International Association for Cryptologic Research


IACR News


25 September 2020

Shay Gueron
ePrint Report
This note describes some methods for adding a key commitment property to a generic (nonce-based) AEAD scheme. We analyze the privacy bounds and key commitment guarantee of the resulting constructions, by expressing them in terms of the properties of the underlying AEAD scheme and the added key commitment primitive. We also offer concrete constructions for a key committing version of AES-GCM.
Tianyou Ding, Wentao Zhang, Chunning Zhou, Fulei Ji
ePrint Report
Design and cryptanalysis are the two sides from which we look at symmetric-key primitives. If a symmetric-key primitive is broken by a kind of cryptanalysis, it is definitely insecure. If a designer claims a symmetric-key primitive to be secure, one should demonstrate that the primitive resists all known attacks. Differential and linear cryptanalysis are two of the most important kinds of cryptanalysis. To conduct a successful differential (linear) cryptanalysis, a differential (linear) distinguisher with significant differential probability (linear correlation) is needed.

We observe that, for some lightweight symmetric-key primitives, their significant trails usually contain iterative trails. In this work, we propose an automatic tool for searching iterative trails. We model the problem of searching iterative trails as a problem of finding elementary circuits in a graph. Based on the iterative trails found, we further propose a method to estimate the probability (correlation) of a differential (linear hull).

We apply our methods to the 256-bit KNOT permutation, PRESENT, GIFT-64 and RECTANGLE. Iterative trails are found and visualized. If iterative trails are found, we show our method can efficiently find good differentials and linear hulls. What's more, the results imply that for the primitives we test with bit permutations as their linear layers, the good differentials and linear hulls are dominated by iterative trails.
Robert Merget, Marcus Brinkmann, Nimrod Aviram, Juraj Somorovsky, Johannes Mittmann, Jörg Schwenk
ePrint Report
Diffie-Hellman key exchange (DHKE) is a widely adopted method for exchanging cryptographic key material in real-world protocols like TLS-DH(E). Past attacks on TLS-DH(E) focused on weak parameter choices or missing parameter validation. The confidentiality of the computed DH share, the premaster secret, was never questioned; DHKE is used as a generic method to avoid the security pitfalls of TLS-RSA. We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary. Our main result is a novel side-channel attack, named Raccoon attack, which exploits a timing vulnerability in TLS-DH(E), leaking the most significant bits of the shared Diffie-Hellman secret. The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem. The Raccoon attack takes advantage of uncommon DH modulus sizes, which depend on the properties of the used hash functions. We describe a fully feasible remote attack against an otherwise-secure TLS configuration: OpenSSL with a 1032-bit DH modulus. Fortunately, such moduli are not commonly used on the Internet. Furthermore, with our large-scale scans we have identified implementation-level issues in production-grade TLS implementations that allow for executing the same attack by directly observing the contents of server responses, without resorting to timing measurements.
Gennaro Avitabile, Daniele Friolo, Ivan Visconti
ePrint Report
In this work we show that an adversary can leverage blockchain technology to attack the integrity of contact tracing systems based on Google-Apple Exposure Notifications (GAEN). We design a suite of smart contracts named TEnK-U allowing an on-line market where infected individuals interested in monetizing their status will then upload to the servers of the GAEN-based systems some keys (i.e., TEKs) chosen by an adversary. As a consequence, there will be fake exposure notifications of at-risk contacts arbitrarily decided by the adversary and allowed by infected individuals looking for money.

Such a vulnerability can be exploited to anonymously and digitally trade valuable contact tracing data without a mediator and without risks of being cheated. This makes infected individuals prone to get bribed by adversaries willing to compromise the integrity of the contact tracing system for any malicious purpose. For instance, large-scale attacks with catastrophic consequences (e.g., jeopardizing the health system, compromising the result of elections) are easy to mount and attacks on specific targets are completely straightforward (e.g., schools, shops, hotels, factories).

We show as main contribution a smart contract with two collateral deposits that works, in general, on GAEN-based systems and concretely with Immuni and SwissCovid. In addition, we show smart contracts with one collateral deposit that work with SwissCovid. Finally, we also suggest the design of a more sophisticated smart contract that could potentially be used to attack GAEN-based systems even in case those systems are repaired to make the previous attacks ineffective. This last smart contract crucially uses DECO to connect blockchains with TLS sessions.

