International Association
for Cryptologic Research

FPGAs are increasingly used in cloud applications and being integrated into Systems-on-Chip (SoCs). For these systems, various side-channel attacks on cryptographic implementations have been reported, motivating to apply proper countermeasures. Beyond cryptographic implementations, maliciously introduced covert channel receivers and transmitters can allow to exfiltrate any kind of secret information from the FPGA. In this paper, we present a fast covert channel on FPGAs, which exploits the on-chip power distribution network. This can be achieved without any logical connection between the transmitter and receiver blocks. Compared to FPGA thermal covert channels that reach about 1 bit/s, we can show a transmission rate of 8 MBit/s which is almost error free. We reach a small raw bit error ratio (BER) below 10 $\times$ 10$^{-6}$ BER, even in the presence of noise generated from another functional module in the FPGA, and without using error correction codes. When we place and operate other co-tenant modules that require 85% total FPGA area, the BER increases to $\approx$100-1000$\times$ 10$^{-6}$, depending on the platform. This error rate is still reasonably low for a covert channel. Overall, the transmitter and receiver work with less than 3% FPGA resources together.

Computer-aided cryptography is an active area of research that develops and applies formal, machine-checkable approaches to the design, analysis, and implementation of cryptography. We present a cross-cutting systematization of the computer-aided cryptography literature, focusing on three main areas: (i) design-level security (both symbolic security and computational security), (ii) functional correctness and efficiency, and (iii) implementation-level security (with a focus on digital side-channel resistance). In each area, we first clarify the role of computer-aided cryptography---how it can help and what the caveats are---in addressing current challenges. We next present a taxonomy of state-of-the-art tools, comparing their accuracy and scope of analysis, trustworthiness, and usability. Then, we highlight their main achievements, trade-offs, and research challenges. After covering the three main areas, we present two case studies. First, we study efforts in combining tools focused on different areas to consolidate the guarantees they can provide. Second, we distill the lessons learned from the computer-aided cryptography community's involvement in the TLS 1.3 standardization effort. Finally, we conclude with recommendations to paper authors, tool developers, and standardization bodies moving forward.

The user of an imperfectly correct lattice-based public-key encryption scheme leaks information about their secret key with each decryption query that they answer---even if they answer all queries successfully. Through a refinement of the D'Anvers--Guo--Johansson--Nilsson--Vercauteren--Verbauwhede failure boosting attack, we show that an adversary can use this information to improve his odds of finding a decryption failure. We also propose a new definition of $\delta$-correctness, and we re-assess the correctness of several submissions to NIST's post-quantum standardization effort.

Using a set of pairing product equations (PPEs) to verify the correctness of an untrusted set of pairing elements with respect to another set of trusted elements has numerous cryptographic applications. These include the design of basic and structure-preserving signature schemes, building oblivious transfer schemes from “blind” IBE, finding new verifiable random functions and keeping the IBE/ABE authority “accountable” to the user.

A natural question to ask is: are all trusted-untrusted pairing element groups in the literature PPE testable? We provide original observations demonstrating that the answer is no, and moreover, it can be non-trivial to determine whether or not there exists a set of PPEs that can verify some pairing elements with respect to others. Many IBE schemes have PPE-testable private keys (with respect to the public parameters), while others, such as those based on dual-system encryption, provably do not.

To aid those wishing to use PPE-based element verification in their cryptosystems, we devised rules to systematically search for a set of PPEs that can verify untrusted elements with respect to a set of trusted elements. We prove the correctness of each rule and combine them into a main searching algorithm for which we also prove correctness. We implemented this algorithm in a new software tool, called AutoPPE. Tested on over two dozen case studies, AutoPPE found a set of PPEs (on schemes where they exist) usually in just a matter of seconds. This work represents an important step towards the larger goal of improving the speed and accuracy of pairing-based cryptographic design via computer automation.

Secure multiparty computation enables a set of parties to securely carry out a joint computation on their private inputs without revealing anything but the output. A particularly motivated setting is that of three parties with a single corruption (hereafter denoted 3PC). This 3PC setting is particularly appealing for two main reasons: (1) it admits {\em more efficient} MPC protocols than in other standard settings; (2) it allows in principle to achieve {\em full security} (and fairness).

