International Association
for Cryptologic Research

We construct a general purpose secure multiparty computation protocol which remains secure under (a-priori) bounded-concurrent composition and makes only black-box use of cryptographic primitives. Prior to our work, constructions of such protocols required non-black-box usage of cryptographic primitives; alternatively, black-box constructions could only be achieved for super-polynomial simulation based notions of security which offer incomparable security guarantees.

Our protocol has a constant number of rounds and relies on standard polynomial-hardness assumptions, namely, the existence of semi-honest oblivious transfers and collision-resistant hash functions. Previously, such protocols were not known even under sub-exponential assumptions.

Onion routing is a popular, efficient and scalable method for enabling anonymous communications. To send a message m to Bob via onion routing, Alice picks several intermediaries, wraps m in multiple layers of encryption — one per intermediary — and sends the resulting “onion” to the first intermediary. Each intermediary “peels” a layer of encryption and learns the identity of the next entity on the path and what to send along; finally Bob learns that he is the recipient, and recovers the message m.

Despite its wide use in the real world (e.g., Tor, Mixminion), the foundations of onion routing have not been thoroughly studied. In particular, although two-way communication is needed in most instances, such as anonymous Web browsing, or anonymous access to a resource, until now no definitions or provably secure constructions have been given for two-way onion routing.

In this paper, we propose an ideal functionality for a repliable onion encryption scheme and provide a construction that UC-realizes it.

Following recent comments in a NIST document related to threshold cryptographic standards, we examine the case of thresholdizing the HashEdDSA signature scheme. This is a deterministic signature scheme based on Edwards elliptic curves. Unlike DSA, it has a Schnorr like signature equation, which is an advantage for threshold implementations, but it has the disadvantage of having the ephemeral secret obtained by hashing the secret key and the message. We show that one can obtain relatively efficient implementations of threshold HashEdDSA with no modifications to the behaviour of the signing algorithm; we achieve this using a doubly-authenticated bit (daBit) generation protocol tailored for Q2 access structures, that is more efficient than prior work. However, if one was to modify the standard algorithm to use an MPC-friendly hash function, such as Rescue, the performance becomes very fast indeed.

In this paper we spot light on dedicated quantum collision attacks on concrete hash functions, which has not received much attention so far. In the classical setting, the generic complexity to find collisions of an $n$-bit hash function is $O(2^{n/2})$, thus classical collision attacks based on differential cryptanalysis such as rebound attacks build differential trails with probability higher than $2^{-n/2}$. By the same analogy, generic quantum algorithms such as the BHT algorithm find collisions with complexity $O(2^{n/3})$. With quantum algorithms, a pair of messages satisfying a differential trail with probability $p$ can be generated with complexity $p^{-1/2}$. Hence, in the quantum setting, some differential trails with probability up to $2^{-2n/3}$ that cannot be exploited in the classical setting may be exploited to mount a collision attack in the quantum setting. In particular, the number of attacked rounds may increase. In this paper, we attack two international hash function standards: AES-MMO and Whirlpool. For AES-MMO, we present a $7$-round differential trail with probability $2^{-80}$ and use it to find collisions with a quantum version of the rebound attack, while only $6$ rounds can be attacked in the classical setting. For Whirlpool, we mount a collision attack based on a $6$-round differential trail from a classical rebound distinguisher with a complexity higher than the birthday bound. This improves the best classical attack on 5 rounds by 1. We also show that those trails are optimal in our approach. Our results have two important implications. First, there seems to exist a common belief that classically secure hash functions will remain secure against quantum adversaries. Indeed, several second-round candidates in the NIST post-quantum competition use existing hash functions, say SHA-3, as quantum secure ones. Our results disprove this common belief. Second, our observation suggests that differential trail search should not stop with probability $2^{-n/2}$ but should consider up to $2^{-2n/3}$. Hence it deserves to revisit the previous differential trail search activities.

We study the isogenies of certain abelian varieties over finite fields with non-commutative endomorphism algebras with a view to potential use in isogeny-based cryptography. In particular, we show that any two such abelian varieties with endomorphism rings maximal orders in the endomorphism algebra are linked by a cyclic isogeny of prime degree.

Triggered by the increasing deployment of embedded cryptographic devices (e.g., for the IoT), the design of authentication, encryption and authenticated encryption schemes enabling improved security against side-channel attacks has become an important research direction. Over the last decade, a number of modes of operation have been proposed and analyzed under different abstractions. In this paper, we investigate the practical consequences of these findings. For this purpose, we first translate the physical assumptions of leakage-resistance proofs into minimum security requirements for implementers. Thanks to this (heuristic) translation, we observe that (i) security against physical attacks can be viewed as a tradeoff between mode-level and implementation-level protection mechanisms, and (ii) security requirements to guarantee confidentiality and integrity in front of leakage can be concretely different for the different parts of an implementation. We illustrate the first point by analyzing several modes of operation with gradually increased leakage-resistance. We illustrate the second point by exhibiting leveled implementations, where different parts of the investigated schemes have different security requirements against leakage, leading to performance improvements when high physical security is needed. We finally initiate a comparative discussion of the different solutions to instantiate the components of a leakage-resistant authenticated encryption scheme.

