*10:17* [Pub][ePrint]
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries, by Yehuda Lindell
In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao\'s garbled circuits (FOCS 1986). In the semi-honest model, where just one garbled circuit is constructed and evaluated, Yao\'s protocol has proven itself to be very efficient. However, a malicious adversary who constructs the garbled circuit may construct a garbling of a different circuit computing a different function, and this cannot be detected (due to the garbling). In order to solve this problem, many circuits are sent and some of them are opened to check that they are correct while the others are evaluated. This methodology, called \\emph{cut-and-choose}, introduces significant overhead, both in computation and in communication, and is mainly due to the number of circuits that must be used in order to prevent cheating.In this paper, we present a cut-and-choose protocol for secure computation based on garbled circuits, with security in the presence of malicious adversaries, that vastly improves on all previous protocols of this type. Concretely, for a cheating probability of at most $2^{-40}$, the best previous works send between 125 and 128 circuits. In contrast, in our protocol 40 circuits alone suffice (with some additional overhead). Asymptotically, we achieve a cheating probability of $2^{-s}$ where $s$ is the number of garbled circuits, in contrast to the previous best of $2^{-0.32s}$. We achieve this by introducing a new cut-and-choose methodology with the property that in order to cheat, \\emph{all} of the evaluated circuits must be incorrect, and not just the \\emph{majority} as in previous works.

*10:17* [Pub][ePrint]
An efficient attack of a McEliece cryptosystem variant based on convolutional codes, by Grégory Landais and Jean-Pierre Tillich
L\\\"ondahl and Johansson proposed last year a variant of the McEliece cryptosystem which replaces Goppa codes by convolutional codes. This modification is supposed to make

structural attacks more difficult since the public generator matrix of this scheme contains

large parts which are generated completely at random. They proposed two schemes of this

kind, one of them consists in taking a Goppa code and extending it by adding a generator matrix of

a time varying convolutional code. We show here that this scheme can be successfully attacked by looking

for low-weight codewords in the public code of this scheme and using it to unravel the convolutional part.

It remains to break the Goppa part of this scheme which can be done in less than a day of computation in

the case at hand.

*10:17* [Pub][ePrint]
Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose, by Yan Huang and Jonathan Katz and Dave Evans
Beginning with the work of Lindell and Pinkas, researchers have proposed several protocols for secure two-party computation based on the cut-and-choose paradigm. In existing instantiations of this paradigm, one party generates $\\kappa$ garbled circuits; some fraction of those are ``checked\'\' by the other party, and the remaining fraction are evaluated.We introduce here the idea of symmetric cut-and-choose protocols, in which each party generates $\\kappa$ circuits to be checked by the other party. The main advantage of our technique is that the number $\\kappa$ of garbled circuits can be reduced by a factor of 3 while attaining the same statistical security level as in prior work. Since the number of garbled circuits dominates the costs of the protocol, especially as larger circuits are evaluated, our protocol is expected to run up to 3 times faster than existing schemes. Preliminary experiments validate this claim.

*23:46* [Job][New]
Full-time Ph.D. or Postdoc Position, *University of Trier, Germany*
* The Chair for Information Security and Cryptography at University of Trier, Germany, offers a full-time PhD/Postdoc position. * The position involves both research and teaching in the area of cryptography/information security. The successful candidate is expected to contribute to research in applied cryptography.

* The position is available immediately and is fully funded. The salary scale for the position is TV-L E13. The gross income depends on the candidate\\\'s experience level. At the lowest level it corresponds to approx. 40,000 EUR per year.

* Contracts are initially offered for two years. An extension to a total duration of up to six years is possible.

* He or she is given the possiblity to carry out a Ph.D. or, for Postdocs, a Habilitation.

* The successful candidate should have a Master\\\'s degree or a Ph.D. (or should be very close to completion thereof) in Computer Science, Mathematics, Information Security, or a related field, with a strong background in Theoretical Computer Science/Mathematics. Knowledge in cryptography is an asset. Since teaching is mostly done in German, sufficient knowledge of German is required.

* The deadline for applications is March 17th, 2013. However, late applications will be considered until the position is filled.

* See http://infsec.uni-trier.de/job-openings.html for the official job announcement (in German).

*10:17* [Pub][ePrint]
Symbolic Universal Composability, by Florian Böhl and Dominique Unruh
We introduce a variant of the Universal Composability framework (UC; Canetti, FOCS 2001) that uses symbolic cryptography. Two salient properties of the UC framework are secure composition and the possibility of easily defining security by giving an ideal functionality as specification. These advantages are now also available in a symbolic modeling of cryptography, allowing for a modular analysis of complex protocols.We furthermore introduce a new technique for modular design of protocols that uses UC but avoids the need for powerful cryptographic primitives that often comes with UC protocols; this \"virtual primitives\" approach is unique to the symbolic setting and has no counterpart in the original computational UC framework.

*10:17* [Pub][ePrint]
A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol, by Christian L. F. Corniaux and Hossein Ghodosi
In the various 1-out-of-$n$ distributed oblivious transfer protocols (DOT) designed in an unconditionally secure environment, a receiver contacts $k$ out of $m$ servers to obtain one of the $n$ secrets held by a sender. After a protocol has been executed, the sender has no information on the choice of the receiver and the receiver has no information on the secrets she did not obtain. Likewise, a coalition of $k - 1$ servers is unable to infer any information, neither on the sender\'s secrets, nor on the receiver\'s choice.These protocols are based on a semi-honest model: no mechanism prevents a group of malicious servers from disrupting the protocol such that the secret obtained by the receiver does not correspond to the chosen secret. Actually, to verify the information transmitted by the servers seems to require some properties difficult to reconcile: on one hand the receiver has to collect more information from the servers to discard the incorrect data generated by the malicious servers; on the other hand, if the receiver is allowed to gather more information from the servers, the sender\'s security may be compromised.

We study the first unconditionally secure DOT protocol in the presence of an active adversary who may corrupt up to $k - 1$ servers. In addition to the active adversary, we also assume that the sender may (passively) corrupt up to $k - 1$ servers to learn the choice of the receiver. Similarly, the receiver may (passively) corrupt up to $k - 1$ servers to learn more than the chosen secret. However, we assume that the sender, receiver, and active adversary do not collaborate with each other. Our DOT protocol allows the receiver to contact $4k - 3$ servers to obtain one secret, while the required security is maintained.