*00:07* [Job][New]
Post-Doc, *University of Waterloo, Canada*
The Cryptography, Security, and Privacy (CrySP) research group at the University of Waterloo is seeking applications for a postdoctoral research position in the field of security and privacy for location-based or mobile systems and applications. This position will be held in the Cheriton School of Computer Science, and there will be the possibility for collaboration with Google Waterloo.Applicants must hold a PhD in a related field and should have a convincing publication record.

The start date of the position is negotiable. The position may be for one or two years.

Applicants should submit a CV, a research plan, two or three selected papers, and the names and contact information of three references.

*15:25* [Job][New]
Ph.D. student, *Radboud University Nijmegen, the Netherlands, European Union*
The Digital Security (DS) group of RU Nijmegen has a PhD position in side-channel analysis and countermeasure design and implementation.Candidates should have a Master’s degree in computer science, applied mathematics or engineering with strong interest in algorithms and signal processing. Prior experience in side-channel analysis and embedded software or hardware design is an asset.

This research addresses potential threats within the scope of side-channel analysis and fault injection. The successful candidate will contribute to a research project entitled Side-channel resistant devices for pervasive security (SIDES), which is funded by STW. The project is a joint collaboration with Riscure.

Conditions of employment

The position is for 4 years, the expected starting date is flexible, preferably not later than September. Salary is 2042-2612 euro/month.

Candidates moving to the Netherlands from abroad may qualify for a tax incentive scheme, where 30% of your income is tax free.

For additional information about the DS group, see http://www.ru.nl/ds

*15:24* [Job][New]
Integrated circuit designer, PhD, *INVIA, Aix en Provence, France*
INVIA provides security-related semiconductor design IP and embedded software to ASIC and FPGA designers. Our customers are semiconductor vendor and OEM addressing markets where security is a key requirement.Description

The integrated circuit designer will work in the R&D digital team and will contribute to the development of innovative IP for secure products. Main activities include various technical aspects as target specifications, technology survey, architecture, concept, IP development and validation, prototyping, IP packaging, documentation, etc.

He could be also visible from customers side in relationship with Invia marketing through market needs enquiries, technical meeting, deliveries to the customer, field support, etc.

Qualifications

PhD Degree in digital IC design, cryptography, MSc Degree in electrical engineering or equivalent.

Permanent position. The gross income depends on the experience level. Min package is about 40,000 EUR per year.

*13:17* [Pub][ePrint]
An Attack Against Fixed Value Discrete Logarithm Representations, by Gergely Alp\\\'ar and Jaap-Henk Hoepman and Wouter Lueks
Attribute-based credentials (ABCs) are an important building block of privacy-enhancing identity management. Since non-identifying attributes can easily be abused as the anonymity they provide hides the perpetrator, cryptographic mechanisms need to be introduced to make them revocable. However, most of these techniques are not efficient enough in practice.

ABCs with practical revocation have recently been proposed by Hajny and Malina~\\cite{Hajny-Malina-2012}. Their ABCs make use of different discrete logarithm representations of a fixed value. Although this technique is attractive as the verification of a particular issuer\'s credentials is easy, it has an intrinsic weakness. Colluding users can efficiently forge new credentials that are indistinguishable from legally issued ones.

*13:17* [Pub][ePrint]
Practical collision attack on 40-step RIPEMD-128, by Gaoli Wang
RIPEMD-128 is an ISO/IEC standard cryptographic hash function proposedin 1996 by Dobbertin, Bosselaers and Preneel. There are two

different and independent parallel lines called $line1$ operation and

$line2$ operation, and each operation has 64 steps. The results of two

line operations are combined at the end of every application of the

compression function. In this paper, we present collision

differential characteristics for both $line1$ operation and $line2$ operation by choosing a proper message difference. By using message modification technique seriously, we improve the probabilities of the differential characteristics so that we can give a collision attack on 40-step RIPEMD-128 with a complexity of $2^{35}$ computations.

*13:17* [Pub][ePrint]
Analysis and Improvement of Lindell\'s UC-Secure Commitment Schemes, by Olivier Blazy and Céline Chevalier and David Pointcheval and Damien Vergnaud
In 2011, Lindell proposed an efficient commitment scheme, with a non-interactive opening algorithm, in the Universal Composability (UC) framework. He recently acknowledged a bug in its security analysis for the adaptive case. We analyze the proof of the original paper and propose a simple patch of the scheme.More interestingly, we then modify it and present a more efficient commitment scheme secure in the UC framework, with the same level of security as Lindell\'s protocol: adaptive corruptions, with erasures. The

security is proven in the standard model (with a Common Reference String) under the classical Decisional Diffie-Hellman assumption. Our proposal is the most efficient UC-secure commitment proposed to date (in

terms of computational workload and communication complexity).