Side-channel analysis constitutes a powerful attack vector against crypto- graphic implementations. Techniques such as power and electromagnetic side-channel analysis have been extensively studied to provide an efficient way to recover the secret key used in cryptographic algorithms. To protect against such attacks, countermea- sure designers have developed protection methods, such as masking and hiding, to make the attacks harder. However, due to significant overheads, these protections are sometimes deployed only at the beginning and the end of encryption, which are the main targets for side-channel attacks.

In this paper, we present a methodology for side-channel assisted differential crypt- analysis attack to target middle rounds of block cipher implementations. Such method presents a powerful attack vector against designs that normally only protect the beginning and end rounds of ciphers. We generalize the attack to SPN based ciphers and calculate the effort the attacker needs to recover the secret key. We provide experimental results on 8-bit and 32-bit microcontrollers. We provide case studies on state-of-the-art symmetric block ciphers, such as AES, SKINNY, and PRESENT. Furthermore, we show how to attack shuffling-protected implementations.

Inner product functional encryption (IPFE) [1] is a popular primitive which enables inner product computations on encrypted data. In IPFE, the ciphertext is associated with a vector x, the secret key is associated with a vector y and decryption reveals the inner product <x,y>. Previously, it was known how to achieve adaptive indistinguishability (IND) based security for IPFE from the DDH, DCR and LWE assumptions [8]. However, in the stronger simulation (SIM) based security game, it was only known how to support a restricted adversary that makes all its key requests either before or after seeing the challenge ciphertext, but not both. In more detail, Wee [46] showed that the DDH-based scheme of Agrawal et al. (Crypto 2016) achieves semi-adaptive simulation-based security, where the adversary must make all its key requests after seeing the challenge ciphertext. On the other hand, O'Neill showed that all IND-secure IPFE schemes (which may be based on DDH, DCR and LWE) satisfy SIM-based security in the restricted model where the adversary makes all its key requests before seeing the challenge ciphertext.

In this work, we resolve the question of SIM-based security for IPFE by showing that variants of the IPFE constructions by Agrawal et al., based on DDH, Paillier and LWE, satisfy the strongest possible adaptive SIM-based security where the adversary can make an unbounded number of key requests both before and after seeing the (single) challenge ciphertext. This establishes optimal security of the IPFE schemes, under all hardness assumptions on which it can (presently) be based.

Lattices used in cryptography are integer lattices. Defining and generating a "random integer lattice" are interesting topics. A generation algorithm for random integer lattice can be used to serve as a random input of all the lattice algorithms. In this paper, we recall the definition of random integer lattice given by G.Hu et al. and present an improved generation algorithm for it via Hermite Normal Form. It can be proved that with probability >= 0.99, this algorithm outputs an n-dim random integer lattice within O(n^2) operations.

The Universal Composability (UC) framework (FOCS '01) is the current gold standard for proving security of interactive cryptographic protocols. Proving security of a protocol in UC is an assurance that the theoretical model of a protocol does not have any obvious bugs, in particular when using it as part of a larger construction. UC allows to reason about complex structures in a bottom-up fashion by talking about the individual components and how they are composed. It thereby simplifies the construction of complex secure protocols. Due to certain design choices of the UC framework, realizing certain security notions such as verifiability is cumbersome and ``obviously secure'' constructions require rather strong and thus in practice expensive individual building blocks. In this work we give the first formal study of Non-Interactive Public Verifiability of UC protocols. As Non-Interactive Public Verifiability is crucial when composing protocols with a distributed ledger, it can be beneficial when designing these with formal security in mind. We give a thorough discussion and formalization of what Non-interactive Public Verifiability means in the Universal Composability Framework and construct a general transformation that achieves this notion for a large class of cryptographic protocols. Our framework furthermore allows to reason about the composition of Non-Interactive Publicly Verifiable primitives.

This work introduces a new non-interactive key-exchange protocol, based on the hardness of the Code Equivalence Problem, a staple problem in coding theory. The protocol is modelled on the Diffie-Hellman framework. The novelty of the construction resides in the use of the code equivalence problem as the sole hardness assumption. To the best of our knowledge, our construction represents the first code-based non-interactive key-exchange protocol, and in fact, the first post-quantum scheme of this kind which is not built upon supersingular isogenies. Our scheme provides significantly better performance than its isogeny counterparts in terms of execution time (at the cost of larger keys). This performance trade-off is favorable to users in most of the cases where the bandwidth is not severely constrained.

