International Association
for Cryptologic Research

The Department of Computer Science at the University of Victoria is seeking applicants for up to four positions at the Assistant or Associate rank. Candidates with research in AI, Systems, Theory, or Interdisciplinary Areas, as broadly defined by csrankings.org, are encouraged to apply. Another position at the Assistant or Associate rank, with a preference for female applicants, is available.

Closing date for applications: 21 December 2018

Contact: search (at) csc.uvic.ca

More information: https://www.uvic.ca/engineering/computerscience/people/employment-opportunities/index.php

CryptoExperts is looking for highly motivated engineers / researchers to work on applied cryptographic topics.

The job would include

• conducting missions of {design, development, evaluation} of crypto {primitives, protocols, applications} for CryptoExperts customers,

• managing your own research and taking part to collaborative research projects,

• developing innovative crypto technologies and products.

CryptoExperts office is located in the center of Paris.

A PhD degree (preferably in crypto) and a previous experience in development are a strong plus.

To apply, please send your resume and a short statement (background and what you would like to achieve next) at jobs (at) cryptoexperts.com

Closing date for applications: 31 March 2019

Contact: jobs (at) cryptoexperts.com

More information: https://www.cryptoexperts.com/

Applications are invited for a Ph.D. position in the field of cryptography at the Department of Information and Communication Technologies at Universitat Pompeu Fabra in Barcelona, Spain, to be co-supervised by Dr. Vanesa Daza (UPF) and Dr. Alessandra Scafuro (NCSU). Research in Anonymity and Accountability in Blockchain technologies is expected. The starting date will be around September 2019.

Only outstanding candidates that satisfy international mobility criteria will be considered (i.e. the applicant should not have resided or carried out their main activity in Spain for more than 12 months in the 3 years immediately prior to the recruitment date).

The contract will be for 3 years with a gross salary of €34,800, plus other advantages.

The candidate should hold or be about to receive a master\'s degree by September 2019 in computer science, mathematics or a related area. Specialization in cryptography (demonstrated by a relevant MSc) will be positively evaluated.

The application must include: research interests and motivation for applying for the position, CV, the names of two referees, transcripts and diplomas, and a list of any scientific work (if any).

Further inquiries about the project and conditions should be sent to cryptophdapplications (at) upf.edu .

Closing date for applications: 3 January 2019

Contact: cryptophdapplications (at) upf.edu

Your Responsibilities:

- Definition of IoT end-to-end security architecture

- Creation of innovative and disruptive security solutions

- Specification / Design / Review of embedded security architectures

- Risk and threats analysis of security systems

- Root cause analysis of security defects and creation of counter measures

-Technical interface to customers and to the product development team

Your Profile:

- Have a Master degree or PhD in Cryptography, Security, Software Engineering, Electronics, Mathematics

- Have experience in the design and development of Embedded Secure Systems

- Knowledge of SoCs and/or Smartcard/Secure Element products

- Have a security background

- Independent working style, but willingness to listen and to adapt

- Very good communication skills

- Strong team player

- Willingness to travel

Closing date for applications: 31 December 2018

Contact: Veronika von Hepperger, Senior Recruiter, (Email: Veronika.vonhepperger (at) nxp.com)

More information: https://nxp.wd3.myworkdayjobs.com/careers/job/Hamburg/SoC-IC-Security-Hardware-Architect_R-10010354

Project

The cryptography group at AIT is looking for a Ph.D. student to work on the PROFET (Cryptographic Foundations for Future-proof Internet Security) project, led by Dr. Daniel Slamanig (AIT) in cooperation with the Security and Privacy group at TU Wien (Prof. Matteo Maffei). The project is planned to start in Q1 2019 and has a duration of 3 years.

The project targets at designing public-key cryptography capable to secure tomorrow\'s Internet which will encompass paradigms such as cloud computing, the IoT or distributed ledgers as essential ingredients. It specifically puts a focus on: (1) designing security models and schemes that are surveillance and subversion resilient by design (forward and post-compromise security), and 2) designing cryptographic schemes that provide post-quantum security (either via generic or direct constructions). The project covers foundational as well as applied aspects.

Research group

The applicant will have a 30h/week employment at AIT in Vienna working in close collaboration with other members of the cryptography group. There will also be a strong interaction with the Security and Privacy group at TU Wien (and in particular with another PhD student ).

Profile

Eligible candidates will hold a Master\'s degree in Mathematics, Computer Science, Information Security or similar discipline. Students who are expected to receive their MSc degree by the end of 2018 are also encouraged to apply. We prefer candidates who can demonstrate that they have developed their research skills during their studies. Adequate English (written and verbal communication) for scientific interactions is required.

