International Association for Cryptologic Research

IACR News

23 December 2019

Leo Weissbart, Stjepan Picek, Lejla Batina
ePrint Report
In profiling side-channel analysis, machine learning-based attacks nowadays offer the most powerful performance. This holds especially for techniques stemming from the neural network family: multilayer perceptrons and convolutional neural networks. Convolutional neural networks are often favored as state-of-the-art results suggest better performance, especially in scenarios where targets are protected with countermeasures. The multilayer perceptron receives much less attention and researchers seem less interested in this technique, narrowing the results in the literature to comparisons with convolutional neural networks. Yet, a multilayer perceptron has a much simpler structure, which enables easier hyperparameter tuning and, hopefully, could contribute to the explainability of this neural network's inner workings.

In this paper, we investigate the behavior of a multilayer perceptron in detail in the context of the side-channel analysis of AES. By exploring the sensitivity of multilayer perceptron hyperparameters over the performance of the attack, we aim at providing a better understanding of successful hyperparameters tuning, and ultimately, the performance of this algorithm. Our results show that MLP (with a proper hyperparameter tuning) can easily break implementations having a random delay or masking countermeasures.
Bishwajit Chakraborty, Ashwin Jha, Mridul Nandi
ePrint Report
The sponge duplex is a popular mode of operation for constructing authenticated encryption schemes. In fact, one can assess the popularity of this mode from the fact that around 25 out of the 56 round 1 submissions to the ongoing NIST lightweight cryptography (LwC) standardization process are based on this mode. Among these, 14 sponge-type constructions are selected for the second round consisting of 32 submissions. In this paper, we generalize the duplexing interface of the duplex mode, which we call Transform-then-Permute. It encompasses Beetle as well as a new sponge-type mode SpoC (both are round 2 submissions to NIST LwC). We show a tight security bound for Transform-then-Permute based on a $b$-bit permutation, which reduces to finding an exact estimation of the expected number of multi-chains (defined in this paper). As a corollary of our general result, the authenticated encryption advantage of Beetle and SpoC is about $T(D+r2^r)/2^b$, where $T$, $D$ and $r$ denote the number of offline queries (related to the running time of the algorithm), the number of construction queries (related to data complexity) and the rate of the construction (related to efficiency). Previously the same bound has been proved for Beetle under the limitation that $T \ll \mathsf{min}\{2^r,2^{b/2}\}$ (which forced the choice of a larger permutation with a higher rate). In the context of the NIST LwC requirement, SpoC based on a 192-bit permutation achieves the desired security with a 64-bit rate, which is not achieved by either duplex or Beetle (as per the previous analysis).
Lichao Wu, Stjepan Picek
ePrint Report
In profiled side-channel analysis, deep learning-based techniques have proved to be very successful even when attacking targets protected with countermeasures. Still, this does not mean that countermeasures do not make the attacks more difficult or that deep learning attacks will always succeed. As such, to improve the performance of attacks, an intuitive solution is to remove the effect of countermeasures. In this paper, we investigate whether we can consider certain types of countermeasures as noise and then use deep learning to remove that noise. We conduct a detailed analysis of four different types of noise and countermeasures, either separately or combined, and show that in all scenarios a denoising autoencoder improves the attack performance significantly.
Nils Wisiol, Christopher Mühl, Niklas Pirnay, Phuong Ha Nguyen, Marian Margraf, Jean-Pierre Seifert, Marten van Dijk, Ulrich Rührmair
ePrint Report
We demonstrate that the Interpose PUF proposed at CHES 2019, an Arbiter PUF based design for so-called Strong Physical Unclonable Functions (PUFs), can be modeled by novel machine learning strategies up to very substantial sizes and complexities. Our attacks require in the most difficult cases considerable, but realistic, numbers of CRPs, while consuming only moderate computation times, ranging from a few seconds to a few days. The attacks build on a new divide-and-conquer approach that allows us to model the two building blocks of the Interpose PUF separately. For non-reliability based Machine Learning (ML) attacks, this eventually leads to attack times on $(k_\text{up},k_\text{down})$-Interpose PUFs that are comparable to the ones against $\max\{k_\text{up}, k_\text{down}\}$-XOR Arbiter PUFs, refuting the original claim that Interpose PUFs provide security similar to $(k_\text{down}+\frac{k_\text{up}}{2})$-XOR Arbiter PUFs (CHES 2019). On the technical side, our novel divide-and-conquer technique might also be useful in analyzing other designs where XOR Arbiter PUF challenge bits are unknown to the attacker.
Jan Camenisch, Maria Dubovitskaya, Patrick Towa
ePrint Report
Encryption is an indispensable tool for securing digital infrastructures as it reduces the problem of protecting the data to just protecting decryption keys. Unfortunately, this also makes it easier for users to share protected data by simply sharing decryption keys. Kiayias and Tang (ACM CCS 2013) were the first to address this important issue pre-emptively rather than a posteriori like traitor tracing schemes do. They proposed leakage-deterring encryption schemes that work as follows. For each user, a piece of secret information valuable to her is embedded into her public key. As long as she does not share her ability to decrypt with someone else, her secret is safe. As soon as she does, her secret is revealed to her beneficiaries. However, their solution suffers from serious drawbacks: (1) their model requires a fully-trusted registration authority that is privy to user secrets; (2) it only captures a CPA-type of privacy for user secrets, which is a very weak guarantee; (3) in their construction, which turns any public-key encryption scheme into a leakage-deterring one, the new public keys consist of linearly (in the bit-size of the secrets) many public keys of the original scheme, and the ciphertexts are large. In this paper, we redefine leakage-deterring schemes. We remove the trust in the authority and guarantee full protection of user secrets under CCA attacks. Furthermore, in our construction, all keys and ciphertexts are short and constant in the size of the secrets. We achieve this by taking a different approach: we require users to periodically refresh their secret keys by running a protocol with a third party. Users do so anonymously, which ensures that they cannot be linked, and that the third party cannot perform selective failure attacks. We then leverage this refresh protocol to allow for the retrieval of user secrets in case they share their decryption capabilities.
This refresh protocol also allows for the revocation of user keys and for the protection of user secrets in case of loss or theft of a decryption device. We provide security definitions for our new model as well as efficient instantiations that we prove secure.
Lukas Malina, Gautam Srivastava, Petr Dzurenda, Jan Hajny, Sara Ricci
ePrint Report
The world has seen an influx of connected devices through both smart devices and smart cities, paving the path forward for the Internet of Things (IoT). These emerging intelligent infrastructures and applications based on IoT can be beneficial to users only if essential privacy and security features are assured. However, with constrained devices being the norm in IoT, security and privacy are often minimized. In this paper, we first categorize various existing privacy-enhancing technologies (PETs) and assess their suitability for privacy-requiring services within IoT. We also categorize potential privacy risks, threats, and leakages related to various IoT use cases. Furthermore, we propose a simple novel privacy-preserving framework based on a set of suitable privacy-enhancing technologies in order to maintain security and privacy within IoT services. Our study can serve as a baseline of privacy-by-design strategies applicable to IoT based services, with a particular focus on smart things, such as safety equipment.
Carsten Baum, Tore K. Frederiksen, Julia Hesse, Anja Lehmann, Avishay Yanai
ePrint Report
Single Sign-On (SSO) is becoming an increasingly popular authentication method for users that leverages a trusted Identity Provider (IdP) to bootstrap secure authentication tokens from a single user password. It alleviates some of the worst security issues of passwords, as users no longer need to memorize individual passwords for all service providers, and it removes the burden on these services to properly protect huge password databases. However, SSO also introduces a single point of failure. If compromised, the IdP can impersonate all users and learn their master passwords. To remedy this risk while preserving the advantages of SSO, Agrawal et al. (CCS'18) recently proposed a distributed realization termed PASTA (password-authenticated threshold authentication) which splits the role of the IdP across $n$ servers. While PASTA is a great step forward and guarantees security as long as not all servers are corrupted, it uses a rather inflexible corruption model: servers cannot be corrupted adaptively and, even worse, cannot recover from corruption. The latter is known as proactive security and allows servers to re-share their keys, thereby rendering all previously compromised information useless.

