*10:43* [Job][New]
Ph.D. students, *TELECOM-ParisTech*
TELECOM-ParisTech crypto group seeks 4 PhD students.

The TELECOM-ParisTech crypto group develops prototype solutions to fight against cyber and physical penetration of embedded devices.

Our contributions in this field of research are:

We seek four PhD candidates on those subjects:

- \\\"Calculer dans les codes comme contremesure aux attaques physiques\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10213751
- \\\"Native Protection of Processors against Cyber-Attacks\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10253861
- \\\"Insertion automatique de contre-mesures dans des circuits de sécurité\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10213779
- \\\"Attaques FIRE : Rétroconception de cryptographie secrète\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10166999

Working language is French or English.

Positions are open until Aug 2014.

To ap

*21:17* [Pub][ePrint]
A Second Look at Fischlin's Transformation, by Özgür Dagdelen and Daniele Venturi
Fischlin's transformation is an alternative to the standard Fiat-Shamir transform to turn a certain class of public key identification schemes into digital signatures (in the random oracle model). We show that signatures obtained via Fischlin's transformation are existentially unforgeable even in case the adversary is allowed to get arbitrary (yet bounded) information on the entire state of the signer (including the signing key and the random coins used to generate signatures). A similar fact was already known for the Fiat-Shamir transform; however, Fischlin's transformation allows for a significantly higher leakage parameter than Fiat-Shamir.

Moreover, in contrast to signatures obtained via Fiat-Shamir, signatures obtained via Fischlin enjoy a tight reduction to the underlying hard problem. We use this observation to show (via simulations) that Fischlin's transformation, usually considered less efficient, outperforms the Fiat-Shamir transform in verification time for a reasonable choice of parameters. In terms of signing, Fiat-Shamir is faster for equal signature sizes. Nonetheless, our experiments show that the signing time of Fischlin's transformation becomes, e.g., 22% of the one via Fiat-Shamir if one allows the signature size to be doubled.
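
The two transforms the abstract compares, side by side on a Schnorr identification scheme, as an added example that is not part of the paper or the ePrint entry. The group (p = 2039, q = 1019, generator 4) and the Fischlin parameters (r = 8 repetitions, b = 4 hash bits, t = 6-bit challenges, sum bound S = 8) are assumed toy values chosen so the search runs instantly; they are far too small for any real use. Fiat-Shamir derives one challenge from the commitment; Fischlin fixes all r commitments first and then, per repetition, searches the challenge space for a transcript whose hash is zero (falling back to the smallest found), and the verifier checks every transcript plus the bound on the hash sum.

```python
import hashlib
import random

# Toy Schnorr group: P = 2Q + 1 with Q prime, G of prime order Q.
# Assumed parameters for illustration only; not secure.
P = 2039
Q = 1019
G = 4

# Fischlin parameters (assumed toy values): r repetitions, b hash bits,
# t-bit challenges, verifier sum bound S. Real choices take b*r near the
# security level and S = O(r).
R_REPS = 8
B_BITS = 4
T_BITS = 6
S_BOUND = 8


def _hash_int(*parts):
    """SHA-256 over a canonical encoding of the parts, as an integer."""
    data = b"|".join(repr(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen(rng):
    x = rng.randrange(1, Q)          # secret key
    return x, pow(G, x, P)           # (sk, pk = G^x)


# --- Fiat-Shamir: one transcript, challenge = H(pk, commitment, message) ---
def fs_sign(x, y, msg, rng):
    r = rng.randrange(Q)
    R = pow(G, r, P)
    c = _hash_int("FS", y, R, msg) % Q
    s = (r + c * x) % Q
    return (R, s)


def fs_verify(y, msg, sig):
    R, s = sig
    c = _hash_int("FS", y, R, msg) % Q
    return pow(G, s, P) == (R * pow(y, c, P)) % P


# --- Fischlin: r parallel transcripts, challenges searched for a small hash ---
def _fischlin_hash(y, msg, coms, i, ch, resp):
    """b-bit hash of (statement, message, all commitments, index, challenge, response)."""
    return _hash_int("FI", y, msg, coms, i, ch, resp) & ((1 << B_BITS) - 1)


def fischlin_sign(x, y, msg, rng):
    rs = [rng.randrange(Q) for _ in range(R_REPS)]
    coms = [pow(G, r, P) for r in rs]        # all commitments fixed up front
    chs, resps = [], []
    for i in range(R_REPS):
        best = None
        for ch in range(1 << T_BITS):        # try challenges 0 .. 2^t - 1 in order
            resp = (rs[i] + ch * x) % Q
            h = _fischlin_hash(y, msg, coms, i, ch, resp)
            if best is None or h < best[0]:
                best = (h, ch, resp)         # remember the smallest hash seen
            if h == 0:                       # target hit: stop searching this repetition
                break
        chs.append(best[1])
        resps.append(best[2])
    return (coms, chs, resps)


def fischlin_verify(y, msg, sig):
    coms, chs, resps = sig
    if not (len(coms) == len(chs) == len(resps) == R_REPS):
        return False
    total = 0
    for i in range(R_REPS):
        if not 0 <= chs[i] < (1 << T_BITS):
            return False
        if pow(G, resps[i], P) != (coms[i] * pow(y, chs[i], P)) % P:
            return False                     # transcript i is not a valid Schnorr transcript
        total += _fischlin_hash(y, msg, coms, i, chs[i], resps[i])
    return total <= S_BOUND                  # the "hash sum is small" condition


def demo(seed=None):
    """Sign a constructed message with both transforms and exercise the checks."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    x, y = keygen(rng)
    msg = "constructed sample message"       # constructed input, not from the paper
    fs_sig = fs_sign(x, y, msg, rng)
    fi_sig = fischlin_sign(x, y, msg, rng)
    R, s = fs_sig
    return {
        "fs_ok": fs_verify(y, msg, fs_sig),
        "fs_bad_sig": fs_verify(y, msg, (R, (s + 1) % Q)),
        "fi_ok": fischlin_verify(y, msg, fi_sig),
        "fi_wrong_msg": fischlin_verify(y, "other message", fi_sig),
        "fi_transcripts": len(fi_sig[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the message-binding looks like in each case: in Fiat-Shamir a changed message changes the challenge and the single transcript equation fails; in Fischlin the r transcripts stay valid for any message, and rejection comes only from the hash-sum bound, which is why S must sit far below the expected sum r·2^(b-1) of random b-bit values. Signing cost is roughly r·2^b hash evaluations on average, which is the trade-off the abstract measures against Fiat-Shamir.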

*21:17* [Pub][ePrint]
Practical Receipt-Free Sealed-Bid Auction in the Coercive Environment, by Jaydeep Howlader, Sanjit Kumar Roy, Ashis Kumar Mal
Sealed-bid auction is an efficient and rational method to establish the price in an open market. However, sealed-bid auctions are subject to bid-rigging attack. Receipt-free mechanisms were proposed to prevent bid-rigging. The prior receipt-free mechanisms are based on two assumptions: firstly, the existence of an untappable channel between bidders and auction authorities; secondly, the mechanisms assume the authorities to be honest (not colluding). Moreover, the bandwidth required to communicate the receipt-free bids is huge. This paper presents a sealed-bid auction mechanism to resist bid-rigging. The proposed method does not assume an untappable channel, nor consider the authorities to be necessarily honest. The proposed mechanism also manages the bandwidth efficiently and improves the performance of the system.

*21:17* [Pub][ePrint]
Two-sources Randomness Extractors for Elliptic Curves, by Abdoul Aziz Ciss
This paper studies the task of two-sources randomness extractors for elliptic curves defined over finite fields $K$, where $K$ can be a prime or a binary field. In fact, we introduce new constructions of functions over elliptic curves which take as input two random points from two different subgroups. In other words, for a given elliptic curve $E$ defined over a finite field $\mathbb{F}_q$ and two random points $P \in \mathcal{P}$ and $Q \in \mathcal{Q}$, where $\mathcal{P}$ and $\mathcal{Q}$ are two subgroups of $E(\mathbb{F}_q)$, our function extracts the least significant bits of the abscissa of the point $P \oplus Q$ when $q$ is a large prime, and the $k$ first $\mathbb{F}_p$ coefficients of the abscissa of the point $P \oplus Q$ when $q = p^n$, where $p$ is a prime greater than $5$. We show that the extracted bits are close to uniform. Our construction extends some interesting randomness extractors for elliptic curves, namely those defined in \cite{op} and \cite{ciss1,ciss2}, when $\mathcal{P} = \mathcal{Q}$. The proposed constructions can be used in any cryptographic schemes which require extraction of random bits from two sources over elliptic curves, namely in key exchange protocols, design of strong pseudo-random number generators, etc.

*15:17* [Pub][ePrint]
AES-Based Authenticated Encryption Modes in Parallel High-Performance Software, by Andrey Bogdanov and Martin M. Lauridsen and Elmar Tischhauser
Authenticated encryption (AE) has recently gained renewed interest due to the ongoing CAESAR competition. This paper deals with the performance of block cipher modes of operation for AE in parallel software. We consider the example of the AES on Intel's new Haswell microarchitecture that has improved instructions for AES rounds and finite field multiplication. As opposed to most previous high-performance software implementations of operation modes -- that have considered the encryption of single messages -- we propose to process multiple messages in parallel. We demonstrate that this message scheduling is of significant advantage for most modes. As a baseline for longer messages, the performance of AES-CBC encryption on a single core increases by factor 6.8 when adopting this approach.

For the first time, we report optimized AES-NI implementations of the novel AE modes OTR, McOE-G, COBRA, and POET -- both with single and multiple messages. For almost all AE modes considered, we obtain a consistent speed-up when processing multiple messages in parallel. Notably, among the nonce-based modes, AES-CCM gets by factor 3.5 faster and its performance is about 1.2 cpb which is close to that of AES-GCM (the latter, however, possessing classes of weak keys), with AES-OCB3 still performing at only 0.69 cpb. Among the nonce-misuse resistant modes, AES-McOE-G receives a speed-up by factor 4 and its performance is about 1.44 cpb, which is faster than AES-COBRA with its 1.55 cpb but slower than AES-COPA with 1.29 cpb.

*07:04* [Job][New]
Ph.D. student in Quantum Cryptography, *University of Amsterdam and CWI, the Netherlands, Europe*
The Institute for Logic, Language & Computation (ILLC) at the University of Amsterdam, and the Centrum Wiskunde & Informatica (CWI) are looking for a PhD candidate in the area of quantum cryptography under the supervision of Dr. Christian Schaffner. The aim of the PhD project is to develop new quantum-cryptographic protocols (beyond the task of key distribution) and explore their possibilities and limitations. An example of an active research topic is position-based quantum cryptography. Another aspect is to investigate the security of classical cryptographic schemes against quantum adversaries (post-quantum cryptography).

Full-time appointment is on a temporary basis for a period of four years. For the first two years the PhD candidate will be appointed at the ILLC, University of Amsterdam, initially for a period of 18 months and then, on positive evaluation, for a further six months. During the final two years, the PhD candidate will be employed by the Centrum Wiskunde and Informatica (CWI). On the basis of a full-time appointment (38 hours per week), the gross monthly salary amounts to €2,083 during the first year, rising to €2,664 during the fourth year.

Requirements:

- A Master's degree with excellent grades in computer science, mathematics or physics with outstanding results, or a comparable degree;
- candidates with a strong background in cryptography or quantum information processing are preferred;
- good academic writing and presentation skills;
- good social and organisational skills.

Preferred starting date is 1 September 2014 (or earlier if possible).