International Association
for Cryptologic Research

This paper presents the results of several successful profiled side-channel attacks against a secure implementation of the RSA algorithm. The implementation was running on a ARM Core SC 100 completed with a certified EAL4+ arithmetic co-processor. The analyses have been conducted by three experts' teams, each working on a specific attack path and exploiting information extracted either from the electromagnetic emanation or from the power consumption. A particular attention is paid to the description of all the steps that are usually followed during a security evaluation by a laboratory, including the acquisitions and the observations pre-processing which are practical issues usually put aside in the literature. Remarkably, the profiling portability issue is also taken into account and different device samples are involved for the profiling and testing phases. Among other aspects, this paper shows the high potential of deep learning attacks against secure implementations of RSA and raises the need for dedicated countermeasures.

Code-based signature has been believed to be a useful authentication tool for post-quantum cryptography. There have been some attempts to construct efficient code-based signatures; however, existing code-based signature schemes suffer from large public-key size, which has affected their applicability. It has been a challenging research task to construct efficient code-based signatures with a shorter public-key size. In this paper, we propose an efficient code-based signature scheme, which offers a short public key size. Our scheme is an analogue to the Schnorr signature where we utilize random rank double circulant codes and matrix-vector product used in the Rank Quasi-Cyclic (RQC) scheme introduced by Melchor et al. (NIST 2017).We provide the security proof of our signature scheme by reducing it to the Rank Quasi-Cyclic Syndrome Decoding (RQCSD) problem. Our work provides an example for the construction of code-based signatures for the applications which require short public keys.

The recent post-quantum cryptography standardization project launched by NIST increased the interest in generic key encapsulation mechanism (KEM) constructions in the quantum random oracle (QROM). Based on a OW-CPA-secure public-key encryption (PKE), Hofheinz, Hövelmanns and Kiltz (TCC 2017) first presented two generic constructions of an IND-CCA-secure KEM with quartic security loss in the QROM, one with implicit rejection (a pseudorandom key is return for an invalid ciphertext) and the other with explicit rejection (an abort symbol is returned for an invalid ciphertext). Both are widely used in the NIST Round-1 KEM submissions and the ones with explicit rejection account for 40%. Recently, the security reductions have been improved to quadratic loss under a standard assumption, and be tight under a nonstandard assumption by Jiang et al. (Crypto 2018) and Saito, Xagawa and Yamakawa (Eurocrypt 2018). However, these improvements only apply to the KEM submissions with implicit rejection and the techniques do not seem to carry over to KEMs with explicit rejection.

In this paper, we provide three generic constructions of an IND-CCA-secure KEM with explicit rejection, under the same assumptions and with the same tightness in the security reductions as the aforementioned KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018). Specifically, we develop a novel approach to verify the validity of a ciphertext in the QROM and use it to extend the proof techniques for KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018) to our KEM constructions with explicit rejection. Moreover, using an improved version of one-way to hiding lemma by Ambainis, Hamburg and Unruh (ePrint 2018/904), for two of our constructions, we present tighter reductions to the standard IND-CPA assumption. Our results directly apply to 9 KEM submissions with explicit rejection, and provide tighter reductions than previously known (TCC 2017).

There only exists one deterministic identity-based encryption (DIBE) scheme which is adaptively secure in the auxiliary-input setting, under the learning with errors (LWE) assumption. However, the master public key consists of $\mathcal{O}(\lambda)$ basic matrices. In this paper, we consider to construct adaptively secure DIBE schemes with more compact public parameters from the LWE problem. On the one hand, we gave a generic DIBE construction from lattice-based programmable hash functions with high min-entropy. On the other hand, when instantiating our generic DIBE construction with four LPHFs with high min-entropy, we can get four adaptively secure DIBE schemes with more compact public parameters. In one of our DIBE schemes, the master public key only consists of $\omega(\log \lambda)$ basic matrices.

