International Association
for Cryptologic Research

We present new protocols for Byzantine agreement in the synchronous and authenticated setting, tolerating the optimal number of $f$ faults among $n=2f+1$ parties. Our protocols achieve an expected $O(1)$ round complexity and an expected $O(n^2)$ communication complexity. The exact round complexity in expectation is 10 for a static adversary and 16 for a strongly rushing adaptive adversary. For comparison, previous protocols in the same setting require expected 29 rounds and expected $\Omega(n^4)$ communication. We also give a lower bound showing that expected $\Omega(n^2)$ communication is necessary against a strongly rushing adaptive adversary.

Inspired by Maurer's universal zero knowledge (UZK) abstract perspective and building on legally fair contract signing protocols without keystones, we propose and analyze the security of the first UZK class of co-signing protocols. We construct our main idea considering the stringent issue of scheme compatibility which characterizes communication systems. Typical examples are the cases of certificates in a public key infrastructure and the general issue of upgrading the version of a system. Thus, working in a general framework may reduce implementation errors and save application development and maintenance time.

This paper presents ecient formulas to compute Miller doubling and Miller addition utilizing degree-3 twists on curves with j-invariant 0 written in Hessian form. We give the formulas for both odd and even embedding degrees and for pairings on both $\mathbb{G}_1\times\mathbb{G}_2$ and $\mathbb{G}_2\times\mathbb{G}_1$. We propose the use of embedding degrees 15 and 21 for 128-bit and 192-bit security respectively in light of the NFS attacks and their variants. We give a comprehensive comparison with other curve models; our formulas give the fastest known pairing computation for embedding degrees 15, 21, and 24.

We construct an integer matrices encryption scheme based on binary matrices encryption scheme proposed in [9], and support homomorphic addition and multiplication operations, we prove the correctness and analyze the security. Besides, we implement four encryption schemes in- cluding public-key and symmetric-key binary matrices encryption schemes from [9], and public-key and symmetric-key integer matrices encryption schemes from this work. The experimental results show that the running time of homomorphic multiplycation just costs 0.32sec for 40 times 40 integer matrices, it provides a promising prospect for application. Finally,we apply integer matrices encryption into graph theory to homomorphiclly solve a problem that the number of length-k walks between any two vertices, the algorithm shows the effectiveness.

Cryptocurrencies record transactions between parties in a blockchain maintained by a peer-to-peer network. In most cryptocurrencies, transactions explicitly identify the previous transaction providing the funds they are spending, revealing the amount and sender/recipient pseudonyms. This is a considerable privacy issue. Zerocash resolves this by using zero-knowledge proofs to hide both the source, destination and amount of the transacted funds. To receive payments in Zerocash, how- ever, the recipient must scan the blockchain, testing if each transaction is destined for them. This is not practical for mobile and other bandwidth constrained devices. In this paper, we build ZLiTE, a system that can support the so called "light clients", which can receive transactions aided by a server equipped with a Trusted Execution Environment. Even with the use of a TEE, this is not a trivial problem. First, we must ensure that server processing the blockchain does not leak sensitive information via side channels. Second, we need to design a bandwidth efficient mechanism for the client to keep an up-to-date version of the witness needed in order to spend the funds they previously received.

Profiled side-channel attacks based on deep learning, and more precisely Convolutional Neural Networks, is a paradigm showing significant potential. The results, although scarce for now, suggest that such techniques are even able to break cryptographic implementations protected with countermeasures. In this paper, we start by proposing a new Convolutional Neural Network instance that is able to reach high performance for a number of considered datasets. Additionally, for a dataset protected with the random delay countermeasure, our neural network is able to break the implementation by using only 2 traces in the attack phase. We compare our neural network with the one designed for a particular dataset with masking countermeasure and we show how both are good designs but also how neither can be considered as a superior to the other one. Next, we address how the addition of artificial noise to the input signal can be actually beneficial to the performance of the neural network. Such noise addition is equivalent to the regularization term in the objective function. By using this technique, we are able to improve the number of measurement needed to reveal the secret key by orders of magnitude in certain scenarios for both neural networks. To strengthen our experimental results, we experiment with a number of datasets which differ in the levels of noise (and type of countermeasure) where we show the viability of our approaches.

