International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

via RSS feed
via Twitter
via Weibo
via Facebook

13 May 2019

Karim Baghery
ePrint Report
Along with blockchain technology, smart contracts have found intense interest in lots of practical applications. A smart contract is a mechanism involving digital assets and some parties, where the parties deposit assets into the contract and the contract redistributes the assets among the parties based on provisions of the smart contract and inputs of the parties. Recently, several smart contract systems have been constructed that use zk-SNARKs to provide privacy-preserving payments and interconnections in the contracts (e.g. Hawk [IEEE S&P, 2016] and Gyges [ACM CCS, 2016]). The efficiency of such systems is severely dominated by the efficiency of the underlying UC-secure zk-SNARK, which is achieved using the COCO framework [Kosba et al., 2015] applied to a non-UC-secure zk-SNARK. In this paper, we show that recent progress on zk-SNARKs allows one to simplify the structure and also improve the efficiency of both systems with a UC-secure zk-SNARK that has a simpler construction and better efficiency in comparison with the currently used ones. More precisely, with minimal changes, we present a variation of Groth and Maller's zk-SNARK from Crypto 2017, and show that it achieves UC-security and has better efficiency than the ones that are currently used in Hawk and Gyges. We believe the new variation can be of independent interest.
Sébastien Canard, Loïc Ferreira
ePrint Report
LoRaWAN is an IoT protocol deployed worldwide. Whereas the first version 1.0 has been shown to be weak against several types of attacks, the new version 1.1 has been recently released, and aims, in particular, at providing corrections to the previous release. It also introduces a third entity, turning the original 2-party protocol into a 3-party protocol. In this paper, we provide the first security analysis of LoRaWAN 1.1 in its 3-party setting using a provable approach, and show that it suffers from several flaws. Based on the 3(S)ACCE model of Bhargavan et al., we then propose an extended framework that we use to analyse the security of LoRaWAN-like 3-party protocols, and describe a generic 3-party protocol provably secure in this extended model. We use this provable security approach to propose a slightly modified version of LoRaWAN 1.1. We show how to concretely instantiate this alternative, and formally prove its security in our extended model.
Sarah McCarthy, James Howe, Neil Smyth, Seamus Brannigan, Máire O'Neill
ePrint Report
Post-quantum cryptography is an important and growing area of research due to the threat of quantum computers, as recognised by the National Institute of Standards and Technology (NIST) in its recent call for standardisation. Lattice-based signatures have been shown in the past to be susceptible to side-channel attacks. Falcon is a lattice-based signature candidate submitted to NIST, which has good performance but lacks research with respect to implementation attacks and resistance. This research proposes the first fault attack analysis on Falcon and finds its lattice trapdoor sampler is as vulnerable to fault attacks as the GPV sampler used in alternative signature schemes. We simulate the post-processing component of this fault attack and achieve a 100% success rate at retrieving the private key. This research then proposes an evaluation of countermeasures to prevent this fault attack and timing attacks on Falcon. We provide cost evaluations on the overheads of the proposed countermeasures, which show that Falcon has only up to 30% deterioration in performance of its key generation, and only 5% in its signing, compared to without countermeasures.

11 May 2019

Graz University of Technology
Job Posting
In the context of the excellence research project “Dependable Internet of Things in Adverse Environments” of Graz University of Technology, we offer nine new PhD positions. One of the core topics of the research of this project is information security.

Graz University of Technology offers a very active research environment with more than 70 researchers on all aspects of information security.

Candidates for a PhD in information security should have experience/interest in at least one of the following fields:

* Side Channels

* Operating system security

* Software isolation techniques

* Applied Cryptography

* Formal methods

* Code analysis and compilers

For details on the position and the application process see: https://www.tugraz.at/projekte/dependablethings/jobs/

Closing date for applications: 9 June 2019

Contact: Stefan Mangard, Email: Stefan.Mangard (at) iaik.tugraz.at

More information: https://www.tugraz.at/projekte/dependablethings/jobs/

Input Output Hong Kong
Job Posting
IOHK is looking for a talented, specialized cryptographic engineer to join our growing in-house cryptography team. You’ll be responsible for cryptographic implementations and their use.

