International Association
for Cryptologic Research

Classical secret sharing schemes are built on the assumptions that the number of participants and the access structure remain fixed over time. Evolving secret sharing addresses the question of accommodating new participants with changeable access structures. One goal of this article is to initiate the study of evolving secret sharing sharing such that both share generation and reconstruction algorithms can be implemented by $AC^0$ circuits. We give a concrete construction with some minor storage assumption. Furthermore, allowing certain trade-offs we consider the novel problem of robust redistribution of secret shares (in $AC^0$) in the spirit of dynamic access structure by suitably modifying a construction of Cheng-Ishai-Li (TCC $2017$). A naive solution to the problem is to increase the alphabet size. We avoid this by modifying shares of some of the old participants. This modification is also necessary to make newly added participant(s) non-redundant to the secret sharing scheme.

Differential branch number and linear branch number are critical for the security of symmetric ciphers. The recent trend in the designs like PRESENT block cipher, ASCON authenticated encryption shows that applying S-boxes that have nontrivial differential and linear branch number can significantly reduce the number of rounds. As we see in the literature that the class of 4 x 4 S-boxes have been well-analysed, however, a little is known about the n x n S-boxes for n >= 5. For instance, the complete classification of 5 x 5 affine equivalent S-boxes is still unknown. Therefore, it is challenging to obtain “the best” S-boxes with dimension >= 5 that can be used in symmetric cipher designs. In this article, we present a novel approach to construct S-boxes that identifies classes of n x n S-boxes (n = 5, 6) with differential branch number 3 and linear branch number 3, and ensures other cryptographic properties. To the best of our knowledge, we are the first to report 6 x 6 S-boxes with linear branch number 3, differential branch number 3, and with other good cryptographic properties such as nonlinearity 24 and differential uniformity 4.

The problem of constructing effective statistical tests for random number generators (RNG) is considered. Currently, statistical tests for RNGs are a mandatory part of cryptographic information protection systems, but their effectiveness is mainly estimated based on experiments with various RNGs. We find an asymptotic estimate for the p-value of an optimal test in the case where the alternative hypothesis is a known stationary ergodic source, and then describe a family of tests each of which has the same asymptotic estimate of the p-value for any (unknown) stationary ergodic source.

Internet-of-Things enables interconnection of billions of devices, which perform autonomous operations and collect various types of data. These things, along with their generated huge amount of data, need to be handled efficiently and securely. Centralized solutions are not desired due to security concerns and scalability issue. In this paper, we propose HIBEChain, a hierarchical blockchain system that realizes scalable and accountable management of IoT devices and data. HIBEChain consists of multiple permissioned blockchains that form a hierarchical tree structure. To support the hierarchical structure of HIBEChain, we design a decentralized hierarchical identity-based signature (DHIBS) scheme, which enables IoT devices to use their identities as public keys. Consequently, HIBEChain achieves high scalability through parallel processing as blockchain sharding schemes, and it also implements accountability by use of identity-base keys. Identity-based keys not only make HIBEChain more user-friendly, they also allow private key recovery by validators when necessary. We provide detailed analysis of its security and performance, and implement HIBEChain based on Ethereum source code. Experiment results show that a 6-ary, (7,10)-threshold, 4-level HIBEChain can achieve 32,000 TPS, and it needs only 9 seconds to confirm a transaction.

We investigate constructing message authentication schemes from symmetric cryptographic primitives, with the goal of achieving security when most intermediate values during tag computation and verification are leaked (i.e., mode-level leakage-resilience). Existing efficient proposals typically follow the plain Hash-then-MAC paradigm $T=MAC_K(H(M))$. When the domain of the MAC function $MAC_K$ is $\{0,1\}^{128}$, e.g., when instantiated with the AES, forgery is possible within time $2^{64}$ and data complexity 1. To dismiss such cheap attacks, we propose two modes: LRW1-based Hash-then-MAC (LRWHM) that is built upon the LRW1 tweakable blockcipher of Liskov, Rivest, and Wagner, and Rekeying Hash-then-MAC (RHM) that employs internal rekeying. Built upon secure AES implementations, LRWHM is provably secure up to (beyond-birthday) $2^{78.3}$ time complexity, while RHM is provably secure up to $2^{121}$ time. Thus in practice, their main security threat is expected to be side-channel key recovery attacks against the AES implementations. Finally, we benchmark the performance of instances of our modes based on the AES and SHA3 and confirm their efficiency.

