*18:03* [Job][New]
PhD student, *Swedish Institute of Computer Science, Security Lab and Lund University*
We are looking for an excellent, motivated, self-driven PhD student to work in the area of cloud computing with a focus on security, privacy and trusted computing. The position is for four years and the main aim of the PhD project is to develop security protocols for cloud environments and specifically for IaaS and PaaS. The successful candidate is expected to perform research on the aforementioned areas based on their experience and research interests. They must have strong background in Computer Science and/or Mathematics. They are expected to publish articles in well-known security related conferences and journals. Although all applications will be carefully evaluated, candidates with prior publications as well as research experience in the following areas are specifically encouraged to apply: cloud computing, security and privacy in cloud environments, trusted computing and applied cryptography.

Candidates should fulfill the following requirements:

- A Master degree in Computer Science;

- Knowledge of Cryptographic Protocols;

- Trusted Computing;

- Cloud Computing Architecture;

- Good Academic Writing and Presentation Skills;

- Good Social and Organizational Skills;

Publications in security and privacy will be regarded as an additional merit.

The Security Lab in SICS intends to increase the number of women in those areas where they are underrepresented. Therefore women are explicitly encouraged to apply.

Details about Employment

PhD student positions are limited to four years and the starting salary is 27.000 SEK a month before taxes.

*07:17* [Pub][ePrint]
The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically, by Prabhanjan Ananth, Zvika Brakerski, Gil Segev, Vinod Vaikuntanathan
In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages that are fixed ahead of time (i.e., before the adversary even interacts with the system). This is called selective security, which is too restrictive for many realistic applications. Achieving adaptive security (also called full security), where security is guaranteed even for messages that are adaptively chosen at any point in time, seems significantly more challenging. The handful of known fully-secure schemes are based on specifically tailored techniques that rely on strong assumptions (such as obfuscation assumptions or multilinear maps assumptions).In this paper we show that any sufficiently expressive selectively-secure FE scheme can be transformed into a fully secure one without introducing any additional assumptions. We present a direct black-box transformation, making novel use of hybrid encryption, a classical technique that was originally introduced for improving the efficiency of encryption schemes, combined with a new technique we call the Trojan Method. This method allows to embed a secret execution thread in the functional keys of the underlying scheme, which will only be activated within the proof of security of the resulting scheme.As another application of the Trojan Method, we show how to construct functional encryption schemes for arbitrary circuits starting from ones for shallow circuits (NC1 or even TC0).

*07:17* [Pub][ePrint]
Batch NFS, by Daniel J. Bernstein and Tanja Lange
This paper shows, assuming standard heuristics regarding the number-field sieve, that a \"batch NFS\" circuit of area L^{1.181...+o(1)} factors L^{0.5+o(1)} separate B-bit RSA keys in time L^{1.022...+o(1)}. Here L=exp((log 2^B)^{1/3}(log log 2^B)^{2/3}). The circuit\'s area-time product (price-performance ratio) is just L^{1.704...+o(1)} per key. For comparison, the best area-time product known for a single key is L^{1.976...+o(1)}.This paper also introduces new \"early-abort\" heuristics implying that \"early-abort ECM\" improves the performance of batch NFS by a superpolynomial factor, specifically exp((c+o(1))(log 2^B)^{1/6}(log log 2^B)^{5/6}) where c is a positive constant.

*17:32* [Job][New]
Senior Cryptographic/Software Obfuscation Engineer, *DARPA-i_SW Arlington, VA*
i_SW is looking for a Staff Scientist with a background in mathematics and cryptography to support a DARPA program focused on program obfuscation to protect DoD assets. Candidate will provide Scientific, Engineering and Technical Assistance (SETA) support to assist in the management and evaluation of the research underlying this effort. Candidate should have experience planning and developing technical projects of a research and development (R&D) nature, concerned with unique or controversial problems which have an important effect on major Department of Defense programs.This work will be collaborative with DARPA and i_SW corporation located in Arlington, VA

Required Skills

• Demonstrated skill in successfully performing technical assignments including conducting research in problem areas of considerable scope and complexity requiring unconventional or novel approaches and sophisticated research techniques, risk analysis and resolution, tracking technical milestones, and report preparations

• Research focus on the theoretical sides of cryptography

• Demonstrated skill in conceiving, planning, and conducting research in problem areas of considerable scope and complexity requiring unconventional or novel approaches and sophisticated research techniques.

