Zero-Knowledge Password Policy Checks and Verifier-Based PAKE, by Franziskus Kiefer and Mark Manulis
We propose the concept of Zero-Knowledge Password Policy Checks (ZKPPC) to enable remote registration of client passwords without their actual transmission to the server. The ZKPPC protocol executed as part of the client registration process allows the client to prove compliance of the chosen password with the password policy defined by the server. The main benefit of ZKPPC-based password registration is that it guarantees that passwords are never processed or stored in the clear on the server side. At the end of the registration phase the server only receives and stores some verification information that can later be used for authentication in suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocols.
To this end, we first formalize the requirements of ZKPPC protocols and propose a general framework for their construction in the standard model using randomised password hashing and set membership proofs. We design a suitable encoding scheme for password characters and show how to express password policies to allow the adoption of set membership proofs. Finally, we present a concrete ZKPPC-based registration protocol that is based on efficient Pedersen commitments and corresponding proofs, and analyse its performance.
To complete the ZKPPC-based registration and authentication framework we propose a concrete VPAKE protocol, where the server can use the obtained verification information from the ZKPPC-based registration phase to subsequently setup secure communication sessions with the client. Our VPAKE protocol follows the recent framework for the construction of such protocols and is secure in the standard model.
Key Derivation From Noisy Sources With More Errors Than Entropy, by Ran Canetti and Benjamin Fuller and Omer Paneth and Leonid Reyzin
Fuzzy extractors convert a noisy source of entropy into a consistent uniformly-distributed key. In the process of eliminating noise, they lose some of the entropy of the original source---in the worst case, as much as the logarithm of the number of correctable error patterns. We call what is left after this worst-case loss the minimum usable entropy. Unfortunately, this quantity is negative for some sources that are important in practice. Most known approaches for building fuzzy extractors work in the worst case and cannot be used when the minimum usable entropy is negative.
We construct the first fuzzy extractors that work for a large class of distributions that have negative minimum usable entropy. Their security is computational. They correct Hamming errors over a large alphabet. In order to avoid the worst-case loss, they necessarily restrict distributions for which they work.
Our first construction requires high individual entropy of a constant fraction of symbols, but permits symbols to be dependent. Our second construction requires a constant fraction of symbols to have a constant amount of entropy conditioned on prior symbols. The constructions can be implemented efficiently based on number-theoretic assumptions or assumptions on cryptographic hash functions.
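The abstract defines the worst-case entropy loss of a fuzzy extractor as the logarithm of the number of correctable error patterns and calls what remains the minimum usable entropy. The following added worked calculation (not code from the paper) evaluates those quantities for Hamming errors over an alphabet of a given size, so a practitioner can check whether a candidate noisy source even has positive minimum usable entropy. The sample sources in the table are constructed for illustration.

```python
# Added worked calculation (not the paper's code): worst-case entropy loss of a
# fuzzy extractor correcting up to t Hamming errors on n symbols, and the
# resulting minimum usable entropy for a source with a given min-entropy.
import math


def hamming_ball_volume(n: int, t: int, alphabet: int = 2) -> int:
    """Number of error patterns of Hamming weight <= t on n symbols,
    i.e. the number of error patterns a radius-t decoder must correct."""
    return sum(math.comb(n, i) * (alphabet - 1) ** i for i in range(t + 1))


def worst_case_loss_bits(n: int, t: int, alphabet: int = 2) -> float:
    """log2 of the number of correctable error patterns (the abstract's worst-case loss)."""
    return math.log2(hamming_ball_volume(n, t, alphabet))


def minimum_usable_entropy(min_entropy_bits: float, n: int, t: int, alphabet: int = 2) -> float:
    """Min-entropy of the source minus the worst-case loss; negative means the
    generic (worst-case) fuzzy extractor constructions cannot be used."""
    return min_entropy_bits - worst_case_loss_bits(n, t, alphabet)


def report(sources):
    """sources: iterable of (label, min_entropy_bits, n, t, alphabet)."""
    rows = []
    for label, hmin, n, t, alph in sources:
        rows.append((label, hmin, worst_case_loss_bits(n, t, alph), minimum_usable_entropy(hmin, n, t, alph)))
    return rows


if __name__ == "__main__":
    # Constructed example sources, not measurements of any real device.
    constructed = [
        ("64-bit source, 1 error", 40.0, 64, 1, 2),
        ("128-bit source, 32 errors", 60.0, 128, 32, 2),
        ("100 symbols over 256, 10 errors", 200.0, 100, 10, 256),
    ]
    for label, hmin, loss, usable in report(constructed):
        print(f"{label:35s} H={hmin:6.1f}  loss={loss:7.2f}  usable={usable:8.2f}")
```

The second constructed row is the situation the abstract describes: 60 bits of min-entropy is a respectable source, but correcting 32 errors out of 128 positions costs over 100 bits in the worst case, so the minimum usable entropy is negative and worst-case constructions give no key at all.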
bitcoin.BitMint: Reconciling Bitcoin with Central Banks, by Gideon Samid
The sweeping success of the original (2008) bitcoin protocol proves that digital currency has arrived. The mounting opposition from the financial establishment indicates an overshoot. We propose to tame bitcoin into bitcoin.BitMint: keeping the bitcoin excitement -- fitted into real world security, stability and fraud concerns.
The basic idea is to excise the bitcoin money generation formula, and otherwise apply bitcoin essentially "as is" over digital coins which are redeemable by the mint that minted them. This will preserve the bitcoin assured anonymity. The new bitcoin.BitMint solution will benefit from bitcoin's double-spending prevention, and would otherwise enjoy all the benefits associated with money in a digital form.
bitcoin.BitMint will allow traders to invest in US$, gold, or any other commodity while practicing their trade in cyberspace, anonymously, securely, and non-speculatively.
This "mint-in-the-middle" protocol will allow law enforcement authorities to execute a proper court order to enforce the disclosure of a suspected fraudster, but the community of honest traders will trade with robust privacy as offered by the original bitcoin protocol.
We envision interlinked bitcoin.BitMint trading environments, integrated via an InterMint protocol: a framework for the evolution of a cascaded super currency - global and highly stable.
PhD Student, PhD positions at CTIC, Aarhus University, Denmark, Northern Europe
A number of attractive PhD grants are available at the Center for the Theory of Interactive Computation (CTIC), which is a Sino-Danish research center. The center is a collaboration between the Computer Science Department at Aarhus University, Denmark and IIIS, Tsinghua University, Beijing, China, and is led by Professor Andrew Chi-Chih Yao, Tsinghua University, and Professor Peter Bro Miltersen, Aarhus University. The positions are within the focus areas of the center, which are computational complexity theory, cryptography, quantum informatics, and algorithmic game theory. See also http://ctic.au.dk/.
The successful candidates will obtain their degrees from Aarhus University and are expected to do most of their studies there, but also do stays at IIIS.
The PhD program at the Aarhus University Graduate School of Science and Technology (GSST) requires between 3 and 5 years of study, depending on the background of the candidate. The minimum requirement for applying is a Bachelor's degree. Applications should be entered at the GSST web interface, where PhD applicants will also find detailed and relevant information about the application process, deadlines, financing etc.: http://talent.au.dk/phd/scienceandtechnology/.
To obtain further information before applying, please email ctic (at) cs.au.dk. The next application deadline is May 1st, 2014.
Ph.D. Scholarship in Computer Science (3 years full time), University of Wollongong, Australia
The Centre for Computer and Information Security Research (CCISR) at the University of Wollongong, Australia, is looking for a high caliber PhD student to work in the topic of "Post-quantum Cryptography".
The topic includes the following sub-topics:
- lattice-based cryptography,
- multivariate cryptography,
- code-based cryptography,
- quantum computing.
Candidates are required to have a good background in mathematics.
All the decisions made will be final and there is no appeal procedure.
Ideally, it is expected that the candidate will start the PhD candidature by August 2014.
Interested candidates should send their complete CV, which includes their research experience and publication to Dr. Thomas Plantard (thomaspl (at) uow.edu.au).
Any questions regarding this position should be directed to
Prof. Willy Susilo (wsusilo (at) uow.edu.au) or Dr. Thomas Plantard (thomaspl (at) uow.edu.au).