*13:17* [Pub][ePrint]
Tamper Resilient Cryptography Without Self-Destruct, by Ivan Damgaard and Sebastian Faust and Pratyay Mukherjee and Daniele Venturi
We initiate a general study of schemes resilient to both tampering and leakage attacks. Tampering attacks are powerful cryptanalytic attacks where an adversary can change the secret state and observes the effect of such changes at the output. Our contributions are outlined below:(1) We propose a general construction showing that any cryptographic primitive where the secret key can be chosen as a uniformly random string can be made secure against bounded tampering and leakage. This holds in a restricted model where the tampering functions must be chosen from a set of bounded size after the public parameters have been sampled. Our result covers pseudorandom functions, and many encryption and signature schemes.

(2) We show that standard ID and signature schemes constructed from a large class of Sigma-protocols (including the Okamoto scheme, for instance) are secure even if the adversary can arbitrarily tamper with the prover\'s state a bounded number of times and/or obtain some bounded amount of leakage. Interestingly, for the Okamoto scheme we can allow also independent tampering with the public parameters.

(3) We show a bounded tamper and leakage resilient CCA secure public key cryptosystem based on the DDH assumption. We first define a weaker CPA-like security notion that we can instantiate based on DDH, and then we give a general compiler that yields CCA-security with tamper and leakage resilience. This requires a public tamper-proof common reference string.

(4) Finally, we explain how to boost bounded tampering and leakage resilience (as in 2. and 3. above) to continuous tampering and leakage resilience, in the so-called floppy model where each user has a personal floppy (containing leak- and tamper-free information) which can be used to refresh the secret key (note that if the key is not updated, continuous tamper resilience is known to be impossible). For the case of ID schemes, we also show that if the underlying protocol is secure in the bounded retrieval model, then our compiler remains secure, even if the adversary can tamper with the computation performed by the device.

In some earlier work, the implementation of the tamper resilient primitive was assumed to be aware of the possibility of tampering, in that it would switch to a special mode and, e.g., self-destruct if tampering was detected. None of our results require this assumption.

*13:17* [Pub][ePrint]
Deterministic Public-Key Encryption for Adaptively Chosen Plaintext Distributions, by Ananth Raghunathan and Gil Segev and Salil Vadhan
Bellare, Boldyreva, and O\'Neill (CRYPTO \'07) initiated the study of deterministic public-key encryption as an alternative in scenarios where randomized encryption has inherent drawbacks. The resulting line of research has so far guaranteed security only for adversarially-chosen plaintext distributions that are {\\em independent} of the public key used by the scheme. In most scenarios, however, it is typically not realistic to assume that adversaries do not take the public key into account when attacking a scheme.We show that it is possible to guarantee meaningful security even for plaintext distributions that depend on the public key. We extend the previously proposed notions of security, allowing adversaries to {\\em adaptively} choose plaintext distributions {\\em after} seeing the public key, in an {\\em interactive} manner. The only restrictions we make are that: (1) plaintext distributions are unpredictable (as is essential in deterministic public-key encryption), and (2) the number of plaintext distributions from which each adversary is allowed to adaptively choose is upper bounded by $2^{p}$, where $p$ can be any predetermined polynomial in the security parameter. For example, with $p = 0$ we capture plaintext distributions that are independent of the public key, and with $p = O(s \\log s)$ we capture, in particular, all plaintext distributions that are samplable by circuits of size $s$.

Within our framework we present both constructions in the random-oracle model based on any public-key encryption scheme, and constructions in the standard model based on lossy trapdoor functions (thus, based on a variety of number-theoretic assumptions). Previously known constructions heavily relied on the independence between the plaintext distributions and the public key for the purposes of randomness extraction. In our setting, however, randomness extraction becomes significantly more challenging once the plaintext distributions and the public key are no longer independent. Our approach is inspired by research on randomness extraction from seed-dependent distributions. Underlying our approach is a new generalization of a method for such randomness extraction, originally introduced by Trevisan and Vadhan (FOCS \'00) and Dodis (PhD Thesis, MIT, \'00).