International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

  • via email
  • via RSS feed

18 December 2019

Morteza Adeli, Nasour Bagheri
ePrint Report
Internet of Things (IoT) consists of a large number of interconnected, coexisting heterogeneous entities, including Radio-frequency identification (RFID) based devices and other sensors, to detect and transfer various information such as temperature, personal health data, brightness, etc. Security, in particular authentication, is one of the most important parts of the information security infrastructure in IoT systems. Given that an IoT system has many resource-constrained devices, a goal could be designing a proper authentication protocol that is lightweight and can resist various common attacks targeting such devices. Recently, using Physical Unclonable Functions (PUF) to design lightweight authentication protocols has received a lot of attention among researchers. In this paper, we analyze two recently proposed authentication protocols based on PUF chains called PHEMAP and Salted PHEMAP. We show that these protocols are vulnerable to impersonation, desynchronization and traceability attacks.
Yongge Wang
ePrint Report
We review several widely deployed solutions for the Byzantine Fault Tolerance (BFT) problem and analyze their security in asynchronous networks. There are two types of widely accepted definitions for partial synchronous networks. In the Type I network, a Denial of Service (DoS) attack is not allowed, and in the Type II network, a DoS attack is allowed before the Global Stabilization Time (GST). When a DoS attack is allowed, the point-to-point communication channel and the broadcast channel are not reliable. We show that if either the broadcast channel or the point-to-point communication channel is not reliable (before or after GST), then several widely deployed BFT protocols such as PBFT and Tendermint BFT would reach a deadlock and could not achieve the liveness property. Specifically, we show that if a malicious participant could broadcast a message to a subset of users instead of all users (before or after GST), then PBFT, Tendermint BFT, and several other BFT systems (e.g., Polkadot’s GRANDPA) would reach a deadlock. To make things worse, we show that, for most of our attacks, the adversary only needs to control one participant to carry out the attack instead of controlling (n-1)/3 participants. Thus, these BFT protocols are not secure in Type II partial synchronous networks. Furthermore, in these protocols, if a participant does not receive appropriate messages within a fixed time period, it initiates a view change process. After a view change, participants will no longer accept messages from previous views. Thus our attacks on these protocols in Type II networks will work in the Type I network also. Consequently, these protocols are not secure in any of the widely accepted partial synchronous networks. It should be noted that PBFT has been adopted in many blockchain systems such as Hyperledger Sawtooth, and Tendermint BFT has been adopted in more than 40% of deployed Proof of Stake blockchains such as Cosmos and Hyperledger Burrow.
Based on our analysis of BFT security requirements for partial synchronous networks, we propose a BFT protocol BDLS and prove its security in partial synchronous networks. The BDLS protocol could be used in several application scenarios such as state machine replication or as blockchain finality gadgets.
Norman Lahr, Ruben Niederhagen, Richard Petri, Simona Samardjiska
ePrint Report
This paper presents an attack based on side-channel information and information set decoding on the Niederreiter cryptosystem and an evaluation of the practicality of the attack using a physical side channel. First, we describe a basic plaintext-recovery attack on the decryption algorithm of the Niederreiter cryptosystem. Our attack is an adaptation of the timing side-channel plaintext-recovery attack by Shoufan et al. from 2010 on the McEliece cryptosystem using the non-constant time Patterson's algorithm for decoding. We then enhance our attack by utilizing an Information Set Decoding approach to support the basic attack, and we introduce column chunking to further significantly reduce the number of required side-channel measurements. Our practical evaluation of the attack targets the FPGA implementation of the Niederreiter cryptosystem in the NIST submission "Classic McEliece" with a constant time decoding algorithm and is feasible for all proposed parameter sets of this submission. The attack idea is to distinguish between successful and failed error correction based on the Hamming weight of the decrypted plaintext using the electromagnetic field as a side channel. We theoretically estimate that our attack improvements have a significant impact on reducing the number of required side-channel traces. We confirm our findings experimentally and run successful attacks against the "Classic McEliece" NIST submission parameter sets. E.g., for the 256-bit security parameter set kem/mceliece6960119, we go from a basic attack with 6962 traces, over a plain ISD approach with 5415 traces, down to on average about 606 traces to mount a successful plaintext recovery attack.
Moni Naor, Lior Rotem, Gil Segev
ePrint Report
Given the inherent ad-hoc nature of popular communication platforms, out-of-band authenticated key-exchange protocols are becoming widely deployed: key exchange protocols that enable users to detect man-in-the-middle attacks by manually authenticating one short value. In this work we put forward the notion of immediate key delivery for such protocols, requiring that even if some users participate in the protocol but do not complete it (e.g., due to losing data connectivity or to other common synchronicity issues), then the remaining users should still agree on a shared secret. A property of a similar flavor was introduced by Alwen, Coretti and Dodis (EUROCRYPT '19), asking for immediate decryption of messages in user-to-user messaging while assuming that a shared secret has already been established -- but the underlying issue is crucial already during the initial key exchange and goes far beyond the context of messaging.