In this work, we improve upon the work of PASTA and propose a distributed SSO protocol with proactive and adaptive security (PESTO), guaranteeing security as long as not all servers are compromised at the same time. We prove our scheme secure in the UC framework, which is known to provide the best security guarantees for password-based primitives. The core of our protocol are two new primitives we introduce: partially-oblivious distributed PRFs and a class of distributed signature schemes. Both allow for non-interactive refreshes of the secret key material and tolerate adaptive corruptions. We give secure instantiations based on the gap one-more BDH and RSA assumptions respectively, leading to a highly efficient 2-round PESTO protocol. We also present an implementation and benchmark of our scheme in Java, realizing OAuth-compatible bearer tokens for SSO, demonstrating the viability of our approach.
Georg Maringer, Tim Fritzmann, Johanna Sepúlveda
ePrint Report
Learning with Errors (LWE) and Ring-LWE (RLWE) problems allow the construction of efficient key exchange and public-key encryption schemes. However, while the use of error distributions with large standard deviations improves security, the decryption failure rate increases as well. Currently, the independence of individual coefficient failures is assumed in order to estimate the overall decryption failure rate of many LWE/RLWE schemes. However, previous work has shown that this assumption is not correct. This assumption leads to wrong estimates of the decryption failure probability and consequently of the security level of the LWE/RLWE cryptosystem. An exploration of the influence of the LWE/RLWE parameters on the stochastic dependence among the coefficients is still missing. In this paper, we propose a method to analyze the stochastic dependence between decryption failures in LWE/RLWE cryptosystems. We present two main contributions. First, we use statistical methods to analyze the influence of fixing the norm of the error distribution on the stochastic dependence among decryption failures. The results show that fixing the norm of the error distribution indeed reduces the stochastic dependence of decryption failures. Therefore, the independence assumption gives a very close approximation to the true behavior of the cryptosystem. Second, we analyze and explore the influence of the LWE/RLWE parameters on the stochastic dependence. This exploration gives designers of LWE/RLWE based schemes the opportunity to compare different schemes with respect to the inaccuracy made by using the independence assumption. This work shows that the stochastic dependence depends on three LWE/RLWE parameters in different ways: i) it increases with higher lattice dimensions ($n$) and higher standard deviations of the error distribution ($\sqrt{k/2}$); and ii) it decreases with a higher modulus ($q$).
Jung Hee Cheon, Duhyeong Kim, Taechan Kim, Yongha Son
ePrint Report
A trapdoor over NTRU lattices proposed by Ducas, Lyubashevsky and Prest (ASIACRYPT 2014) has been widely used in various cryptographic primitives such as identity-based encryption (IBE) and digital signatures, due to its high efficiency compared to previous lattice trapdoors. However, most applications use this trapdoor with power-of-two cyclotomic rings, and hence to obtain a higher security level one should double the ring dimension, which results in a huge loss of efficiency.