You will have a good understanding of cryptography (e.g. mathematics, information theory, primitives, implementations) and the ability to deliver working implementation related to these domains. The ideal candidate should understand and follow best engineering processes and practices and should demonstrate a working knowledge of a functional programming language (preference is for Haskell), and system languages (preferably Rust or C).

Skills & Requirements:

Skills and Knowledge: A solid understanding of cryptography: basic theory & use. System programming experience. Ability to translate specifications (e.g. cryptography research papers, RFCs) into working code. Know when and how to use basic cryptographic primitives. Can reason about complex & abstract problems.

Responsibilities: Read & review cryptographic research papers and implement them as a prototype. Improve existing implementations of common cryptographic primitives and/or interface/translate them to a different programming language. Transform prototypes into production level projects. Interact and coordinate with research, engineering and product management teams.

Completion of a relevant degree such as Computer Science, Software Engineering, Mathematics or a related technical discipline.

Desired competencies: We are particularly interested in at least one of them having the following profile: Familiarity and/or experience with privacy enhancing cryptographic technologies, e.g., zero-knowledge proofs and/or SNARKs, multi-party computation, and differential privacy. Functional programming experience (preferably Scala or Haskell).

When you apply… Please include an up-to-date resume. We also strongly encourage you to include a cover letter explaining why you’re interested in working at IOHK.

Closing date for applications: 1 July 2019

Contact: David Rountree, david.rountree (at) iohk.io

More information: https://iohk.io/careers/#op-286193-specialized-cryptography-engineer-

Providence, USA, 10 June - 14 June 2019
Event Calendar
Event date: 10 June to 14 June 2019
Cryptography, Security, and Privacy Research Group, Koç University, Istanbul, Turkey
Job Posting
Cryptography, Security & Privacy Research Group at Koç University has multiple openings at every level. Accepted applicants will receive competitive scholarships including tuition waiver, housing, monthly stipend, computer, travel support, etc.

  • For applying online, and questions about the application process for M.Sc. and Ph.D. positions, visit

    https://gsse.ku.edu.tr/en/admissions/application-requirements/

    All applications must be completed online. Deadline is 7 June 2019.

  • For postdoctoral researcher positions, contact Assoc. Prof. Alptekin Küpçü directly, including full CV, sample publications, a research proposal, and 2-3 reference letters sent directly by the referees.

    http://home.ku.edu.tr/~akupcu

    Dates are flexible.

Applications with missing documents will not be considered.

Closing date for applications: 15 September 2019

Contact: gsse (at) ku.edu.tr

More information: https://crypto.ku.edu.tr/work-with-us/

Middle East Technical University (METU), Turkey
Job Posting
The Institute of Applied Mathematics (IAM), Middle East Technical University (METU) offers academic positions in Cryptography. To this aim, we invite all scholars who are interested in full-time faculty positions starting from Assistant Professor level based on the academic profile of the applicant. We encourage you to send us your information if you have a solid research history with a strong publication record in all areas of cryptography.

Members of the institute are expected to pursue a vigorous research program, attract external research funding, and contribute strongly to the institute's teaching program at graduate level. Interested candidates are invited to submit an application online with the following documents:

- Curriculum Vitae;

- Research Statement;

- Teaching Statement;

- Name and address of three references.

Closing date for applications: 15 June 2019

More information: https://iam.metu.edu.tr/open-faculty-positions

University of Rennes, France
Job Posting
We are looking for post-doctoral researchers in symmetric crypto, mainly to evaluate the security of lightweight ciphers recently submitted to NIST, but topics are open.

The position is for 1 year, renewable twice.

