International Association
for Cryptologic Research

The Cryptanalysis Taskforce research group at Nanyang Technological University in Singapore, led by Prof. Jian Guo, is seeking for candidates to fill one (senior) research fellow position (from fresh postdoc to senior researchers). The team focuses its research on symmetric-key cryptography, including but not limited to provable security, cryptanalysis, and design. It has done significant amount of work on cryptanalysis of SHA-3, Sboxes, security evaluation of AES, etc. Candidates are expected to dedicate their time on research, and have track-record of publications in IACR conferences/workshops.

NTU Singapore offers globally competitive salary package with extremely low income tax and an excellent environment for research. The contract will be initially for 2 years, and has the possibility to be extended subject to the availability of funding. The position will be open until filled, interested candidates are to send their CV and the contact information of 2 referees to Prof. Jian Guo.

Closing date for applications: 31 July 2019

Contact: Jian Guo, Assistant Professor, guojian (at) ntu.edu.sg

More information: http://catf.crypto.sg

The Katz School of Science and Health at Yeshiva University invites applications for tenure-track faculty in Artificial Intelligence, Machine Learning and Computer Science for its graduate programs. Given the multidisciplinary mission of the School, there will be opportunities to collaborate on research and initiatives with other fields and schools; for example, Biotech, Mathematics, Economics, CyberSecurity, Data and Privacy Law (at Cardozo School of Law), and YU’s Innovation Lab. This is an opportunity to take advantage of the University’s deep connections to Israel’s startup nation and groundbreaking work in Artificial Intelligence, Machine Learning, Computer Science, Biotech and Cybersecurity.

This is a tenure eligible position depending on experience and qualifications. We offer an excellent compensation package, and a broad range of employee benefits, including immediate participation in the University’s retirement plan. Compensation commensurate with experience. Relocation assistance may be provided.

Closing date for applications: 11 September 2019

More information: https://apptrkr.com/1418527

The Katz School of Science and Health at Yeshiva University seeks a dynamic leader to serve as academic and administrative head of its graduate initiatives in Artificial Intelligence and Machine Learning. This is a tenure eligible position depending on experience and qualifications.

Given the multidisciplinary mission of the Katz School, there will be opportunities to collaborate on research and initiatives with colleagues from other fields and schools; for example, Biotech, Mathematics, Economics, CyberSecurity, Data and Privacy Law (at Cardozo School of Law), and YU’s Innovation Lab. In particular, this is an opportunity for an entrepreneurial leader to take advantage of the University’s extensive connections to Israel’s startup community and groundbreaking work in Artificial Intelligence, Machine Learning, Computer Science, Biotech and Cybersecurity.

We offer an excellent compensation package, and a broad range of employee benefits, including immediate participation in the University’s retirement plan. Compensation commensurate with experience. Relocation assistance may be provided.

Closing date for applications: 11 September 2019

More information: https://apptrkr.com/1418515

Applications are invited for a PhD studentship in lattice-based cryptography, with a start date of October 2019. The work will be based within the Department of Electrical & Electronic Engineering at Imperial College London.

This position is funded by HM Government and is available only to UK citizens unfortunately. The studentship will last for 3.5 years and include tuition fees as a Home student and an attractive stipend of £24,000/year, plus a generous allowance for travel and subsistence.

Closing date for applications: 1 May 2019

Contact: Cong Ling (c.ling (at) imperial.ac.uk)

More information: https://www.jobs.ac.uk/job/BQT906/phd-studentship-in-post-quantum-cryptography

Consider sources that supply sensitive data to an aggregator. Standard encryption only hides the data from eavesdroppers, but using specialized encryption one can hope to hide the data (to the extent possible) from the aggregator itself. For flexibility and security, we envision schemes that allow sources to supply encrypted data, such that at any point a dynamically chosen subset of sources can allow an agreed-upon joint function of their data to be computed by the aggregator. A primitive called multi-input functional encryption (MIFE), due to Goldwasser et al. (EUROCRYPT 2014), comes close, but has two main limitations: – it requires trust in a third party, who is able to decrypt all the data, and – it requires function arity to be fixed at setup time and to be equal to the number of parties.

To drop these limitations, we introduce a new notion of ad hoc MIFE. In our setting, each source generates its own public key and issues individual, function-specific secret keys to an aggregator. For successful decryption, an aggregator must obtain a separate key from each source whose ciphertext is being computed upon. The aggregator could obtain multiple such secret keys from a user corresponding to functions of varying arity. For this primitive, we obtain the following results: – We show that standard MIFE for general functions can be bootstrapped to ad hoc MIFE for free, i.e. without making any additional assumption. – We provide a direct construction of ad hoc MIFE for the inner product functionality based on the Learning with Errors (LWE) assumption. This yields the first construction of this natural primitive based on a standard assumption.

At a technical level, our results are obtained by combining standard MIFE schemes and two-round secure multiparty computation (MPC) protocols in novel ways highlighting an interesting interplay between MIFE and two-round MPC in the construction of non interactive primitives.

