International Association
for Cryptologic Research

Fully homomorphic encryption schemes (FHE) allow to apply arbitrary efficient computation to encrypted data without decrypting it first. In Quantum FHE (QFHE) we may want to apply an arbitrary quantumly efficient computation to (classical or quantum) encrypted data.

We present a QFHE scheme with classical key generation (and classical encryption and decryption if the encrypted message is itself classical) with comparable properties to classical FHE. Security relies on the hardness of the learning with errors (LWE) problem with polynomial modulus, which translates to the worst case hardness of approximating short vector problems in lattices to within a polynomial factor. Up to polynomial factors, this matches the best known assumption for classical FHE. Similarly to the classical setting, relying on LWE alone only implies leveled QFHE (where the public key length depends linearly on the maximal allowed evaluation depth). An additional circular security assumption is required to support completely unbounded depth. Interestingly, our circular security assumption is the same assumption that is made to achieve unbounded depth multi-key classical FHE.

Technically, we rely on the outline of Mahadev (arXiv 2017) which achieves this functionality by relying on super-polynomial LWE modulus and on a new circular security assumption. We observe a connection between the functionality of evaluating quantum gates and the circuit privacy property of classical homomorphic encryption. While this connection is not sufficient to imply QFHE by itself, it leads us to a path that ultimately allows using classical FHE schemes with polynomial modulus towards constructing QFHE with the same modulus.

Sanitizable signature schemes are signature schemes which support the delegation of modification rights. The signer can allow a sanitizer to perform a set of admissible operations on the original message and then to update the signature, in such a way that basic security properties like unforgeability or accountability are preserved. Recently, Camenisch et al. (PKC 2017) devised new schemes with the previously unattained invisibility property. This property says that the set of admissible operations for the sanitizer remains hidden from outsiders. Subsequently, Beck et al. (ACISP 2017) gave an even stronger version of this notion and constructions achieving it. Here we characterize the invisibility property in both forms by showing that invisible sanitizable signatures are equivalent to IND-CPA-secure encryption schemes, and strongly invisible signatures are equivalent to IND-CCA2-secure encryption schemes. The equivalence is established by proving that invisible (resp. strongly invisible) sanitizable signature schemes yield IND-CPA-secure (resp. IND-CCA2-secure) public-key encryption schemes and that, vice versa, we can build (strongly) invisible sanitizable signatures given a corresponding public-key encryption scheme.

The Supersingular Isogeny Diffie-Hellman protocol (SIDH) has recently been the subject of increased attention in the cryptography community. Conjecturally quantum-resistant, SIDH has the feature that it shares the same data flow as ordinary Diffie-Hellman: two parties exchange a pair of public keys, each generated from a private key, and combine them to form a shared secret. To create a potentially quantum-resistant scheme, SIDH depends on a new family of computational assumptions involving isogenies between supersingular elliptic curves which replace both the discrete logarithm problem and the computational and decisional Diffie-Hellman problems. Like in the case of ordinary Diffie-Hellman, one is interested in knowing if these problems are related. In fact, more is true: there is a rich network of reductions between the isogeny problems securing the private keys of the participants in the SIDH protocol, the computational and decisional SIDH problems, and the problem of validating SIDH public keys. In this article we explain these relationships, which do not appear elsewhere in the literature, in hopes of providing a clearer picture of the SIDH problem landscape to the cryptography community at large.

Modular exponentiation represents a signicant workload for public key cryptosystems. Examples include not only the classical RSA, DSA, and DH algorithms, but also the partially homomorphic Paillier encryption. As a result, efficient software implementations of modular exponentiation are an important target for optimization. This paper studies methods for using Intel's forthcoming AVX512 Integer Fused Multiply Accumulate (AVX512IFMA) instructions in order to speed up modular (Montgomery) squaring, which dominates the cost of the exponentiation. We further show how a minor tweak in the architectural definition of AVX512IFMA has the potential to further speed up modular squaring.