Requirements:

- PhD degree in computer science or mathematics

- good programming skills

- publications in top IACR conferences

Closing date for applications:

Contact: Patrick Derbez: patrick.derbez (at) irisa.fr

University of Surrey
Job Posting
SIX academic posts in the Department of Computer Science, University of Surrey

Salary: 32,236 to 95,462 GBP, depending on Qualifications, Experience and Role applied for.

The Department of Computer Science wishes to appoint up to SIX posts to support its ambitious strategic growth in student numbers, strengthening of its research directions and collaborations with industry. We are looking to attract talented individuals who will inspire, lead, and make a significant impact in research and on the student experience. There is an opportunity for posts to be aligned in new research areas to increase diverse research activity within the Department.

The Department has an international reputation for research and teaching. Research in the department is currently focused on two main areas - Nature Inspired Computing and Engineering (NICE), and Secure Systems, with expertise in security by design, cryptography, authentication, verification, distributed ledger technologies, trusted systems, IoT security, program analysis and cloud security. Surrey is recognised by NCSC as an ACE-CSR: Academic Centre of Excellence in Cyber Security Research.

The teaching posts offer an opportunity to contribute to teaching on undergraduate and postgraduate programmes. The Department is launching a new MSc in Data Science which includes a year in industry. The Department is also building a new 200-seat computer science teaching lab to support student growth, and this offers exciting opportunities to innovate in teaching and pedagogical approaches to teaching.

The academic posts aim to strengthen our existing research, especially at the interface between security and machine learning and in data science. We are also looking to diversify our research directions, for example in the areas of software engineering and programming language principles. There is an opportunity for posts to be aligned together to drive forward new research directions.

Closing date for applications: 9 June 2019

Contact: Dr Helen Treharne (h.treharne (at) surrey.ac.uk), Head of Department

Professor Steve Schneider (s.schneider (at) surrey.ac.uk), Director, Surrey Centre for Cyber Security

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=024919


10 May 2019

Cas Cremers, Britta Hale, Konrad Kohbrok
ePrint Report
Modern secure messaging protocols such as Signal can offer strong security guarantees, in particular Post-Compromise Security (PCS). The core PCS mechanism in these protocols is inherently pairwise, which causes bad scaling behaviour and makes PCS inefficient for large groups. To address this, two recently proposed designs for secure group messaging, ART and MLS Draft-04, use group keys derived from tree structures to efficiently enable PCS mechanisms in large groups.

In this work we highlight a previously unexplored difference between the pairwise and group-key based approaches. We show that without additional mechanisms, both ART and MLS Draft-04 offer significantly lower PCS guarantees than those offered by groups based on pairwise PCS channels. In particular, for MLS Draft-04, it seems that the protocol does not yet meet the informal PCS security guarantees described in the draft.