We explore how to build a blind certificate authority (CA). Unlike conventional CAs, which learn the exact identity of those registering a public key, a blind CA can simultaneously validate an identity and provide a certificate binding a public key to it, without ever learning the identity. Blind CAs would therefore allow bootstrapping truly anonymous systems in which no party ever learns who participates. In this work we focus on constructing blind CAs that can bind an email address to a public key.

To do so, we first introduce secure channel injection (SCI) protocols. These allow one party (in our setting, the blind CA) to insert a private message into another party's encrypted communications. We construct an efficient SCI protocol for communications delivered over TLS, and use it to realize anonymous proofs of account ownership for SMTP servers. Combined with a zero-knowledge certificate signing protocol, we build the first blind CA that allows Alice to obtain a X.509 certificate binding her email address alice@domain.com to a public key of her choosing without ever revealing ``alice'' to the CA. We show experimentally that our system works with standard email server implementations as well as Gmail.

Videos from CHES 2018 are now online at the IACR Youtube channel. See https://www.youtube.com/user/TheIACR

Applications are invited for the post of Professor to join our community and help us lead and develop our research and teaching in the areas of Applied Cybersecurity and/or Security Analytics within our Centre for Secure Information Technologies (www.csit.qub.ac.uk) as we seek to make a positive contribution to the global technical challenges of our age.

Our Centre is host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE: www.ukrise.org) and is recognised by NCSC as an Academic Centre of Excellence (ACE) in Cyber Security Research.

We are after a passionate and motivated academic with leadership experience in the areas of Cloud/Network Security, Hardware/Software Security and/or Security Analytics. We are particularly interested if you have a credible track record of technology transfer and delivering impact from your research. In return, you will have access to outstanding teaching and research facilities and opportunities to work with vibrant engineering and commercial teams to translate your research into impact.

We are seeking candidates with research experience (commensurate with career stage) in one or more of the following areas:

• Cloud/Network Security: security and privacy of cloud computing, application layer DDoS detection/mitigation, Web Application Firewall (WAF), network/cloud intrusion detection/prevention, malware and security models for trusted execution on the cloud.

• Software Security: Security protocol and crypto algorithm implementation, instruction set extensions for crypto, software analysis, and/or software vulnerability detection.

• Hardware Security: Micro-architectural security, SCA, Hardware Trojans, or PUF.

• Security Analytics: AI for Cybersecurity intelligence automation and threat response automation (data-fusion); or AI technologies for cyber-social-physical security. Including deep learning, particularly adversarial, graph mining, and reasoning with uncertainty.

Closing date for applications: 22 November 2018

Contact: Professor Máire O\'Neill, Email: m.oneill (at) ecit.qub.ac.uk

More information: https://hrwebapp.qub.ac.uk/tlive_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=862841AHAI&WVID=6273090Lgx&LANG=USA

Applications are invited for both entry level and senior academic posts to join our community and help us lead and develop our research and teaching in the areas of Applied Cybersecurity and/or Security Analytics within our Centre for Secure Information Technologies (www.csit.qub.ac.uk) as we seek to make a positive contribution to the global technical challenges of our age.

Our Centre is host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE: www.ukrise.org) and is recognised by NCSC as an Academic Centre of Excellence (ACE) in Cyber Security Research.

We are looking for passionate and motivated academics with experience in Cloud/Network Security, Hardware/Software Security and/or Security Analytics. We seek candidates who are interested in delivering impact from their research and have a record of technology transfer appropriate to career stage. In return, you will have access to outstanding teaching and research facilities and opportunities to work with vibrant engineering and commercial teams to translate your research into impact.