Our work shows that risks envisioned by Anderson and Vaudenay are absolutely concrete; in particular, TEnK-U shows how to realize with Immuni and SwissCovid the terrorist attack on decentralized systems discussed by Vaudenay.
Nabil Alkeilani Alkadri, Poulami Das, Andreas Erwig, Sebastian Faust, Juliane Krämer, Siavash Riahi, Patrick Struck
ePrint Report
Most blockchain solutions are susceptible to quantum attackers as they rely on cryptography that is known to be insecure in the presence of quantum adversaries. In this work we advance the study of quantum-resistant blockchain solutions by giving a quantum-resistant construction of a deterministic wallet scheme. Deterministic wallets are frequently used in practice in order to secure funds by storing the sensitive secret key on a so-called cold wallet that is not connected to the Internet. Recently, Das et al. (CCS'19) developed a formal model for the security analysis of deterministic wallets and proposed a generic construction from certain types of signature schemes that exhibit key rerandomization properties. We revisit the proposed classical construction in the presence of quantum adversaries and obtain the following results.

First, we give a generic wallet construction with security in the quantum random oracle model (QROM) if the underlying signature scheme is secure in the QROM. We next design the first post-quantum secure signature scheme with rerandomizable public keys by giving a construction from generic lattice-based Fiat-Shamir signature schemes. Finally, we show and evaluate the practicality by analyzing an instantiation of the wallet scheme based on the signature scheme qTESLA (ACNS'20).
Malik Imran, Samuel Pagliarini, Muhammad Rashid
ePrint Report
This work presents a hardware accelerator, for the optimization of latency and area at the same time, to improve the performance of point multiplication process in Elliptic Curve Cryptography. In order to reduce the overall computation time in the proposed 2-stage pipelined architecture, a rescheduling of point addition and point doubling instructions is performed along with an efficient use of required memory locations. Furthermore, a 41-bit multiplier is also proposed. Consequently, the FPGA and ASIC implementation results have been provided. The performance comparison with state-of-the-art implementations, in terms of latency and area, proves the significance of the proposed accelerator.
Hui Zhu, Christian Gehrmann
ePrint Report
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec failed to give protection.

24 September 2020

Edinburgh, UK, 10 May - 13 May 2021
PKC
Event date: 10 May to 13 May 2021
Submission deadline: 13 November 2020

23 September 2020

Technology Innovation Institute - Abu Dhabi, UAE
Job Posting
Technology Innovation Institute (TII) is a publicly funded research institute, based in Abu Dhabi, United Arab Emirates. It is home to a diverse community of leading scientists, engineers, mathematicians, and researchers from across the globe, transforming problems and roadblocks into pioneering research and technology prototypes that help move society ahead.

Responsibilities

  • Specify, design, implement and deploy cryptographic IP cores (including quantum-secure solutions)
  • Conduct research on (but not limited to) efficient cryptographic implementations, implementation attacks and countermeasures, design methodologies and tools
  • Perform security reviews of hardware designs and implementations
  • Work closely with the integration team and other teams in the organization to design and prototype secure systems and communication protocols

Minimum qualifications:

  • BSc, MSc or PhD degree in Cryptography, Computer Science, Engineering or similar degree with 3+ years of relevant work or research
  • Thorough knowledge of computer architecture and digital design principles
  • Relevant hardware development experience with a focus on hardware security
  • Extensive experience developing for FPGA and/or ASIC platforms in Verilog/VHDL
  • Experience writing testbenches and using waveform-based debugging tools
  • Solid understanding of cryptography, side-channel analysis attacks and countermeasures

Preferred qualifications:

  • Knowledge of UVM and assertion-based formal tools
  • Understanding of low-power and high-performance techniques
  • Understanding of micro-architectural attacks (e.g., Spectre, Meltdown, MDS)
  • Hands-on experience integrating IP blocks in complex systems (SoCs)
  • Programming skills in C/C++, Python, and/or Tcl
  • Hands-on experience with lab equipment (e.g., oscilloscopes, function generators)

Closing date for applications:

Contact: Mehdi Messaoudi, Talent Acquisition Manager, mehdi.messaoudi@tii.ae

Jean Monnet University in Saint-Etienne, Hubert Curien Laboratory, Saint-Etienne, France
Job Posting
We are looking for candidates for a free Post-Doc position in the field of design and modeling of self-timed rings (STR) as a source of randomness in logic devices, implementation of true random number generators (TRNG) based on STRs in FPGAs and ASICs, analysis of statistical properties of the generated numbers, statistical modeling of the proposed TRNGs and construction of efficient embedded tests dedicated to the proposed generators and based on their stochastic models. Desired profile: Ph.D. degree is required. Required skills: a) good knowledge of digital electronics and embedded systems; b) knowledge of CAD tools and FPGA design (Intel, Xilinx or Microsemi) as well as simulation tools (Modelsim); c) ASIC design using Cadence tools (design, simulation, verification); d) good level of English. Other useful skills: e) data acquisition and data analysis (use of tcl and python languages in particular); f) signal processing, mathematical modeling, statistics; g) basic knowledge in information security.

Closing date for applications:

Contact: fischer(at)univ-st-etienne.fr

More information: https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures/job-opportunities-2.html

Algorand, Inc.
Job Posting
We are looking for a Postdoctoral Cryptography Researcher to join our Team. This is an opportunity for someone who is genuinely excited by new technologies to influence the design and implementation of bleeding edge advanced cryptographic systems and protocols. Functioning somewhat independently and working within the larger Research Team, the Postdoctoral Cryptography Researcher will research and design cryptographic protocols and concepts, partnering with the team to develop prototypes. Our Researchers are also internal subject matter experts, providing guidance and learning opportunities to our extended staff. Researchers are also responsible for publishing meaningful research, independently and with other members of staff.

You will be working on a fast-paced, rapidly growing, high-profile project with a significant opportunity for industry-level impact on emerging blockchain and cryptocurrency technologies.

Overseen by Silvio Micali, this opportunity is for one (1) year with the possibility for extension.

Full role description (including responsibilities and qualifications) and application link is available at the further information link.

Interested candidates should submit their application at the further information link along with their CV (including list of publications), one (1) recently published paper relevant to the position responsibilities, and two (2) reference letters. You can share your paper and reference letters via the "Portfolio" link when applying, or upload the files with your CV. This position is available immediately and thus candidates who are already in the US are preferred.

Closing date for applications:

Contact: Regnia O'Brien, Head of People & Talent

More information: https://jobapply.page.link/TNVg


21 September 2020

SICPA - international company with HQ in Lausanne, Switzerland
Job Posting
Leveraging decades of expertise in security inks and solutions, SICPA aims at providing the next generation of trust-enabling security systems for citizens, central banks and governments in the domains of digital currency, identity and value chains. This is a great opportunity to join a strategic project and work with a team of passionate people to design, architect and develop innovative solutions.

WHAT YOU WILL DO

Shape new concepts and ideas, quickly and iteratively, through prototyping.

Have meaningful impact on the crafting and delivery in the early stages of the idea, and product life cycles.

Collaborate closely with our development team to craft solid foundation for future product development.

Deliver, as part of the team, a prototype.

Deliver a functioning sandbox environment, with goal to identify competitive advantage and help implement that in practice.

Drive cooperation with platform and lab teams.

WHAT WE NEED FROM YOU

You have relevant technical skills gained via formal education (PhD preferred), and/or red/blue team experience.

You have expertise in applied cryptography, long-term security, Multi-Party Computation (MPC), key rotation schemes, SoC, SE, TEE, solving difficult challenges for systems in highly adversarial environments.

Also, you master cryptographic protocols and standards (FIPS, AAL, PKI, NIST, ISO/IEC 27001).

You are curious to solve hard problems, oftentimes with competing priorities, using smartly assembled primitives, protocols and solutions, as well as advise on choice tradeoffs.

Besides being a great listener, you are an educator that acts as an advisor and mentor to team members on your domain of expertise.

You thrive in asynchronous communication environments and can express clearly your ideas and thinking, in writing.

You have a natural ability to explain, communicate and influence a broad audience (from highly technical to managerial), seek and engage in external collaboration with academia or red teams.