Skills

• High motivation for research work and ability to work independently.
• Good organisation and communication skills.
• Eager to disseminate research results through publications and presentations at top-tier conferences.

Closing date for applications: 28 February 2019

Contact:

Interested candidates should send their detailed CVs, cover letter and references. Only short-listed candidates will be contacted for interview.

Contact: Daniel Slamanig, daniel.slamanig (at) ait.ac.at

More information: https://profet.at/

Two (2) full-time research positions in Cyber

Security are available at either Research

Fellow or Senior Research Fellow level in the

School of Electrical Engineering and Computer

Science at QUT.

These positions will undertake research

projects funded by the Cyber Security

Cooperative Research Centre (CRC),

collaborating with its industry partners and

other participant universities throughout

Australia.

Specifically, QUT is host to the CRC’s Resilient

Systems research theme, which focusses on

technological solutions to cyber security

threats, especially those relating to computer

networks. Applicants with research experience

in computer network security, communications

protocols, industrial control systems,

communications log analysis, digital forensics,

complex system modelling, intrusion detection,

and related topics are especially welcome.

Closing date for applications: 13 January 2019

Contact: Professor Colin Fidge

Discipline Leader - Information Security

School of Electrical Engineering and Computer Science

More information: https://qut.nga.net.au/?jati=87681359-6C3D-B81A-144D-A4B8B24E7607

At the Faculty of Computer Science of the University of Vienna the position of a

University Professor of Security and Privacy

(full time, permanent position) is to be filled.

We are looking for outstanding scientists who are active in the core areas to be covered by this position: information and network security, including privacy. The position is envisioned to serve as a crystallization point in the faculty for security and privacy research and teaching, with the thematic focus on software and systems security. The candidate should demonstrate deep knowledge and have an excellent research record in the theory and practice of security and privacy, with documented outreach to application areas, for example (but not limited to) Cyber Physical Systems or Internet of Things, addressing the increasing demand for security and privacy solutions in research and industry.

Closing date for applications: 7 January 2019

More information: https://personalwesen.univie.ac.at/jobs-recruiting/professuren/detail-seite/news/security-and-privacy/?no_cache=1&tx_new

The security of today's widely used communication security protocols is based on trust in Certificate Authorities (CAs). However, the real security of this approach is debatable, since certificate handling is tedious and many recent attacks have undermined the trust in CAs. On the other hand, opportunistic encryption protocols such as Tcpcrypt, which are currently gaining momentum as an alternative to no encryption, have similar security to using untrusted CAs or self-signed certificates: they only protect against passive attackers.

In this paper, we present a key exchange protocol, Secure Multipath Key Exchange (SMKEX), that enables all the benefits of opportunistic encryption (no need for trusted third parties or pre-established secrets), as well as proven protection against some classes of active attackers. Furthermore, SMKEX can be easily extended to a trust-on-first-use setting and can be easily integrated with TLS, providing the highest security for opportunistic encryption to date while also increasing the security of standard TLS.

We show that SMKEX is made practical by the current availability of path diversity between different AS-es. We also show a method to create path diversity with encrypted tunnels without relying on the network topology. These allow SMKEX to provide protection against most adversaries for a majority of Alexa top 100 web sites.

We have implemented SMKEX using a modified Multipath TCP kernel implementation and a user library that overwrites part of the socket API, allowing unmodified applications to take advantage of the security provided by SMKEX.

Profiled side-channel attacks are the most powerful attacks and they consist of two steps. The adversary first builds a leakage model, using a device similar to the target one, then it exploits this leakage model to extract the secret information from the victim's device. These attacks can be seen as a classification problem, where the adversary needs to decide to what class (corresponding to the secret key) the traces collected from the victim's devices belong. For a number of years, the research community studied profiled attacks and proposed numerous improvements. Despite a large number of empirical works, a framework with strong theoretical foundations to address profiled side-channel attacks is still missing.

In this paper, we propose a framework capable of modeling and evaluating all profiled analysis attacks. This framework is based on the expectation estimation problem that has strong theoretical foundations. Next, we quantify the effects of perturbations injected at different points in our framework through robustness analysis. Finally, we experimentally validate our framework using publicly available traces, several classifiers, and performance metrics.

