International Association
for Cryptologic Research

MDS matrices are important building blocks providing diffusion functionality for the design of many symmetric-key primitives. In recent years, continuous efforts are made on the construction of MDS matrices with small area footprints in the context of lightweight cryptography. Just recently, Duval and Leurent (ToSC 2018/FSE 2019) reported some $32 \times 32$ binary MDS matrices with branch number 5, which can be implemented with only 67 XOR gates, whereas the previously known lightest ones of the same size cost 72 XOR gates. In this article, we focus on the construction of lightweight {\it involutory} MDS matrices, which are even more desirable than ordinary MDS matrices, since the same circuit can be reused when the inverse is required. In particular, we identify some involutory MDS matrices which can be realized with only 78 XOR gates with depth 4, whereas the previously known lightest involutory MDS matrices cost 84 XOR gates with the same depth. Notably, the involutory MDS matrix we find is much smaller than the AES MixColumns operation, which requires 97 XOR gates with depth 8 when implemented as a block of combinatorial logic that can be computed in one clock cycle. However, with respect to latency, the AES MixColumns operation is superior to our 78-XOR involutory matrices, since the AES MixColumns can be implemented with depth 3 by using more XOR gates. We prove that the depth of a $32\times 32$ MDS matrix with branch number 5 ({e.g.}, the AES MixColumns operation) is at least 3. Then, we enhance Boyar's SLP-heuristic algorithm with circuit depth awareness, such that the depth of its output circuit is limited. Along the way, we give a formula for computing the minimum achievable depth of a circuit implementing the summation of a set of signals with given depths, which is of independent interest. We apply the new SLP heuristic to a large set of lightweight involutory MDS matrices, and we identify a depth 3 involutory MDS matrix whose implementation costs 88 \XOR gates, which is superior to the AES MixColumns operation with respect to both lightweightness and latency, and enjoys the extra involution property.

After two decades of research on signcryption, recently a new cryptographic primitive, named higncryption, was proposed at ACM CCS'16. Higncryption can be viewed as privacy-enhanced signcryption, which integrates public key encryption, digital signature and identity concealment (which is not achieved in signcryption) into a monolithic primitive. Here, identity concealment means that the transcript of protocol run should not leak participants' identity information.

In this work, we propose the first identity-based higncryption(IBHigncryption, for short). We present formal security model for IBHigncryption, under which security proof of the proposed scheme is conducted. The most impressive feature of IBHigncryption, besides other desirable properties it offers, is its simplicity and efficiency, which might be somewhat surprising in retrospect. Our IBHigncryption has a much simpler setup stage with smaller public parameters and particularly no need of computing master public key. It is essentially as efficient as (if not more than) the fundamental CCA-secure Boneh-Franklin identity-based encryption scheme, and has significant efficiency advantage over the IEEE 1363.3 standard of identity-based signcryption.

We revisit the concept of *non-malleable* secret sharing (Goyal and Kumar, STOC 2018) in the computational setting. In particular, under the assumption of one-to-one one-way functions, we exhibit a *computationally* private, *threshold* secret sharing scheme satisfying all of the following properties.

-) Continuous non-malleability: No computationally-bounded adversary tampering independently with all the shares can produce mauled shares that reconstruct to a value related to the original secret. This holds even in case the adversary can tamper *continuously*, for an *unbounded* polynomial number of times, with the same target secret sharing, where the next sequence of tampering functions, as well as the subset of shares used for reconstruction, can be chosen *adaptively* based on the outcome of previous reconstructions. -) Resilience to noisy leakage: Non-malleability holds even if the adversary can additionally leak information independently from all the shares. There is no bound on the length of leaked information, as long as the overall leakage does not decrease the min-entropy of each share by too much. -) Improved rate: The information rate of our final scheme, defined as the ratio between the size of the message and the maximal size of a share, asymptotically approaches 1 when the message length goes to infinity.

Previous constructions achieved information-theoretic security, sometimes even for arbitrary access structures, at the price of *at least one* of the following limitations: (i) Non-malleability only holds against one-time tampering attacks; (ii) Non-malleability holds against a bounded number of tampering attacks, but both the choice of the tampering functions and of the sets used for reconstruction is non-adaptive; (iii) Information rate asymptotically approaching zero; (iv) No security guarantee in the presence of leakage.

Migration of security applications to the cloud poses unique challenges in key management and protection: asymmetric keys which would previously have resided in tamper-resistant, on-premise Hardware Security Modules (HSM) now must either continue to reside in non-cloud HSMs (with attendant communication and integration issues) or must be removed from HSMs and exposed to cloud-based threats beyond an organization's control, e.g. accidental loss, warranted seizure, theft etc.

Threshold schemes offer a halfway house between traditional HSM-based key protection and native cloud-based usage. Threshold signature schemes allow a set of actors to share a common public key, generate fragments of the private key and to collaboratively sign messages, such that as long as a sufficient quorum of actors sign a message, the partial signatures can be combined into a valid signature.

However, threshold schemes, while being a mature idea, suffer from large protocol transcripts and complex communication-based requirements. This consequently makes it a more difficult task for a user to verify that a public key is, in fact, a genuine product of the protocol and that the protocol has been executed validly. In this work, we propose a solution to these auditability and verication problems, reporting on a prototype cloud-based implementation of a threshold RSA key generation and signing system tightly integrated with modern distributed ledger and consensus techniques.

Event date: 4 June to 6 June 2019
Submission deadline: 15 February 2019
Notification: 15 March 2019

We introduce models of computation that enable direct comparisons between classical and quantum algorithms. Incorporating previous work on quantum computation and error correction, we justify the use of the gate-count and depth-times-width cost metrics for quantum circuits. We demonstrate the relevance of these models to cryptanalysis by revisiting, and increasing, the security estimates for the Supersingular Isogeny Diffie--Hellman (SIDH) and Supersingular Isogeny Key Encapsulation (SIKE) schemes. Our models, analyses, and physical justifications have applications to a number of memory intensive quantum algorithms.

The Security & Privacy group at TU Wien (https://secpriv.tuwien.ac.at) in Vienna, Austria, is currently looking for outstanding PhD students in the area of applied security. The successful applicant should have recently completed (or is close to complete) a Master or Bachelor with Honors degree, and should have a strong background and interest in at least one of the following areas:

• systems security and privacy

• distributed systems

• malware and mobile app analysis

Research topics may cover (but are not limited to):

• detection and prevention of novel attacks against smartphones and users’ privacy

• large-scale static and dynamic analysis of mobile apps

For our previous research in this area see https://martina.lindorfer.in.

The employment is a full-time position (40 hrs/week) with an internationally competitive salary. The working language is English, knowledge of German is not required.

Interested candidates should provide:

• a motivation letter

• a transcript of records

• a curriculum vitae

• a publication list (if applicable)

• contact information for two referees

TU Wien offers an outstanding research environment and numerous professional development opportunities. The Faculty of Informatics is the largest of its kind in Austria and is consistently ranked among the best in Europe. The city of Vienna features a vibrant and excellence-driven research landscape. The candidate will have the opportunity to collaborate with several other leading research institutes (e.g., IST, AIT, SBA Research, ABC). Finally, Vienna has been consistently ranked by Mercer over the last years as the best city for quality of life worldwide.

Review of expressions of interest will start immediately and continue until the position is filled.

Closing date for applications: 31 March 2019

Contact: Martina Lindorfer (martina.lindorfer (at) tuwien.ac.at)