SodsBC is an efficient, quantum-safe, and asynchronous blockchain. SodsBC uses only quantum-safe cryptographic tools and copes with at most $f$ malicious (aka Byzantine) participants, where the number of all participants $n=3f+1$. Our blockchain architecture follows the asynchronous secure multi-party computation (ASMPC) paradigm where honest participants agree on a consistent union of several block parts. Every participant proposes a block part, encrypted by a symmetric scheme, utilizing an efficient reliable broadcast protocol. The encryption key is distributed in the form of secret shares, and reconstructed after blockchain consensus. All broadcast instances are finalized by independent binary Byzantine agreement consuming continuously produced common random coins.

SodsBC continuously produces a stream of distributed secrets by asynchronous weak secret sharing batches accompanied by Merkle tree branches for future verification in the secret reconstruction. The finished secret shares are ordered in the same ASMPC architecture and combined to form random coins. Interestingly, SodsBC achieves the blockchain consensus, while the blockchain simultaneously offers an agreement on available new coins. Fresh distributed secrets also provide SodsBC with forward secrecy. Secret leakage does not affect future blocks. The SodsBC cloud prototype outperforms centralized payment systems (e.g., VISA) and state of the art asynchronous blockchains. The SodsBC extension to a permissionless blockchain is also sketched.

We study interactive proof systems (IPSes) in a strong adversarial setting where the machines of {\em honest parties} might be corrupted and under control of the adversary. Our aim is to answer the following, seemingly paradoxical, questions:

- Can Peggy convince Vic of the veracity of an NP statement, without leaking any information about the witness even in case Vic is malicious and Peggy does not trust her computer? - Can we avoid that Peggy fools Vic into accepting false statements, even if Peggy is malicious and Vic does not trust her computer?

At EUROCRYPT 2015, Mironov and Stephens-Davidowitz introduced cryptographic reverse firewalls (RFs) as an attractive approach to tackling such questions. Intuitively, a RF for Peggy/Vic is an external party that sits between Peggy/Vic and the outside world and whose scope is to sanitize Peggy's/Vic's incoming and outgoing messages in the face of subversion of her/his computer, {\em e.g.}\ in order to destroy subliminal channels.

In this paper, we put forward several natural security properties for RFs in the concrete setting of IPSes. As our main contribution, we construct efficient RFs for different IPSes derived from a large class of Sigma protocols that we call malleable.

A nice feature of our design is that it is completely transparent, in the sense that our RFs can be directly applied to already deployed IPSes, without the need to re-implement them.

Oblivious Random Access Machine (ORAM) allows a client to hide the access pattern and thus, offers a strong level of privacy for data outsourcing. An ideal ORAM scheme is expected to offer desirable properties such as low client bandwidth, low server computation overhead and the ability to compute over encrypted data. S3ORAM (CCS’17) is an efficient active ORAM scheme, which takes advantage of secret sharing to provide ideal properties for data outsourcing such as low client bandwidth, low server computation and low delay. Despite its merits, S3ORAM only offers security in the semi-honest setting. In practice, an ORAM protocol is likely to operate in the presence of malicious adversaries who might deviate from the protocol to compromise the client privacy.

In this paper, we propose MACAO, a new multi-server ORAM framework, which offers integrity, access pattern obliviousness against active adversaries, and the ability to perform secure computation over the accessed data. MACAO harnesses authenticated secret sharing techniques and tree-ORAM paradigm to achieve low client communication, efficient server computation, and low storage overhead at the same time. We fully implemented MACAO and conducted extensive experiments in real cloud platforms (Amazon EC2) to validate the performance of MACAO compared with the state-of-the-art. Our results indicate that MACAO can achieve comparable performance to S3ORAM while offering security against malicious adversaries. MACAO is a suitable candidate for integration into distributed file systems with encrypted computation capabilities towards enabling an oblivious functional data outsourcing infrastructure.

Logic locking has been proposed as strong protection of intellectual property (IP) against security threats in the IC supply chain especially when the fabrication facility is untrusted. Such techniques use additional locking circuitry to inject incorrect behavior into the digital functionality when the key is incorrect. A family of attacks known as "SAT attacks" provides a strong mathematical formulation to find the correct key of locked circuits. Many conventional SAT-resilient logic locking schemes fail to inject sufficient error into the circuit when the key is incorrect: there are usually very few (or only one) input minterms that cause any error at the circuit output. The state-of-the-art stripped functionality logic locking (SFLL) technique provides a wide spectrum of configurations that introduced a trade-off between security (i.e. SAT attack complexity) and effectiveness (i.e. the amount of error injected by a wrong key). In this work, we prove that such a trade-off is universal among all logic locking techniques. In order to attain high effectiveness of locking without compromising security, we propose a novel secure and effective logic locking scheme, called Strong Anti-SAT (SAS). SAS has the following significant improvements over existing techniques. (1) We prove that SAS's security against SAT attack is not compromised by increases in effectiveness. (2) In contrast to prior work which focused solely on the circuit-level locking impact, we integrate SAS-locked modules into an 80386 processor and show that SAS has a high application-level impact. (3) SAS's hardware overhead is smaller than that of existing techniques.

