International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

22 June 2018

Constantin-Catalin Dragan, Daniel Gardham, Mark Manulis
ePrint Report
Attribute-based Signatures (ABS) are a powerful tool allowing users with attributes issued by authorities to sign messages while also proving that their attributes satisfy some policy. ABS schemes provide a flexible and privacy-preserving approach to authentication since the signer's identity and attributes remain hidden within the anonymity set of users sharing policy-conform attributes. Current ABS schemes exhibit some limitations when it comes to the management and issue of attributes. In this paper we address the lack of support for hierarchical attribute management, a property that is prevalent in traditional PKIs where certification authorities are organised into hierarchies and signatures are verified along roots of trust.

Hierarchical Attribute-based Signatures (HABS) introduced in this work support delegation of attributes along paths from the top-level authority down to the users while also ensuring that signatures produced by these users do not leak their delegation paths, thus extending the original privacy guarantees of ABS schemes. Our generic HABS construction also ensures unforgeability of signatures in the presence of collusion attacks and contains an extended traceability property allowing a dedicated tracing authority to identify the signer and reveal its attribute delegation paths. We include a public verification procedure for the accountability of the tracing authority.

We anticipate that HABS will be useful for privacy-preserving authentication in applications requiring hierarchical delegation of attribute-issuing rights and where knowledge of delegation paths might leak information about signers and their attributes, e.g., in intelligent transport systems where vehicles may require certain attributes to authenticate themselves to the infrastructure but remain untrackable by the latter.

Mengce Zheng
ePrint Report
We revisit the factoring with known bits problem on general RSA moduli in the forms of $N=p^r q^s$ for $r,s\ge 1$, where two primes $p$ and $q$ are of the same bit-size. The relevant moduli are inclusive of $pq$, $p^r q$ for $r>1$, and $p^r q^s$ for $r,s>1$, which are used in the standard RSA scheme and other RSA-type variants. Previous works acquired the results mainly by solving univariate modular equations. In contrast, we investigate how to efficiently factor $N=p^r q^s$ with given leakage of the primes by the integer method using the lattice-based technique in this paper. More precisely, factoring general RSA moduli with known most significant bits (MSBs) of the primes can be reduced to solving bivariate integer equations, which was first proposed by Coppersmith to factor $N=pq$ with known high bits. Our results provide a unifying solution to the factoring with known bits problem on general RSA moduli. Furthermore, we reveal that there exists an improved factoring attack via the integer method for particular RSA moduli like $p^3 q^2$ and $p^5 q^3$.

Hamid Nejatollahi, Nikil Dutt, Indranil Banerjee, Rosario Cammarota
ePrint Report
Post Quantum Lattice-Based Cryptography (LBC) schemes are increasingly gaining attention in traditional and emerging security problems, such as encryption, digital signature, key exchange, homomorphic encryption etc., to address security needs of both short and long-lived devices — due to their foundational properties and ease of implementation. However, LBC schemes induce higher computational demand compared to classic schemes (e.g., DSA, ECDSA) for equivalent security guarantees, making domain-specific acceleration a viable option for improving security and favoring early adoption of LBC schemes by the semiconductor industry. In this paper, we present a workflow to explore the design space of domain-specific accelerators for LBC schemes, to target a diverse set of host devices, from resource-constrained IoT devices to high-performance computing platforms. We present design exploration results on workloads executing NewHope and BLISSB-I schemes accelerated by our domain-specific accelerators, with respect to a baseline without acceleration. We show that the performance achieved with acceleration makes the execution of NewHope and BLISSB-I comparable to classic key exchange and digital signature schemes while retaining some form of general purpose programmability. In addition to 44% and 67% improvement in energy-delay product (EDP), we enhance performance (cycles) of the sign and verify steps in BLISSB-I schemes by 24% and 47%, respectively. Performance (EDP) of the server and client side of the NewHope key exchange is improved by 37% and 33% (52% and 48%), demonstrating the utility of the design space exploration framework.