Highly efficient protocols exist within this setting with security against a semi-honest adversary; however, a significant gap remains between these and protocols with stronger security against a malicious adversary.

In this paper, we narrow this gap within concretely efficient protocols. More explicitly, we have the following contributions:

* Concretely Efficient Malicious 3PC. We present an optimized 3PC protocol for arithmetic circuits over rings with (amortized) communication of 1 ring element per multiplication gate per party, matching the best semi-honest protocols. The protocol applies also to Boolean circuits, significantly improving over previous protocols even for small circuits.

Our protocol builds on recent techniques of Boneh et al.\ (Crypto 2019) for sublinear zero-knowledge proofs on distributed data, together with an efficient semi-honest protocol based on replicated secret sharing (Araki et al., CCS 2016).

We present a concrete analysis of communication and computation costs, including several optimizations. For example, for 40-bit statistical security, and Boolean circuit with a million (nonlinear) gates, the overhead on top of the semi-honest protocol can involve less than 0.5KB of communication {\em for the entire circuit}, while the computational overhead is dominated by roughly 30 multiplications per gate in the field $F_{2^{47}}$. In addition, we implemented and benchmarked the protocol for varied circuit sizes.

* Full Security. We augment the 3PC protocol to further provide full security (with guaranteed output delivery) while maintaining amortized 1 ring element communication per party per multiplication gate, and with hardly any impact on concrete efficiency. This is contrasted with the best previous 3PC protocols from the literature, which allow a corrupt party to mount a denial-of-service attack without being detected.

Tweakable block ciphers are increasingly becoming a common primitive to build new resilient modes as well as a concept for multiple dedicated designs. While regular block ciphers define a family of permutations indexed by a secret key, tweakable ones define a family of permutations indexed by both a secret key and a public tweak. In this work we formalize and study a generic framework for building such a tweakable block cipher based on regular block ciphers, the iterated tweakable FX construction, which includes many such previous constructions of tweakable block ciphers. Then we describe a cryptanalysis from which we can derive a provable security upper-bound for all constructions following this tweakable iterated FX strategy. Concretely, the cryptanalysis of r rounds of our generic construction based on n-bit block ciphers with \kap-bit keys requires O(2^{r(n + \kap)/(r+1)}) online and offline queries. For r = 2 rounds this interestingly matches the proof of the particular case of XHX2 by Lee and Lee (ASIACRYPT 2018) thus proving for the first time its tightness. In turn, the XHX and XHX2 proofs show that our generic cryptanalysis is information theoretically optimal for 1 and 2 rounds.

Code-based public key cryptosystems have been found to be an interesting option in the area of Post-Quantum Cryptography. In this work, we present a key encapsulation mechanism (KEM) using a parity check matrix of the Generalized Srivastava code as the public key matrix. Generalized Srivastava codes are privileged with the decoding technique of Alternant codes as they belong to the family of Alternant codes. We exploit the dyadic structure of the parity check matrix to reduce the storage of the public key. Our encapsulation leads to a shorter ciphertext as compared to DAGS proposed by Banegas et al. in Journal of Mathematical Cryptology which also uses Generalized Srivastava code. Our KEM provides IND-CCA security in the random oracle model. Also, our scheme can be shown to achieve post-quantum security in the quantum random oracle model.

Let $A/\overline{\mathbb{F}}_p$ and $A'/\overline{\mathbb{F}}_p$ be supersingular principally polarized abelian varieties of dimension $g>1$. For any prime $\ell \ne p$, we give an algorithm that finds a path $\phi : A \rightarrow A'$ in the $(\ell, \dots , \ell)$-isogeny graph in $\widetilde{O}(p^{g-1})$ group operations on a classical computer, and $\widetilde{O}(\sqrt{p^{g-1}})$ calls to the Grover oracle on a quantum computer. The idea is to find paths from $A$ and $A'$ to nodes that correspond to products of lower dimensional abelian varieties, and to recurse down in dimension until an elliptic path-finding algorithm (such as Delfs--Galbraith) can be invoked to connect the paths in dimension $g=1$. In the general case where $A$ and $A'$ are any two nodes in the graph, this algorithm presents an asymptotic improvement over all of the algorithms in the current literature. In the special case where $A$ and $A'$ are a known and relatively small number of steps away from each other (as is the case in higher dimensional analogues of SIDH), it gives an asymptotic improvement over the quantum claw finding algorithms and an asymptotic improvement over the classical van Oorschot--Wiener algorithm.

Three-party key exchange, where two clients aim to agree a session key with the help of a trusted server, is prevalent in present-day systems. In this paper, we present a practical and secure three-party password-based authenticated key exchange protocol over ideal lattices. Aside from hash functions our protocol does not rely on external primitives in the construction and the security of our protocol is directly relied on the Ring Learning with Errors (RLWE) assumption. Our protocol attains provable security. A proof-of-concept implementation shows our protocol is indeed practical.

The Lighting Network (LN) is a network of micropayment channels that runs on top of Bitcoin. The balances of payment channels are not broadcasted to the LN network to preserve the privacy of the nodes participating in the network. A balance disclosure attack (BDA) has been proven to be successful in determining the balance of large amount of channels in the network. In this paper we propose an improved algorithm for the BDA as well as a new type of attack that leverages the differences between LN client software implementations. Our improved algorithm extends the original BDA by performing payments from both sides of the channel. The new attack uses malformed payments to shutdown payment channels an adversary isn't part of.

The key escrow problem is one of the main barriers to the widespread real-world use of identity-based encryption (IBE). Specifically, a key generation center (KGC), which generates secret keys for a given identity, has the power to decrypt all ciphertexts. At PKC 2009, Chow defined a notion of security against the KGC, that relies on assuming that it cannot discover the underlying identities behind ciphertexts. However, this is not a realistic assumption since, in practice, the KGC manages an identity list, and hence it can easily guess the identities corresponding to given ciphertexts. Chow later amended this issue by introducing a new entity called an identity-certifying authority (ICA) and proposed an anonymous key-issuing protocol. Essentially, this allows the users, KGC, and ICA to interactively generate secret keys without users ever having to reveal their identities to the KGC. Unfortunately, since Chow separately defined the security of IBE and that of the anonymous key-issuing protocol, his IBE definition did not provide any formal treatment when the ICA is used to authenticate the users. Effectively, all of the subsequent works following Chow lack the formal proofs needed to determine whether or not it delivers a secure solution to the key escrow problem.

In this paper, based on Chow's work, we formally define an IBE scheme that resolves the key escrow problem and provide formal definitions of security against corrupted users, KGC, and ICA. Along the way, we observe that if we are allowed to assume a fully trusted ICA, as in Chow's work, then we can construct a trivial (and meaningless) IBE scheme that is secure against the KGC. Finally, we present two instantiations in our new security model: a lattice-based construction based on the Gentry--Peikert--Vaikuntanathan IBE scheme (STOC 2008) and R{\"{u}}ckert's lattice-based blind signature scheme (ASIACRYPT 2010), and a pairing-based construction based on the Boneh--Franklin IBE scheme (CRYPTO 2001) and Boldyreva's blind signature scheme (PKC 2003).

In standard Secret Sharing (SS), a dealer shares a secret $s$ among $n$ parties such that an adversary corrupting no more than $t$ parties does not learn $s$, while any $t+1$ parties can efficiently recover $s$. Proactive Secret Sharing (PSS) retains confidentiality of $s$ even when a mobile adversary corrupts all parties over the lifetime of the secret, but no more than a threshold $t$ in each epoch (called a refresh period). Withstanding such adversaries has become of increasing importance with the emergence of settings where private keys are secret shared and used to sign cryptocurrency transactions, among other applications. Feasibility of single-secret PSS for static groups with dishonest majorities was demonstrated but with a protocol that requires inefficient communication of $O(n^4)$.

In this work, we improve over prior work in three directions: batching without incurring a linear loss in corruption threshold, communication efficiency, and handling dynamic groups. While each of properties we improve upon appeared independently in the context of PSS and in other previous work, handling them simultaneously (and efficiently) in a single scheme faces non-trivial challenges. Some PSS protocols can handle batching of $\ell \sim n$ secrets, but all of them are for the honest majority setting. Techniques typically used to accomplish such batching decrease the tolerated corruption threshold bound by a linear factor in $\ell$, effectively limiting the number of elements that can be batched with dishonest majority. We solve this problem by reducing the threshold decrease to $\sqrt{\ell}$ instead, allowing us to deal with the dishonest majority setting when $\ell \sim n$. This is accomplished based on new bivariate-polynomials-based techniques for sharing, and refreshing and recovering of shares, that allow batching of up to $n-2$ secrets in our PSS. To tackle the efficiency bottleneck the constructed PSS protocol requires only $O(n^3/\ell)$ communication for $\ell$ secrets, i.e., an amortized communication complexity of $O(n^2)$ when the maximum batch size is used. To handle dynamic groups we develop three new sub-protocols to deal with parties joining and leaving the group.