Read the full job ad here: https://jobs.sicpa.com/job/Prilly_Floris-%28CH01%29-Senior-Cryptographer/616

Closing date for applications:

Contact: Mrs Iuliana Petcu, Talent Acquisition Manager, hrrecruitment@sicpa.com

More information: https://jobs.sicpa.com/job/Prilly_Floris-%28CH01%29-Senior-Cryptographer/616737401/

Siemen Dhooghe, Svetla Nikova
ePrint Report
The wire probe-and-fault models are currently the most used models to provide arguments for side-channel and fault security. However, several practical attacks are not yet covered by these models. This work extends the wire fault model to include more advanced faults such as area faults and permanent faults. Moreover, we show the tile probe-and-fault adversary model from CRYPTO 2018's CAPA envelops the extended wire fault model along with known extensions to the probing model such as glitches, transitions, and couplings. In other words, tiled (tessellated) designs offer security guarantees even against advanced probe and fault adversaries.

As tiled models use multi-party computation techniques, countermeasures are typically expensive for software/hardware. This work investigates a tiled countermeasure based on the ISW methodology which is shown to perform significantly better than CAPA for practical parameters.
Wonseok Choi, Byeonghak Lee, Yeongmin Lee, Jooyoung Lee
ePrint Report
In this paper, we prove that the nonce-based enhanced hash-then-mask MAC ($\mathsf{nEHtM}$) is secure up to $2^{\frac{3n}{4}}$ MAC queries and $2^n$ verification queries (ignoring logarithmic factors) as long as the number of faulty queries $\mu$ is below $2^{\frac{3n}{8}}$, significantly improving the previous bound by Dutta et al. Even when $\mu$ goes beyond $2^{\frac{3n}{8}}$, $\mathsf{nEHtM}$ enjoys graceful degradation of security.

The second result is to prove the security of PRF-based $\mathsf{nEHtM}$; when $\mathsf{nEHtM}$ is based on an $n$-to-$s$ bit random function for a fixed size $s$ such that $1\leq s\leq n$, it is proved to be secure up to any number of MAC queries and $2^s$ verification queries, if (1) $s=n$ and $\mu<2^{\frac{n}{2}}$ or (2) $\frac{n}{2}<s<2^{n-s}$ and $\mu<\max\{2^{\frac{s}{2}},2^{n-s}\}$, or (3) $s\leq \frac{n}{2}$ and $\mu<2^{\frac{n}{2}}$. This result leads to the security proof of truncated $\mathsf{nEHtM}$ that returns only $s$ bits of the original tag since a truncated permutation can be seen as a pseudorandom function. In particular, when $s\leq\frac{2n}{3}$, the truncated $\mathsf{nEHtM}$ is secure up to $2^{n-\frac{s}{2}}$ MAC queries and $2^s$ verification queries as long as $\mu<\min\{2^{\frac{n}{2}},2^{n-s}\}$. For example, when $s=\frac{n}{2}$ (resp. $s=\frac{n}{4}$), the truncated $\mathsf{nEHtM}$ is secure up to $2^{\frac{3n}{4}}$ (resp. $2^{\frac{7n}{8}}$) MAC queries. So truncation might provide better provable security than the original $\mathsf{nEHtM}$ with respect to the number of MAC queries.
Lior Rotem, Gil Segev
ePrint Report
The algebraic group model, introduced by Fuchsbauer, Kiltz and Loss (CRYPTO '18), is a substantial relaxation of the generic group model capturing algorithms that may exploit the representation of the underlying group. This idealized yet realistic model was shown useful for reasoning about cryptographic assumptions and security properties defined via computational problems. However, it does not generally capture assumptions and properties defined via decisional problems. As such problems play a key role in the foundations and applications of cryptography, this leaves a significant gap between the restrictive generic group model and the standard model.

We put forward the notion of algebraic distinguishers, strengthening the algebraic group model by enabling it to capture decisional problems. Within our framework we then reveal new insights on the algebraic interplay between a wide variety of decisional assumptions. These include the decisional Diffie-Hellman assumption, the family of Linear assumptions in multilinear groups, and the family of Uber assumptions in bilinear groups.