21 June 2018

University of Amsterdam / Leiden University / Centrum Wiskunde & Informatica (CWI)
Job Posting
The aim of the PhD project is to carry out quantum cryptanalysis of the most promising schemes in the NIST competition for post-quantum cryptography. The objective ranges from identifying potential vulnerabilities in the design to possibly discovering complete breaks, but also considers the question of finding the right choice of parameters for schemes that (seem to) withstand quantum attacks.

Supervision will be shared between QuSoft and Mathematisch Instituut (MI) Leiden, with Christian Schaffner (University of Amsterdam / QuSoft) and Peter Stevenhagen (MI Leiden) as main supervisors and Serge Fehr (CWI / MI Leiden / QuSoft) and Peter Bruin (MI Leiden) as co-supervisors.

You should hold a Master's degree (or expect to obtain this by the end of the academic year 2017/18) in computer science, mathematics or physics, with excellent grades and outstanding results, or a comparable degree.

Furthermore, you should also possess:

  • a strong background in cryptography, quantum algorithms and/or mathematics (relevant to post-quantum cryptography);

  • demonstrated research abilities, e.g. by completion of an (undergraduate) research project;

  • good academic writing and presentation skills;

  • good social and organisational skills;

  • full professional proficiency in spoken and written English.

See the link below for further information and for the application procedure.

Closing date for applications: 15 July 2018

Contact: Dr Christian Schaffner (c.schaffner (at) uva.nl)

More information: http://www.uva.nl/en/content/vacancies/2018/06/18-371-phd-candidate-in-quantum-cryptanalysis.html


Microsoft Research, Redmond WA, USA
Job Posting
Description available at https://careers.microsoft.com/us/en/job/391591/SENIOR-RSDE

Closing date for applications: 1 August 2018

Contact: Kristin Lauter

Email: klauter (at) microsoft.com


University of Lübeck, Germany
Job Posting
The Institute for IT Security at the University of Lübeck invites applications for an open position as

Professor for Secure Software Systems (W2)

As the future holder of the position, you should bring a proven scientific track record in IT Security, especially in at least one of the following areas:

  • Security of Complex and Networked Software Systems
  • Anonymity and Privacy
  • Operating Systems Security
  • Computer Forensics

You bring along a high potential for strengthening the profile of the new Institute for IT Security through research work, project management, and the acquisition of third party funds in the field of IT Security.

Your teaching tasks include participation in the courses of the degree programs of the Department of Computer Science/Engineering, especially in the new Bachelor’s and Master’s program in IT Security.

University of Lübeck offers excellent opportunities for interdisciplinary cooperation in the key areas of Computer Science, Medical Engineering, Robotics, e-Government, Data Science, as well as the Life Sciences and Medicine. In addition, the university supports activities in technology transfer.

For a detailed description of the position as well as necessary templates and further information on the application process, please visit the link below.

Closing date for applications: 18 July 2018

Contact: Susanne Markmann,

Büro der MINT-Sektionen

Email: mint.buero (at) uni-luebeck.de

More information: https://www.uni-luebeck.de/structure/sektionen/sektionen-mint/berufungsverfahren-stellen.html


Technische Universität Darmstadt in Darmstadt, Germany
Job Posting
Applications are invited for two full-time Pre-doc positions in the Security in Information Technology (SIT) Research Group at Technische Universität Darmstadt, Germany, under the direction of Prof. Dr. Michael Waidner.

We are looking for candidates interested in working at the intersection of privacy engineering and applied cryptography. This project addresses two central challenges in the provision of cloud services: (1) client privacy, and (2) verifiable metering and billing. For challenge (1), we design and develop anonymous communication mechanisms for the cloud. For challenge (2), we build techniques for service verification and design an infrastructure for verifiable metering and billing, enabling clients to verify in real-time their service consumption and corresponding charges. By solving and combining both challenges we obtain privacy-preserving verifiable metering and billing. Further details on the project can be found here.

The vacancy is within the Collaborative Research Center CROSSING, funded by DFG, the German Research Foundation. Collaborative Research Centers are institutions funded by the German Research Foundation (DFG) and are established at universities to pursue a scientifically ambitious, complex, long-term research program. The goal of the center CROSSING is to provide cryptography-based security solutions enabling trust in new and next generation computing environments. For more information about CROSSING please visit www.crossing.tu-darmstadt.de.