More information: https://secpriv.tuwien.ac.at/thesis_and_job_opportunities

From 2019 on, the DFG (German Research Foundation) will establish the Cluster of Excellence 2092 \"CASA - Cyber Security in the Age of Large-Scale Adversaries\" at Ruhr-Universität Bochum. With the support of approximately 30 million euros over the funding period 2019 - 2025, Bochum will become one of the leading international locations for IT security. The cluster pursues the goal of enabling sustainable security against large-scale adversaries, in particular nation-state attackers. The research is characterized by a strongly interdisciplinary approach which, in addition to technical questions, also investigates the interaction of human behavior and IT security. Researchers from the fields of computer science, cryptography, electrical engineering, mathematics and psychology work together in a constellation that is unique in Europe. This unparalleled holistic approach of CASA holds the potential for scientific breakthroughs. CASA is based at the Horst Görtz Institute for IT Security, one of the top research institutions, which has Europe\'s largest IT security training programs, maintains extensive networks with the scientific communication and industry, and has produced numerous successful cyber security start-ups. The Max Planck Society plans to establish the \"Max Planck Institute for Cyber Security and Protection of Privacy \" in the immediate vicinity of the cluster with a particularly stimulating effect on the CASA research. This environment offers excellent working conditions in an extremely topical and exciting field. In addition, CASA offers a friendly working atmosphere in a young and internationally highly respected research institution. We are looking for excellent M.Sc. graduates with outstanding grades and degrees in computer science, electrical engineering, mathematics and psychology (preferably with a relationship to technology) or related disciplines. In addition, we are looking for outstanding postdoctoral candidates from these fields.

Closing date for applications: 28 February 2019

Contact: Dr. Patrick Schulte

RUHR-UNIVERSITÄT BOCHUM

Exzellenzcluster CASA / Horst Görtz Institut für IT-Sicherheit

Geschäftsführer / General Manager

ID 2 / 142

Universitätsstr. 150

44780 Bochum, Germany

Tel: +49-(0)234-32-27722

Email: patrick.schulte (at) rub.de

More information: https://twitter.com/HGI_Bochum/status/1087703387343331329

The newly founded chair of IT Security at Brandenburg University of Technology (BTU) in Cottbus (just one hour drive away from Berlin and Dresden) conducts teaching and research in the field of IT security with a strong focus on network security and online privacy. In the field of teaching, our area of specialization is to educate qualified IT security professionals who are able to meet the growing demands of IT security in diverse areas of society. To strengthen our team, we are currently seeking a highly motivated Junior Researcher (PhD candidate). It is fully funded position according to E 13 TV-L scale and is limited to 5 years. Applicants need to have an outstanding Masters degree in Computer Science or related discipline.

Closing date for applications: 14 February 2019

Contact: Professor Dr.-Ing. Andriy Panchenko

Tel.: +49 355 69 2236

itsec-jobs.informatik@lists.b-tu.de

More information: https://www.informatik.tu-cottbus.de/~andriy/phd-ad-btu_en.pdf

The researchers will work on a project entitled Lightweight Cryptography for Future Smart Networks funded by the Norwegian Research Council. This project will address the challenge of securing the next generation of communications infrastructure against digital vulnerabilities. It will develop new primitives and protocols for lightweight cryptography fitting the needs of the two critical and strongly related future network architectures, IoT and 5G. The research will give advanced knowledge in cryptographic theory, provide new primitives and protocols for the needs of the emerging networks, and demonstrate that the new security schemes are practical.

Closing date for applications: 1 March 2019

Contact: Colin Boyd: colin.boyd (at) ntnu.no or Danilo Gligoroski: danilo.gligoroski (at) ntnu.no or Stig Frode Mjølsnes: stig.mjolsnes (at) ntnu.no

More information: https://www.jobbnorge.no/en/available-jobs/job/163765/

Event date: 5 December to 7 December 2019
Submission deadline: 1 May 2019
Notification: 31 July 2019

Event date: 16 September to 18 September 2019
Submission deadline: 28 June 2019
Notification: 31 July 2019