QARMA is a family of lightweight tweakable block ciphers, which is used to support a software protection feature in the ARMv8 architecture. In this paper, we study the security of QARMA family against the impossible differential attack. First, we generalize the concept of truncated difference. Then, based on the generalized truncated difference, we construct the first 6-round impossible differential dinstinguisher of QARMA. Using the 6-round distinguisher and the time-and-memory trade-off technique, we present 10-round impossible differential attack on QARMA. This attack requires $2^{119.3}$ (resp. $2^{237.3}$) encryption units, $2^{61}$ (resp. $2^{122}$) chosen plaintext and $2^{72}$ 72-bit (resp. $2^{144}$ 144-bit) space for QARMA-64 (resp. QARMA-128). Further, if allowed with higher memory complexity (about $2^{116}$ 120-bit and $2^{232}$ 240-bit space for QARMA-64 and QARMA-128, respectively), our attack can break up 11 rounds of QARMA. To the best of our knowledge, these results are currently the best results with respect to attacked rounds.

We study secret sharing schemes for general (non-threshold) access structures. A general secret sharing scheme for $n$ parties is associated to a monotone function $\mathsf F:\{0,1\}^n\to\{0,1\}$. In such a scheme, a dealer distributes shares of a secret $s$ among $n$ parties. Any subset of parties $T \subseteq [n]$ should be able to put together their shares and reconstruct the secret $s$ if $\mathsf F(T)=1$, and should have no information about $s$ if $\mathsf F(T)=0$. One of the major long-standing questions in information-theoretic cryptography is to minimize the (total) size of the shares in a secret-sharing scheme for arbitrary monotone functions $\mathsf F$.

There is a large gap between lower and upper bounds for secret sharing. The best known scheme for general $\mathsf F$ has shares of size $2^{n-o(n)}$, but the best lower bound is $\Omega(n^2/\log n)$. Indeed, the exponential share size is a direct result of the fact that in all known secret-sharing schemes, the share size grows with the size of a circuit (or formula, or monotone span program) for $\mathsf F$. Indeed, several researchers have suggested the existence of a {\em representation size barrier} which implies that the right answer is closer to the upper bound, namely, $2^{n-o(n)}$.

In this work, we overcome this barrier by constructing a secret sharing scheme for any access structure with shares of size $2^{0.994n}$ and a linear secret sharing scheme for any access structure with shares of size $2^{0.999n}$. As a contribution of independent interest, we also construct a secret sharing scheme with shares of size $2^{\tilde{O}(\sqrt{n})}$ for $2^{{n\choose n/2}}$ monotone access structures, out of a total of $2^{{n\choose n/2}\cdot (1+O(\log n/n))}$ of them. Our construction builds on recent works that construct better protocols for the conditional disclosure of secrets (CDS) problem.

\"Backside shieldings and protections for integrated ciruits against physical attacks\"

Summary : Secure chip manufacturers must ensure the protection of the confidential information contained in their component. This involves software countermeasures (data encryption by a crypto-processor) as well as hardware protections since attackers are now able to access information by attacking the chip with physical methods. Unlike the active side which already includes countermeasures, the back side of the chips remains a preferred target because it is more vulnerable and closer to the active layers of the circuit.

CEA-Leti is working on the development of an efficient, low cost and low power protection using technologies derived from 3D integration. An innovative backside shield, designed and patented by the Leti / DCOS packaging laboratory, was fabricated and showed its effectiveness against fault injection and other typical attacks. Some improvements in the design and structure of the shield have been identified to make it even more difficult to attack. Finally, an extension of the concept to a whole system has been considered in order to collectively protect the back side of several chips.

As part of this thesis, the improvement of the structure and its extension to a system will be studied, in order to propose an optimized design and to lead the technological developments necessary to its implementation on a demonstrator. The PhD student will conduct thermo-mechanical simulation work to size the protection elements for optimal efficiency, then he will participate in the design of the masks necessary for their realization. He will follow the process developments in the clean room and will take part in the physical and / or electrical characterizations. Throughout these processes, he will interact with Leti\'s security experts to ensure that the developments are consistent with the state of the art in terms of attacks and countermeasures.