More specifically, we are seeking candidates with research experience (commensurate with career stage) in one or more of the following areas:

• Cloud/Network Security: security and privacy of cloud computing, application layer DDoS detection/mitigation, Web Application Firewall (WAF), network/cloud intrusion detection/prevention, malware and security models for trusted execution on the cloud.

• Software Security: Security protocol and crypto algorithm implementation, instruction set extensions for crypto, software analysis, and/or software vulnerability detection.

• Hardware Security: Micro-architectural security, SCA, Hardware Trojans, or PUF.

• Security Analytics: AI for Cybersecurity intelligence automation and threat response automation (data-fusion); or AI technologies for cyber-social-physical security. Including deep learning, particularly adversarial, graph mining, and reasoning with uncertainty.

Closing date for applications: 22 November 2018

Contact: Professor Máire O\'Neill, Email:m.oneill (at) ecit.qub.ac.uk

More information: https://hrwebapp.qub.ac.uk/tlive_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=411772AHKd&WVID=6273090Lgx&LANG=USA

Applications are invited for a Post-Doctoral Research Fellow position to conduct research into the design and implementation of practical, robust and physically secure post-quantum cryptographic architectures. The research will be conducted as part of a collaborative project led by Toshiba Research Europe Limited.

Applicants must have at least a 2:1 Honours Degree in Electrical and Electronics Engineering, Computer Science, Mathematics or closely related discipline and a PhD, or expect, within 6 months, to obtain a PhD, in a relevant subject. At least 3 years relevant research experience in one or more of the following is essential: embedded systems design; FPGA or ASIC hardware design; integrated hardware/software design. Evidence of a strong publication record commensurate with career stage and experience is also essential.

Closing date for applications: 7 November 2018

Contact: Maire O\'Neill

More information: https://www.qub.ac.uk/sites/QUBJobVacancies/ResearchJobs/

The candidate should be interested to conduct research in the area of IoT Based Security Solutions. He/she should have interest and expertise in using various IoT based simulation tools, familiarity with various data analysis and machine learning technology and tools, experience with using virtual machine and cloud computing. The candidate should have excellent communication and writing skills. You would work within a multi-disciplinary team in the Department of Electronics, Computing and Mathematics at the University of Derby with expertise in both the mathematics and computing aspects of this challenge.

Closing date for applications: 18 November 2018

More information: https://www.derby.ac.uk/research/degrees/applicants/studentship-and-funding-opportunities/et-phd-studentship---iot-solut

Recently, Chotard et al. proposed a variant of functional encryption for Inner Product, where several parties can independently encrypt inputs, for a specific time-period or label, such that functional decryption keys exactly reveal the aggregations for the specific functions they are associated with. This was introduced as Multi-Client Functional Encryption (MCFE). In addition, they formalized a Decentralized version (DMCFE), where all the clients must agree and contribute to generate the functional decryption keys: there is no need of central authority anymore, and the key generation process is non-interactive between the clients. Eventually, they designed concrete constructions, for both the centralized and decentralized settings, for the inner-product function family. Unfortunately, there were a few limitations for practical use, in the security model: (1) the clients were assumed not to encrypt two messages under the same label. Then, nothing was known about the security when this restriction was not satisfied; (2) more dramatically, the adversary was assumed to ask for the ciphertexts coming from all the clients or none, for a given label. In case of partial ciphertexts, nothing was known about the security either. In this paper, our contributions are three-fold: we describe two conversions that enhance any MCFE or DMCFE for Inner Product secure in their security model to (1) handle repetitions under the same label and (2) deal with partial ciphertexts. In addition, these conversions can be applied sequentially in any order. The latter conversion exploits a new tool, which we call Secret Sharing Layer (SSL). Eventually, we propose a new efficient technique to generate the functional decryption keys in a decentralized way, in the case of Inner Product, solely relying on plain DDH, as opposed to prior work of Chotard et al. which relies on pairings. As a consequence, from the weak MCFE for Inner Product proposed by Chotard et al., one can obtain an efficient Decentralized MCFE for Inner Product that handles repetitions and partial ciphertexts. Keywords. Functional Encryption, Inner Product, Multi-Client, Decentralized.

