*14:48* [Job][New]
Postdoc in Cryptology, *Technical University of Denmark, DTU*
Department of Applied Mathematics and Computer Science, Technical University of Denmark, would like to invite applications for a Postdoc position of 18 months, starting 1 April 2014 or soon thereafter. The topic of the project is lightweight cryptology, which regards scenarios involving strongly resource-constrained devices.Candidates for the position should have a solid background in hardware design and automation and be able to work on the physical constraints and optimization of the hardware implementations or, alternatively, we will consider candidates with a strong cryptanalytic and mathematical background who are able to analyse the security of ciphers to be designed.

*14:44* [Job][New]
Post-Doc in Applied Cryptography, *University of Trier, Germany*
The Chair for Information Security and Cryptography at the University of Trier, Germany, offersa full-time position for a postdoctoral researcher

in a project funded by the German Research Foundation (DFG). The goal of the project is to develop methods for the modular analysis of real-world cryptographic protocols, such as TLS, SSH, WPA2, etc., based on the approach of universal composability, and to apply the developed methods to such protocols.

The position is available immediately, with an internationally competitive salary. The starting date is negotiable. Contracts can initially be offered for up to three years, with the perspective of an extension.

There are no teaching obligations.

The successful candidate must have a Master`s degree (or an equivalent degree) in Computer Science, Mathematics, or a related discipline, and have completed, or be near completion of a PhD degree relevant to the research area of the project. You should have a proven high level of analytical capability and mathematical skills. Good English skills are expected; knowledge of German is not required.

Applications will be considered until the position is filled.

*10:17* [Pub][ePrint]
Cryptanalysis of FIDES, by Itai Dinur and Jérémy Jean
FIDES is a lightweight authenticated cipher, presented at CHES 2013.The cipher has two version, providing either 80-bit or 96-bit

security. In this paper, we describe internal state-recovery attacks

on both versions of FIDES, and show that once we recover the internal

state, we can use it to immediately forge any message. Our attacks are

based on a guess-and-determine algorithm, exploiting the slow

diffusion of the internal linear transformation of FIDES. Our most

basic attacks have time complexities of 2^{75} and 2^{90} for FIDES-80

and FIDES-96, respectively, use a very small amount of memory, and

their most distinctive feature is their very low data complexity: the

attacks require at most 24 bytes of an arbitrary plaintext and its

corresponding ciphertext, in order to break the cipher with

probability 1. In addition to the basic attacks, we describe optimized

attacks which exploit additional data in order to reduce the time

complexities to 2^{73} and 2^{88} for FIDES-80 and FIDES-96,

respectively.

*01:17* [Pub][ePrint]
Computing Discrete Logarithms in F_{3^{6*137}} using Magma , by Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodríguez-Henríquez
We show that a Magma implementation of Joux\'s new L[1/4] algorithmcan be used to compute discrete logarithms in the 1303-bit finite field

F_{3^{6*137}} with very modest computational resources.

Our implementation illustrates the effectiveness of Joux\'s algorithm

for computing discrete logarithms in small-characteristic finite

fields which are not Kummer or twisted-Kummer extensions.

*22:17* [Pub][ePrint]
Masking and Leakage-Resilient Primitives: One, the Other(s) or Both?, by Sonia Belaïd, and Vincent Grosso and François-Xavier Standaert
Securing cryptographic implementations against side-channel attacks is one of the most important challenges in modern cryptography. Many countermeasures have been introduced for this purpose, and analyzed in specialized security models. Formal solutions have also been proposed to extend the guarantees of provable security to physically observable devices. Masking and leakage-resilient cryptography are probably the most investigated and best understood representatives of these two approaches. Unfortunately, claims whether one, the other or their combination provides better security at lower cost remained vague so far. In this paper, we provide the first comprehensive treatment of this important problem. For this purpose, we analyze whether cryptographic implementations can be security-bounded, in the sense that the time complexity of the best side-channel attack is lower-bounded, independent of the number of measurements performed. Doing so, we first put forward a significant difference between stateful primitives such as leakage-resilient PRGs (that easily ensure bounded security), and stateless ones such as leakage-resilient PRFs (that hardly do). We then show that in practice, leakage-resilience alone provides the best security vs. performance tradeoff when bounded security is achievable, while masking alone is the solution of choice otherwise. That is, we highlight that~one (x)or the other approach should be privileged, which contradicts the usual intuition that physical security is best obtained by combining countermeasures. Besides, our experimental results underline that despite defined in exactly the same way, the bounded leakage requirement in leakage-resilient PRGs and PRFs imply significantly different challenges for hardware designers. Namely, such a bounded leakage is much harder to guarantee for stateless primitives (like PRFs) than for statefull ones (like PRGs). As a result, constructions of leakage-resilient PRGs and PRFs proven under the same bounded leakage assumption, and instantiated with the same AES implementation, may lead to different practical security levels.

*22:17* [Pub][ePrint]
Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128, by Sareh Emami and San Ling and Ivica Nikolic and Josef Pieprzyk and Huaxiong Wang
So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential attacks. To achieve the resistance, it is believed that for cipher with $k$-bit key it suffices the upper bound on the probability to be $2^{-k}$. Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than $2^{-k}$. Our counter example is a related-key differential analysis of the block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than $2^{-128}$, the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as $2^{-128}$. CLEFIA-128 has $2^{14}$ such differentials, which translate to $2^{14}$ pairs of weak keys. The probability of each differential is too low for attacks, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain advantage of $2^7$ over generic attacks. We exploit the advantage and give a membership test for the weak-key class, provide analysis in the hashing mode, and show the importance for the secret-key mode. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128.

Our results do not threaten the practical use of CLEFIA.

*14:59* [PhD][New]
Constantin Catalin Dragan: Security of CRT-based Secret Sharing Schemes
Name: Constantin Catalin Dragan

Topic: Security of CRT-based Secret Sharing Schemes

Category: (no category)

Description: The Chinese Remainder Theorem (CRT) is a very useful tool in many areas of theoretical and practical cryptography. One of these areas is the theory of threshold secret sharing schemes. A *(t+1,n)*-threshold secret sharing scheme is a method of partitioning a secret among *n* users by providing each user with a share of the secret such that any *t+1* users can uniquely reconstruct the secret by pulling together their shares. Several threshold schemes based on CRT are known. These schemes use sequences of pairwise co-prime positive integers with special properties. The shares are obtained by dividing the secret or a secret-dependent quantity by the numbers in the sequence and collecting the remainders. The secret can be reconstructed by some sufficient number of shares by using CRT. It is well-known that the CRT-based threshold secret sharing schemes are not perfect (and, therefore, not ideal) but some of them are asymptotically perfect and asymptotically ideal and perfect zero-knowledge if sequences of consecutive primes are used for defining them.

\r\n\r\n\r\nIn this thesis we introduce *(k-)compact sequences of co-primes* and their applications to the security of CRT-based threshold secret sharing schemes is thorough investigated. Compact sequences of co-primes may be significantly denser than sequences of consecutive primes of the same length, and their use in the construction of CRT-based threshold secret sharing schemes may lead to better security properties. Concerning the asymptotic idealness property for CRT-based threshold schemes, we have shown there exists a necessary and sufficient condition for the Goldreich-Ron-Sudan (GRS) scheme and Asmuth-Bloom scheme if and only if *(1-)compact sequences of co-primes* are used. Moreover, the GRS and Asmuth-Bloom schemes based on *k*-compact sequences of co-primes are asymptotically perfect and perfect zero-knowledge. The Mignotte scheme is far from being asymptotically perfect [...]