QC-MDPC code-based KEMs rely on decoders that have a small or even negligible Decoding Failure Rate (DFR). These decoders should be efficient and implementable in constant-time. One example for a QC-MDPC KEM is the Round-2 candidate of the NIST PQC standardization project, "BIKE". We have recently shown that the Black-Gray decoder achieves the required properties. In this paper, we deffine several new variants of the Black-Gray decoder. One of them, called Black-Gray-Flip, needs only 7 steps to achieve a smaller DFR than Black-Gray with 9 steps, for the same block size. On current AVX512 platforms, our BIKE-1 (Level-1) constant-time decapsulation is 1:9x faster than the previous decapsulation with Black-Gray. We also report an additional 1:25x decapsulating speedup using the new AVX512-VBMI2 and vector-PCLMULQDQ instructions available on "Ice-Lake" micro-architecture.

While there have been many successes in verifying cryptographic security proofs of noninter- active primitives such as encryption and signatures, less attention has been paid to interactive cryptographic protocols. Interactive protocols introduce the additional verification challenge of concurrency, which is notoriously hard to reason about in a cryptographically sound manner.

When proving the (approximate) observational equivalance of protocols, as is required by simulation based security in the style of Universal Composability (UC), a bisimulation is typically performed in order to reason about the nontrivial control flows induced by concurrency. Unfortunately, bisimulations are typically very tedious to carry out manually and do not capture the high-level intuitions which guide informal proofs of UC security on paper. Because of this, there is currently a large gap of formality between proofs of cryptographic protocols on paper and in mechanized theorem provers.

We work towards closing this gap through a new methodology for iteratively constructing bisimulations in a manner close to on-paper intuition. We present this methodology through Interactive Probabilistic Dependency Logic (IPDL), a simple calculus and proof system for specifying and reasoning about (a certain subclass of) distributed probabilistic computations. The IPDL framework exposes an equational logic on protocols; proofs in our logic consist of a number of rewriting rules, each of which induce a single low-level bisimulation between protocols.

We show how to encode simulation-based security in the style of UC in our logic, and evaluate our logic on a number of case studies; most notably, a semi-honest secure Oblivious Transfer protocol, and a simple multiparty computation protocol robust to Byzantine faults. Due to the novel design of our logic, we are able to deliver mechanized proofs of protocols which we believe are comprehensible to cryptographers without verification expertise. We provide a mechanization in Coq of IPDL and all case studies presented in this work.

This paper describes a vulnerability in Apple's CoreCrypto library, which affects 11 out of the 12 implemented hash functions: every implemented hash function except MD2 (Message Digest 2), as well as several higher-level operations such as the Hash-based Message Authentication Code (HMAC) and the Ed25519 signature scheme. The vulnerability is present in each of Apple's CoreCrypto libraries that are currently validated under FIPS 140-2 (Federal Information Processing Standard). For inputs of about $2^{32}$ bytes (4 GiB) or more, the implementations do not produce the correct output, but instead enter into an infinite loop. The vulnerability shows a limitation in the Cryptographic Algorithm Validation Program (CAVP) of the National Institute of Standards and Technology (NIST), which currently does not perform tests on hash functions for inputs larger than 65 535 bits. To overcome this limitation of NIST's CAVP, we introduce a new test type called the Large Data Test (LDT). The LDT detects vulnerabilities similar to that in CoreCrypto in implementations submitted for validation under FIPS 140-2.

A shuffle argument is a cryptographic primitive for proving correct behaviour of mix-networks without leaking any private information. Several recent constructions of non-interactive shuffle arguments avoid the random oracle model but require the public key to be trusted.

We augment the most efficient argument by Fauzi et al. [Asiacrypt 2017] with a distributed key generation protocol that assures soundness of the argument if at least one party in the protocol is honest and additionally provide a key verification algorithm which guarantees zero-knowledge even if all the parties are malicious. Furthermore, we simplify their construction and improve security by using weaker assumptions while retaining roughly the same level of efficiency. We also provide an implementation to the distributed key generation protocol and the shuffle argument.

Printed Electronics (PE) has a rapidly growing market, thus, the counterfeiting/overbuilding of PE components is anticipated to grow. The common solution for the counterfeiting is Physical Unclonable Functions (PUFs). In PUFs, a unique fingerprint is extracted from (irreproducible) process variations in the production and used in the authentication of valid components. Many commonly used PUFs are electrical PUFs by leveraging the impact of process variations on electrical properties of devices, circuits and chips. Hence, they add overhead to the production which results in additional costs. While such costs may be negligible for many application domains targeted by silicon-based VLSI technologies, they are detrimental to the ultra-low-cost PE applications. In this paper, we propose an optical PUF (iPUF) extracting a fingerprint from the optically visible variation of printed inks in the PE components. Since iPUF does not require any additional circuitry, the PUF production cost consists of merely acquisition, processing and saving an image of the circuit components, matching the requirements of ultra-low-cost margin applications of PE. To further decrease the storage costs for iPUF, we utilize image downscaling resulting in a compression rate of 484x, while still preserving the reliability and uniqueness of the fingerprints. The proposed fingerprint extraction methodology is applied to four datasets for evaluation. The results show that the process variation of the optical shapes of printed inks is suitable as an optical PUF to prevent counterfeiting in PE.

