortable developing with standard *nix toolchains (gcc, clang, perf, make, cmake, ASAN, TSAN, UBSAN)
  • Knowledge of symmetric and asymmetric cryptographic principles, hierarchical key management and identity management schemes
  • Familiarity with Financial Technology (FinTech) or a related field is an added advantage
  • Deep understanding of Hyperledger, Ethereum or other Blockchain community technical issues

Closing date for applications: 19 December 2018

Contact: Sheila Morjaria - sheila.morjaria (at) darkmatter.ae

More information: https://grnh.se/uvwx8qo61


27 March 2018

Yang Yu, Léo Ducas
ePrint Report
Lattice signature schemes generally require particular care when it comes to preventing secret information from leaking through signature transcript. For example, the Goldreich-Goldwasser-Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev. Several heuristic countermeasures were also shown vulnerable to similar statistical attacks.

At PKC 2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, that has been accepted in the round 1 of the NIST post-quantum cryptography project.

In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information of the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis.

While we only recover partial information on the secret key, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided that $100\,000$ signatures are available, the secret key may be recovered using BKZ-$138$ for the first set of DRS parameters submitted to the NIST. This puts the security level of this parameter set below $80$ bits (maybe even $70$ bits), for an original claim of $128$ bits.
Eshan Chattopadhyay, Bhavana Kanukurthi, Sai Lakshmi Bhavana Obbattu, Sruthi Sekar
ePrint Report
In this paper, we connect two interesting problems in the domain of Information-Theoretic Cryptography: "Non-malleable Codes" and "Privacy Amplification". Non-malleable codes allow for encoding a message in such a manner that any "legal" tampering will either leave the message in the underlying tampered codeword unchanged or unrelated to the original message. In the setting of Privacy Amplification, we have two users that share a weak secret $w$ guaranteed to have some entropy. The goal is to use this secret to agree on a fully hidden, uniformly distributed, key $K$, while communicating on a public channel fully controlled by an adversary.

While a lot of connections have been known from other gadgets to NMCs, this is the first result to show an application of NMCs to any information-theoretic primitive (other than tamper resilient circuits). Specifically, we give a general transformation that takes any augmented non-malleable code and builds a privacy amplification protocol. This leads to the following results:

(a) Assuming the existence of constant rate, optimal error (we say an $\epsilon$-(augmented) NMC has optimal error if $\epsilon$ = $2^{-O(message\ length)}$), two-state augmented non-malleable code there exists a $8$-round privacy amplification protocol with optimal entropy loss and min-entropy requirement $\Omega(\log(n)+ \kappa)$ (where $\kappa$ is the security parameter). In fact, "non-malleable randomness encoders" suffice.

(b) Instantiating our construction with the current best known augmented non-malleable code for $2$-split-state family [Li17], we get a $8$-round privacy amplification protocol with entropy loss $O(\log(n)+ \kappa \log (\kappa))$ and min-entropy requirement $\Omega(\log(n) +\kappa\log (\kappa))$.
Brice Minaud
ePrint Report
AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias $2^{-89}$ on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted $2^{188}$ times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds $i$ and $i+2$, although the biases would require $2^{140}$ data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher.