*12:17* [Pub][ePrint]
Forging Attacks on two Authenticated Encryptions COBRA and POET, by Mridul Nandi
In FSE 2014, an authenticated encryption mode COBRA [4], based on pseudorandom permutation (PRP) blockcipher, and POET [3], based on Almost XOR-Universal (AXU) hash and strong pseudorandom permutation (SPRP), were proposed. Few weeks later, COBRA mode and a simple variant of the original proposal of POET (due to a forging attack [13] on the original proposal) with AES as an underlying blockcipher, were submitted in CAESAR, a competition [1] of authenticated encryption

(AE). In this paper we show a forging attack on the mode COBRA based on any n-bit blockcipher. Our attack on COBRA requires about O(n) queries with success probability about 1/2. This disproves the

claim proved in FSE 2014 paper. We also show both privacy and forging attack on the parallel version of POET, denoted POET-m. We can also recover some derived key of the construction. In case of the

modes POET or POE (the underlying modes for encryption), we show one query distinguishing attack when we instantiate the underlying AXU-hash function with some other AXU hash function, namely

uniform random involution. Thus, our result violates the designer\'s main claim (Theorem 8.1 in [1]). However, the attacks can not be extended directly for the specific choices of existing submitted versions to the CAESAR competition.

*12:17* [Pub][ePrint]
Deleting Secret Data with Public Verifiability, by Feng Hao and Dylan Clarke and Avelino Francisco Zorzo
The problem of secure data erasure has been extensively studied in the past with a rich body of literature available. All existing software-based solutions can be summarized as following the same one-bit-return protocol: the deletion program performs data erasure and returns either success or failure. However, such a one-bit-return protocol turns the data deletion system into a black box -- the user has to trust the outcome but cannot easily verify it. This is especially problematic when the deletion program is encapsulated within a Trusted Platform Module (TPM), and the user has no access to the code inside.In this paper, we initiate a study on how to delete secret data with public verifiability. This is a subject that has not been investigated before, partly because it seems intuitively impossible. In this paper, we show a solution is possible by applying appropriate cryptographic primitives. Based on combining DHIES, Chaum-Pedersen Zero Knowledge Proof and ECDSA, we present a Secure Storage and Erasure (SSE) protocol. The key idea in our solution is based on a ``trust-but-verify\'\' paradigm, which is generally applicable to many security problems but has been largely neglected in the field of secure data deletion. Finally, we present a concrete implementation of the SSE system to demonstrate its practical feasibility.

*18:33* [Job][New]
Post-Doc, *Cryptology Group, CWI, Amsterdam, The Netherlands*
The CWI Cryptology Group is opening a position for a research staff member (post-doc). We encourage candidates with an excellent research track-record in (theoretical) cryptology, preferably with substantial emphasis on its mathematical aspects, to apply. Excellent candidates whose research has emphasized the interface between theory of computation and discrete mathematics (e.g., (algorithmic) coding theory) may also consider to apply if active interests in pursuing cryptologic research can be shown.

The initial appointment is for 1 year, with a possible extension of (at least) 1 year. Review of applications starts immediately until the position is filled. The starting date is negotiable.

*09:17* [Pub][ePrint]
McEliece in the world of Escher, by Danilo Gligoroski and Simona Samardjiska and H{\\aa}kon Jacobsen and Sergey Bezzateev
We present a new family of linear binary codes of length $n$ and dimension $k$ accompanied with a fast list decoding algorithm that can correct up to $\\frac{n}{2}$ errors in a bounded channel with an error density $\\rho$. The decisional problem of decoding random codes using these generalized error sets is NP-complete. Next we use the properties of these codes to design both an encryption scheme and a signature scheme. Although in the open literature there have been several proposals how to produce digital signatures from the McEliece public key scheme, as far as we know, this is the first public key scheme based on codes where signatures are produced in a straightforward manner from the decryption procedure of the scheme. The security analysis of our scheme have two main parts:1. An extensive list of attacks using the Information Set Decoding techniques adopted for our codes; 2. An analysis of the cost of a distinguishing attack based on rank attacks on the generator matrix of the code or on its dual code. Based on this security analysis we suggest some concrete parameters for the security levels in the range of $2^{80} - 2^{128}$.