Public key encryption with keyword search (PEKS) was proposed by Boneh et al. in 2004; it allows users to search encrypted keywords without losing data privacy. Although extensive studies have been conducted on this topic, only a few focus on the insider keyword guessing attack that will cause users to leak sensitive information. More specifically, after receiving the trapdoor from the user, the malicious insider (e.g. server) can randomly encrypt possible keywords using the user's public key. Then, the insider can test whether the trapdoor corresponds to the selected keyword. To solve the above issue, we introduce the notion of designated-ciphertext searchable encryption (DCSE) in this work. Then, we propose a generic construction that employs an anonymous identity-based encryption and key encapsulation mechanism. Additionally, we demonstrated that our work satisfies the indistinguishability under chosen-keyword attack (IND-CKA) and indistinguishability under insider keyword guessing attack (IND-IKGA) in the standard model. Moreover, we provide an instantiation from the NTRU lattices. Compared with other state-of-the-art schemes, our scheme is not only more efficient and practical, it also provides more robust security.

Isogenies on elliptic curves are of great interest in post-quantum cryptography and appeal to more and more researchers. Many protocols have been proposed such as OIDH, SIDH and CSIDH with their own advantages. We now focus on the CSIDH which based on the Montgomery curves in finite fields Fp with p=3 mod 8 whose endomorphism ring is O. We try to change the form of elliptic curves into y^2=x^3+Ax^2-x and the characteristic of the prime field into p=7 mod 8 , which induce the endomorphism ring becomes O_K. Moreover, many propositions，including the formula of isogenies between elliptic curves of the special form and the unique of the representation of Fp-isomorphism class, are given to illustrate the rationality of our idea. An important point to notice that the efficiency can't be reduced because the only difference between our formula of isogenies and that of CSIDH is the sign of some items. Furthermore, we also give a proposition that the protocol based on our case can avoid the collision proposed in [17].

In this paper we present a system for maintaining a membership list of users in a group, designed for use in the Signal Messenger secure messaging app. The goal is to support private groups where membership information is readily available to all group members but hidden from the service provider or anyone outside the group. In the proposed solution, a central server stores the group membership in the form of encrypted entries. Members of the group authenticate to the server in a way that reveals only that they correspond to some encrypted entry, then read and write the encrypted entries.

Authentication in our design uses a primitive called a keyed-verification anonymous credential (KVAC), and we construct a new KVAC scheme based on an algebraic MAC, instantiated in a group $\G$ of prime order. The benefit of the new KVAC is that attributes may be elements in $\G$, whereas previous schemes could only support attributes that were integers modulo the order of $\G$. This enables us to encrypt group data using an efficient Elgamal-like encryption scheme, and to prove in zero-knowledge that the encrypted data is certified by a credential. Because encryption, authentication, and the associated proofs of knowledge are all instantiated in $\G$ the system is efficient, even for large groups.

Event date: 29 June to 1 July 2020
Submission deadline: 18 February 2020
Notification: 23 March 2020

Competition funded PhD studentship at the University of York.

Working with Prof. Kahrobaei (the Director of York Interdisciplinary Centre for Cyber Security) and Prof. Wade (the Director of the Centre for Future Health).

Topic: Fully Homomorphic Encryption for Secure Processing of Sensitive Video Game Data by Artificial Intelligence Systems". Application deadline: January 31, 2020.

Fully Homomorphic Encryption (FHE) promises to revolutionise the way we deal with data. It enables researchers to analyze encrypted datasets and obtain useful outputs - safeguarding the privacy of the data providers and broadening the scope of available datasets at the same time. One of the most promising targets for FHE is video game telemetry - a form of data that has vast commercial and health-related potential but which is often hard to share because of issues relating to privacy, security and consent.

This competitively funded PhD studentship is advertised under the IGGI programme (http://www.iggi.org.uk/) - the largest doctoral training programme in advanced video game technology in the world. The student would focus on the theoretical and practical issues involved in implementing a fast and secure next-generation FHE analysis framework based on recent work from PI Delaram Kahrobaei (https://www.cs.york.ac.uk/research/cyber-security/people/). We will iterate development using test datasets from video games in close collaboration with our partners in the video game industry and focus on the secure, private extraction of data relating to worldwide cognitive health.

The student would engage with a full set of the training opportunities presented under the IGGI programme and would gain a broad understanding of the entire video game ecosystem - including design, analytics and applications. In addition, the work would require a deep understanding of the maths and computer science underlying FHE and the student would be supervised by world experts in the fields of both cryptography (PI Kahrobaei) and cognitive neuroscience and game analytics (PI Wade).