The current paper improves the number of queries of the previous quantum multi-collision nding algorithms presented by Hosoyamada et al. at Asiacrypt 2017. Let $l$-collision be $l$ distinct inputs that result in the same output of a target function. The previous algorithm finds $l$-collisions by recursively calling the algorithm for finding $(l-1)$-collisions, and it achieves the query complexity of $O(N^{(3^{l-1}-1) / (2 \cdot 3^{l-1})})$. The new algorithm removes the redundancy of the previous recursive algorithm so that computations among different recursive calls can share a part of computations. The new algorithm achieves the query complexity of $\tilde{O}(N^{(2^{l-1}-1) / (2^{l}-1)})$. Moreover, it finds multiclaws for random functions, which are harder to find than multicollisions.

ProtonMail is an online email service that claims to offer end-to-end encryption such that "even [ProtonMail] cannot read and decrypt [user] emails." The service, based in Switzerland, offers email access via webmail and smartphone applications to over five million users as of November 2018. In this work, we provide the first independent analysis of ProtonMail's cryptographic architecture. We find that for the majority of ProtonMail users, no end-to-end encryption guarantees have ever been provided by the ProtonMail service and that the "Zero-Knowledge Password Proofs" are negated by the service itself. We also find and document weaknesses in ProtonMail's "Encrypt-to-Outside" feature. We justify our findings against well-defined security goals and conclude with recommendations.

A cryptosystem for granting/rescinding access permission is proposed, based on elliptic curve cryptography. The `Organizational Cryptosystem' grants access permission not by giving secret (decription) key to the corresponding user but by converting the ciphertext so that the user can decript with their secret key. The `conversion key' for the document, which is created from the secret key which the ciphertext has been originally encrypted for, the public key of the member who shall be permitted to read the ciphertext, and a part of the ciphertext. Therefore it is not possible to decrypt the ciphertext with the conversion key. Nor, for the administrator who issues the conversion key, to obtain any information about the plaintext.

Two of the most significant challenges in the design of blockchain protocols is increasing their transaction processing throughput and minimising latency in terms of transaction settlement. In this work we put forth for the first time a formal execution model that enables to express transaction throughput while supporting formal security arguments regarding safety and liveness. We then introduce parallel-chains, a simple yet powerful non-black-box composition technique for blockchain protocols. We showcase our technique by providing two parallel-chains protocol variants, one for the PoS and one for PoW setting, that exhibit optimal throughput under adaptive fail-stop corruptions while they retain their resiliency in the face of Byzantine adversity assuming honest majority of stake or computational power, respectively. We also apply our parallel-chains composition method to improve settlement latency; combining parallel composition with a novel transaction weighing mechanism we show that it is possible to scale down the time required for a transaction to settle by any given constant while maintaining the same level of security.

We construct non-interactive non-malleable commitments without setup in the plain model, under well-studied assumptions.

First, we construct non-interactive non-malleable commitments with respect to commitment for $\epsilon \log \log n$ tags for a small constant $\epsilon > 0$, under the following assumptions:

- Sub-exponential hardness of factoring or discrete log.

- Quantum sub-exponential hardness of learning with errors (LWE).

Second, as our key technical contribution, we introduce a new tag amplification technique. We show how to convert any non-interactive non-malleable commitment with respect to commitment for $\epsilon\log \log n$ tags (for any constant $\epsilon>0$) into a non-interactive non-malleable commitment with respect to replacement for $2^n$ tags. This part only assumes the existence of sub-exponentially secure non-interactive witness indistinguishable (NIWI) proofs, which can be based on sub-exponential security of the decisional linear assumption.

Interestingly, for the tag amplification technique, we crucially rely on the leakage lemma due to Gentry and Wichs (STOC 2011). For the construction of non-malleable commitments for $\epsilon \log \log n$ tags, we rely on quantum supremacy. This use of quantum supremacy in classical cryptography is novel, and we believe it will have future applications. We provide one such application to two-message witness indistinguishable (WI) arguments from (quantum) polynomial hardness assumptions.

Recently, Gross et al. demonstrated a first-order probing-secure implementation of AES using only two bits of randomness for both the initial sharing and the entire computation of AES. In this note, we recall that first-order probing security may not be sufficient for practical first-order security when randomness is re-cycled. We demonstrate that without taking the transitional leakage into account, the expected security level in a serialized design based on their concept might not be achieved in practice.

We present an efficient implementation of FrodoKEM-640 on an ARM Cortex-M4 core. We leverage the single instruction, multiple data paradigm, available in the instruction set of the ARM Cortex-M4, together with a careful analysis of the memory layout of matrices to considerably speed up matrix multiplications. Our implementations take up to 79.4% less cycles than the reference. Moreover, we challenge the usage of a cryptographically secure pseudorandom number generator for the generation of the large public matrix involved. We argue that statistically good pseudorandomness is enough to achieve the same security goal. Therefore, we propose to use xoshiro128** as a PRNG instead: its structure can be easily integrated in FrodoKEM-640, it passes all known statistical tests and greatly outperforms previous choices. By using xoshiro128** we improve the generation of the large public matrix, which is a considerable bottleneck for embedded devices, by up to 96%.