Our main technical results establish that, from an algebraic perspective, these decisional assumptions are in fact all polynomially equivalent to either the most basic discrete logarithm assumption or to its higher-order variant, the $q$-discrete logarithm assumption. On the one hand, these results increase the confidence in these strong decisional assumptions, while on the other hand, they enable to direct cryptanalytic efforts towards either extracting discrete logarithms or significantly deviating from standard algebraic techniques.
Alan Szepieniec, Tomer Ashur, Siemen Dhooghe
ePrint Report
This document provides a simple standard specification for the Rescue-Prime family of arithmetization-oriented hash functions.
Zhengjun Cao, Lihua Liu
ePrint Report
Given a non-square $n=pq$, since $p, q$ are the two roots of $x^2-\theta x+n=0$, where $\theta=p+q$ is unknown, one can pick the initial values $l, r$ and use Newton's method to construct $A(\theta, l, k)$ and $B(\theta, r, k)$ approximating $p$ and $q$, respectively, where $k$ is the iteration depth. Solve $A(\theta, l, k)\,B(\theta, r, k)=n$, $\theta>2\sqrt{n}$ and $l< A(\theta, l, k)<\sqrt{n}< B(\theta, r, k)<r$ to obtain approximations of $\theta$. Accumulate and sort the approximations for different initial values. Then pivot on these approximations to search for the target $\theta$ such that $\theta^2-4n$ is a square. The success probability of this algorithm depends on the choice of initial values, the iteration depth, and the search scope around the pivots. The algorithm can be easily parallelized, and its complexity can be restricted to $O(\log^9 n)$.
Daniele Di Tullio, Manoj Gyawali
ePrint Report
In this paper we present a signature scheme based on the difficulty of finding a point in a shifted Grassmannian variety or on its secant variety from a knowledge of its defining polynomials. An advantage of using the secant variety of the Grassmannian is that it is defined by sparse cubic equations, which are in general more difficult to solve than quadratic ones, thereby reducing the size of the public key.
Yongjune Kim, Cyril Guyot, Young-Sik Kim
ePrint Report
The min-entropy is an important metric to quantify the randomness of generated random numbers in cryptographic applications; it measures the difficulty of guessing the most-likely output. One of the important min-entropy estimators is the compression estimator of NIST Special Publication (SP) 800-90B, which relies on Maurer's universal test. In this paper, we propose two kinds of min-entropy estimators to improve computational complexity and estimation accuracy by leveraging two variations of Maurer's test: Coron's test (for Shannon entropy) and Kim's test (for Renyi entropy). First, we propose a min-entropy estimator based on Coron's test which is more computationally efficient than the compression estimator while maintaining the estimation accuracy. The second proposed estimator relies on Kim's test, which computes the Renyi entropy. This proposed estimator improves estimation accuracy as well as computational complexity. We analytically characterize an interesting trade-off relation between the theoretical gap of accuracy and the variance of min-entropy estimates, which depends on the order of the Renyi entropy. By taking into account this trade-off relation, we observe that the order of two is a proper assignment since the proposed estimator based on the collision entropy (i.e., the Renyi entropy of order two) provides the most accurate estimates. Moreover, the proposed estimator based on the collision entropy has a closed-form solution whereas both the compression estimator and the proposed estimator based on Coron's test do not have closed-form solutions. Numerical evaluations demonstrate that the first proposed estimator achieves the same accuracy as the compression estimator with much less computation. Moreover, the second estimator can even improve the accuracy as well as reduce the computational complexity.
Huijia Lin, Ji Luo
ePrint Report
We present succinct and adaptively secure attribute-based encryption (ABE) schemes for arithmetic branching programs, based on k-Lin in pairing groups. Our key-policy ABE scheme has ciphertexts of constant size, independent of the length of the attributes, and our ciphertext-policy ABE scheme has secret keys of constant size. Our schemes improve upon the recent succinct ABE schemes in [Tomida and Attrapadung, ePrint '20], which only handle Boolean formulae. All other prior succinct ABE schemes either achieve only selective security or rely on q-type assumptions.

Our schemes are obtained through a general and modular approach that combines a public-key inner product functional encryption satisfying a new security notion called gradual simulation security and an information-theoretic randomized encoding scheme called arithmetic key garbling scheme.