As fault based cryptanalysis is becoming more and more of a practical threat, it is imperative to make efforts to devise suitable countermeasures. In this regard, the so-called ``infective countermeasures'' have garnered particular attention from the community due to their ability in inhibiting differential fault attacks without explicitly detecting the fault. We observe that despite being adopted over a decade ago, a systematic study is missing from the literature. Moreover, there seems to be a lack of proper security analysis of the schemes proposed, as quite a few of them have been broken promptly. Our first contribution comes in the form of a generalization of infective schemes which aids us with a better insight into the vulnerabilities, scopes for cost reduction and possible improvements. This way, we are able to propose lightweight alternatives of two existing schemes, propose new design based on already established standards, refute a security claim made by a scheme proposed in CHES'14 and re-instantiate another scheme which is deemed broken by proposing a simple patch.

Event date: 22 March to 26 March 2020
Submission deadline: 23 November 2019
Notification: 23 January 2020

Event date: 22 March to 26 March 2020
Submission deadline: 1 September 2019
Notification: 1 November 2019

Event date: 22 March to 26 March 2020
Submission deadline: 1 June 2019
Notification: 1 August 2019

Event date: 22 March to 26 March 2020

In this work, we examine the efficiency of protocols for secure evaluation of basic mathematical functions ($\mathtt{sqrt}, \mathtt{sin}, \mathtt{arcsin}$, amongst others), essential to various application domains. e.g., Artificial Intelligence. Furthermore, we have incorporated our code in state-of-the-art Multiparty Computation (MPC) software, so we can focus on the algorithms to be used as opposed to the underlying MPC system. We make use of practical approaches that, although, some of them, theoretically can be regarded as less efficient, can, nonetheless, be implemented in such software libraries without further adaptation. We focus on basic scientific operations, and introduce a series of data-oblivious protocols based on fixed point representation techniques. Our protocols do not reveal intermediate values and do not need special adaptations from the underlying MPC protocols. We include extensive computational experimentation under various settings and MPC protocols.

At ASIACRYPT 2018, Castryck, Lange, Martindale, Panny and Renes proposed CSIDH, which is a key-exchange protocol based on isogenies between elliptic curves, and a candidate for post-quantum cryptography. However, the implementation by Castryck et al. is not constant-time. Specifically, a part of the secret key could be recovered by the side-channel Attacks. Recently, Meyer, Campos and Reith proposed a constant-time implementation of CSIDH by introducing dummy isogenies and taking secret exponents only from intervals of non-negative integers. Their non-negative intervals make the calculation cost of their implementation of CSIDH twice that of the worst case of the standard (variable-time) implementation of CSIDH. In this paper, we propose a more efficient constant-time algorithm that takes secret exponents from intervals symmetric with respect to the zero. For using these intervals, we need to keep two torsion points in an elliptic curve and calculation for these points. We evaluate the costs of our implementation and that of Meyer et al. in terms of the number of operations on a finite prime field. Our evaluation shows that our constant-time implementation of CSIDH reduces the calculation cost by 28.23% compared with the implementation by Mayer et al. We also implemented our algorithm by extending the implementation in C of Meyer et al. (originally from Castryck et al.). Then our implementation achieved 172.4 million clock cycles, which is about 27.35% faster than that of Meyer et al. and confirms the above reduction ratio in our cost evaluation.

Blockchain based systems, in particular cryptocurrencies, face a serious limitation: scalability. This holds, especially, in terms of number of transactions per second. Several alternatives are currently being pursued by both the research and practitioner communities. One venue for exploration is on protocols that do not constantly add transactions on the blockchain and therefore do not consume the blockchain's resources. This is done using off-chain transactions, i.e., protocols that minimize the interaction with the blockchain, also commonly known as Layer-2 approaches. This work relates several existing off-chain channel methods, also known as payment and state channels, channel network constructions methods, and other components as channel and network management protocols, e.g., routing nodes. All these components are crucial to keep the usability of the channel, and are often overlooked. For the best of our knowledge, this work is the first to propose a taxonomy for all the components of the Layer-2. We provide an extensive coverage on the state-of-art protocols available. We also outline their respective approaches, and discuss their advantages and disadvantages.

Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the Find-then-Guess model of Bellare, Pointcheval and Rogaway (EUROCRYPT 2000), whether it satisfies some notion of forward secrecy remains an open question.

In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by Krawczyk (CRYPTO 2005). Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3.

Homomorphic encryption (HE)---the ability to perform computation on encrypted data---is an attractive remedy to increasing concerns about data privacy in deep learning (DL). However, building DL models that operate on ciphertext is currently labor-intensive and requires simultaneous expertise in DL, cryptography, and software engineering. DL frameworks and recent advances in graph compilers have greatly accelerated the training and deployment of DL models to various computing platforms. We introduce nGraph-HE, an extension of nGraph, Intel's DL graph compiler, which enables deployment of trained models with popular frameworks such as TensorFlow while simply treating HE as another hardware target. Our graph-compiler approach enables HE-aware optimizations-- implemented at compile-time, such as constant folding and HE-SIMD packing, and at run-time, such as special value plaintext bypass. Furthermore, nGraph-HE integrates with DL frameworks such as TensorFlow, enabling data scientists to benchmark DL models with minimal overhead.