The notion of non-interactive secure computation (NISC) first introduced in the work of Ishai et al. [EUROCRYPT 2011] studies the following problem: Suppose a receiver R wishes to publish an encryption of her secret input y so that any sender S with input x can then send a message m that reveals f(x,y) to R (for some function f). Here, m can be viewed as an encryption of f(x,y) that can be decrypted by R. NISC requires security against both malicious senders and receivers, and also requires the receiver's message to be reusable across multiple computations (w.r.t. a fixed input of the receiver).

All previous solutions to this problem necessarily rely upon OT (or specific number-theoretic assumptions) even in the common reference string model or the random oracle model or to achieve weaker notions of security such as super-polynomial-time simulation.

In this work, we construct a NISC protocol based on the minimal assumption of one way functions, in the stateless hardware token model. Our construction achieves UC security and requires a single token sent by the receiver to the sender.

Machine learning and group testing are quite useful methods for many different fields such as finance, banks, biology, medicine, etc. These application domains use quite sensitive data, and huge amounts of data. As a consequence, one would like to be able to both privately and efficiently compute on big data. While fully homomorphic encryption can be seen as a very powerful tool for such a task, it might not be efficient enough, and namely because of the very large ciphertexts. In addition, the result being encrypted, efficient distributed decryption is important to control who can get the information. For our applications, we first remark that 2-DNF formulae evaluation is enough, but efficient multiparty decryption is still required to guarantee privacy. Boneh-Goh-Nissim proposed a nice encryption scheme that supports additions, one multiplication layer, and additions, by using a bilinear map on a composite-order group: this is perfectly suited for 2-DNF formulae evaluation. However, computations on such elliptic curves with composite order turned out to be quite inefficient, and namely when multi-party decryption is required. Fortunately, Freeman proposed a generalization, based on prime-order groups, with the same properties, but better efficiency. Whereas the BGN cryptosystem relies on integer factoring for the trapdoor in the composite-order group, and thus possesses one public/secret key only, our first contribution is to show how the Freeman cryptosystem can handle multiple users with one general setup that just needs to define a pairing-based algebraic structure. Users’ keys are efficient to generate and can also support efficient multi-party decryption, without a trusted server, hence in a fully decentralized setting. Fortunately, it helps to efficiently address some machine learning models and the group testing on encrypted data, without central authority.

In this paper we optimize multiplication of polynomials in $\mathbb{Z}_{2^m}[x]$ on the ARM Cortex-M4 microprocessor. We use these optimized multiplication routines to speed up the NIST post-quantum candidates RLizard, NTRU-HRSS, NTRUEncrypt, Saber, and Kindi. For most of those schemes the only previous implementation that executes on the Cortex-M4 is the reference implementation submitted to NIST; for some of those schemes our optimized software is more than factor of 20 faster. One of the schemes, namely Saber, has been optimized on the Cortex-M4 in a CHES 2018 paper; the multiplication routine for Saber we present here outperforms the multiplication from that paper by 37%, yielding speedups of 17% for key generation, 15% for encapsulation and 18% for decapsulation. Out of the five schemes optimized in this paper, the best performance for encapsulation and decapsulation is achieved by NTRU-HRSS. Specifically, encapsulation takes just over 430 000 cycles, which is more than twice as fast as for any other NIST candidate that has previously been optimized on the ARM Cortex-M4.

Recently there has been a significant progress on the tower number field sieve (TNFS) method, reducing the complexity of the discrete logarithm problem (DLP) in finite field extensions of composite degree. These new variants of the TNFS attacks have a major impact on pairing-based cryptography and particularly on the selection of the underlying elliptic curve groups and extension fields. In this paper we revise the criteria for selecting pairing-friendly elliptic curves considering these new TNFS attacks in finite extensions of composite embedding degree. Additionally we update the criteria for finite extensions of prime degree in order to meet today’s security requirements.