Group signature is a central tool for privacy-preserving protocols, ensuring authentication, anonymity and accountability. It has been massively used in cryptography, either directly or through variants such as direct anonymous attestations. However it remains a complex tool, especially in the standard model where each of its building blocks is quite costly to instantiate.

In this work, we propose a new group signature scheme proven secure in the standard model which significantly decreases the complexity with respect to the state-of-the-art. More specifically, we halve both the size and the computational cost compared to the most efficient alternative in the standard model. Moreover, our construction is also competitive against the most efficient ones in the random oracle model, thus closing the traditional efficiency gap between these two models.

Our construction is based on a tailored combination of two popular signatures, which avoids the explicit use of encryption schemes or zero-knowledge proofs. It is flexible enough to achieve security in different models and is thus suitable for most contexts.

The 2018 election has closed and 465 IACR members cast ballots to select three members of the Board of Directors.

The results are as follows.

Michel Abdalla 253
Nadia Heninger 203
Anna Lysyanskaya 178
Maria Naya Plasencia 170
Ran Canetti 155
Josh Benaloh 137
Satya Lokam 93

Congratulations to Michel, Nadia, and Anna, who will serve as IACR Directors for three-year terms commencing January 1, 2019, and thank you to Maria, Ran, Josh, and Satya for your contributions to the IACR and willingness to serve.

Audit info is available at the Helios election page.

In CHES 2017, Moradi et al. presented a paper on ``Bit-Sliding'' in which the authors proposed lightweight constructions for SPN based block ciphers like AES, Present and SKINNY. The main idea behind these constructions was to reduce the length of the datapath to 1 bit and to reformulate the linear layer for these ciphers so that they require fewer scan flip-flops (which have built-in multiplexer functionality and so larger in area as compared to a simple flip-flop). In this paper we take the idea forward: is it possible to construct the linear layer using only 2 scan flip-flops? Take the case of Present: in the language of mathematics, the above question translates to: can the Present permutation be generated by some ordered composition only two types of permutations? The question can be answered in the affirmative by drawing upon the theory of permutation groups. However straightforward constructions would require that the ``ordered composition'' consist of a large number of simpler permutations. This would naturally take a large number of clock cycles to execute in a flip-flop array having only two scan flip-flops and thus incur heavy loss of throughput.

In this paper we try to analyze SPN ciphers like Present and Gift that have a bit permutation as their linear layer. We tried to construct the linear layer of the cipher using as little clock cycles as possible. As an outcome we propose smallest known constructions for Present and Gift block ciphers for both encryption and combined encryption+decryption functionalities. We extend the above ideas to propose the first known construction of the Flip stream cipher.

Card-based protocols allow to evaluate an arbitrary fixed Boolean function $f$ on a hidden input to obtain a hidden output, without the executer learning anything about either of the two (e.g. Crépeau and Kilian, CRYPTO 1993). We explore the case where $f$ implements a universal function, i.e. $f$ is given the encoding $\langle P\rangle$ of a program $P$ and an input $x$ and computes $f(\langle P\rangle, x) = P(x)$. More concretely, we consider universal circuits, Turing machines, RAM machines, and branching programs, giving secure and conceptually simple card-based protocols in each case.

We argue that card-based cryptography can be performed in a setting that is only very weakly interactive, which we call the “surveillance” model. Here, when Alice executes a protocol on the cards, the only task of Bob is to watch that Alice does not illegitimately turn over cards and that she shuffles in a way that nobody knows anything about the total permutation applied to the cards. We believe that because of this very limited interaction, our results can be called program obfuscation.

As a tool, we develop a useful sub-protocol $\mathsf{sort}_{\Pi}X\mathop{\uparrow}Y$ that couples the two equal-length sequences $X, Y$ and jointly and obliviously permutes them with the permutation $\pi\in\Pi$ that lexicographically minimizes $\pi(X)$. We argue that this generalizes ideas present in many existing card-based protocols. In fact, AND, XOR, bit copy (Mizuki and Sone, FAW 2009), coupled rotation shuffles (Koch and Walzer, ePrint 2017) and the “permutation division” protocol of (Hashimoto et al., ICITS 2017) can all be expressed as “coupled sort protocols”.