Dodis and Yu (TCC 2013) studied how the security of cryptographic primitives that are secure in the "ideal" model in which the distribution of a randomness is the uniform distribution, is degraded when the ideal distribution of a randomness is switched to a "real-world" (possibly biased) distribution that has some lowerbound on its min-entropy or collision-entropy. However, in many constructions, their security is guaranteed only when a randomness is sampled from some non-uniform distribution (such as Gaussian in lattice-based cryptography), in which case we cannot directly apply the results by Dodis and Yu.

In this paper, we generalize the results by Dodis and Yu using the Rényi divergence, and show how the security of a cryptographic primitive whose security is guaranteed when the ideal distribution of a randomness is a general (possibly non-uniform) distribution $Q$, is degraded when the distribution is switched to another (real-world) distribution $R$. More specifically, we derive two general inequalities regarding the Rényi divergence of $R$ from $Q$ and an adversary's advantage against the security of a cryptographic primitive. As applications of our results, we show (1) an improved reduction for switching the distributions of distinguishing problems with public samplability, which is simpler and much tighter than the reduction by Bai et al. (ASIACRYPT 2015), and (2) how the differential privacy of a mechanism is degraded when its randomness comes from not an ideal distribution $Q$ but a real-world distribution $R$. Finally, we show methods for approximate-sampling from an arbitrary distribution $Q$ with some guaranteed upperbound on the Rényi divergence (of the distribution $R$ of our sampling methods from $Q$).

The automatic search method based on Mix-integer Linear Programming (MILP) is one of the most common tools to search the distinguishers of block ciphers. For differential analysis, the byte-oriented MILP model is usually used to count the number of differential active s-boxes and the bit-oriented MILP model is used to search the optimal differential characteristic. In this paper, we present the influences between the construction and solution of MILP models solved by Gurobi : 1). the number of variables; 2). the number of constraints; 3). the order of the constraints; 4). the order of variables in constraints. We carefully construct the MILP models according to these influences in order to find the desired results in a reasonable time. As applications, we search the differential characteristic of PRESENT,GIFT-64 and GIFT-128 in the single-key setting. We do a dual processing for the constraints of the s-box. It only takes 298 seconds to finish the search of the 8-round optimal differential characteristic based on the new MILP model. We also obtain the optimal differential characteristic of the 9/10/11-round PRESENT. With a special initial constraint, it only takes 4 seconds to obtain a 9-round differential characteristic with probability $2^{-42}$. We also get a 12/13-round differential characteristic with probability $2^{-58}/2^{-62}$. For GIFT-128, we improve the probability of differential characteristic of $9 \sim 21$ rounds and give the first attack on 26-round GIFT-128 based on a 20-round differential characteristic with probability $2^{-121.415}$.

Oblivious RAM (ORAM) is a cryptographic primitive that allows a client to securely execute RAM programs over data that is stored in an untrusted server. Distributed Oblivious RAM is a variant of ORAM, where the data is stored in $m>1$ servers. Extensive research over the last few decades have succeeded to reduce the bandwidth overhead of ORAM schemes, both in the single-server and the multi-server setting, from $O(\sqrt{N})$ to $O(1)$. However, all known protocols that achieve a sub-logarithmic overhead either require heavy server-side computation (e.g. homomorphic encryption), or a large block size of at least $\Omega(\log^3 N)$.

In this paper, we present a family of distributed ORAM constructions that follow the hierarchical approach of Goldreich and Ostrovsky [GO96]. We enhance known techniques, and develop new ones, to take better advantage of the existence of multiple servers. By plugging efficient known hashing schemes in our constructions, we get the following results:

1. For any number $m\geq 2$ of servers, we show an $m$-server ORAM scheme with $O(\log N/\log\log N)$ overhead, and block size $\Omega(\log^2 N)$. This scheme is private even against an $(m-1)$-server collusion. 2. A three-server ORAM construction with $O(\omega(1)\cdot\log N/\log\log N)$ overhead and a block size almost logarithmic, i.e. $\Omega(\log^{1+\epsilon}N)$.