We explore the causes of this problem and lay out the design space to identify solutions. Optimizing security and minimizing overhead leads us to a promising solution based on (i) global updates and (ii) post-compromise secure signatures. While rotating signatures had been discussed before as options for both MLS and ART, our work indicates that combining specific update patterns for all groups with a post-compromise secure signature scheme may be strictly necessary to achieve any reasonable PCS guarantee.
Muhammad ElSheikh, Ahmed Abdelkhalek, Amr M. Youssef
ePrint Report
Modular addition is frequently used as a source of nonlinearity in many symmetric-key structures such as ARX and Lai-Massey schemes. At FSE'16, Fu et al. proposed a Mixed Integer Linear Programming (MILP)-based method to handle the propagation of differential trails through modular additions assuming that the two inputs to the modular addition and the consecutive rounds are independent. However, this assumption does not necessarily hold. In this paper, we study the propagation of the XOR difference through the modular addition at the bit level and show the effect of the carry bit. Then, we propose a more accurate MILP model to describe the differential propagation through the modular addition taking into account the dependency between the consecutive modular additions. The proposed MILP model is utilized to launch a differential attack against Bel-T-256, which is a member of the Bel-T block cipher family that has been adopted recently as a national standard of the Republic of Belarus. In particular, we employ the concept of partial Differential Distribution Table to model the 8-bit S-Box of Bel-T using a MILP approach in order to automate finding a differential characteristic of the cipher. Then, we present a $4\frac{1}{7}$-round (out of 8) differential attack which utilizes a $3$-round differential characteristic that holds with probability $2^{-111}$. The data, time and memory complexities of the attack are $2^{114}$ chosen plaintexts, $2^{237.14}$ $4\frac{1}{7}$-round encryptions, and $2^{224}$ 128-bit blocks, respectively.
Dennis Hofheinz, Bogdan Ursu
ePrint Report
Two standard security properties of a non-interactive zero-knowledge (NIZK) scheme are soundness and zero-knowledge. But while standard NIZK systems can only provide one of those properties against unbounded adversaries, dual-mode NIZK systems allow one to choose dynamically and adaptively which of these properties holds unconditionally. The only known dual-mode NIZK systems are Groth-Sahai proofs (which have proved extremely useful in a variety of applications), and the concurrent and independent FHE-based NIZK constructions of Canetti et al. and Peikert et al. However, all these constructions rely on specific algebraic settings.

Here, we provide a generic construction of dual-mode NIZK systems for all of NP. The public parameters of our scheme can be set up in one of two indistinguishable ways. One way provides unconditional soundness, while the other provides unconditional zero-knowledge. Our scheme relies on subexponentially secure indistinguishability obfuscation and subexponentially secure one-way functions, but otherwise only on comparatively mild and generic computational assumptions. These generic assumptions can be instantiated under any one of the DDH, k-LIN, DCR, or QR assumptions.

As an application, we reduce the required assumptions necessary for several recent obfuscation-based constructions of multilinear maps. Combined with previous work, our scheme can be used to construct multilinear maps from obfuscation and a group in which the strong Diffie-Hellman assumption holds. We also believe that our work adds to the understanding of the construction of NIZK systems, as it provides a conceptually new way to achieve dual-mode properties.
John Matthew Macnaghten, James Luke Menzies, Mark Munro
ePrint Report
This paper presents the results of a new approach to the cryptanalysis of SIMON-$32/64$, a cipher published by NSA in 2013. Our cryptanalysis essentially considers combinatorial properties. These properties allow us to recover a secret key from two plaintext/ciphertext pairs, in a time ranging from a few hours to a few days, with rather limited computing resources. The efficiency of our cryptanalysis technique compared to all known cryptanalyses (including key exhaustive search) is a justification for not revealing the cryptanalysis techniques used. We have adopted a zero-knowledge-inspired method of proof which was initiated in [filiol_e0].
Chengdong Tao
ePrint Report
Multivariate public key signature schemes have good performance in terms of speed and signature size. But most of them have a huge public key size. In this paper, we propose a new method to reduce the public key size of the unbalanced oil and vinegar (UOV) signature scheme. We can reduce the public key size of the UOV scheme to about 4KB for a 128-bit security level. This method can be used to reduce the public key sizes of other multivariate public key cryptosystems.
Iris Anshel, Derek Atkins, Dorian Goldfeld, Paul E Gunnells
ePrint Report
The Walnut Digital Signature Algorithm (WalnutDSA) brings together methods in group theory, representation theory, and number theory, to yield a public-key method that provides a means for messages to be signed and signatures to be verified, on platforms where traditional approaches cannot be executed. After briefly reviewing the various heuristic/practical attacks that have been posited by Hart et al., Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit, we detail the parameter choices that defeat each attack, ensure the security of the method, and demonstrate its continued utility.
Behzad Abdolmaleki, Karim Baghery, Helger Lipmaa, Janno Siim, Michal Zajac
ePrint Report
Zero-knowledge SNARKs (zk-SNARKs) have recently found various applications in verifiable computation and blockchain applications (Zerocash), but unfortunately they rely on a common reference string (CRS) that has to be generated by a trusted party. A standard suggestion, pursued by Ben Sasson et al. [IEEE S&P, 2015], is to generate the CRS via a multi-party protocol. We enhance their CRS-generation protocol to achieve UC-security. This allows one to safely compose the CRS-generation protocol with the zk-SNARK in a black-box manner with the assurance that the security of the zk-SNARK is not influenced. Unlike the previous work, the new CRS-generation protocol also avoids the random oracle model, which is typically not required by zk-SNARKs themselves. As a case study, we apply the protocol to the state-of-the-art zk-SNARK by Groth [EUROCRYPT, 2016].
Niek J. Bouman, Niels de Vreede
ePrint Report
We devise an efficient and data-oblivious algorithm for solving a bounded integral linear system of arbitrary rank over the rational numbers via the Moore-Penrose pseudoinverse, using finite-field arithmetic. This particular problem setting stems from our goal to run the algorithm as a secure multiparty computation (MPC). Beyond MPC, our algorithm could be valuable in other scenarios, like secure enclaves in CPUs, where data-obliviousness is crucial for protecting secrets. We compute the Moore-Penrose inverse over a finite field of sufficiently large order, so that we can recover the rational solution from the solution over the finite field.