The wide deployment of tokens for digital assets on top of Ethereum implies the need for powerful trading platforms. Vickrey auctions have been known to determine the real market price of items as bidders are motivated to submit their own monetary valuations without leaking their information to the competitors. Recent constructions have utilized various cryptographic protocols such as ZKP and MPC, however, these approaches either are partially privacy-preserving or require complex computations with several rounds. In this paper, we overcome these limits by presenting Trustee as a Vickrey auction on Ethereum which fully preserves bids' privacy at a relatively much lower fees. Trustee consists of three components: a front-end smart contract deployed on Ethereum, an Intel SGX enclave, and a relay to redirect messages between them. Initially, the enclave generates an Ethereum account and ECDH key-pair. Subsequently, the relay publishes the account's address and ECDH public key on the smart contract. As a prerequisite, bidders are encouraged to verify the authenticity and security of Trustee by using the SGX remote attestation service. To participate in the auction, bidders utilize the ECDH public key to encrypt their bids and submit them to the smart contract. Once the bidding interval is closed, the relay retrieves the encrypted bids and feeds them to the enclave that autonomously generates a signed transaction indicating the auction winner. Finally, the relay submits the transaction to the smart contract which verifies the transaction's authenticity and the parameters' consistency before accepting the claimed auction winner. As part of our contributions, we have made a prototype for Trustee available on Github for the community to review and inspect it. Additionally, we analyze the security features of Trustee and report on the transactions' gas cost incurred on Trustee smart contract.

Background Privacy-preserving computations on genomic data, and more generally on medical data, is a critical path technology for innovative, life-saving research to positively and equally impact the global population. It enables medical research algorithms to be securely deployed in the cloud because operations on encrypted genomic databases are conducted without revealing any individual genomes. Methods for secure computation have shown significant performance improvements over the last several years. However, it is still challenging to apply them on large biomedical datasets.

Methods The HE Track of iDash 2018 competition focused on solving an important problem in practical machine learning scenarios, where a data analyst that has trained a regression model (both linear and logistic) with a certain set of features, attempts to find all features in an encrypted database that will improve the quality of the model. Our solution is based on the hybrid framework Chimera that allows for switching between different families of fully homomorphic schemes, namely TFHE and HEAAN.

Results Our solution is one of the finalist of Track 2 of iDash 2018 competition. Among the submitted solutions, ours is the only bootstrapped approach that can be applied for different sets of parameters without re-encrypting the genomic database, making it practical for real-world applications.

Conclusions This is the first step towards the more general feature selection problem across large encrypted databases.

We perform correlation power analysis on ideal-lattice-based cryptosystems featuring product scanning, for example the reference implementation of NTRU Prime, a Round 2 candidate in the NIST PQC Competition. We also discuss three corresponding countermeasures in detail. The proposed approach achieves full private-key recovery in a highly efficient way with few traces. For each defensive strategy, its effectiveness is validated, and its side-channel resistance is evaluated by the TVLA general tests. The correlation power analysis exploits the vulnerabilities in product-scanning-based polynomial multiplications. The statistical analysis program in C++ takes time linear in the input size on average and practically less than 8 seconds on an ordinary laptop to reveal all the coefficients of each private-key polynomial. The three countermeasures together demonstrate the tradeoff between security and performance. The predictions about their effectiveness, performance, and side-channel resistance are supported by the correlation power analysis and the TVLA general tests based on thousands of traces.

Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptocurrencies and other applications. In many systems each client downloads and verifies every new proof, and so proofs must be small and cheap to verify. The most practical schemes require either a trusted setup, as in (pre-processing) zk-SNARKs, or verification complexity that scales linearly with the complexity of the relation, as in Bulletproofs. The structured reference strings required by most zk-SNARK schemes can be constructed with multi-party computation protocols, but the resulting parameters are specific to an individual relation. Groth et al. discovered a zk-SNARK protocol with a universal and updateable structured reference string, however the string scales quadratically in the size of the supported relations.

Here we describe a zero-knowledge SNARK, Sonic, which supports a universal and continually updateable structured reference string that scales linearly in size. Sonic proofs are constant size, and in the batch verification context the marginal cost of verification is comparable with the most efficient SNARKs in the literature. We also describe a generally useful technique in which untrusted ``helpers'' can compute advice which allows batches of proofs to be verified more efficiently.

In this work, we propose the first post-quantum UC-commitment scheme in the Global Random Oracle Model, where only one non-programmable random oracle is available. The security of our proposal is based on two well-established post-quantum hardness assumptions from coding theory: The Syndrome Decoding and the Goppa Distinguisher. We prove that our proposal is perfectly hiding and computationally binding. The scheme is secure against static malicious adversaries.