We also investigate a model where the servers are allowed to perform a linear amount of light local computations, and show that constant overhead is achievable in this model, through a simple four-server ORAM protocol. From theoretical viewpoint, this is the first ORAM scheme with asymptotic constant overhead, and polylogarithmic block size, that does not use homomorphic encryption. Practically speaking, although we do not provide an implementation of the suggested construction, evidence from related work (e.g. [DS17]) confirms that despite the linear computational overhead, our construction is practical, in particular when applied to secure computation.

Experts forecast that quantum computers can break classical cryptographic algorithms. Scientists are developing post quantum cryptographic (PQC) algorithms, that are invulnerable to quantum computer attacks. The National Institute of Standards and Technology (NIST) started a public evaluation process to standardize quantum-resistant public key algorithms. The objective of our study is to provide a hardware comparison of the NIST PQC competition candidates. For this, we use a High-Level Synthesis (HLS) hardware design methodology to map high-level C specifications of selected PQC candidates into both FPGA and ASIC implementations.

We introduce a new technique for compressing the public keys of the UOV signature scheme that makes use of block-anti-circulant matrices. These matrices admit a compact representation as for every block, the remaining elements can be inferred from the first row. This space saving translates to the public key, which as a result of this technique can be shrunk by a small integer factor. We propose parameters sets that take into account several important attacks.

We propose new constructions of leakage-resilient public-key encryption (PKE) and identity-based encryption (IBE) schemes in the bounded retrieval model (BRM). In the BRM, adversaries are allowed to obtain at most $\ell$-bit leakage from a secret key and we can increase $\ell$ only by increasing the size of secret keys without losing efficiency in any other performance measure. We call $\ell/|\textsf{sk}|$ leakage-ratio where $|\textsf{sk}|$ denotes a bit-length of a secret key. Several PKE/IBE schemes in the BRM are known. However, none of these constructions achieve a constant leakage-ratio under a standard assumption in the standard model. Our PKE/IBE schemes are the first schemes in the BRM that achieve leakage-ratio $1-\epsilon$ for any constant $\epsilon>0$ under standard assumptions in the standard model. As previous works, we use identity-based hash proof systems (IB-HPS) to construct IBE schemes in the BRM. It is known that a parameter for IB-HPS called the universality-ratio is translated into the leakage-ratio of the resulting IBE scheme in the BRM. We construct an IB-HPS with universality-ratio $1-\epsilon$ for any constant $\epsilon>0$ based on any inner-product predicate encryption (IPE) scheme with compact secret keys. Such IPE schemes exist under the $d$-linear, subgroup decision, learning with errors, or computational bilinear Diffie-Hellman assumptions. As a result, we obtain IBE schemes in the BRM with leakage-ratio $1-\epsilon$ under any of these assumptions. Our PKE schemes are immediately obtained from our IBE schemes.

TOHA is Key Hardened Function designed in the general spirit of sequential memory- hard function which based on secure cryptographic hash function, the idea behind its design is to make it harder for an attacker to perform some generic attacks and to make it costly as well, TOHA can be used for deriving keys from a master password or generating keys with length of 256-bit to be used in other algorithm schemes, general approach is to use a password and a salt like a normal scheme plus other parameters, and you can think of the salt as an index into a large set of keys derived from the same password, and of course you don’t need to hide the salt to operate.

We propose a simple and general framework for constructing oblivious transfer (OT) protocols that are \emph{efficient}, \emph{universally composable}, and \emph{generally realizable} from a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity assumption, and \emph{worst-case} lattice assumptions.

Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions. Furthermore, the protocols can provide \emph{statistical} security to either the sender or receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common \emph{random} string suffices.

Our key technical contribution is a simple abstraction that we call a \emph{dual-mode} cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call ``messy'' public keys, whose defining property is that a ciphertext encrypted under such a key carries \emph{no information} (statistically) about the encrypted message.

As a contribution of independent interest, we also provide a multi-bit version of Regev's lattice-based cryptosystem (STOC 2005) whose time and space efficiency are improved by a linear factor in the security parameter $n$. The amortized encryption and decryption time is only $\tilde{O}(n)$ bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.

We are looking for PhD interns with interest on blockchain and PKC. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou . Only short-listed candidates will be contacted for interview.