Equipped with our immediate key delivery property, we formalize strong notions of security for out-of-band authenticated group key exchange, and demonstrate that the existing protocols either do not satisfy our notions of security or are impractical (these include, in particular, the protocols deployed by Telegram, Signal and WhatsApp). Then, based on the existence of any passively-secure key-exchange protocol (e.g., the Diffie-Hellman protocol), we construct an out-of-band authenticated group key-exchange protocol satisfying our notions of security. Our protocol is inspired by techniques that have been developed in the context of fair string sampling in order to minimize the effect of adversarial aborts, and offers the optimal tradeoff between the length of its out-of-band value and its security.
Colin Boyd, Gareth T. Davies, Kristian Gjøsteen, Yao Jiang
ePrint Report
Updatable encryption allows a client to outsource ciphertexts to some untrusted server and periodically rotate the encryption key. The server can update ciphertexts from an old key to a new key with the help of an update token, received from the client, which should not reveal anything about keys or plaintexts to an adversary. We provide a new and highly efficient updatable encryption scheme called SHINE. Ciphertext generation consists of applying one permutation and one exponentiation (per message block), while updating ciphertexts requires just one exponentiation. We also define a new security notion for updatable encryption schemes that implies prior notions (for schemes with randomized and deterministic updates). We prove that SHINE and the previous best scheme, RISE, are secure under our new definition.
Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehlé, Alexandre Wallet, Keita Xagawa
ePrint Report
Lattices lead to promising practical post-quantum digital signatures, combining asymptotic efficiency with strong theoretical security guarantees. However, tuning their parameters into practical instantiations is a delicate task. On the one hand, NIST round 2 candidates based on Lyubashevsky's design (such as Dilithium and qTESLA) allow several tradeoffs between security and efficiency, but at the expense of a large bandwidth consumption. On the other hand, the hash-and-sign Falcon signature is much more compact and is still very efficient, but it allows only two security levels, with large compactness and security gaps between them. We introduce a new family of signature schemes based on the Falcon design, which relies on module lattices. Our concrete instantiation enjoys the compactness and efficiency of Falcon, and allows an intermediate security level. It leads to the most compact lattice-based signature achieving a quantum security above 128 bits.
Yanyan Liu, Yiru Sun
ePrint Report
In this paper, we extend the notion of server-aided revocable identity-based encryption (SR-IBE) to the hierarchical IBE (HIBE) setting and propose a generic construction of server-aided revocable hierarchical IBE (SR-HIBE) schemes with decryption key exposure resistance (DKER) from any (weak) L-level revocable HIBE scheme without DKER and any (L+1)-level HIBE scheme. In order to realize the server-aided revocation mechanism, we use the “double encryption” technique, and this gives our construction a short ciphertext size. Furthermore, when the maximum hierarchical depth is one, we obtain a generic construction of SR-IBE schemes with DKER from any IBE scheme and two-level HIBE scheme.
Claude Crépeau, Arnaud Massenet, Louis Salvail, Lucas Stinchcombe, Nan Yang
ePrint Report
In this work we consider the following problem: in a Multi-Prover environment, how close can we get to proving the validity of an NP statement in Zero-Knowledge? We exhibit a set of two novel Zero-Knowledge protocols for the 3-COLorability problem that use two (local) provers or three (entangled) provers and only require them to reply with two trits each. This greatly improves the ability to prove Zero-Knowledge statements over very short distances with very minimal equipment.
Karlsruhe Institute of Technology (KIT)
Job Posting

The "Intelligent System Security" research group at Karlsruhe Institute of Technology (KIT) is seeking to fill the position of

Two PhD Students / Research Assistants (f/m/d)
in the field of Computer Security and Artificial Intelligence

Both positions are fully funded with the German salary level TV-L 13 (100%) and should be filled at the soonest possible date. In the beginning, the positions are limited to two years, but they offer the possibility of funding the entire duration of the PhD.

Research

Our research group works on the application of machine learning for computer security. In particular, we develop methods in the area of application security and system security, for instance, approaches for attack detection or vulnerability discovery in software and embedded devices. Also, the robustness, security, and interpretability of machine learning methods are central to our research.

Your Profile

We are looking for talented candidates that fulfill the following criteria and intend to pursue a PhD in computer science:

  • Diploma or Master's degree in computer science or any related field
  • Very good knowledge of computer security and/or machine learning
  • Enthusiasm for conducting research on computer security

Field of Work

Possible research topics include, but are not limited to:

  • The analysis of attacks and malware using machine learning
  • Assisted discovery of vulnerabilities
  • Fuzz Testing (Fuzzing) using machine learning
  • Attacks against learning-based systems
  • Explainability of machine learning in computer security

Application

Please send your application including a cover letter, your CV, and certificates/references to applications@intellisec.org. Make sure to point out why you are a good fit for us and research in computer security.

Application Deadline

12 January 2020

Contact: Christian Wressnegger, https://intellisec.org/chris

More information: https://intellisec.de/jobs/phd-2020-en.html

Technical University of Denmark
Job Posting
DTU Compute’s Section for Cyber Security invites applications for an appointment as Associate Professor/Assistant Professor within cryptology. The position is available from 1 April 2020 or according to mutual agreement. Deadline: January 15, 2020.

Contact: Further information may be obtained from the Head of the Cyber Security Section, Christian Damsgaard Jensen (mail: cdje@dtu.dk), or Professor of Cryptology Lars Ramkilde Knudsen (mail: lrkn@dtu.dk).

More information: https://www.dtu.dk/english/about/job-and-career/vacant-positions/job?id=7b31b1b3-fb26-41cc-9852-59134bb47a9d


16 December 2019

Security & Privacy Group (Academic Centre of Excellence in Cyber Security), University of Birmingham
Job Posting
The University of Birmingham is expecting to receive applications for 1 Post-Doc and 1 PhD who will be performing research in cryptographic engineering. These positions are likely to start in early 2020.

We expect the candidates to have skills in digital circuit design (ASIC or FPGA), hardware/software implementation of algorithms, programming etc.

The Post-Doc and PhD will be working with Dr. Sujoy Sinha Roy and will be based at the Security and Privacy group of the University of Birmingham's School of Computer Science. The National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council (EPSRC) jointly recognise the research group as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR).

If you are interested in the Post-Doc or PhD position, please contact Dr. Sujoy Sinha Roy with a CV. For more information, please visit https://www.cs.bham.ac.uk/~sinharos/

Contact: Dr. Sujoy Sinha Roy (s.sinharoy@cs.bham.ac.uk)

More information: https://www.cs.bham.ac.uk/~sinharos/

Linköping University, Sweden
Job Posting
We are hiring two junior postdocs, each for two or three years, to work on blue-sky research, real world crypto, cryptanalysis, side channels, or interdisciplinary studies of crypto-system failures. Positions available immediately with internationally competitive salaries and research support, but start dates are negotiable.

Our track record includes award-winning papers at Usenix Security, ACM CCS, ACSAC and SOUPS, being a finalist for the Pwnie Award for most innovative research, as well as trailblazing a number of areas, e.g., usable security and differential imaging forensics.

Our research philosophy: have fun; write papers that matter; and make an impact.

Contact: Prof Jeff.Yan@liu.se

Barcelona, Spain, 20 April - 22 April 2020
Event Calendar
Event date: 20 April to 22 April 2020
Bin Wang, Xiaozhuo Gu, Yingshan Yang
ePrint Report
Saber, a CCA-secure lattice-based post-quantum key encapsulation scheme, is one of the second round candidate algorithms in the post-quantum cryptography standardization process of the US National Institute of Standards and Technology (NIST) in 2019. In this work, we provide an efficient implementation of Saber on ESP32, an embedded microcontroller designed for IoT environments with WiFi and Bluetooth support. An RSA coprocessor was used to speed up the polynomial multiplications for a Kyber variant in a CHES 2019 paper. We propose an improved implementation utilizing the big integer coprocessor for the polynomial multiplications in Saber, which has significantly lower software overhead and takes better advantage of the big integer coprocessor on ESP32. By using the fast implementation of polynomial multiplications, our single-core version implementation of Saber takes 1639K, 2123K, 2193K clock cycles on ESP32 for key generation, encapsulation and decapsulation respectively. Benefiting from the dual core feature on ESP32, we speed up the implementation of Saber by rearranging the computing steps and assigning proper tasks to two cores executing in parallel. Our dual-core version implementation takes 1176K, 1625K, 1514K clock cycles for key generation, encapsulation and decapsulation respectively.
D. Papachristoudis, D. Hristu-Varsakelis, F. Baldimtsi, G. Stephanides
ePrint Report
Blind signature schemes (BSS) play a pivotal role in privacy-oriented cryptography. However, with blind signature schemes, the signed message remains unintelligible to the signer, giving them no guarantee that the blinded message they signed actually contained valid information. Partially-blind signature schemes (PBSS) were introduced to address precisely this problem. In this paper we present the first leakage-resilient, lattice-based partially-blind signature scheme in the literature. Our construction is provably secure in the random oracle model (ROM) and offers quasilinear complexity w.r.t. key/signature sizes and signing speed. In addition, it offers statistical partial blindness and its unforgeability is based on the computational hardness of worst-case ideal lattice problems for approximation factors in $\tilde{O}(n^4)$ in dimension $n$. Our scheme benefits from the subexponential hardness of ideal lattice problems and remains secure even if a $(1-o(1))$ fraction of the signer’s secret key leaks to an adversary via arbitrary side-channels. Several extensions of the security model, such as honest-user unforgeability and selective failure blindness, are also considered and concrete parameters for instantiation are proposed.
Thomas Plantard, Arnaud Sipasseuth, Willy Susilo, Vincent Zucca
ePrint Report
The NewHope Key Encapsulation Mechanism (KEM) was presented at USENIX 2016 by Alkim et al. and is one of the remaining lattice-based candidates in the post-quantum standardisation initiated by NIST. However, despite the relative simplicity of the protocol, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work we refine this analysis to get a tight upper bound on this probability, which happens to be much lower than what was originally evaluated. As a consequence we propose a set of alternative parameters, increasing the security and the compactness of the scheme. However, using a smaller modulus prevents the use of a full NTT algorithm to perform multiplications of elements in dimension 512 or 1024. Nonetheless, similarly to previous works, we combine different multiplication algorithms and show that our new parameters have competitive execution times on a constant time vectorized implementation. Our most compact parameters bring a speed-up of 9.5% (resp. an overcost of 3.2%) in performance, but allow a gain of more than 19% on the bandwidth requirements and increase the security by 6% (resp. 4%) in dimension 512 (resp. 1024).
Eshan Chattopadhyay, Jesse Goodman, Vipul Goyal, Xin Li
ePrint Report
Randomness extraction is a fundamental problem that has been studied for over three decades. A well-studied setting assumes that one has access to multiple independent weak random sources, each with some entropy. However, this assumption is often unrealistic in practice. In real life, natural sources of randomness can produce samples with no entropy at all or with unwanted dependence. Motivated by this and applications from cryptography, we initiate a systematic study of randomness extraction for the class of adversarial sources defined as follows.

A weak source $\mathbf{X}$ of the form $\mathbf{X}_1,...,\mathbf{X}_N$, where each $\mathbf{X}_i$ is on $n$ bits, is an $(N,K,n,k)$-source of locality $d$ if the following hold:

(1) Somewhere good sources: at least $K$ of the $\mathbf{X}_i$'s are independent, and each contains min-entropy at least $k$. We call these $\mathbf{X}_i$'s good sources, and their locations are unknown.

(2) Bounded dependence: each remaining (bad) source can depend arbitrarily on at most $d$ good sources.

We focus on constructing extractors with negligible error, in the regime where most of the entropy is contained within a few sources instead of across many (i.e., $k$ is at least polynomial in $K$). In this setting, even for the case of $0$-locality, very little is known prior to our work. For $d \geq 1$, essentially no previous results are known. We present various new extractors for adversarial sources in a wide range of parameters, and some of our constructions work for locality $d = K^{\Omega(1)}$. As an application, we also give improved extractors for small-space sources.

