*15:17* [Pub][ePrint]
Succinct Randomized Encodings and their Applications, by Nir Bitansky and Sanjam Garg and Sidharth Telang
A {\\em randomized encoding} allows to represent a ``complex\'\' function $f(x)$ by a ``simpler\'\' randomized function $\\hat{f}(x;r)$ whose output distribution encodes $f(x)$, while revealing nothing else regarding $x$. Existing randomized encodings, geared mostly to allow encoding with low parallel complexity, have proven instrumental in various strong applications such as multiparty computation and parallel cryptography.This work focuses on another natural complexity measure: {\\em the time required to encode}. We construct {\\em succinct randomized encodings} where a computation given by a (Turing or random-access) machine $M$, and input $x$, requiring time $t$ and space $s$, can be encoded roughly in time $\\poly(|x|,\\log t,s)$, thus inducing significant savings in time when $s \\ll t$. The scheme guarantees computational input-privacy and is based on indistinguishability obfuscation for a relatively simple circuit class, which can in turn be based on a polynomial version of the subgroup elimination assumption on multilinear graded encodings.

We then invoke succinct randomized encodings to obtain several strong applications, including:

\\begin{itemize}

\\item

Indistinguishability obfuscation for uniform (Turing or random-access) machines, where the obfuscated machine $\\iO(M)$ computes the same function as $M$ for inputs $x$ of apriori-fixed maximal size $n$, and is computed in time $\\poly(n,\\log t,s)$.

\\item

Functional encryption for uniform machines, where a functional decryption key corresponding to $M$ allows decrypting $M(x)$ from encryptions of $x$. As in the previous case, inputs $x$ are of apriori-fixed maximal size $n$, and key derivation time is roughly $\\poly(n,\\log t,s)$.

\\item

Publicly-verifiable 2-message delegation where verification time is roughly $\\poly(n,\\log t,s)$. We also show how to transform any 2-message delegation scheme to an essentially non-interactive system where the verifier message is reusable.

\\end{itemize}

For the first application, we also require subexponentially-secure indistinguishability obfuscation for circuits, and for the second polynomial indistinguishability obfuscation, which can be replaced by more concrete polynomial hardness assumptions on multilinear graded-encodings. Previously, both applications were only known based on various non-standard knowledge assumptions.

*14:42* [Job][New]
Ph.D. student (3 positions), *Universitat Rovira i Virgili, Tarragona, Catalonia*
What we offer:We offer three predoctoral grants motivated by the start of two large research projects related to security, privacy, cryptography and the economics of privacy.

The candidates\' primary job will be to do research within the project. Additionally, they are expected to submit a PhD thesis based on the research carried out.

What we require:

Candidates should have a Master\'s degree in Computer Science. Also acceptable is a Master\'s degree in Economics or Social Sciences, as long as the candidate\'s skills in mathematics and computer science are demonstrably good. Knowledge of cryptographic protocols, game theory and/or behavioural economics will be regarded as an additional merit.

Where we are:

Universitat Rovira i Virgili (URV) is based in Tarragona (Catalonia), which is a coastal city 90 km south of Barcelona. URV has been ranked by Times Higher Education 2014 as the world´s 66th best university under 50 years of age. Also, according to the CWTS Leiden 2014 ranking, URV has the second highest research impact on ``Math., Comp. Sci. and Engineering´´ among European universities. According to the Shanghai ARWU ranking, URV is one of the world\'s top 200 universities in computer science.

What candidates should send:

Send your CV and publication record, plus two recommendation letters to

Prof. Josep Domingo-Ferrer ( josep.domingo (at) urv.cat ).

*09:17* [Pub][ePrint]
Hardware Trojan Horses in Cryptographic IP Cores, by Shivam Bhasin and Jean-Luc Danger and Sylvain Guilley and Xuan Thuy Ngo and Laurent Sauvage
Detecting hardware trojans is a difficult task in general.In this article we study hardware trojan horses insertion and detection in cryptographic intellectual property (IP) blocks.

The context is that of a fabless design house that sells IP blocks as GDSII hard macros, and wants to check that final products have not been infected by trojans during the foundry stage.

First, we show the efficiency of a medium cost hardware trojans detection method if the placement or the routing have been redone by the foundry.

It consists in the comparison between optical microscopic pictures of the silicon product and the original view from a GDSII layout database reader.

Second, we analyze the ability of an attacker to introduce a hardware trojan horse without changing neither the placement nor the routing of the cryptographic IP logic.

On the example of an AES engine, we show that if the placement density is beyond $80$\\%, the insertion is basically impossible.

Therefore, this settles a simple design guidance to avoid trojan horses insertion in cryptographic IP blocks:

have the design be compact enough, so that any functionally discreet trojan necessarily requires a complete re-place and re-route, which is detected by mere optical imaging (and not complete chip reverse-engineering).

*09:17* [Pub][ePrint]
Online Deniability for Multiparty Protocols with Applications to Externally Anonymous Authentication, by Alonso Gonzalez-Ulloa and Alejandro Hevia
In the problem of anonymous authentication (Boneh et al. CCS 1999), a sender wishes to authenticate a message to a given recipient in a way that preserves anonymity: the recipient does not know the identity of the sender and only is assured that the sender belongs to some authorized set. Although solutions for the problem exist (for example, by using ring signatures, e.g. Naor, Crypto 2002), they provide no security when the anonymity set is a singleton. This work is motivated by the question of whether there is any type of anonymity possible in this scenario. It turns out that we can still protect the identity of all senders (authorized or not) if we shift our concern from preventing the identity information be revealed to the recipient to preventing it could be revealed to an external entity, other than the recipient. We define a natural functionality which provides such guarantees and we denote it by F_{eaa} for externally anonymous authenticated channel.We argue that any realization of F_{eaa} must be deniable in the sense of Dodis et al. TCC 2009. To prove the deniability of similar primitives, previous work defined ad hoc notions of deniability for each task, and then each notion was showed equivalent to realizing the primitive in the Generalized Universal Composability framework (GUC, Canetti et al. TCC 2007). Instead, we put forward the question of whether deniability can be defined independently from any particular task. We answer this question in the affirmative providing a natural extension of the definition of Dodis et al. for arbitrary multiparty protocols. Furthermore, we show that a protocol satisfies this definition if an only if it realizes the ideal functionality F_{eaa} in the GUC framework. This result enables us to prove that most GUC functionalities we are aware of (and their realizations) are deniable.

We conclude by applying our results to the construction of a deniable protocol that realizes F_{eaa}.