IACR News
20 January 2021
SPRING Lab, EPFL
Job Posting
We have a postdoc opening in the area of privacy engineering, to be hosted at the SPRING Lab @EPFL headed by Carmela Troncoso, working on the design, evaluation, and deployment of privacy-preserving systems.
The postdoc will be collaborating on lab projects oriented to creating new privacy-preserving primitives and integrating them into end-to-end systems. The systems we develop at the lab aim to enable users to enjoy technological advances while minimizing the risks of abuse of the data in the system and the system’s impact on society. Our system design projects are typically in collaboration with a stakeholder with high stakes in protecting their users, such as NGOs, governments, or educational institutions. More information about our research: https://www.epfl.ch/labs/spring/
The position is to be filled as soon as possible.
We are also looking for motivated PhD students to build privacy-preserving systems. If you are interested in this position please refer to our doctoral school: https://www.epfl.ch/education/phd/edic-computer-and-communication-sciences/
Next application deadline: April 15 2021
Closing date for applications:
Contact: To apply please follow the instructions here: https://recruiting.epfl.ch/Vacancies/1612/Description/2
For any question please contact Carmela Troncoso
More information: https://recruiting.epfl.ch/Vacancies/1612/Description/2
19 January 2021
Queen’s University Belfast
Job Posting
Closing date for applications:
Contact: You must clearly demonstrate how you meet the criteria when you submit your application. For further information please contact Resourcing Team, Queen's University Belfast, BT7 1NN. Telephone (028) 9097 3044 or email resourcing@qub.ac.uk.
More information: https://hrwebapp.qub.ac.uk/tlive_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=867106E9Ng&WVID=6273090Lgx&LANG=USA
University of Lyon, Saint-Etienne, France
Job Posting
Closing date for applications:
Contact: To apply please send your detailed CV (with publication list), motivation for applying (1 page) and names of at least two persons who can provide reference letters (e-mail). Contact: Prof. Lilian BOSSUET lilian.bossuet(at)univ-st-etienne.fr
More information: https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html.
Huawei International, Singapore
Job Posting
Qualifications:
Closing date for applications:
Contact: Dr. Cheng-Kang Chu (chu.cheng.kang@huawei.com)
More information: https://www.dropbox.com/s/7theyk6o0gl8254/Security-Researcher.pdf?dl=0
18 January 2021
Mohamed Fadl Idris, Je Sen Teh, Jasy Liew Suet Yan, Wei-Zhu Yeoh
ePrint Report
Dorin-Marian Ionita, Emil Simion
ePrint Report
Index Terms: elliptic curves, cryptography, Diffie-Hellman, FPGA, hardware security, high-level synthesis
Peter Pessl, Lukas Prokop
ePrint Report
Interestingly, many of these KEMs exhibit structural similarities. They can be seen as variants of the encryption scheme of Lyubashevsky, Peikert, and Rosen, and employ the Fujisaki-Okamoto transform (FO) to achieve CCA2 security. The latter involves re-encrypting a decrypted plaintext and testing the ciphertexts for equivalence. This corresponds to the classic countermeasure of computing the inverse operation and hence prevents many fault attacks.
In this work, we show that despite this inherent protection, practical fault attacks are still possible. We present an attack that requires a single instruction-skipping fault in the decoding process, which is run as part of the decapsulation. After observing if this fault actually changed the outcome (effective fault) or if the correct result is still returned (ineffective fault), we can set up a linear inequality involving the key coefficients. After gathering enough of these inequalities by faulting many decapsulations, we can solve for the key using a bespoke statistical solving approach. As our attack only requires distinguishing effective from ineffective faults, various detection-based countermeasures, including many forms of double execution, can be bypassed.
We apply this attack to Kyber and NewHope, both of which belong to the aforementioned class of schemes. Using fault simulations, we show that, e.g., 6,500 faulty decapsulations are required for full key recovery on Kyber512. To demonstrate practicality, we use clock glitches to attack Kyber running on a Cortex M4. As we argue that other schemes of this class, such as Saber, might also be susceptible, the presented attack clearly shows that one cannot rely on the FO transform's fault deterrence and that proper countermeasures are still needed.
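The oracle the abstract describes can be reproduced in a toy setting. The following Python is an added example written for this page, not the authors' code or attack implementation, and every simplification in it is an assumption made here: a one-bit LWE scheme stands in for Kyber and NewHope, the instruction skip is modelled as dropping the rounding-offset addition in the decoder, the FO re-encryption derives its coins from SHA-256 of the message bit and a cleartext nonce (a real KEM seeds them from the multi-bit message itself), and brute-force elimination over a tiny key space replaces the paper's statistical solver.

```python
"""Toy simulation of the effective/ineffective-fault oracle on an
FO-protected LWE decapsulation.  Added example, not the paper's code.
Assumptions: one-bit LWE instead of Kyber; fault = skipping the '+ q//2'
rounding offset in the decoder; FO coins = SHA-256(m || nonce) with the
nonce sent in the clear; brute force in place of the statistical solver."""
import hashlib
import random
from itertools import product

Q = 3329   # Kyber's modulus, used only for realism
N = 3      # toy dimension; s and e are N-vectors with entries in [-ETA, ETA]
ETA = 2

def small_vec(rng):
    return [rng.randint(-ETA, ETA) for _ in range(N)]

def decode_bit(t, skip_rounding=False):
    """Bit from t = m*q/2 + d (mod q).  The correct decoder rounds 2t/q; the
    modelled instruction skip drops '+ q//2' and floors instead.  The two
    disagree exactly for t in [q/4, q/2) or [3q/4, q)."""
    offset = 0 if skip_rounding else Q // 2
    return ((2 * (t % Q) + offset) // Q) & 1

def keygen(seed):
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small_vec(rng), small_vec(rng)
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(N)]
    return (A, b), (s, e)

def encrypt(pk, m, r, e1, e2):
    A, b = pk
    u = [(sum(A[i][j] * r[i] for i in range(N)) + e1[j]) % Q for j in range(N)]
    v = (sum(b[i] * r[i] for i in range(N)) + e2 + m * (Q // 2)) % Q
    return u, v

def decrypt(sk, ct, skip_rounding=False):
    s, _ = sk
    u, v = ct
    # v - s.u = m*q/2 + d with noise d = e.r + e2 - s.e1, |d| <= 26 here
    return decode_bit(v - sum(s[j] * u[j] for j in range(N)), skip_rounding)

def coins(m, nonce):
    rng = random.Random(hashlib.sha256(bytes([m]) + nonce).digest())
    return small_vec(rng), small_vec(rng), rng.randint(-ETA, ETA)

def encaps(pk, rng):
    m, nonce = rng.randint(0, 1), rng.getrandbits(64).to_bytes(8, "big")
    r, e1, e2 = coins(m, nonce)
    return (m, r, e1, e2), (encrypt(pk, m, r, e1, e2), nonce)

def decaps(pk, sk, ct, skip_rounding=False):
    """FO decapsulation: decrypt, re-encrypt with coins derived from the
    result, compare.  Returns None on mismatch; a real KEM returns an
    implicit-rejection key instead, which the attacker can equally tell
    apart from the correct shared secret."""
    (u, v), nonce = ct
    m2 = decrypt(sk, (u, v), skip_rounding)
    r, e1, e2 = coins(m2, nonce)
    return m2 if encrypt(pk, m2, r, e1, e2) == (u, v) else None

def collect_inequalities(pk, sk, seed, count):
    """Attacker: fault its own encapsulations and note whether the FO check
    rejected (effective fault).  Since |d| << q/4, the fault is effective
    iff d < 0 when m = 0 and iff d <= 0 when m = 1, so every run yields one
    linear inequality in the unknown x = (s, e) with coefficients the
    attacker knows (-e1 for s, r for e) and constant e2."""
    rng, ineqs = random.Random(seed), []
    for _ in range(count):
        (m, r, e1, e2), ct = encaps(pk, rng)
        effective = decaps(pk, sk, ct, skip_rounding=True) is None
        ineqs.append(([-c for c in e1] + r, e2, m, effective))
    return ineqs

def consistent(x, ineq):
    coef, e2, m, effective = ineq
    d = sum(c * xi for c, xi in zip(coef, x)) + e2
    return (d < 0 if m == 0 else d <= 0) == effective

def recover_key(ineqs):
    """Stand-in for the paper's solver: the single candidate (s, e) in the
    key space consistent with every inequality, or None if not yet unique."""
    cands = [list(x) for x in product(range(-ETA, ETA + 1), repeat=2 * N)
             if all(consistent(x, iq) for iq in ineqs)]
    return cands[0] if len(cands) == 1 else None

if __name__ == "__main__":
    pk, sk = keygen(1)
    ineqs = collect_inequalities(pk, sk, 2, 300)
    print("true (s, e):", sk[0] + sk[1], " recovered:", recover_key(ineqs))
```

Each faulted decapsulation yields one bit, whether the FO check accepted, yet that bit is the sign of a noise term that is linear in (s, e) with coefficients the attacker chose. That is why a countermeasure that only detects the fault and aborts does not help here: abort versus success is precisely the signal being harvested.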
Monir Azraoui, Solenn Brunet, Sébastien Canard, Aïda Diop, Lélia Eveillard, Alicia Filipiak, Adel Hamdi, Flavie Misarsky, Donald Nokam Kuate, Marie Paindavoine, Quentin Santos, Bastien Vialla
ePrint Report
CYBERCRYPT is a collaborative and educational game that lets people understand basic cryptographic mechanisms. It takes players from the oldest techniques (the scytale, the Caesar and Vernam ciphers, the Enigma machine) to the most recent ones, now used in our daily transactions (electronic signatures, key exchange, etc.).
Through several rich and comprehensive workshops, CYBERCRYPT introduces the different techniques used in cryptography and highlights the crucial importance of cryptography in protecting our digital daily life.
Dominique Unruh
ePrint Report
As an application of our technique, we show the collision-resistance of the sponge construction based on invertible permutations. In particular, this shows the collision-resistance of SHA3 (in the random oracle model).
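For reference, the sponge construction the abstract refers to, instantiated with the invertible permutation Keccak-f[1600] so that it reproduces SHA3-256 and SHA3-512. This is an added example written for this page, not code from the paper; the constants are the FIPS 202 ones, and the output is cross-checked against hashlib, which the sponge itself does not use.

```python
"""Sponge construction over Keccak-f[1600].  Added example, not the paper's
code.  The 1600-bit state is split into rate r (the part the message is
XORed into and output is read from) and capacity c = 1600 - r (never
exposed); the generic collision bound of the sponge is about 2^(c/2)
permutation queries, which is why SHA3-256 fixes c = 512."""
import hashlib

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants (iota) and rho offsets ROT[x][y] (FIPS 202).
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
      0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
      0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
      0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
      0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
      0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
      0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def rol64(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v

def keccak_f1600(lanes):
    """The permutation: 24 rounds of theta, rho, pi, chi, iota on a 5x5 array
    of 64-bit lanes indexed lanes[x][y].  Every step is invertible, so the
    whole map is the invertible permutation the abstract's proof assumes."""
    a = [row[:] for row in lanes]
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]   # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):                                      # rho + pi
                b[y][(2 * x + 3 * y) % 5] = rol64(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]                  # chi
        a[0][0] ^= rc                                                # iota
    return a

def sponge(message, rate_bytes, out_len, suffix=0x06):
    """Absorb r bytes per permutation call, then squeeze.  suffix=0x06 is
    the SHA-3 domain bits merged with the first bit of pad10*1; 0x1F would
    give SHAKE."""
    padded = bytearray(message) + bytes([suffix])
    padded += bytes(-len(padded) % rate_bytes)
    padded[-1] |= 0x80
    lanes_per_block = rate_bytes // 8
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate_bytes):            # absorb
        for i in range(lanes_per_block):                     # lane i = (x, y) = (i % 5, i // 5)
            chunk = padded[off + 8 * i:off + 8 * i + 8]
            state[i % 5][i // 5] ^= int.from_bytes(chunk, "little")
        state = keccak_f1600(state)
    out = bytearray()
    while True:                                              # squeeze
        for i in range(lanes_per_block):
            out += state[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = keccak_f1600(state)

def sha3_256(message):
    return sponge(message, rate_bytes=136, out_len=32)   # c = 1600 - 1088 = 512

def sha3_512(message):
    return sponge(message, rate_bytes=72, out_len=64)    # c = 1600 - 576 = 1024

def matches_hashlib(message):
    """Cross-check both instances against the standard library."""
    return (sha3_256(message) == hashlib.sha3_256(message).digest()
            and sha3_512(message) == hashlib.sha3_512(message).digest())
```

The capacity bits never leave the state, and the 2^(c/2) bound is the quantity the abstract's result establishes for sponges over an invertible permutation; SHA3-256 with c = 512 therefore inherits 256-bit collision resistance from it.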
Ştefan Maftei, Marius Supuran, Emil Simion
ePrint Report
Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, Udi Peled
ePrint Report
* Only the last round of our protocols requires knowledge of the message; the other rounds can take place in a preprocessing stage, yielding a non-interactive threshold ECDSA protocol.
* Our protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security.
* Our protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.
* Both protocols achieve accountability by identifying corrupted signatories in case of failure to generate a valid signature.
The protocols provide a tradeoff between the number of rounds to generate a signature and the computational and communication overhead for the identification of corrupted signatories. Namely:
* For one protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties.
* For the other protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds.
These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies.
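To make the first bullet concrete, here is an added Python illustration, not the paper's protocol, of an additively shared ECDSA signature whose only message-dependent step is local to each party. A trusted dealer stands in for the paper's preprocessing rounds, and there are no zero-knowledge proofs, proactive refresh or identifiable abort; the dealer and the three-party split are assumptions made here. The curve arithmetic is written out so the block runs offline.

```python
"""Additive-sharing ECDSA with a message-independent presignature.  Added
example, not the paper's protocol: a trusted dealer hands out the shares
that the paper's offline rounds compute interactively.  ECDSA over
secp256k1 is implemented from scratch to keep the block self-contained."""
import hashlib
import secrets

# secp256k1 parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def share(value, parties):
    """Additive secret sharing over Z_N: shares sum to value."""
    shares = [secrets.randbelow(N) for _ in range(parties - 1)]
    shares.append((value - sum(shares)) % N)
    return shares

def keygen(parties):
    x = secrets.randbelow(N - 1) + 1
    return ec_mul(x, G), share(x, parties)

def presign(x_shares):
    """Message-independent preprocessing (dealer in place of the paper's
    offline rounds).  Parties receive additive shares of k and of
    chi = k*x, plus r = x-coordinate of (k^-1)*G: the ECDSA nonce is k^-1."""
    x = sum(x_shares) % N
    k = secrets.randbelow(N - 1) + 1
    r = ec_mul(pow(k, -1, N), G)[0] % N
    return r, share(k, len(x_shares)), share(k * x % N, len(x_shares))

def sign_share(m, r, k_i, chi_i):
    """Online round: needs only the digest and the party's own presignature
    shares, with no interaction.  The shares sum to s = k*(m + r*x), which
    is (k^-1)^-1 * (m + r*x), a valid ECDSA s for nonce k^-1."""
    return (k_i * m + r * chi_i) % N

def combine(r, s_shares):
    s = sum(s_shares) % N
    return r, min(s, N - s)          # low-s form, as Bitcoin requires

def verify(pub, m, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(m * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def threshold_sign(message, parties=3):
    """End-to-end run: keygen, one presignature, one local signing step."""
    pub, x_shares = keygen(parties)
    r, k_shares, chi_shares = presign(x_shares)
    m = digest(message)
    sig = combine(r, [sign_share(m, r, k, c) for k, c in zip(k_shares, chi_shares)])
    return pub, sig
```

A presignature must be consumed by exactly one message: signing two digests with the same (r, k_i, chi_i) shares reveals k and hence x, which is the operational reason a wallet deployment needs the one-presignature-per-message discipline and the periodic refresh the abstract mentions.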
Chethan Kamath, Karen Klein, Krzysztof Pietrzak, Michael Walter
ePrint Report
Peter Kietzmann, Lena Boeckmann, Leandro Lanzieri, Thomas C. Schmidt, Matthias Wählisch
ePrint Report
Tamer Mour
ePrint Report
Zhongfeng Niu
ePrint Report
Jan Sebastian Götte, Björn Scheuermann
ePrint Report
David W. Archer, Shahla Atapoor, Nigel P. Smart
ePrint Report
Madalina Bolboceanu, Zvika Brakerski, Devika Sharma
ePrint ReportIt is a known fact that an unstructured lattice can be cast as an ideal-lattice in some order of a number field (and thus, in a rather trivial sense, that ideals in orders are as general as unstructured lattices). However, it is not known whether this connection can be used to imply useful hardness results for structured lattices, or alternatively new algorithmic techniques for unstructured lattices.
In this work we show that the Order-LWE problem (a generalization of the well known Ring-LWE problem) on certain orders is at least as hard as the (unstructured) LWE problem. So in general one should not hope to solve Order-LWE more efficiently than LWE. However, we only show that this connection holds in orders that are very "skewed" and in particular irrelevant for cryptographic applications. We then discuss the ability to embed unstructured lattices in "friendlier" orders, which requires devising an algorithm for computing the conductor of relevant orders. One of our technical tools is an improved hardness result for Order-LWE, closing a gap left in prior work.
Rémi Géraud-Stewart, David Naccache
ePrint Report
The new protocol relies upon elementary number-theoretic properties and can be implemented efficiently using very few operations. This contrasts with state-of-the-art zero-knowledge protocols for assessing that an RSA modulus was properly generated.
The heuristic argument at the end of our construction calls for further cryptanalysis by the community and is, as such, an interesting research question in its own right.