International Association
for Cryptologic Research

The KEM BIKE is a Round-3 alternative finalist in the NIST Post-Quantum Cryptography project. It uses the FO$^{\not \bot}$ transformation so that an instantiation with a decoder that has a DFR of $2^{-128}$ will make it IND-CCA secure. The current BIKE design does not bind the randomness of the ciphertexts (i.e., the error vectors) to a specific public key. We propose to change this design, although currently, there is no attack that leverages this property. This modification can be considered if BIKE is eventually standardized.

Tradeoff attacks on symmetric ciphers can be considered as the generalization of the exhaustive search. Their main objective is reducing the time complexity by exploiting the memory after preparing very large tables at a cost of exhaustively searching all the space during the precomputation phase. It is possible to utilize data (plaintext/ciphertext pairs) in some cases like the internal state recovery attacks for stream ciphers to speed up further both online and offline phases. However, how to take advantage of data in a tradeoff attack against block ciphers for single key recovery cases is still unknown. We briefly assess the state of art of tradeoff attacks on symmetric ciphers, introduce some open problems and discuss the security criterion on state sizes. We discuss the strict lower bound for the internal state size of keystream generators and propose more practical and fair bound along with our reasoning. The adoption of our new criterion can break a fresh ground in boosting the security analysis of small keystream generators and in designing ultra-lightweight stream ciphers with short internal states for their usage in specially low source devices such as IoT devices, wireless sensors or RFID tags.

In this paper, we describe Oblivious TLS: an MPC protocol that we prove UC secure against a majority of actively corrupted parties. The protocol securely implements TLS 1.3. Thus, any party P who runs TLS can communicate securely with a set of servers running Oblivious TLS; P does not need to modify anything, or even be aware that MPC is used. Applications of this include communication between servers who offer MPC services and clients, to allow the clients to easily and securely provide inputs or receive outputs. Also, an organization could use Oblivious TLS to improve in-house security while seamlessly connecting to external parties. Our protocol runs in the preprocessing model, and we did a preliminary non-optimized implementation of the on-line phase. In this version, the hand-shake completes in about 1 second. Performance of the record protocol depends, of course, on the encryption scheme used. We designed an MPC friendly scheme which achieved a throughput of about 300 KB/sec. Based on implementation results from other work, the standard AES-GCM can be expected to be as fast, although our implementation did not do as well.

Edge computing and caching have emerged as key technologies in the future communication network to enhance the user experience, reduce backhaul traffic, and enable various Internet of Things applications. Different from conventional resources like CPU and memory that can be utilized by only one party at a time, a cached data item, which can be considered as a public good, can serve multiple parties simultaneously. Therefore, instead of independent caching, it is beneficial for the parties (e.g., Telcos) to cooperate and proactively store their common items in a shared cache that can be accessed by all the parties at the same time.

In this work, we present MPCCache, a novel privacy-preserving Multi-party Cooperative Cache sharing framework, which allows multiple network operators to determine a set of common data items with the highest access frequencies to be stored in their capacity-limited shared cache while guaranteeing the privacy of their individual datasets. The technical core of our MPCCache is a new construction that allows multiple parties to compute a specific function on the intersection set of their datasets, without revealing the intersection itself to any party.

We evaluate our protocols to demonstrate their practicality and show that MPCCache scales well to large datasets and achieves a few hundred times faster compared to a baseline scheme that optimally combines existing MPC protocols.

We present a new construction of maliciously-secure, two-round multiparty computation (MPC) in the CRS model, where the first message is reusable an unbounded number of times. The security of the protocol relies on the Learning Parity with Noise (LPN) assumption with inverse polynomial noise rate 1/n^{1-epsilon} for small enough epsilon, where n is the LPN dimension. Prior works on reusable two-round MPC required assumptions such as DDH or LWE that imply some flavor of homomorphic computation. We obtain our result in two steps:

We obtain the first construction of this primitive from an assumption that is not known to support general homomorphic operations.

In the first step, we construct a two-round MPC protocol in the silent pre-processing model (Boyle et al., Crypto 2019). Specifically, the parties engage in a computationally inexpensive setup procedure that generates some correlated random strings. Then, the parties commit to their inputs. Finally, each party sends a message depending on the function to be computed, and these messages can be decoded to obtain the output. Crucially, the complexity of the pre-processing phase and the input commitment phase do not grow with the size of the circuit to be computed. We call this multiparty silent NISC, generalizing the notion of two-party silent NISC of Boyle et al. (CCS 2019). We provide a construction of multiparty silent NISC from LPN in the random oracle model.