Closing date for applications: 31 March 2019

Contact: Prof. Jianying Zhou

More information: http://jianying.space/

Event date: 5 June to 7 June 2019
Submission deadline: 30 March 2019
Notification: 30 April 2019

Event date: 16 June 2019
Submission deadline: 1 March 2019
Notification: 1 April 2019

Event date: 23 September to 27 September 2019
Submission deadline: 22 April 2019
Notification: 21 June 2019

PhD and Postdoc positions are available in the new research group in Applied Cryptography being set up by Kenny Paterson in the Department of Computer Science at ETH Zurich, Switzerland.

Candidates for PhD positions should already have, or be near to completing, a Masters in Computer Science and/or Mathematics. They should have a demonstrable interest in Applied Cryptography.

Candidates for Postdoc positions should additionally be able to demonstrate creativity, independence and excellence in Applied Cryptography research. Applications from people with interests in all areas of the field are welcome.

Positions are available from Spring 2019. The selection process will run until suitable candidates have been found.

Initial enquiries should be sent by email, with subject line *Application for Postdoc* or *Application for PhD*, and addressed directly to Prof. Kenny Paterson.

Closing date for applications: 1 December 2019

Contact: Kenny Paterson - kenny.paterson (at) inf.ethz.ch

More information: https://www.inf.ethz.ch/

The Department of Computer Science at the University of Hong Kong is looking for Postdoc Research Fellow/Research Assistants. He/she should possess experience or interest in at least some of the following research areas:

• Public Key Cryptography

• Privacy-enhancing technologies

• Blockchain security and privacy

• Applied cryptography, especially in the area of Fintech

Job requirements:

• Strong publication record in cryptography and cyber security area

• Good communication skills, self-motivated and good team players

• Some experience in programming is a plus

The funding is available for one year with a flexible starting date, a very competitive salary and a possibility of extension upon successful performance. Doing research in Hong Kong, an international financial center, allows you to have more collaboration opportunities with the industry and to apply your knowledge in the real world.

To apply for the above position, please send a copy of your recent CV to “thyuen at cs dot hku dot hk” with an email subject “Application for PDF/RA”.

Closing date for applications: 30 June 2019

Contact: Name: John Yuen

Email: thyuen at cs dot hku dot hk

The Coding Theory and Cryptology (CC) group of the Discrete Mathematics (DM) section of the Department of Mathematics and Computer Science (M&CS) at Eindhoven University of Technology (TU/e) intends to fill a full-time position for a (tenure-track) assistant professor in Coding Theory.

Closing date for applications: 14 March 2019

Contact: Tanja Lange, TU/e, t.lange (at) tue.nl

More information: https://jobs.tue.nl/en/vacancy/tt-assistant-professor-coding-theory-449061.html

The symmetric crypto group at the Ruhr University Bochum is looking for Ph.D. students and postdoctoral researchers in the area of symmetric crypto.

The group is part of the Horst Görtz Institute for IT Security. It is regarded as one of the top research institutions, has Europe\'s largest IT security training programs, maintains extensive networks with the scientific communication and industry, and has produced numerous successful cyber security start-ups. This outstanding environment offers excellent working conditions in an extremely topical and exciting field.

The symmetric crypto group is looking for excellent M.Sc. graduates with outstanding grades and degrees in computer science, mathematics, or related disciplines.

In addition, we are looking for outstanding postdoctoral candidates with a strong track record in symmetric cryptography.

We offer three-year positions for M.Sc. graduates. Postdoctoral positions are limited to two years. The salary will be according to the remuneration group E 13 TV-L (full-time).

Are you interested?

Please send your complete application documents in one single pdf file (max. 10 MB) by January 31, 2019 to: gregor.leander (at) rub.de

Required documents are:

- Letter of motivation

- Curriculum vitae,

- Master\'s certificate,

- Doctoral certificate, if applicable.

At Ruhr University Bochum, we seek to promote the careers of women particularly in those areas in which they are underrepresented, and we are therefore particularly pleased to receive applications from female candidates. Applications by suitable candidates with severe disabilities and other applicants with equal legal status are likewise most welcome.

Closing date for applications: 31 January 2019