In this paper, we give a new way to overcome this problem by introducing a generalized notion of NTRU lattices which we call \emph{Module-NTRU} (MNTRU) lattices, and show how to efficiently generate a trapdoor over MNTRU lattices. Moreover, beyond giving parameter flexibility, we further show that the Gram-Schmidt norm of the trapdoor can reach about $q^{1/d}$, where MNTRU covers the cases $d \ge 2$ and includes NTRU as the case $d = 2$. Since the efficiency of trapdoor-based IBE is closely related to the Gram-Schmidt norm of the trapdoor, our trapdoor over MNTRU lattices yields a more efficient IBE scheme than the previously best one of Ducas, Lyubashevsky and Prest, while providing the same security level.
Andrew M. K. Nassief
ePrint Report
Distributed computational networks allow for effective hardware encryption systems and the rise of Quantum level encryption as well as Qubit based processing. Part of the reason distributed architecture can lead to Qubit level encryption is that similar mechanisms apply to cryptographic hashing. In the work presented in this paper, we will look at the decentralized-internet SDK and protocol, grid computing architecture, and mathematical approaches to parallel Qubit-based processing. The utilization of hardware oriented cryptography, modeled around distributed computing, will allow for an even more secure approach to Quantum authentication. The importance of works such as these is due to the lack of security classical computing has in relation to encryption. Once mathematical formalities surpass NP-hardness, classical encryption mechanisms can be easily surpassed. However, a latent model for increased complexity in post-quantum level encryption likely forbids this trade-off. Given that Quantum Algorithms speed up superpolynomially, deterministic NP-hardness would likely pose less harm to quantum encryption networks. Furthermore, with Qubit-based parallel processing, complexity models for encryption can harden in difficulty over time.
Edward Eaton, Fang Song
ePrint Report
In a highly influential paper from fifteen years ago, Canetti, Goldreich, and Halevi showed a fundamental separation between the Random Oracle Model (ROM) and the Standard Model. They constructed a signature scheme which can be shown to be secure in the ROM, but is insecure when instantiated with any hash function (and thus insecure in the standard model). In 2011, Boneh et al. defined the notion of the Quantum Random Oracle Model (QROM), where queries to the random oracle may be made in quantum superposition. Because the QROM generalizes the ROM, a proof of security in the QROM is stronger than one in the ROM. This leaves open the possibility that security in the QROM could imply security in the standard model. In this work, we show that this is not the case, and that security in the QROM cannot imply standard model security. We do this by showing that the original schemes that show a separation between the standard model and the ROM are also secure in the QROM. We consider two schemes that establish such a separation, one with length-restricted messages, and one without, and show both to be secure in the QROM. Our results give further understanding to the landscape of proofs in the ROM versus the QROM or standard model, and point towards the QROM and ROM being much closer to each other than either is to standard model security.

22 December 2019

Kyiv, Ukraine, 1 May - 22 May 2020
Event Calendar
Event date: 1 May to 22 May 2020
Submission deadline: 22 February 2020

20 December 2019

University of Wollongong
Job Posting
The Institute of Cybersecurity and Cryptology (iC2), as a part of the School of Computing and Information Technology (SCIT), is seeking a Lecturer with expertise in cyber security. The primary task of this position is to support the newly developed online course in the Master of Cyber Security. Experience with delivering online courses in cyber security is highly desirable.

Closing date for applications:

Contact: Professor Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=191851&tz=GMT%2B11%3A00&tzname=Australia%2FSydney

University of Wollongong
Job Posting
The Institute of Cybersecurity and Cryptology (iC2), as a part of the School of Computing and Information Technology (SCIT), is looking to recruit two new staff members (Level B), ideally ready to start teaching in Spring 2020, predominantly to meet the teaching requirements of UOW's SWS undertaking. SCIT aims to be a world class Research School and this position is expected to contribute towards that aim. One important part of the degrees offered by SCIT is the Bachelor of Computer Science (majoring in cybersecurity) and the Master of Computer Science (with a major in Information Security).

Closing date for applications:

Contact: Professor Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=191859&tz=GMT%2B11%3A00&tzname=Australia%2FSydney

University of Wollongong
Job Posting
The Institute of Cybersecurity and Cryptology (iC2), as a part of the School of Computing and Information Technology (SCIT), is seeking a full-time continuing Associate Professor with expertise in cyber security. The position will act as the Academic Program Director for delivering a new degree, the Master in Cyber Security.