As part of its research program CROSSING will develop open-source software called OpenCCE which will allow users to deploy the developed solutions in a secure and easy way.

Applications will be considered until the positions are filled.

Closing date for applications: 30 September 2018

Contact: Applicants are kindly requested to send their applications to staff-sit (at) crisp-da.de with the subject “Funded PhD position in CRC CROSSING” and a single pdf (< 10MB).

More information: https://www.sit.informatik.tu-darmstadt.de


20 June 2018

Toronto, Canada, 15 October 2018
Event Calendar
Event date: 15 October 2018
Submission deadline: 25 July 2018
Notification: 15 August 2018

18 June 2018

Université Libre de Bruxelles, Belgium
Job Posting
Applications are invited for a one-year Post-Doc position in the Quality and Computer Security Research Lab and the Algorithmic Group of the Université Libre de Bruxelles.

The successful applicant will work on the analysis and design of searchable encryption schemes and on data structures enabling efficient search operations on encrypted data.

Candidates shall hold a PhD degree in Computer Science or a related field, should have experience in the research field of the position and should be fluent in English.

Applications must include:

- A Curriculum Vitae

- A motivation letter

- The list of publications and a copy of three selected publications

- The copies of diplomas and certificates

- Two (or more) reference letters

- The date from which the applicant will be available

Applications must be sent to olivier.markowitch (at) ulb.ac.be and stefan.langerman (at) ulb.ac.be

Closing date for applications: 1 October 2018

Contact: Olivier Markowitch, Université Libre de Bruxelles, Computer Science Department, olivier.markowitch (at) ulb.ac.be

More information: https://qualsec.ulb.ac.be/about-2/post-doc-position/


University of Luxembourg
Job Posting
The successful candidate will join the APSIA group led by Prof. Peter Y. A. Ryan. The candidate will be part of the European H2020 project “FutureTPM”, and will conduct research on the design and analysis of quantum-safe Trusted Platform Modules (TPM). The candidate will be supervised by Prof. Peter Y. A. Ryan and Dr. Alfredo Rial. The candidate’s tasks include the following:

  • Shaping research directions and producing results in one or more of the following topics:
    - Develop and analyse quantum-safe algorithms and protocols.
    - Explore the incorporation of quantum-safe algorithms in a TPM architecture.
    - Define security properties and models for a TPM against quantum adversaries.
  • Coordinating research projects and delivering outputs
  • Collaborating with partners in the FutureTPM project
  • Providing guidance to PhD and MSc students
  • Disseminating results through scientific publications

Closing date for applications: 6 July 2018

Contact: Peter Y. A. Ryan, peter.ryan (at) uni.lu or Alfredo Rial, alfredo.rial (at) uni.lu

More information: http://emea3.mrted.ly/1vbm4


University of Luxembourg
Job Posting
The successful candidate will join the APSIA group led by Prof. Peter Y. A. Ryan. The candidate will be part of the Luxembourg National Research Fund (FNR) funded project “Quantum Communication with Deniability”, which starts 1st July 2018 and will conduct research on enabling “deniability” using both classical and quantum mechanisms. The candidate will be supervised by Prof. Peter Y. A. Ryan and Dr. Peter Roenne. The candidate’s tasks include the following:

  • Research on the following topics in quantum cryptography and information theory:
    - Exploring formal definitions of the notion of deniability against various threat models.
    - Exploring the limits of what is achievable in terms of deniability using both classical and quantum mechanisms.
    - Designing and analysing novel protocols and mechanisms to achieve stronger forms of deniability.
  • Providing guidance to M.Sc. students