In the second step, we give a transformation that removes the pre-processing phase and use of random oracle from the previous protocol. This transformation additionally adds (unbounded) reusability of the first round message, giving the first construction of reusable two-round MPC from the LPN assumption. This step makes novel use of randomized encoding of circuits (Applebaum et al., FOCS 2004) and a variant of the ``tree of MPC messages" technique of Ananth et al. and Bartusek et al. (TCC 2020).

Fully homomorphic encryption (FHE) allows to compute any function on encrypted values. However, in practice, there is no universal FHE scheme that is efficient in all possible use cases. In this work, we show that FHE schemes suitable for arithmetic circuits (e.g. BGV or BFV) have a similar performance as FHE schemes for non-arithmetic circuits (TFHE) in basic comparison tasks such as less-than, maximum and minimum operations. Our implementation of the less-than function in the HElib library is up to 3 times faster than the prior work based on BGV/BFV. It allows to compare a pair of 64-bit integers in 11 milliseconds, sort 64 32-bit integers in 19 seconds and find the minimum of 64 32-bit integers in 9.5 seconds on an average laptop without multi-threading.

All-or-nothing transforms have been defined as bijective mappings on all s-tuples over a specified finite alphabet. These mappings are required to satisfy certain "perfect security" conditions specified using entropies of the probability distribution defined on the input s-tuples. Alternatively, purely combinatorial definitions of AONTs have been given, which involve certain kinds of "unbiased arrays". However, the combinatorial definition makes no reference to probability definitions.

In this paper, we examine the security provided by AONTs that satisfy the combinatorial definition. The security of the AONT can depend on the underlying probability distribution of the s-tuples. We show that perfect security is obtained from an AONT if and only if the input s-tuples are equiprobable. However, in the case where the input s-tuples are not equiprobable, we still achieve a weaker security guarantee. We also consider the use of randomized AONTs to provide perfect security for a smaller number of inputs, even when those inputs are not equiprobable.

Efficient rank estimation algorithms are of prime interest in security evaluation against side-channel attacks (SCA) and recently also for password strength estimators. In a side channel setting it allows estimating the remaining security after an attack has been performed, quantified as the time complexity and the memory consumption required to brute force the key given the leakages as probability distributions over $d$ subkeys (usually key bytes). In password strength estimators the rank estimation allows estimating how many attempts a password cracker would need until it finds a given password. We propose ESrank, the first rank estimation algorithm with a bounded error ratio: its error ratio is bounded by $\gamma^{2d-2}$, for any probability distribution, where $d$ is the number of subkey dimensions and $\gamma>1$ can be chosen according to the desired accuracy. ESrank is also the first rank estimation algorithm that enjoys provable poly-logarithmic time- and space-complexity. Our main idea is to use exponential sampling to drastically reduce the algorithm's complexity.

We evaluated the performance of ESrank on real SCA and password strength corpora. We show ESrank gives excellent rank estimation with roughly a 1-bit margin between lower and upper bounds in less than 1 second on the SCA corpus and 4 seconds preprocessing time and 7$\mu$sec lookup time on the password strength corpus.

In recent years, various deep learning techniques have been exploited in side channel attacks, with the anticipation of obtaining more appreciable attack results. Most of them concentrate on improving network architectures or putting forward novel algorithms, assuming that there are adequate profiling traces available to train an appropriate neural network. However, in practical scenarios, profiling traces are probably insufficient, which makes the network learn deficiently and compromises attack performance. In this paper, we investigate a kind of data augmentation technique, called mixup, and first propose to exploit it in deep learning-based side channel attacks, for the purpose of expanding the profiling set and facilitating the chances of mounting a successful attack. We perform Correlation Power Analysis for generated traces and original traces, and discover that there exists consistency between them regarding leakage information. Our experiments show that mixup is truly capable of enhancing attack performance especially for insufficient profiling traces. Specifically, when the size of the training set is decreased to 30% of the original set, mixup can significantly reduce acquired attacking traces. We test three mixup parameter values and conclude that generally all of them can bring about improvements. Besides, we compare three leakage models and unexpectedly find that least significant bit model, which is less frequently used in previous works, actually surpasses prevalent identity model and hamming weight model in terms of attack results.

Event date: 8 November to 11 November 2021
Submission deadline: 25 May 2021
Notification: 27 August 2021

The CISPA-Stanford Center for Cybersecurity was established as a joint program by CISPA – Helmholtz Center for Information Security - and Stanford University in 2016 and is supported by the German Federal Ministry of Education and Research (BMBF).