In this paper, we focus on the design of a novel authentication protocol that preserves the privacy of embedded devices. A Physically Unclonable Function (PUF) generates challenge-response pairs that form the source of authenticity between a server and multiple devices. We rely on Authenticated Encryption (AE) for confidentiality, integrity and authenticity of the messages. A challenge updating mechanism combined with an authenticate-before-identify strategy is used to provide privacy. The major advantage of the proposed method is that no shared secrets need to be stored into the device’s non-volatile memory. We design a protocol that supports server authenticity, device authenticity, device privacy, and memory disclosure. Following, we prove that the protocol is secure, and forward and backward privacy-preserving via game transformations. Moreover, a proof of concept is presented that uses a 3-1 Double Arbiter PUF, a concatenation of repetition and BCH error-correcting codes, and the AE-scheme Ketje. We show that our device implementation utilizes 8,305 LUTs on a 28 nm Xilinx Zynq XC7Z020 System on Chip (SoC) and takes only 0.63 ms to perform an authentication operation.

We construct efficient non-malleable codes (NMC) that are (computationally) secure against tampering by functions computable in any fixed polynomial time. Our construction is in the plain (no-CRS) model and requires the assumptions that (1) $\mathbf{E}$ is hard for $\mathbf{NP}$ circuits of some exponential $2^{\beta n}$ ($\beta>0$) size (widely used in the derandomization literature), (2) sub-exponential trapdoor permutations exist, and (3) $\mathbf{P}$ certificates with sub-exponential soundness exist.

While it is impossible to construct NMC secure against arbitrary polynomial-time tampering (Dziembowski, Pietrzak, Wichs, ICS '10), the existence of NMC secure against $O(n^c)$-time tampering functions (for any fixed $c$), was shown (Cheraghchi and Guruswami, ITCS '14) via a probabilistic construction. An explicit construction was given (Faust, Mukherjee, Venturi, Wichs, Eurocrypt '14) assuming an untamperable CRS with length longer than the runtime of the tampering function. In this work, we show that under computational assumptions, we can bypass these limitations. Specifically, under the assumptions listed above, we obtain non-malleable codes in the plain model against $O(n^c)$-time tampering functions (for any fixed $c$), with codeword length independent of the tampering time bound.

Our new construction of NMC draws a connection with non-interactive non-malleable commitments. In fact, we show that in the NMC setting, it suffices to have a much weaker notion called quasi non-malleable commitments---these are non-interactive, non-malleable commitments in the plain model, in which the adversary runs in $O(n^c)$-time, whereas the honest parties may run in longer (polynomial) time. We then construct a 4-tag quasi non-malleable commitment from any sub-exponential OWF and the assumption that $\mathbf{E}$ is hard for some exponential size $\mathbf{NP}$-circuits, and use tag amplification techniques to support an exponential number of tags.

Bilinear pairings on elliptic curves are an active research field in cryptography. First cryptographic protocols based on bilinear pairings were proposed by the year 2000 and they are promising solutions to security concerns in different domains, as in Pervasive Computing and Cloud Computing. The computation of bilinear pairings that relies on arithmetic over finite fields is the most time-consuming in Pairing-based cryptosystems. That has motivated the research on efficient hardware architectures that improve the performance of security protocols. In the literature, several works have focused in the design of custom hardware architectures for pairings, however, flexible designs provide advantages due to the fact that there are several types of pairings and algorithms to compute them. This work presents the design and implementation of a novel programmable cryptoprocessor for computing bilinear pairings over binary fields in FPGAs, which is able to support different pairing algorithms and parameters as the elliptic curve, the tower field and the distortion map. The results show that high flexibility is achieved by the proposed cryptoprocessor at a competitive timing and area usage when it is compared to custom designs for pairings defined over singular/supersingular elliptic curves at a 128-bit security level.