Closing date for applications: 6 July 2018

Contact: P Y A Ryan, peter.ryan (at) uni.lu

More information: http://emea3.mrted.ly/1vblq


Melissa Chase, Apoorvaa Deshpande, Esha Ghosh
ePrint Report
In recent years, some of the most popular online chat services such as iMessage and WhatsApp have deployed end-to-end encryption to mitigate some of the privacy risks to the transmitted messages. But facilitating end-to-end encryption requires a Public Key Infrastructure (PKI), so these services still require the service provider to maintain a centralized directory of public keys. A downside of this design is placing a lot of trust in the service provider; a malicious or compromised service provider can still intercept and read users' communication just by replacing the user's public key with one for which they know the corresponding secret. A recent work by Melara et al. builds a system called CONIKS where the service provider is required to prove that it is returning a consistent key for each user. This allows each user to monitor his own key and reduces some of the risks of placing a lot of trust in the service provider. New systems [EthIKS, Catena] are already being built on CONIKS. While these systems are extremely relevant in practice, the security and privacy guarantees of these systems are still based on some ad-hoc analysis rather than on a rigorous foundation. In addition, without a modular treatment, improving on the efficiency of these systems is challenging. In this work, we formalize the security and privacy requirements of a verifiable key service for end-to-end communication in terms of the primitive called Verifiable Key Directories (VKD). Our abstraction captures the functionality of all three existing systems: CONIKS, EthIKS and Catena. We quantify the leakage from these systems, giving us a better understanding of their privacy in concrete terms. Finally, we give a VKD construction (with concrete efficiency analysis) which improves significantly on the existing ones in terms of privacy and efficiency.
Our design modularly builds from another primitive that we define as append-only zero knowledge sets (aZKS) and from append-only Strong Accumulators. By providing modular constructions, we allow for the independent study of each of these building blocks: an improvement in any of them would directly result in an improved VKD construction. Our definition of aZKS generalizes the definition of the zero knowledge set for updates, which is a secondary contribution of this work, and can be of independent interest.

Antonio Faonio, Jesper Buus Nielsen, Mark Simkin, Daniele Venturi
ePrint Report
Non-malleable codes for the split-state model allow one to encode a message into two parts, such that arbitrary independent tampering on each part, and subsequent decoding of the corresponding modified codeword, yields either the same as the original message, or a completely unrelated value. Continuously non-malleable codes further allow one to tolerate an unbounded (polynomial) number of tampering attempts, until a decoding error happens. The drawback is that, after an error happens, the system must self-destruct and stop working, otherwise generic attacks become possible.

In this paper we propose a solution to this limitation, by leveraging a split-state refreshing procedure. Namely, whenever a decoding error happens, the two parts of an encoding can be locally refreshed (i.e., without any interaction), which makes it possible to avoid the self-destruct mechanism in some applications. Additionally, the refreshing procedure can be exploited in order to obtain security against continual leakage attacks. We give an abstract framework for building refreshable continuously non-malleable codes in the common reference string model, and provide a concrete instantiation based on the external Diffie-Hellman assumption.

Finally, we explore applications in which our notion turns out to be essential. The first application is a signature scheme tolerating an arbitrary polynomial number of split-state tampering attempts, without requiring a self-destruct capability, and in a model where refreshing of the memory happens only after an invalid output is produced. This circumvents an impossibility result from a recent work by Fujisaki and Xagawa (Asiacrypt 2016). The second application is a compiler for tamper-resilient read-only RAM programs. In comparison to other tamper-resilient RAM compilers, ours has several advantages, among which the fact that, in some cases, it does not rely on the self-destruct feature.

Yin Li, Yu Zhang, Xiaoli Guo, Chuanda Qi
ePrint Report
In this paper, we propose a new type of non-recursive Mastrovito multiplier for $GF(2^m)$ using an $n$-term Karatsuba algorithm (KA), where $GF(2^m)$ is defined by an irreducible trinomial, $x^m+x^k+1, m=nk$. We show that such a type of trinomial combined with the $n$-term KA can fully exploit the spatial correlation of entries in related Mastrovito product matrices and lead to a low complexity architecture. The optimal parameter $n$ is further studied. As the main contribution of this study, the lower bound of the space complexity of our proposal is about $O(\frac{m^2}{2}+m^{3/2})$. Meanwhile, the time complexity matches the best Karatsuba multiplier known to date. To the best of our knowledge, it is the first time that a Karatsuba-based multiplier has reached such a space complexity bound while maintaining relatively low time delay.

Matvei Kotov, Anton Menshov, Alexander Ushakov
ePrint Report
We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnells, called the Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication).

