International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

19 February 2019

McLean, VA, USA, 25 September - 27 September 2019
Event Calendar
Event date: 25 September to 27 September 2019
Submission deadline: 8 April 2019
Notification: 10 June 2019
NEW YORK, United States, 31 May - 2 June 2019
Event Calendar
Event date: 31 May to 2 June 2019
Submission deadline: 1 April 2019
Notification: 22 April 2019

17 February 2019

University of Bergen, Bergen
Job Posting
There is a vacancy for a Ph.D. position in cryptography and data security at the Secure and Reliable Communication group (https://www.uib.no/rg/selmer) in the Department of Informatics, University of Bergen. The position is for a fixed-term period of 3 years with the possibility of a 4th year, consisting of 25 % compulsory work (e.g. teaching responsibilities at the department) distributed across the employment period.

We are particularly interested in applicants who are highly motivated to contribute to cryptographic privacy-enhancing technologies, blockchain technology, lattice/code-based cryptography, and coding theory.

We can offer:

  • a good and professionally challenging working environment
  • salary at pay grade 51 (Code 1017/Pay range 20, alternative 9) in the state salary scale. This constitutes a gross annual salary of NOK 449 400. Further promotions are made according to the length of service in the position.
  • enrolment in the Norwegian Public Service Pension Fund
  • Good welfare benefits (https://www.uib.no/en/foremployees/30808/welfare)

Closing date for applications: 10 March 2019

Contact: Chunlei Li (chunlei.li (at) uib.no)

More information: https://www.jobbnorge.no/en/available-jobs/job/165213/phd-position-in-cryptography-and-data-security

CISPA Helmholtz Center for Information Security
Job Posting
Dr. Yang Zhang at CISPA Helmholtz Center for Information Security is looking for multiple fully-funded Ph.D. students working on machine learning security and privacy and biomedical privacy.

Yang (https://yangzhangalmo.github.io/) is a research group leader at CISPA Helmholtz Center for Information Security. Previously, he was a postdoc working with Michael Backes at CISPA from January 2017 to December 2018. CISPA, located in Saarbruecken, Germany, is the newest member of the Helmholtz Association, the largest scientific organization in Germany, which is fully committed to scientific excellence and to tackling the grand research challenges in its respective fields. CISPA, the first investment of Helmholtz in computer science, is one of the top research centers in information security and is consistently ranked in the top 3 in the field worldwide; see csrankings.org.

Requirements:

  • A bachelor/master degree in Computer Science, Information Security, Mathematics with excellent grades
  • Excellent programming skills
  • Excellent English
  • Good knowledge about machine learning

What we offer:

  • Full-time working contract (E13 level salary)
  • Excellent research environment
  • Strong supervision

To apply, please send your CV to yang.zhang (at) cispa.saarland

Closing date for applications: 1 June 2019

Contact: Yang Zhang, research group leader, yang.zhang (at) cispa.saarland

Royal Holloway University of London
Job Posting
The Information Security Group at Royal Holloway University of London is seeking to recruit a postdoctoral research assistant (PDRA) to work in the area of cryptography. The position is available for immediate start, for up to 26 months (until 31 March 2021).

The PDRA will work alongside Prof. Carlos Cid, Dr. Martin Albrecht and other cryptographic researchers at Royal Holloway on topics connected to the design and analysis of cryptographic key exchange protocols that support incorporating key material from diverse sources. This post is part of the AQuaSec project, an Innovate UK-funded research project with 17 partners from industry and academia, aiming to develop technologies for quantum-safe communications by integrating post-quantum cryptography with techniques from quantum cryptography.

Applicants for this role should have already completed, or be close to completing, a PhD in a relevant discipline, with an outstanding research track record in cryptography. Experience in cryptographic protocol design is a plus.

Established in 1990, the Information Security Group at Royal Holloway was one of the first dedicated academic groups in the world to conduct research and teaching in information security. The ISG is today a world-leading interdisciplinary research group with 20 full-time members of staff, several postdoctoral research assistants and over 50 PhD students working on a range of subjects in cyber security, in particular cryptography. The post is based in Egham, Surrey where Royal Holloway is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

Closing date for applications: 12 March 2019

Contact: Informal enquiries about this position can be made to Prof. Carlos Cid (carlos.cid AT rhul.ac.uk)

More information: https://jobs.royalholloway.ac.uk/vacancy.aspx?ref=0219-048

TU Wien
Job Posting
The Security and Privacy research division (https://secpriv.tuwien.ac.at) at the Vienna University of Technology (TU Wien) is seeking a candidate for a postdoc position of two years, ideally starting in Spring 2019. The successful applicant will enjoy full research independence and further contribute to the teaching activities in security and privacy at TU Wien.

Candidates with a research background in the following areas are particularly invited to apply:

- Formal methods for security and privacy;

- Intersection between Machine Learning and security and privacy;

- Blockchain technologies;

- Web security.

TU Wien has about 20,000 students and a heavy emphasis on research. The Faculty of Informatics comprises about 3,000 students and is the largest one in Austria. Vienna hosts several outstanding research institutes (including IST Austria, AIT, SBA, RIAT) with a strong focus on security and privacy and a long-standing collaboration track.

The postdoctoral researcher salary is highly competitive and governed by level B1 of the Austrian Collective Agreement for university staff, currently amounting to EUR 3,711.10 gross per month (paid 14 times a year).

Finally, Vienna has repeatedly been ranked number 1 worldwide in the Mercer Quality of Living Survey.

TU Wien is committed to increasing female employment in leading scientific positions. Female applicants are explicitly encouraged to apply, and preference will be given to female applications when scientifically equally qualified.

Expressions of interest should be submitted by e-mail to christopher.vomastek (at) tuwien.ac.at and include in a single pdf

• A cover letter stating the candidate's motivation to apply, and the reason(s) why they should be selected for the position;

• A CV;

• A short research statement;

• Three most significant publications;

• The contact details of two referees.

Expressions of interest submitted by February 25, 2019 will receive full consideration.

Closing date for applications: 25 February 2019

Contact: Univ.-Prof. Dr. Matteo Maffei, matteo.maffei (at) tuwien.ac.at


14 February 2019

Ling Song, Xianrui Qin, Lei Hu
ePrint Report
The boomerang attack is a variant of differential cryptanalysis which regards a block cipher $E$ as the composition of two sub-ciphers, i.e., $E=E_1\circ E_0$, and which constructs distinguishers for $E$ with probability $p^2q^2$ by combining differential trails for $E_0$ and $E_1$ with probability $p$ and $q$ respectively. However, the validity of this attack relies on the dependency between the two differential trails. Murphy has shown cases where probabilities calculated by $p^2q^2$ turn out to be zero, while techniques such as boomerang switches proposed by Biryukov and Khovratovich give rise to probabilities greater than $p^2q^2$. To formalize such dependency to obtain a more accurate estimation of the probability of the distinguisher, Dunkelman et al. proposed the sandwich framework that regards $E$ as $\tilde{E_1}\circ E_m \circ \tilde{E_0}$, where the dependency between the two differential trails is handled by a careful analysis of the probability of the middle part $E_m$. Recently, Cid et al. proposed the Boomerang Connectivity Table (BCT) which unifies the previous switch techniques and incompatibility together and evaluates the probability of $E_m$ theoretically when $E_m$ is composed of a single S-box layer. In this paper, we revisit the BCT and propose a generalized framework which is able to identify the actual boundaries of $E_m$ which contains dependency of the two differential trails and systematically evaluate the probability of $E_m$ with any number of rounds. To demonstrate the power of this new framework, we apply it to two block ciphers, SKINNY and AES. In the application to SKINNY, the probabilities of four boomerang distinguishers are re-evaluated. It turns out that $E_m$ involves 5 or 6 rounds and the probabilities of the full distinguishers are much higher than previously evaluated. In the application to AES, the new framework is used to exclude incompatibility and find high probability distinguishers of AES-128 under the related-subkey setting. As a result, a 6-round distinguisher with probability $2^{-109.42}$ is constructed. Lastly, we discuss the relation between the dependency of two differential trails in boomerang distinguishers and the properties of components of the cipher.
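The abstract contrasts the naive $p^2q^2$ estimate with the exact probability of the middle layer $E_m$ given by the BCT of Cid et al. The following Python is an added worked example, not code from the paper or from the IACR listing: it builds the DDT and the BCT of a 4-bit S-box (the PRESENT S-box is used only as a concrete bijection) by following a boomerang quartet through a single S-box layer, and puts the classic estimate (square of the one-S-box differential probability, summed over the upper trail's output differences) next to the exact value BCT/2^n. Pairs where the exact value is zero are Murphy-style incompatibilities; pairs where it exceeds the estimate are switch effects. The function names are this example's own.

```python
"""DDT and Boomerang Connectivity Table (BCT) of a small S-box, with the naive
p^2 boomerang estimate beside the exact single-layer probability BCT/2^n.

Added illustration; the PRESENT S-box is just a convenient 4-bit bijection.
"""
from typing import List, Tuple

# PRESENT S-box (Bogdanov et al., CHES 2007): a 4-bit bijection.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def inverse(sbox: List[int]) -> List[int]:
    """Inverse permutation of a bijective S-box."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox: List[int]) -> List[List[int]]:
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def bct(sbox: List[int]) -> List[List[int]]:
    """BCT[a][nabla] = #{x : S^-1(S(x)^nabla) ^ S^-1(S(x^a)^nabla) == a}.

    Each x is walked through the quartet (x1, x2) -> (y1, y2) -> (y3, y4) ->
    (x3, x4): input difference a on top, difference nabla injected on the
    output side, and the boomerang 'returns' if x3 ^ x4 == a.
    """
    n = len(sbox)
    inv = inverse(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for nabla in range(n):
            for x1 in range(n):
                x2 = x1 ^ a
                y1, y2 = sbox[x1], sbox[x2]
                x3, x4 = inv[y1 ^ nabla], inv[y2 ^ nabla]
                if x3 ^ x4 == a:
                    table[a][nabla] += 1
    return table


def naive_boomerang_prob(ddt_table: List[List[int]], a: int) -> float:
    """Classic p^2 estimate when the S-box layer is assigned to E_0 with input
    difference a: sum over all (disjoint) upper-trail output differences."""
    n = len(ddt_table)
    return sum((c / n) ** 2 for c in ddt_table[a])


def exact_boomerang_prob(bct_table: List[List[int]], a: int, nabla: int) -> float:
    """Probability that a boomerang with (a, nabla) passes one S-box layer."""
    return bct_table[a][nabla] / len(bct_table)


def classify(sbox: List[int]) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Split nonzero (a, nabla) pairs into incompatible (exact == 0 while the
    naive estimate is > 0) and amplified (exact > naive) cases."""
    d, b = ddt(sbox), bct(sbox)
    n = len(sbox)
    incompatible, amplified = [], []
    for a in range(1, n):
        naive = naive_boomerang_prob(d, a)
        for nabla in range(1, n):
            exact = exact_boomerang_prob(b, a, nabla)
            if exact == 0 and naive > 0:
                incompatible.append((a, nabla))
            elif exact > naive:
                amplified.append((a, nabla))
    return incompatible, amplified


if __name__ == "__main__":
    inc, amp = classify(PRESENT_SBOX)
    print("incompatible (a, nabla) pairs:", inc)
    print("pairs where BCT beats the p^2 estimate:", amp)
```

Two properties worth checking against the output: the row a = 0 and the column nabla = 0 of the BCT are always 2^n (the boomerang trivially returns, which is the ladder switch), and every BCT entry is at least the corresponding DDT entry, so the BCT never predicts less than the one-trail differential probability for the same pair.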
Jun Jie Sim, Fook Mun Chan, Shibin Chen, Benjamin Hong Meng Tan, Khin Mi Mi Aung
ePrint Report
One way of investigating how genes affect human traits would be with a genome-wide association study (GWAS). Genetic markers, known as single-nucleotide polymorphisms (SNPs), are used in GWAS. This raises privacy and security concerns, as these genetic markers can be used to identify individuals uniquely. The problem is further exacerbated by the large number of SNPs needed to produce reliable results, which comes at a higher risk of compromising the privacy of participants.

We describe a method using homomorphic encryption (HE) to perform GWAS in a secure and private setting. This work is based on a semi-parallel logistic regression algorithm proposed to accelerate GWAS computations. Our solution involves homomorphically encrypted matrices and suitable approximations that adapt the original algorithm to be HE-friendly. Our best implementation took $24.70$ minutes for a dataset with $245$ samples, $4$ covariates and $10643$ SNPs.

We demonstrate that it is possible to achieve GWAS with homomorphic encryption with suitable approximations.
Rajat Sadhukhan, Nilanjan Datta, Debdeep Mukhopadhyay
ePrint Report
In the era of lightweight cryptography, designing cryptographically good and power efficient 4x4 S-boxes is a challenging problem. While the optimal cryptographic properties are easy to determine, verifying the power efficiency of an S-box is non-trivial. The conventional approach of determining the power consumption using commercially available CAD tools is highly time consuming, which becomes formidable when dealing with a large pool of S-boxes. This mandates the development of an automated tool that can quickly characterize the power efficiency from the Boolean function representation of an S-box. In this paper, we present a supervised machine learning assisted automated framework to resolve the problem for 4x4 S-boxes, which turns out to be 14 times faster than the traditional approach. The key idea is to extrapolate the knowledge of literal counts and AND-OR-NOT gate counts in the SOP form of the underlying Boolean functions to predict the dynamic power efficiency. The experimental results and performance of our novel technique demonstrate its superiority, with high efficiency and low time overhead. We demonstrate the effectiveness of our framework by reporting a set of power efficient optimal S-boxes from a large set of S-boxes. We also develop a deterministic model using results obtained from supervised learning to predict the dynamic power of an S-box, which can be used in an evolutionary algorithm to generate cryptographically strong and low power S-boxes.
Benjamin Hettwer, Stefan Gehrer, Tim Güneysu
ePrint Report
Deep Neural Networks (DNNs) have recently received significant attention in the side-channel community due to their state-of-the-art performance in security testing of embedded systems. However, research on the subject mostly focused on techniques to improve the attack efficiency in terms of the number of traces required to extract secret parameters. What has not been investigated in detail is a constructive approach of DNNs as a tool to evaluate and improve the effectiveness of countermeasures against side-channel attacks. In this work, we try to close this gap by applying attribution methods that aim for interpreting DNN decisions, in order to identify leaking operations in cryptographic implementations. In particular, we investigate three different approaches that have been proposed for feature visualization in image classification tasks and compare them regarding their suitability to reveal Points of Interests (POIs) in side-channel traces. We show by experiments with three separate data sets that Layer-wise Relevance Propagation (LRP) proposed by Bach et al. provides the best result in most cases. Finally, we demonstrate that attribution can also serve as a powerful side-channel distinguisher in DNN-based attack setups.
Matteo Campanelli, Dario Fiore, Anaïs Querol
ePrint Report
We study the problem of building SNARKs modularly by linking small specialized "proof gadgets" SNARKs in a lightweight manner. Our motivation is both theoretical and practical. On the theoretical side, modular SNARK designs would be flexible and reusable. In practice, specialized SNARKs have the potential to be more efficient than general-purpose schemes, on which most existing works have focused. If a computation naturally presents different "components" (e.g. one arithmetic circuit and one boolean circuit), a general-purpose scheme would homogenize them to a single representation with a subsequent cost in performance. Through a modular approach one could instead exploit the nuances of a computation and choose the best gadget for each component.

Our contribution is LegoSNARK, a "toolbox" (or framework) for commit-and-prove zkSNARKs (CP-SNARKs) that includes:

1) General composition tools: build new CP-SNARKs from proof gadgets for basic relations simply.
2) A "lifting" tool: add commit-and-prove capabilities to a broad class of existing zkSNARKs efficiently. This makes them interoperable (linkable) within the same computation. For example, one QAP-based scheme can be used to prove one component; another GKR-based scheme can be used to prove another.
3) A collection of succinct proof gadgets for a variety of relations.

Additionally, through our framework and gadgets, we are able to obtain new succinct proof systems. Notably:

– LegoGro16, a commit-and-prove version of the Groth16 zkSNARK, that operates over data committed with a classical Pedersen vector commitment, and that achieves a 5000X speed-up in proving time.
– LegoUAC, a pairing-based SNARK for arithmetic circuits that has a universal, circuit-independent CRS and proving time linear in the number of circuit gates (vs. the recent scheme of Groth et al. (CRYPTO'18) with quadratic CRS and quasilinear proving time).
Christina Boura, Anne Canteaut, Daniel Coggia
ePrint Report
In this paper, a new framework is developed for proving and adapting the recently proposed multiple-of-8 property and mixture-differential distinguishers. The above properties are formulated as immediate consequences of an equivalence relation on the input pairs, under which the difference at the output of the round function is invariant. This approach provides a further understanding of these newly developed distinguishers. For example, it clearly shows that the branch number of the linear layer does not influence the validity of the property, contrary to what was previously believed. We further provide an extension of the mixture-differential distinguishers and multiple-of-8 property to any SPN and to a larger class of subspaces. These adapted properties can then be exhibited in a systematic way for ciphers other than the AES. We illustrate this with the examples of Midori, Klein, LED and Skinny.
Jinhyun So, Basak Guler, A. Salman Avestimehr, Payman Mohassel
ePrint Report
How to train a machine learning model while keeping the data private and secure? We present CodedPrivateML, a fast and scalable approach to this critical problem. CodedPrivateML keeps both the data and the model information-theoretically private, while allowing efficient parallelization of training across distributed workers. We characterize CodedPrivateML's privacy threshold and prove its convergence for logistic (and linear) regression. Furthermore, via experiments over Amazon EC2, we demonstrate that CodedPrivateML can provide an order of magnitude speedup (up to $\sim 34\times$) over the state-of-the-art cryptographic approaches.
Hai Zhou, Yuanqi Shen, Amin Rezaei
ePrint Report
Stripped Function Logic Locking (SFLL), as the most advanced logic locking technique, is robust against both the SAT-based and the removal attacks under the assumption of thorough resynthesis of the stripped function. In this paper, we propose a bit-coloring attack based on our discovery of a critical vulnerability in SFLL. In fact, we show that if only one protected input pattern is discovered, then the scheme can be unlocked with a polynomial number of queries to an activated circuit. As a remedy to this vulnerability, we also propose a provably secure general function that deregularizes the relation between the protected input patterns and the secret key. The mathematical proofs as well as the experiments confirm both the polynomiality of the bit-coloring attack on standard SFLL and the exponentiality of similar attacks on SFLL with general function.

13 February 2019

Auckland, New Zealand, 7 July 2019
Event Calendar
Event date: 7 July 2019
Submission deadline: 10 March 2019
Notification: 15 April 2019
Oxford, United Kingdom, 16 December - 18 December 2019
Event Calendar
Event date: 16 December to 18 December 2019
Submission deadline: 14 July 2019
Notification: 5 September 2019
Beer Sheva, Israel, 5 May - 7 May 2019
Event Calendar
Event date: 5 May to 7 May 2019
Submission deadline: 21 March 2019
Dahmun Goudarzi, Ange Martinelli, Alain Passelègue, Thomas Prest
ePrint Report
In the last decade, several works have focused on finding the best way to model the leakage in order to obtain provably secure implementations. One of the most realistic models is the noisy leakage model, introduced in [PR13,DDF14] together with secure constructions. These works suffer from various limitations, in particular the use of ideal leak-free gates in [PR13] and an important loss (in the size of the field) in the reduction in [DDF14].

In this work, we provide new strategies to prove the security of masked implementations and start by unifying the different noisiness metrics used in prior works by relating all of them to a standard notion in information theory: the pointwise mutual information. Based on this new interpretation, we define two new natural metrics and analyze the security of known compilers with respect to these metrics. In particular, we prove (1) a tighter bound for reducing the noisy leakage models to the probing model using our first new metric, (2) better bounds for amplification-based security proofs using the second metric.

To support that the improvements we obtain are not only a consequence of the use of alternative metrics, we show that for concrete representations of leakage (e.g., "Hamming weight + Gaussian noise"), our approach significantly improves the parameters compared to prior works. Finally, using the Rényi divergence, we quantify concretely the advantage of an adversary in attacking a block cipher depending on the number of leakage acquisitions available to it.
Francesco Berti, Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
ePrint Report
We propose TEDT, a new Authenticated Encryption with Associated Data (AEAD) mode leveraging Tweakable Block Ciphers (TBCs). TEDT provides the following features: (i) It offers asymptotically optimal security in the multi-user setting. (ii) It offers nonce misuse-resilience, that is, the repetition of nonces does not impact the security of ciphertexts produced with fresh nonces. (iii) It offers KDM security in the multi-user setting, that is, its security is maintained even if key-dependent messages are encrypted. (iv) It offers full leakage-resilience, that is, it limits the exploitability of physical leakages via side-channel attacks, even if these leakages happen during every message encryption and decryption operation. (v) It can be implemented with a remarkably low energy cost when strong resistance to side-channel attacks is needed, supports online encryption and handles static & incremental associated data efficiently. Concretely, TEDT encourages leveled implementations, in which two TBCs are implemented: one needs strong and energy demanding protections against side-channel attacks but is used in a limited way, while the other only requires weak and energy efficient protections and performs the bulk of the computation. As a result, TEDT leads to considerably more energy efficient implementations compared to traditional AEAD schemes, whose side-channel security requires uniformly protecting every (T)BC execution.
Florian Bourse, Olivier Sanders
ePrint Report
Electronic cash (e-cash) is the digital analogue of regular cash which aims at preserving users' privacy. Following Chaum's seminal work, several new features were proposed for e-cash to address the practical issues of the original primitive. Among them, divisibility has proved very useful to enable efficient storage and spending. Unfortunately, it is also very difficult to achieve and, to date, only a few constructions exist, all of them relying on complex mechanisms that can only be instantiated in one specific setting.

In this work, we study the links between divisible e-cash and constrained pseudo-random functions (PRFs), a primitive recently formalized. We show that one can construct divisible e-cash systems from constrained PRFs achieving some specific properties that we identify. Actually, we provide two frameworks for divisible e-cash that essentially differ in the kind of properties expected from the PRFs. We prove the security of our generic frameworks and provide examples of constrained PRFs satisfying our requirements. Finally, we exhibit a problem in many e-cash systems that invalidates some of their security proofs.