We expect candidate to have excellent mathematical skills and some experience in programming.

Closing date for applications:

Contact: Project enquiries: Professor Delaram Kahrobaei (delaram.kahrobaei@york.ac.uk) Professor Alex Wade (alex.wade@york.ac.uk) Application enquiries: apply@iggi.org.uk

More information: http://iggi.org.uk/apply

Project/Job description

Cryptology forms the backbone of modern digital security. While in theory it is known how to make secure cryptosystems that are asymptotically secure, a considerable gap with practice is demonstrated time and again by breaks of practical, implemented cryptosystems, deployed as part of a larger security ecosystem. The project “concrete cryptology” aims to provide concrete and meaningful security guarantees from low-level implementation to high-level deployment.

The postdoc will have considerable freedom in selecting specific problems to work on within the larger scope of the project. One focus is the effect that side-channel attacks that do not result in full key recovery have on security, including provable security, higher up the chain. Another focus is the effect that large-scale deployment deviating from some abstract ideal has.

Candidate Profile

We are looking for interested candidates who have completed, or are about to complete, a PhD degree in cryptology or a suitably related relevant field. We expect an excellent academic track record and will be looking for publications in the relevant venues. Previous experience with the analysis of practical implementations or deployed cryptosystems is an advantage, but a lack of such experience may be compensated for by a demonstrated ability to learn advanced topics in related areas. We are looking for a curious and creative mind.

Closing date for applications:

Contact: Martijn Stam

More information: https://www.simula.no/about/job/call-post-doctoral-fellow-concrete-cryptography

Closing Date: Sunday 5 January 2020 The Department of Computer Science at the University of Surrey, is looking for new faculty members at all academic career levels. I would appreciate your assistance in directing the information to truly outstanding candidates who might be interested in moving to Surrey. We are looking for people in the following areas: machine learning, distributed systems, cloud computing, programming-languages principles, robotics, and the intersection of security and AI, as well as the established areas of cyber security and AI research within the Department. The posts also provide an opportunity to expand our research in new directions including Dev Ops and human factors. The Department has an ambitious growth strategy and very strong student numbers. We are looking to attract talented individuals who will inspire, lead, and make a significant impact in their research and to student experience. The Department is part of a School with the Department of Electrical and Electronic Engineering. The post also provides opportunities to create links with the research centres across the School and the wider University. With respect to the senior positions there is an opportunity for some of the lecturer/senior lecturer posts to support those appointments. We encourage candidates seeking senior positions to engage in discussions with the Department on their vision for leading research. The senior posts will also provide leadership in the Department.

Closing date for applications:

Contact: Professor Helen Treharne Head of Computer Science Department h.treharne@surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=091419

Event date: 3 August to 7 August 2020
Submission deadline: 17 February 2020
Notification: 4 May 2020

In this paper, we propose a new method to launch a more efficient algebraic cryptanalysis. Algebraic cryptanalysis aims at finding the secret key of a cipher by solving a collection of polynomial equations that describe the internal structure of the cipher, while chosen correlated plaintexts, as what appear in higher order differential cryptanalysis and its derivatives such as cube attack or integral cryptanalysis, forces many linear relation between intermediate state bits in the cipher. In this paper, we take these polynomial relations into account, so it become possible to simplify the equation system arising from algebraic cryptanalysis, and consequently solve the polynomial system more efficiently. We take advantage of Universal Proning technique to provide an efficient method to recover such linear polynomials. Another important parameter in algebraic cryptanalysis of ciphers is to effectively describe the cipher. We employ FWBW representation of S-boxes together with Universal Proning to help provide a more powerful algebraic cryptanalysis based on Gröbner-basis computation. We show our method is more efficient than doing algebraic cryptanalysis with MQ representation, and also than employing MQ together with Universal Proning. To show the effectiveness of our approach, we applied it for the cryptanalysis of several light weight block ciphers. A by-product of employing this approach is that we have achieved such an efficiency to algebraic cryptanalyse 12-round LBlock, 6-round MIBS, 7-round PRESENT and 9-round SKINNY light-weight block ciphers, so far.

In this article we put forward an encryption mechanism that dwells on the problem of identifying the correct subset of primes from a known set. By utilizing our specially constructed public key when computing the ciphertext equation, the decryption mechanism can correctly output the shared secret parameter. The scheme has short key length, no decryption failure issues, plaintext-to-ciphertext expansion of one-to-two as well as uses \simple" mathematics in order to achieve maximum simplicity in design, such that even practitioners with limited mathematical background will be able to understand the arithmetic. Due to in-existence of efficient algorithms running upon a quantum computer to obtain the roots of our ciphertext equation and also to retrieve the private key from the public key, our encryption mechanism can be a probable candidate for seamless post quantum drop-in replacement for current traditional asymmetric schemes.