• Demonstrated the ability to independently conduct the appropriate analyses to offer recommendations, solutions, and alternatives to resolve R&D issues, concerns, problems, or methods.

Applicants must be US Citizens in order to obtain security clearances.

Education

MS/PhD Math or Computer Science

Some post-graduate work in mathematics and cryptography preferred.

*19:17* [Pub][ePrint]
Mind Your Coins: Fully Leakage-Resilient Signatures with Graceful Degradation, by Antonio Faonio and Jesper Buus Nielsen and Daniele Venturi
We construct new leakage-resilient signature schemes.Our schemes remain unforgeable against an adversary leaking arbitrary (yet bounded) information on the entire state of the signer (sometimes known as fully leakage resilience).

The main feature of our constructions, is that they offer a graceful degradation of security in situations where standard existential unforgeability is impossible. This property was recently put forward by Nielsen et al. (PKC 2014) to deal with settings in which the secret key is much larger than the size of a signature.

One remarkable such case is the so-called Bounded Retrieval Model (BRM), where one intentionally inflates the size of the secret key while keeping constant the signature size and the computational complexity of the scheme.

Our main constructions have leakage rate 1-o(1), and are proven secure in the standard model. We additionally give a construction in the BRM, relying on a random oracle.

All of our schemes are described in terms of generic building blocks, but also admit efficient instantiations under fairly standard number-theoretic assumptions.

Finally, we explain how to extend some of our schemes to the setting of noisy leakage, where the only restriction on the leakage functions is that the output does not decrease the min-entropy of the secret key by too much.

*19:17* [Pub][ePrint]
Cryptography with One-Way Communication, by Sanjam Garg and Yuval Ishai and Eyal Kushilevitz and Rafail Ostrovsky and Amit Sahai
There is a large body of work on using noisy communication channels for realizing different cryptographic tasks. In particular, it is known that secure message transmission can be achieved unconditionally using only {\\em one-way} communication from the sender to the receiver. In contrast, known solutions for more general secure computation tasks inherently require interaction, even when the entire input originates from the sender.We initiate a general study of cryptographic protocols over noisy channels in a setting where only one party speaks. In this setting, we show that the landscape of what a channel is useful for is much richer. Concretely, we obtain the following results.

[-] Relationships between channels. The binary erasure channel (BEC) and the binary symmetric channel (BSC), which are known to be securely reducible to each other in the interactive setting, turn out to be qualitatively different in the setting of one-way communication. In particular, a BEC cannot be implemented from a BSC, and while the erasure probability of a BEC can be manipulated in both directions, the crossover probability of a BSC can only be manipulated in one direction.

[-] Zero-knowledge proofs and secure computation of deterministic functions. One-way communication over BEC or BSC is sufficient for securely realizing any deterministic (possibly reactive) functionality which takes its inputs from a sender and delivers its outputs to a receiver. This provides the first truly non-interactive solutions to the problem of zero-knowledge proofs.

[-] Secure computation of randomized functions. One-way communication over BEC or BSC {\\em cannot} be used for realizing general randomized functionalities which take input from a sender and deliver output to a receiver. On the other hand, one-way communication over other natural channels, such as bursty erasure channels, can be used to realize such functionalities. This type of protocols can be used for distributing certified cryptographic keys without revealing the keys to the certification authority.

*19:17* [Pub][ePrint]
The Security of the Hanser-Slamanig Signature Scheme Revisited, by Yanbin Pan
At Asiacrypt 2014, Hanser and Slamanig presented a structure-preserving signatures and prove its EUF-CMA security. Very recently, Fuchsbauer gave a very surprising attack to point out their claim is flawed by showing how to generate a valid existential forgery with overwhelming probability with 4 chosen-message queries for $l=2$. However, we go further in this paper to show that the Hanser-Slamanig signature scheme is not unforgeable under the adaptive chosen message attack. We present a deterministic polynomial-time chosen-message attack which can forge the valid signature for any message with 3 ({\\it resp.} 4) chosen-message queries for $l=2$ ({\\it resp.} $l\\geq 3$ ).