Closing date for applications:

Contact: Willy Susilo

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=191858&tz=GMT%2B11%3A00&tzname=Australia%2FSydney


19 December 2019

Paris, France, 8 July - 10 July 2020
Event Calendar
Event date: 8 July to 10 July 2020
Submission deadline: 14 February 2020
Notification: 15 April 2020

18 December 2019

Daniel R. L. Brown
ePrint Report
Simplistic assumptions, modeling attack discovery by a Poisson point process, lead to quantifiable statistical estimates for security assurances, supporting the wisdom that more independent effort spent on cryptanalysis leads to better security assurance, but hinting that security assurance also relies significantly upon general optimism.

The estimates also suggest somewhat better security assurance from compounding two independent cryptosystems, but perhaps not enough to outweigh the extra cost.
Marshall Ball, Dana Dachman-Soled, Mukul Kulkarni
ePrint Report
We investigate the minimal assumptions necessary for minimal interaction zero-knowledge type primitives—ZAPs (two-round, public coin, witness indistinguishable proofs), NIWI (non-interactive witness indistinguishable proofs) and NIZK (non-interactive zero-knowledge proofs)—in the standard (no trusted setup) model. Since our goal is to obtain constructions from Minicrypt and/or worst-case assumptions only, we consider the setting where the prover is computationally more powerful than the simulator/zero-knowledge distinguisher. This covers both the traditional setting of computationally unbounded provers, as well as a new “fine-grained” setting that we introduce, where the prover is polynomial time and the verifier/simulator/zero-knowledge adversary are in a lower complexity class, such as NC1.

We present constructions of ZAPs and NIWI for AM from Minicrypt and worst-case assumptions. We also present (a form of) NIZK with uniform soundness for NP, from Minicrypt and worst-case assumptions. We present analogous “fine-grained” constructions of all of the above, where the zero-knowledge adversary is limited to NC1. Specifically, we achieve “fine-grained” ZAPs and NIWI for NP from worst-case assumptions only and achieve a form of “fine-grained” NIZK with uniform soundness for NP from worst-case and Minicrypt assumptions.
Amin Rezaei, Yuanqi Shen, Hai Zhou
ePrint Report
The active participation of external entities in the manufacturing flow has produced numerous hardware security issues, among which piracy and overproduction are likely to be the most ubiquitous and expensive ones. The main approach to prevent unauthorized products from functioning is logic encryption, which inserts key-controlled gates into the original circuit in such a way that the valid behavior of the circuit only occurs when the correct key is applied. The challenge for the security designer is to ensure that neither the correct key nor the original circuit can be revealed by different analyses of the encrypted circuit. However, in state-of-the-art logic encryption works, a lot of performance is sold to guarantee security against powerful logic and structural attacks. This contradicts the primary purpose of logic encryption, which is to protect a precious design from being pirated and overproduced. In this paper, we propose a bilateral logic encryption platform that maintains a high degree of security with small circuit modification. The robustness against exact and approximate attacks is also demonstrated.
Sigurd Eskeland
ePrint Report
Common to the overwhelming majority of privacy-preserving greater-than integer comparison schemes is that cryptographic computations are conducted in a bitwise manner. To ensure secrecy, each bit must be encoded in such a way that nothing is revealed to the opposite party. The most noted disadvantage is that the computational and communication cost of the bitwise encoding is at best linear in the number of bits. Also, many proposed schemes have complex designs that may be difficult to implement and are not intuitive. Carlton et al. proposed in 2018 an interesting scheme that avoids bitwise decomposition and works on whole integers. A variant was proposed by Bourse et al. in 2019. In this paper, we show that in particular the Bourse scheme does not provide the claimed security. Inspired by the two mentioned papers, we propose a comparison scheme with a somewhat simpler construction and with clear security reductions.