We present a heuristic algorithm that allows a passive eavesdropper to recover Alice's private key by removing cloaking elements. Our attack has a 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest inserting many cloaking elements at random positions of the private key. Our implementation of the attack is available on GitHub.

Ignacio Cascudo, René Bødker Christensen, Jaron Skovsted Gundersen
ePrint Report
We consider recent constructions of $1$-out-of-$N$ OT-extension from Kolesnikov and Kumaresan (CRYPTO 2013) and from Orrú et al. (CT-RSA 2017), based on binary error-correcting codes. We generalize their constructions such that $q$-ary codes can be used for any prime power $q$. This makes it possible to reduce the number of base $1$-out-of-$2$ OT's that are needed to instantiate the construction for any value of $N$, at the cost of increasing the complexity of the remaining part of the protocol. We analyze these trade-offs in some concrete cases.

Kyle Hogan, Hoda Maleki, Reza Rahaeimehr, Ran Canetti, Marten van Dijk, Jason Hennessey, Mayank Varia, Haibin Zhang
ePrint Report
OpenStack is the prevalent open-source, non-proprietary package for managing cloud services and data centers. It is highly complex and consists of multiple inter-related components which are developed by separate, loosely coordinated groups. We initiate an effort to provide a rigorous and holistic security analysis of OpenStack. Our analysis has the following key features:

- It is user-centric: It stresses the security guarantees given to users of the system, in terms of privacy, correctness, and timeliness of the services.

- It provides defense in depth: It considers the security of OpenStack even when some of the components are compromised. This departs from the traditional design approach of OpenStack, which assumes that all services are fully trusted.

- It is modular: It formulates security properties for individual components and uses them to assert security properties of the overall system.

We base our modeling and security analysis in the universally composable (UC) security framework, which has been so far used mainly for analyzing security of cryptographic protocols. Indeed, demonstrating how the UC framework can be used to argue about security-sensitive systems which are mostly non-cryptographic in nature is another main contribution of this work.

Our analysis covers only a number of core components of OpenStack. Still, it uncovers some basic and important security trade-offs in the design. It also naturally paves the way to a more comprehensive analysis of OpenStack.

Dan Boneh, Joseph Bonneau, Benedikt Bünz, Ben Fisch
ePrint Report
We study the problem of building a verifiable delay function (VDF). A VDF requires a specified number of sequential steps to evaluate, yet produces a unique output that can be efficiently and publicly verified. VDFs have many applications in decentralized systems, including public randomness beacons, leader election in consensus protocols, and proofs of replication. We formalize the requirements for VDFs and present new candidate constructions that are the first to achieve an exponential gap between evaluation and verification time.

Gaurav Bansod, Abhijit Patil, Narayan Pisharoty
ePrint Report
In this paper we propose an ultra-lightweight cipher, GRANULE. It is based on a Feistel network which encrypts 64 bits of data with an 80/128-bit key. GRANULE needs much less memory space compared to existing lightweight ciphers: GRANULE needs 1288 GEs for the 80-bit and 1577 GEs for the 128-bit key size. It also shows good resistance against linear and differential cryptanalysis. GRANULE needs a very small footprint area and provides a robust secure design which thwarts attacks like the biclique attack, zero correlation attack, meet-in-the-middle attack, key schedule attack and key collision attack. GRANULE has a strong S-box, which is the key designing aspect in any cipher design. In this paper GRANULE is proposed with 32 rounds, which are enough to provide resistance against all possible types of attacks. GRANULE consumes much less power compared to other modern lightweight ciphers. We believe the GRANULE cipher is the best suited cipher for providing robust security in applications like IoT.

Lucas Schabhüser, Denis Butin, Johannes Buchmann
ePrint Report
Sensitive data is often outsourced to cloud servers, with the server performing computation on the data. Computational correctness must be efficiently verifiable by a third party while the input data remains confidential. This paper introduces CHQS, a homomorphic signature scheme from bilinear groups fulfilling these requirements. CHQS is the first such scheme to be both context hiding and publicly verifiable for arithmetic circuits of degree two. It also achieves amortized efficiency: after a precomputation, verification can be faster than the evaluation of the circuit itself.