The IACR news channel for job postings has been inactive for a few months, but about 100 new jobs have been posted to the jobs page. We have restored the flow of new job postings to the news channel, but older jobs will not be sent out to subscribers.

The Security and Trust of Advanced Systems Group at the Computer Science Department of the University of Exeter is hiring a Lecturer in Cybersecurity. Candidates in all areas of security are encouraged to apply.

This is a unique opportunity to shape the future development of Cybersecurity research at Exeter both within the Department of Computer Science and the University as a whole. The Department is a member of the Turing Institute and the Complete University Guide ranks the Department 11th in the UK and Exeter is one of the fastest growing cities in the UK, with the IT sector being particularly strong.

The new Security and Trust of Advanced Systems Group is embedded in a strong cyber environment within and outside of the University. Within the University, cybersecurity is not only rooted within the Computer Science Department (e.g. working in the intersection of data science and cybersecurity, an area in which we also offer a new MSc in Cyber Security Analytics: for example, we also work together with the Law School, which has a strong expertise in international cybersecurity law, the Strategy and Security Institute, and we collaborate with the Management School on a MSc in Financial Technology. Outside of the university, we actively engage with the local industry, e.g., via the South West Cyber Security Cluster.

We are looking for a candidate with an outstanding research record in any area of cybersecurity such as (but not limited to): language-based security, access control, usable security, software security, formal methods for security, security analytics, security protocols, human aspects of security, security economics, security by design, applied cryptography, security testing.

You are expected to carry out research in any area of cybersecurity and to supervise PhD students in her/his research area. We are particularly keen on research areas that either extend the current strength in software security and formal methods in security or that complement these existing focus area.

Closing date for applications:

Contact: Prof. Achim Brucker, Streatham Campus Innovation Centre, A1, Exeter EX4 4RN, UK. https://www.brucker.ch/

More information: https://jobs.exeter.ac.uk/hrpr_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=566815Qrwu&WVID=3817591jNg

The Department of Computer Science at University of Sheffield, UK is seeking a highly-motivated PhD candidate in the field of cyber security with an emphasis on embedded and hardware security.

Candidates with experience in one or more of the following are preferred:

Cryptography (lightweight cryptography, post-quantum cryptography, fully-homomorphic encryption)

Designing novel cryptographic primitives and protocols

Digital design on ASIC or FPGA platforms using hardware description languages

Computer architectures and embedded software

Side-channel analysis and fault attacks

Machine learning and artificial intelligence especially for security applications

Research topics include but are not limited to:

Secure cryptographic implementations in hardware and software

Mechanisms against side-channel analysis and fault attacks

Security and privacy for IoT systems

Post-quantum cryptography

Fully-homomorphic encryption

The studentship is available from February 2020.
A stipendiary studentship is available. This covers fees at the EU/home rate as well as a student stipend for three and a half years.
The candidates should have an M.Sc./B.Sc. degree or equivalent in Computer Science/Computer Engineering/Electrical Engineering/Applied Mathematics/IT Security.
If English is not your first language, you must have an IELTS score of 6.5 overall, with no less than 6.0 in each component.

In the first instance, candidates are advised to discuss applications with Dr. Elif Kavun (e.kavun@sheffield.ac.uk).

To apply for the studentship, applicants need to apply directly to The University of Sheffield using the online application system. Please name Dr Elif Kavun as your proposed supervisor.
Complete an application for admission to the standard Computer Science PhD programme http://www.sheffield.ac.uk/postgraduate/research/apply
Applications should include CV, statement of purpose, transcripts, and contact information of at least two referencesClosing date for applications:

Contact: Dr Elif Kavun

More information: http://www.sheffield.ac.uk/postgraduate/research/apply