Closing date for applications: 31 May 2018

Contact: Dr Stefan Borel

stephan.borel (at) cea.fr

Several PhD positions currently open on hardware security at the CEA Leti (please note that for the first three subjects, nationality restrictions might apply):

- \"On the use of wavelets for side-channel analysis\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/ondelettes-pour-le-traitement-des-signaux-compromettants,18-0769.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/wavelets-applied-to-side-channel-analysis,18-0769/pdf.html

- \"Integrated circuit modification with focalized X-Ray beams and a FIB\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/modification-de-circuits-electroniques-avec-lutilisation-de-rayons-x-et-dun-fib,18-0633.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/integrated-circuit-modification-with-focalized-xrays-beam-and-fib,18-0633/pdf.html

- \"Symbolic execution methods on binary codes to detect perturbations attacks vulnerabilities\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/methodes-d-execution-symbolique-de-code-binaire-pour-detections-de-vulnerabilites-contre-les,18-0767.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/symbolic-execution-methods-on-binary-codes-to-detect-perturbations-attacks-vulnerabilities,18-0767/pdf.html

- \"Secure implementation of stream ciphers\"

French : http://www-instn.cea.fr/formations/formation-par-la-recherche/doctorat/liste-des-sujets-de-these/securisation-de-l-implementation-des-mecanismes-de-chiffrements-par-flot,18-0762.html

English : http://www-instn.cea.fr/en/education-and-training/research-training/phd-programs/list-of-thesis-subjects/secure-implementation-of-stream-ciphers,18-0762/pdf.html

Closing date for applications: 31 May 2018

Contact: Jacques Fournier, PhD, HDR

Senior Scientist

jacques.fournier (at) cea.fr

The University of Luxembourg seeks to hire an outstanding post-doctoral researcher at its Interdisciplinary Centre for Security, Reliability and Trust (SnT). The successful candidate will participate in the activities of the Security and Trust of Software Systems (SaToSS) research group (http://satoss.uni.lu/), led by Prof. Dr. Sjouke Mauw.

The position is within the national project PrivDA, whose goal is to develop models and techniques for privacy-preserving data publication from dynamic social networks, accounting for the presence of active adversaries (adversaries with the ability to alter the network structure).

We welcome applications from candidates who have completed a Ph. D. degree in Computer Science or Mathematics by May 2018.

Preference will be given to applicants with proven interest in graph theory and/or data privacy and/or social network analysis.

The intended start day is June 1st, 2018.

The University offers a two-year employment contract, which may be extended up to five years.

Closing date for applications: 30 April 2018

Contact: Yunior Ramirez-Cruz, e-mail: yunior.ramirez (at) uni.lu

Sjouke Mauw, e-mail: sjouke.mauw (at) uni.lu

More information: http://emea3.mrted.ly/1rxbi

In recent years, awareness of communication security has vastly increased. In Web communication for example, TLS usage has become ubiquitous. TLS is, however, not always the only or best method. Sometimes more lightweight or message oriented security methods are preferable. This applies especially in the Internet of Things (IoT) or in industrial networks, but also for communication in Cloud environments or service-oriented architectures. However, using these alternative security methods still require manual and error-prone configuration.

The successful candidate for this PhD fellowship position will contribute to a flexible security framework, which assists developers in creating secure services, but also supports automatic service-usage in machine-to-machine communication.

One focus of this PhD project might be: lightweight security mechanisms, security specification languages, security negotiation protocols, code generation for secure communication stubs etc.