The effort in reducing the area of AES implementations has largely been focused on Application-Specific Integrated Circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status-quo on Field-Programmable Gate Arrays (FPGAs). A similar discrepancy holds for masking schemes - a well-known side-channel analysis countermeasure - which are commonly optimized to achieve minimal area in ASICs. In this paper we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction of the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean functions of degree t with protection order d. The methodology is exact for first-order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs, to-date.

A universal circuit (UC) can be programmed to simulate any circuit up to a given size n by specifying its program inputs. It provides elegant solutions in various application scenarios, e.g., for private function evaluation (PFE) and for improving the flexibility of attribute-based encryption (ABE) schemes. The asymptotic lower bound for the size of a UC is $\Omega(n \log n)$ and Valiant (STOC'76) provided two theoretical constructions, the so-called 2-way and 4-way UCs (i.e., recursive constructions with 2 and 4 substructures), with asymptotic sizes $5n \log_2n$ and $4.75n \log_2n$, respectively.

In this article, we present and extend our results published in (Kiss and Schneider, EUROCRYPT'16) and (Günther et al., ASIACRYPT'17). We validate the practicality of Valiant's UCs, by realizing the 2-way and 4-way UCs in our modular open-source implementations. We also provide an example implementation for PFE using these size-optimized UCs. We propose a 2/4-hybrid approach that combines the 2-way with the 4-way UC in order to minimize the size of the resulting UC. We realize that the bottleneck in universal circuit generation and programming becomes the memory consumption of the program since the whole structure of size $\mathcal{O}(n \log n)$ is handled by the algorithms in memory.

In this work, we overcome this by designing novel scalable algorithms for the UC generation and programming. We show that the generation, which involves topological ordering of the UC as well, can be designed to be performed block by block from top to bottom, while the programming can be performed subcircuit by subcircuit. Both algorithms use only $\mathcal{O}(n)$ memory at any point in time. We prove the practicality of our scalable design with a scalable proof-of-concept implementation for generating Valiant's 4-way UC. We note that this can be extended to work with optimized building blocks analogously. Moreover, we substantially improve the size of our UCs by including and implementing the recent optimization of Zhao et al. (ePrint 2018/943) that reduces the asymptotic size of the 4-way UC to $4.5n\log_2n$. Furthermore, we include their optimization in the implementation of our 2/4-hybrid UC which yields the smallest UC construction known so far.

TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed Pre Shared Key (PSK) is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency.

We identify a security vulnerability in this TLS 1.3 path, by showing a new reflection attack that we call ``Selfie''. The Selfie attack breaks the mutual authentication. It leverages the fact that TLS does not mandate explicit authentication of the server and the client in every message.

The paper explains the root cause of this TLS 1.3 vulnerability, demonstrates the Selfie attack on the TLS implementation of OpenSSL and proposes appropriate mitigation.

The attack is surprising because it breaks some assumptions and uncovers an interesting gap in the existing TLS security proofs. We explain the gap in the model assumptions and subsequently in the security proofs. We also provide an enhanced Multi-Stage Key Exchange (MSKE) model that captures the additional required assumptions of TLS 1.3 in its current state. The resulting security claims in the case of external PSKs are accordingly different.

SM3, the Chinese standard hash algorithm inspired from SHA2, can be attacker by similar means than SHA2 up to an adaptation to its differences. But this kind of attack is based on targeting point of interest of different kinds, some are end of computation results, that are stored when others are in intermediate computational data. The leakage effectiveness of the later could be subject to implementation choices, device type or device type of leakage. In this paper, we propose a new approach that targets only the first kind of intermediate data that are more susceptible to appear. As an example, we targeted the HMAC construction using SM3, where our method allows to recover the first half of the secret information. reducing the security of the HMAC protocol.

Second-order analyses have shown a great interest to defeat first level of masking protections. Their practical realization remains tedious in a lot of cases. This is partly due to the difficulties of achieving a fine alignment of two areas that are combined together afterward. Classical protections makes therefore use of random jitter or shuffling to make the alignment difficult or even impossible. This paper extends Scatter attack to high-order analyses. Processing the jointdistribution of two selection of points, it becomes possible to retrieve the secret key even when traces are not fully aligned. The results presented in this paper are validated through practical experimentation and compared with existing window-based techniques, such as the FFT. Scatter shows the best results when misalignment is significant. This illustrates that Scatter offers an alternative to existing high-order attacks and can target all kinds of cryptography implementations, regardless they are executed in hardware or software. With the ability to exploit several leakage points, it may be valuable also when applying a second-order attack on aligned traces.