The class of adversarial sources generalizes several previously studied classes of sources, and our explicit extractor constructions exploit tools from recent advances in extractor machinery, such as two-source non-malleable extractors and low-error condensers. Thus, our constructions can be viewed as a new application of non-malleable extractors. In addition, our constructions combine the tools from extractor theory in a novel way through various sorts of explicit extremal hypergraphs. These connections leverage recent progress in combinatorics, such as improved bounds on cap sets and explicit constructions of Ramsey graphs, and may be of independent interest.
David Butler, David Aspinall, Adria Gascon
ePrint Report
Multi-Party Computation (MPC) allows multiple parties to compute a function together while keeping their inputs private. Large scale implementations of MPC protocols are becoming practical, thus it is important to have strong guarantees for the whole development process, from the underlying cryptography to the implementation. Computer aided proofs are a way to provide such guarantees. We use CryptHOL to formalise a framework for reasoning about two party protocols using the security definitions for MPC. In particular we consider protocols for 1-out-of-2 Oblivious Transfer ($OT^1_2$) --- a fundamental MPC protocol --- in both the semi-honest and malicious models. We then extend our semi-honest formalisation to $OT^1_4$, which is a building block for our proof of security for the two party GMW protocol --- a protocol that can securely compute any Boolean circuit. The semi-honest $OT^1_2$ protocol we formalise is constructed from Extended Trapdoor Permutations (ETP); we first prove the general construction secure and then instantiate it for the RSA collection of functions --- a known ETP. Our general proof assumes only the existence of ETPs, meaning any instantiated results come without needing to prove any security properties, only that the requirements of an ETP are met.
Johann Heyszl, Katja Miller, Florian Unterstein, Marc Schink, Alexander Wagner, Horst Gieser, Sven Freud, Tobias Damm, Dominik Klein, Dennis Kügler
ePrint Report
Recent publications describe profiled side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with large, key-dependent variations and results as low as a few bits using only a single attack trace. Unfortunately, they leave important questions unanswered: Is the reported wide distribution of results plausible? Are the results device-specific or more general? What is the impact on the security of 3-key triple-DES? In this contribution, we systematically answer those and several other questions. We also analyze two commercial security controllers, reproducing reported results, while explaining details of algorithmic choices. We verified the overall reduction and large variations in single DES key security levels (49.4 bit mean and 0.9 % of keys < 40 bit) and observe a fraction of keys with exceptionally low security levels, called weak keys. A simplified simulation of device leakage shows that the distribution of security levels is predictable to some extent given a leakage model. We generalize results to other leakage models by attacking the hardware DES accelerator of a general purpose microcontroller. We conclude that weaker keys are mainly caused by switching noise, which is always present in template attacks on any key-schedule, regardless of the algorithm and implementation. Further, we describe a sound approach to estimate 3-key triple-DES security levels from empirical single DES results and find that the impact on the security of 3-key triple-DES is limited (96.1 bit mean and 0.24 % of key-triples < 80 bit).

14 December 2019

University of Kent, Canterbury
Job Posting
The Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) at the University of Kent is a UK government recognised ACE-CSR (Academic Centre of Excellence in Cyber Security Research). The soon-to-be-established Institute of Advanced Studies in Cyber Security and Conflict (SoCyETAL) will further extend the excellent research in cyber security at KirCCS to more inter-disciplinary areas.

KirCCS is calling for applications for three batches of PhD studentships (2+3+20). Five of these studentships for KirCCS academics will be funded by the University of Kent. There are up to 20 more studentships for all academics of the University of Kent, to be funded jointly by the China Scholarship Council (CSC) and the University of Kent.

The 5 University of Kent funded studentships provide full funding for 3 years with an annual stipend at the EPSRC rate (£15,009 p.a. for 2019-20), and a waiver of the home student fees (£4,327 p.a. for 2019-20), totaling £19,336 p.a. (based on 2019-20 figures). The full funding is for "home" students only (eligibility and detailed fees regulations in the UK can be found at https://www.ukcisa.org.uk/Information--Advice/Fees-and-Money/England-fee-status). Candidates who do not meet the "home student" criteria are still eligible to apply, but will need to bring additional funding to cover the difference between the overseas fees (£19,000 p.a. for 2019-20) and the home fees.

The 20 CSC funded studentships provide full funding for (Chinese) applicants who are eligible for PhD studentships from the China Scholarship Council (CSC) only. The full funding for CSC funded (Chinese) students include a stipend of £1,200 per month (£14,400 p.a. for 2019-20) provided by CSC and a waiver of full overseas fees (£19,000 p.a. for 2019-20) by the University of Kent, totaling £33,400 p.a. (based on 2019-20 figures). The CSC will also cover a return flight ticket from China to the UK, medical insurance, and one-off UK visa costs.

All successful candidates are expected to start in September 2020.

Contact: For academic queries (like identifying research topics or supervisors) please contact Prof Shujun Li (s.j.li@kent.ac.uk). For queries on the admission procedure, please contact Dr Laura Bocchi (L.Bocchi@kent.ac.uk).

More information: https://cyber.kent.ac.uk/calls.html#PhDs