Closing date for applications: 15 April 2018

Contact: Nils Gruschka, +47 22840858, nils.gruschka (at) ifi.uio.no

More information: https://www.jobbnorge.no/en/available-jobs/job/149459/phd-research-fellowship-in-cybersecurity

This position is available immediately in Professor Mosca’s Research group. You will be working with a team of researchers and developers from academia and industry on the Open Quantum Safe project You will help integrate new post-quantum cryptographic algorithms into the libOQS open-source library, and design and implement techniques for evaluating and benchmarking these cryptographic algorithms in a variety of contexts. You will be required to participate in weekly sprint meetings and perform software development tasks assigned by the project team lead, ensuring that all code contributions developed by self or integrated from 3rd party contribution sources adhere to a cohesive design and framework. In addition to algorithm research, tasks cover all aspects of the software development lifecycle and include design, programming cryptographic algorithms, integrating other cryptographic implementations into the libOQS framework, integrating libOQS into 3rd party opensource projects, testing, benchmarking and documentation.

Qualifications:

• Undergraduate or Graduate degree in Mathematics, Computer Science or Electrical and Computer Engineering

• Essential: C and C++ programming experience, at least 3 years.

• Essential: Familiarity with cryptographic algorithms including public key and symmetric key cryptography, digital signatures, message digest and hashing algorithms

• Essential: Familiarity with version control systems (Git & Github workflow)

The Institute for Quantum Computing (IQC) is a world-leading institute for research in quantum information at the University of Waterloo.

The appointment will be for 12 months with the possibility of extension, pending on research funding. The salary is competitive and commensurate with experience. The University of Waterloo respects, appreciates and encourages diversity. All qualified candidates are encouraged to apply; however, Canadian citizens and permanent residents will be given priority

Closing date for applications: 24 August 2018

Contact: Michele Mosca

michele.mosca (at) uwaterloo.ca

More information: https://services.iqc.uwaterloo.ca/applications/positions/open-quantum-safe-liboqs-cryptographi-x9y4/

Sparx is a family of ARX-based block ciphers designed according to the long-trail strategy (LTS) that were both introduced by Dinu et al. at ASIACRYPT'16. Similar to the wide-trail strategy, the LTS allows provable upper bounds on the length of differential characteristics and linear paths. Thus, the cipher is a highly interesting target for third-party cryptanalysis. However, the only third-party cryptanalysis on Sparx-64/128 to date was given by Abdelkhalek et al. at AFRICACRYPT'17 who proposed impossible-differential attacks on 15 and 16 (out of 24) rounds.

In this paper, we present chosen-ciphertext differential attacks on 16 rounds of Sparx-64/128. First, we show a truncated-differential analysis that requires $2^{32}$ chosen ciphertexts and approximately $2^{93}$ encryptions. Second, we illustrate the effectiveness of boomerangs on Sparx by a rectangle attack that requires approximately $2^{59.6}$ chosen ciphertexts and about $2^{122.2}$ encryption equivalents. Finally, we also considered a yoyo attack on 16 rounds that, however, requires the full codebook and approximately $2^{126}$ encryption equivalents.

We consider all LWE- and NTRU-based encryption, key encapsulation, and digital signature schemes proposed for standardisation as part of the Post-Quantum Cryptography process run by the US National Institute of Standards and Technology (NIST). In particular, we investigate the impact that different estimates for the asymptotic runtime of (block-wise) lattice reduction have on the predicted security of these schemes. Relying on the ``LWE estimator'' of Albrecht et al., we estimate the cost of running primal and dual lattice attacks against every LWE-based scheme, using every cost model proposed as part of a submission. Furthermore, we estimate the security of the proposed NTRU-based schemes against the primal attack under all cost models for lattice reduction.

In this paper, we propose an efficient revocable Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme. We base on the direct revocation approach, by embedding the revocation list into ciphertext. However, since the revocation list will grow longer as time goes by, we further leverage this by proposing a secret key time validation technique so that users will have their keys expired on a date and the revocation list only needs to include those user keys revoked before their intended expired date (e.g. those user keys which have been stolen before expiry). These keys can be removed from the revocation list after their expiry date in order to keep the revocation list short, as these keys can no longer be used to decrypt ciphertext generated after their expiry time. This technique is derived from Hierarchical Identity-based Encryption (HIBE) mechanism and thus time periods are in hierarchical structure: year, month, day. Users with validity of the whole year can decrypt any ciphertext associated with time period of any month or any day within the year. By using this technique, the size of public parameters and user secret key can be greatly reduced. A bonus advantage of this technique is the support of discontinuity of user validity (e.g. taking no-paid leave).