Previous work by Cramer, Kiltz and Padró (CRYPTO 2007) proposes a constant-rounds protocol for computing the Moore-Penrose pseudoinverse over a finite field. The asymptotic complexity (counted as the number of secure multiplications) of their solution is $O(m^4 + n^2 m)$, where $m$ and $n$, $m\leq n$, are the dimensions of the linear system.

To reduce the number of secure multiplications, we sacrifice the constant-rounds property and propose a protocol for computing the Moore-Penrose pseudoinverse over the rational numbers in a linear number of rounds, requiring only $O(m^2n)$ secure multiplications.

To obtain the common denominator of the pseudoinverse, required for constructing an integer-representation of the pseudoinverse, we generalize a result by Ben-Israel for computing the squared volume of a matrix. Also, we show how to precondition a symmetric matrix to achieve generic rank profile while preserving symmetry and being able to remove the preconditioner after it has served its purpose. These results may be of independent interest.
Rui Qiao, Qinglong Wang, Zongtao Duan, Na Fan
ePrint Report
Protecting a driver's privacy is one of the major concerns in vehicular ad hoc networks (VANETs). Currently, Azees et al. have proposed an efficient anonymous authentication protocol (EAAP) for VANETs. The authors claim that their scheme can implement conditional privacy, and that it can provide resistance against impersonation attack and bogus message attack from an external attacker. In this paper, we show that their scheme fails to resist these two types of attack as well as forgery attack. By these attacks, an attacker can broadcast any messages successfully. Further, the attacker cannot be traced by a trusted authority, which means their scheme does not satisfy the requirement of conditional privacy. The results of this article clearly show that the scheme of Azees et al. is insecure.
Alessandro Budroni, Andrea Tenti
ePrint Report
In 2017, Aggarwal, Joux, Prakash, and Santha proposed an innovative NTRU-like public-key cryptosystem that was believed to be quantum resistant, based on Mersenne prime numbers $q = 2^N-1$. After a successful attack designed by Beunardeau, Connolly, Géraud, and Naccache, the authors revised the protocol, which was accepted for Round 1 of the Post-Quantum Cryptography Standardization Process organized by NIST. The security of this protocol is based on the assumption that a so-called Mersenne Low Hamming Combination Search Problem (MLHCombSP) is hard to solve. In this work, we present a reduction of MLHCombSP to an instance of Integer Linear Programming (ILP). This opens new research directions that need to be investigated in order to assess the concrete robustness of such a cryptosystem. We propose different approaches to perform such a reduction. Moreover, we uncover a new family of weak keys, for which our reduction leads to an attack consisting of solving $< N^3$ ILP problems of dimension 3.