Division property is a new cryptanalysis method introduced by Todo at Eurocrypt'15 that proves to be very efficient on block ciphers and stream ciphers. It can be viewed as a generalization or a more precise version of integral cryptanalysis, that allows to take into account bit properties. However, it is very cumbersome to study the propagation of a given division property through the layers of a block cipher. Fortunately, computer-aided techniques can be used to this end and many new results have been found. Nonetheless, we claim that the previous techniques do not consider the full search space. Indeed, we show that even if the previous techniques fail to find a distinguisher based on the division property over a given function $E$, we can find a distinguisher over a linearly equivalent function, \ie over $L_{out} \circ E \circ L_{in}$ with $L_{out}$ and $L_{in}$ being linear mappings, and such distinguisher is still relevant. We first show that the representation of the block cipher heavily influences the propagation of the division property, and exploiting this, we give an algorithm to efficiently search for such linear mappings $L_{out}$ and $L_{in}$. As a result, we are able to exhibit a new distinguisher over 10 rounds of RECTANGLE, while the previous best known distinguisher was over 9 rounds. Our algorithm also allows us to rule out such distinguisher over strictly more than 9 rounds of PRESENT, which is the highest known number of rounds on which we can build an integral distinguisher. Finally, we also give some insight about the construction of an S-box to strengthen a block cipher against our technique. As such, we exhibit some variant of RECTANGLE and PRESENT, on which we improve the maximum number of rounds we can distinguish by two.

Ever since the first candidate white-box implementations by Chow et al. in 2002, producing a secure white-box implementation of AES has remained an enduring challenge. Following the footsteps of the original proposal by Chow et al., other constructions were later built around the same framework. In this framework, the round function of the cipher is "encoded" by composing it with non-linear and affine layers known as encodings. However, all such attempts were broken by a series of increasingly efficient attacks that are able to peel off these encodings, eventually uncovering the underlying round function, and with it the secret key.

These attacks, however, were generally ad-hoc and did not enjoy a wide applicability. As our main contribution, we propose a generic and efficient algorithm to recover affine encodings, for any Substitution-Permutation-Network (SPN) cipher, such as AES, and any form of affine encoding. For AES parameters, namely 128-bit blocks split into 16 parallel 8-bit S-boxes, affine encodings are recovered with a time complexity estimated at $2^{32}$ basic operations, independently of how the encodings are built.

This algorithm is directly applicable to a large class of schemes. We illustrate this on a recent proposal due to Baek, Cheon and Hong, which was not previously analyzed. While Baek et al. evaluate the security of their scheme to 110 bits, a direct application of our generic algorithm is able to break the scheme with an estimated time complexity of only $2^{35}$ basic operations.

As a second contribution, we show a different approach to cryptanalyzing the Baek et al. scheme, which reduces the analysis to a standalone combinatorial problem, ultimately achieving key recovery in time complexity $2^{31}$. We also provide an implementation of the attack, which is able to recover the secret key in about 12 seconds on a standard desktop computer.

Differential attacks are one of the main ways to attack block ciphers. Hence, we need to evaluate the security of a given block cipher against these attacks. One way to do so is to determine the minimal number of active S-boxes, and use this number along with the maximal differential probability of the S-box to determine the minimal probability of any differential characteristic. Thus, if one wants to build a new block cipher, one should try to maximize the minimal number of active S-boxes. On the other hand, the related-key security model is now quite important, hence, we also need to study the security of block ciphers in this model.

In this work, we search how one could design a key schedule to maximize the number of active S-boxes in the related-key model. However, we also want this key schedule to be efficient, and therefore choose to only consider permutations. Our target is AES, and along with a few generic results about the best reachable bounds, we found a permutation to replace the original key schedule that reaches a minimal number of active S-boxes of 20 over 6 rounds, while no differential characteristic with a probability larger than $2^{-128}$ exists. We also describe an algorithm which helped us to show that there is no permutation that can reach 18 or more active S-boxes in 5 rounds. Finally, we give several pairs $(P_s, P_k)$, replacing respectively the ShiftRows operation and the key schedule of the AES, reaching a minimum of 21 active S-boxes over 6 rounds, while again, there is no differential characteristic with a probability larger than $2^{-128}$.