*15:17* [Job][New]
Lecturer, *Royal Holloway, University of London*
Applications are invited for the post of Lecturer in the Information Security Group at Royal Holloway, University of LondonApplications are invited from researchers whose interests are related to, or complement, current strengths of the ISG. We are particularly interested in applicants who will be able to interact with our research groups in cryptography and systems security. However, applications from strong candidates working in other cyber security fields will also be given serious consideration.

Applicants should have a Ph.D. in a relevant subject or equivalent, be a self-motivated researcher, and have a strong publication record. Applicants should be able to demonstrate an enthusiasm for teaching and communicating with diverse audiences, as well as show an awareness of contemporary issues relating to cyber security.

This is a full time and permanent post, available from 1st September, 2015, or as soon as possible thereafter. This post is based in Egham, Surrey, where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

*09:17* [Pub][ePrint]
Time-release Protocol from Bitcoin and Witness Encryption for SAT, by Jia Liu and Flavio Garcia and Mark Ryan
We propose a new time-release protocol based on the bitcoin protocol and witness encryption. We derive a ``public key\'\' from the bitcoin block chain for encryption. The decryption key are the unpredictable information in the future blocks (e.g., transactions, nonces)that will be computed by the bitcoin network. We build this protocol by witness encryption and encrypt with the bitcoin proof-of-work constraints. The novelty of our protocol is that the decryption key will be automatically and publicly available in the bitcoin block chain when the time is due.

Witness encryption was originally proposed by Garg, Gentry, Sahai and Waters. It provides a means to encrypt to an instance, $x$, of an NP language and to decrypt by a witness $w$ that $x$ is in the language.

Encoding CNF-SAT in the existing witness encryption schemes generate poly(n*k) group elements in the ciphertext where n is the number of variables and k is the number of clauses of the CNF formula.

We design a new witness encryption for CNF-SAT which achieves ciphertext size of 2n+2k group elements. Our witness encryption is based on an intuitive reduction from SAT to Subset-Sum problem. Our scheme uses the framework of multilinear maps, but it is independent of the implementation details of multilinear maps.

*21:17* [Pub][ePrint]
A Provably Secure Group Signature Scheme from Code-Based Assumptions, by Martianus Frederic Ezerman and Hyung Tae Lee and San Ling and Khoa Nguyen and Huaxiong Wang
We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than all of the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands ($\\approx 2^{24}$ users).The feasibility of the scheme is supported by implementation results.

Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.

*21:17* [Pub][ePrint]
Fully Homomorphic Encryption without bootstrapping, by Masahiro Yagisawa
Gentry\'s bootstrapping technique is the most famous method of obtaining fully homomorphic encryption. In this paper I propose a new fully homomorphic encryption scheme on non-associative octonion ring over finite field without bootstrapping technique. The security of the proposed fully homomorphic encryption scheme is based on computational difficulty to solve the multivariate algebraic equations of high degree while the almost all multivariate cryptosystems proposed until now are based on the quadratic equations avoiding the explosion of the coefficients. Because proposed fully homomorphic encryption scheme is based on multivariate algebraic equations with high degree or too many variables, it is against the Gröbner basis attack, the differential attack, rank attack and so on. The key size of this system and complexity for enciphering/deciphering become to be small enough to handle.

*21:17* [Pub][ePrint]
Randomizing Scalar Multiplication Using Exact Covering Systems of Congruences, by Eleonora Guerrini and Laurent Imbert and Théo Winterhalter
In this paper we present a generic, uniformly randomized scalar multiplication algorithm based on covering systems of congruences, with built-in protections against various side-channel attacks. It has been tailored to resist a recent class of attacks called horizontal attacks. These very powerful attacks exploit some unsuspected weaknesses hidden in most, if not all, highly regular and constant time algorithms.We provide a thorough complexity analysis, several arguments to support its robustness and some encouraging numerical experiments.

*21:17* [Pub][ePrint]
XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees, by Bart Mennink
We present XPX, a tweakable blockcipher based on a single permutation P. On input of a tweak (t_{11},t_{12},t_{21},t_{22}) in mathcal{T} and a message m, it outputs ciphertext c=P(m xor Delta_1) xor Delta_2, where Delta_1=t_{11}k xor t_{12}P(k) and Delta_2=t_{21}k xor t_{22}P(k). Here, the tweak space mathcal{T} is required to satisfy a certain set of trivial conditions (such as (0,0,0,0) not in mathcal{T}). We prove that XPX with any such tweak space is a strong tweakable pseudorandom permutation. Next, we consider the security of XPX under related-key attacks, where the adversary can freely select a key-deriving function upon every evaluation. We prove that XPX achieves various levels of related-key security, depending on the set of key-deriving functions and the properties of mathcal{T}. For instance, if t_{12},t_{22} neq 0 and (t_{21},t_{22}) neq (0,1) for all tweaks, XPX is XOR-related-key secure.XPX generalizes Even-Mansour (EM), but also Rogaway\'s XEX based on EM, and tweakable EM used in Minalpher. As such, XPX finds a wide range of applications. We show how our results on XPX directly imply related-key security of the authenticated encryption schemes Pr{\\o}st-COPA and Minalpher, and how a straightforward adjustment to the MAC function Chaskey and to keyed Sponges makes them provably related-key secure.