Neural networks have become increasingly prevalent in many real-world applications including security-critical ones. Due to the high hardware requirement and time consumption to train high-performance neural network models, users often outsource training to a machine-learning-as-a-service (MLaaS) provider. This puts the integrity of the trained model at risk. In 2017, Liu et. al. found that, by mixing the training data with a few malicious samples of a certain trigger pattern, hidden functionality can be embedded in the trained network which can be evoked by the trigger pattern. We refer to this kind of hidden malicious functionality as neural Trojans. In this paper, we survey a myriad of neural Trojan attack and defense techniques that have been proposed over the last few years. In a neural Trojan insertion attack, the attacker can be the MLaaS provider itself or a third party capable of adding or tampering with training data. In most research on attacks, the attacker selects the Trojan's functionality and a set of input patterns that will trigger the Trojan. Training data poisoning is the most common way to make the neural network acquire Trojan functionality. Trojan embedding methods that modify the training algorithm or directly interfere with the neural network's execution at the binary level have also been studied. Defense techniques include detecting neural Trojans in the model and/or Trojan trigger patterns, erasing the Trojan's functionality from the neural network model, and bypassing the Trojan. It was also shown that carefully crafted neural Trojans can be used to mitigate other types of attacks. We systematize the above attack and defense approaches in this paper.

Eurocrypt 2020 will take place in Zagreb, Croatia on May 10-14, 2020.

The registration site is now open. Please note that the early bird registration will end on April 10th (anywhere on earth). After that deadline, a late registration fee will be charged.

A limited number of stipends are available to those unable to obtain funding to attend the conference. Final deadline to apply is March 1st.

A number of affiliated events will take place before the main conference. More information can be found here.

We are living in an era where everything is connected, thus continuously generating, acquiring and processing a huge amount of data. Users may enjoy a diversity of assisted services, personalised applications and targeted recommendations. However, spread concerns about users' privacy are arising.

We are seeking a highly motivated PhD candidate to work in privacy-preserving algorithms and protocols. The proposed topics include (but are not limited to):

- Post-quantum privacy-enhancing techniques

- Privacy-preserving machine learning/deep learning modelling for IoT personalised applications

- Privacy-preserving computation for distributed learning.

We look favourably on applicants who can demonstrate a knowledge of cryptography, machine learning, information security and who have strong programming and mathematical skills. Within your statement, please make sure to discuss which area of research you are interested in and your academic background to support this. In the first instance, candidates can discuss applications with Dr Nesrine Kaaniche via email (n.kaaniche@sheffield.ac.uk).

Required Qualifications: Good first degree in Computer Science If English is not your first language, you must have an IELTS score (or equivalent) of 6.5 overall, with no less than 6.0 in each component.

Funding Details: The studentship will cover tuition fees at the Home/EU rate and provide an annual stipend at the standard RCUK rates for three and a half years.

Closing date for applications:

Contact: Dr. Nesrine Kaaniche (n.kaaniche@sheffield.ac.uk)

2 PhD positions are provided in College of Big Data, Taiyuan University of Technology (TYUT), China. The research topics include but not limited to: blockchain, IoT security, data security, and applied cryptography.

Taiyuan University of Technology (TYUT), which was one of the first three national universities in China, was established in 1902. TYUT now has 30960 undergraduates, 7017 postgraduates and 762 doctoral students.

Scholarship for graduates from TYUT: tuition fees will be waived, and the monthly living allowance will be provided. Scholarship and admission details can be found in the pdf file from this link: http://ciee.tyut.edu.cn/info/1016/3205.htm

Application deadline: open until the positions are filled. All successful candidates are expected to start in September 2020.

Interested applicants are advised to email the following documents to huangxin@tyut.edu.cn. (1) CV, (2) Reference letters, (3) Personal statement, (4) School transcripts, (5) Publications if possible.

Closing date for applications:

Contact: Prof. Xin Huang, Email: huangxin@tyut.edu.cn

PhD internship with research interest in cybersecurity is available in SUTD, especially on the topics of cyber-physical and IoT system security, applied cryptography and blockchain security. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Closing date for applications:

Contact: Jianying Zhou (jianying_zhou@sutd.edu.sg)

More information: http://jianying.space/