In this paper we describe symbolic side-channel analysis techniques for detecting and quantifying information leakage, given in terms of Shannon and Min Entropy. Measuring the precise leakage is challenging due to the randomness and noise often present in program executions and side-channel observations. We account for this noise by introducing additional (symbolic) program inputs which are interpreted probabilistically, using symbolic execution with parameterized model counting. We also explore an approximate sampling approach for increased scalability. In contrast to typical Monte Carlo techniques, our approach works by sampling symbolic paths, representing multiple concrete paths, and uses pruning to accelerate computation and guarantee convergence to the optimal results. The key novelty of our approach is to provide bounds on the leakage that are provably under- and over-approximating the real leakage. We implemented the techniques in the Symbolic PathFinder tool and we demonstrate them on Java programs.

Event date: 28 May to 1 June 2018
Submission deadline: 1 May 2018
Notification: 8 May 2018

Masking is a very common countermeasure against side channel attacks. When combining Boolean and arithmetic masking, one must be able to convert between the two types of masking, and the conversion algorithm itself must be secure against side-channel attacks. An efficient high-order Boolean to arithmetic conversion scheme was recently described at CHES 2017, with complexity independent of the register size. In this paper we describe a simplified variant with fewer mask refreshing, and still with a proof of security in the ISW probing model. In practical implementations, our variant is roughly 25% faster.

In 2006, Groth, Ostrovsky and Sahai designed one non-interactive zero-knowledge (NIZK) proof system [new version, J. ACM, 59(3), 1-35, 2012] for plaintext being zero or one using bilinear groups with composite order. Based on the system, they presented the first perfect NIZK argument system for any NP language and the first universal composability secure NIZK argument for any NP language in the presence of a dynamic/adaptive adversary. This resolves a central open problem concerning NIZK protocols. In this note, we remark that in their proof system the prover has not to invoke the trapdoor key to generate witnesses. The mechanism was dramatically different from the previous works, such as Blum-Feldman-Micali proof system and Blum-Santis-Micali-Persiano proof system. We would like to stress that the prover can cheat the verifier to accept a false claim if the trapdoor key is available to him.

In multi-prover interactive proofs, the verifier interrogates the provers and attempts to steal their knowledge. Other than that, the verifier's role has not been studied. Augmentation of the provers with non-local resources results in classes of languages that may not be NEXP. We have discovered that the verifier plays a much more important role than previously thought. Simply put, the verifier has the capability of providing non-local resources for the provers intrinsically. Therefore, standard MIPs may already contain protocols equivalent to one in which the prover is augmented non-locally. Existing MIPs' proofs of soundness implicitly depend on the fact that the verifier is not a non-local resource provider. The verifier's non-locality is a new unused tool and liability for protocol design and analysis. Great care should have been taken when claiming that ZKMIP = MIP and MIP = NEXP. For the former case, we show specific issues with existing protocols and revisit the proof of this statement. For the latter case, we exhibit doubts that we do not fully resolve. To do this, we define a new model of multi-prover interactive proofs which we call ``correlational confinement form'' (CCF-MIP).

Special purpose factoring algorithms have discouraged the adoption of multi-power RSA, even in a post-quantum setting. We revisit the known attacks and find that a general recommendation against repeated factors is unwarranted. We find that one-terabyte RSA keys of the form $n = p_1^2p_2^3p_3^5p_4^7\cdots p_i^{\pi_i}\cdots p_{20044}^{225287}$ are competitive with one-terabyte RSA keys of the form $n = p_1p_2p_3p_4\cdots p_i\cdots p_{2^{31}}$. Prime generation can be made to be a factor of 100000 times faster at a loss of at least $1$ but not more than $17$ bits of security against known attacks. The range depends on the relative cost of bit and qubit operations under the assumption that qubit operations cost $2^c$ bit operations for some constant $c$.