The Elite Research Career Program intends to offer the very best postdoctoral cybersecurity researchers a unique career path at two of the leading cybersecurity institutes in the world. The program consists of three consecutive phases:

· a preparatory 1-2-year postdoctoral phase (Phase P) at CISPA, followed by

· a 2-year appointment at Stanford University (Phase I) as a visiting assistant professor, followed by

· a 3-year position at CISPA as an independent research group leader (Phase II).

Applicants to the program must have completed a PhD and demonstrated their potential to become future leaders in their field of IT security research. After their return from Stanford candidates are invited to apply for CISPA Tenure Track Faculty-Positions and will be considered fast track.

Application period: The call is open until April 30, 2021.

Please note: If we receive your application after the end of the indicated period, we cannot guarantee that it will be considered during the selection process.

CISPA is an equal opportunity employer and women are particularly encouraged to apply. Applications of severely disabled candidates with equivalent qualifications will be given priority.

Stanford University is an affirmative action and equal opportunity employer, committed to increasing the diversity of its workforce. It welcomes applications from women, members of minority groups, veterans, persons with disabilities, and others who would bring additional dimensions to the university's research and teaching mission.

More information: https://www.cispa-stanford.org

Application only via: https://jobs.cispa.saarland/jobs

Closing date for applications:

Contact: application@cispa-stanford.org

More information: https://jobs.cispa.saarland/jobs/detail/cispa-stanford-center-postdoctoral-research-group-leader-positions-m-f-d-in-cybersecurity-96#scrollTop=0

There are two Ph.D. positions opening at Dr. Jiafeng Harvest Xie's research group at the Department of Electrical and Computer Engineering of Villanova University, Villanova, PA (west of Philadelphia), USA. The research topics of the two positions primarily focused on hardware implementation of the post-quantum cryptosystems. Interested ones are warmly welcomed to send their resume/CV to Dr. Xie through email: jiafeng.xie@villanova.edu

Requirements: preferred to be at the majors of Computer Science, Computer Engineering, Electrical Engineering and related others. Familiar with FPGA/VLSI design will be desirable. Proficiency in programming languages such as HDLs, C/C++ etc. Good at English communication and writing. Great enthusiasm of doing research oriented tasks. Excellent team work member.

Degree: both B.S. and M.S. graduates or similar are warmly welcomed to apply.

Start date: Fall 2021. It is always better to apply as early as possible. Positions are open until they are filled. The 2021 U.S. News & World Report ranks Villanova as tied for the 53th best National University in the U.S (Famous Alumni includes the Current First Lady of the United States, etc.).

Brief introduction of Dr. Xie: Dr. Jiafeng Harvest Xie is currently an Assistant Professor at the Department of Electrical and Computer Engineering of Villanova University. His research interests include cryptographic engineering, hardware security, and VLSI digital design. He is the Best Paper Awardee of IEEE HOST 2019. He has served the Associate Editor for Microelectronics Journal, IEEE Access, and IEEE Trans. Circuits and Systems II. He has also been awarded the 2019 IEEE Access Outstanding Associate Editor.

Closing date for applications:

Contact: Dr. Jiafeng (Harvest) Xie

More information: https://www1.villanova.edu/villanova/engineering/departments/ece/facultyStaff/biodetail.html?mail=jiafeng.xie@villanova.edu&xsl=bio_long

LIST is looking for a highly motivated candidate with proven skills in network traffic anomaly detection to work on a research project funded by Luxembourg government under the RDI law program. The project will be carried out in a collaboration between POST Luxembourg (i.e. the biggest telecom service provider in Luxembourg) and LIST. The objective of the project is to measure and secure the 5G services from a telecom operator perspective. Purpose is to develop a 5G telecom security platform (a comprehensive Telecom Intrusion Detection System) over three years to protect the POST network and its users from exploits at infrastructure level against Telecom attacks such as SMS spoofing, call and SMS interception, signaling intrusion. The objective of the platform is to bring both explicit protection towards known exploits and implicit based on machine learning and AI (Artificial Intelligence).

Closing date for applications:

Contact: Dr. Qiang Tang

More information: https://app.skeeled.com/offer/604671bde49223a362f239fd?social=true&lang=en

Multiple Postdoc/RF positions on cybersecurity are immediately available at SUTD, Singapore. Candidates with expertise of applied crypto, blockchain, or CPS/IoT security are most welcome.

Closing date for applications:

Contact: Prof. Jianying Zhou (jianying_zhou@sutd.edu.sg)

More information: http://jianying.space/

The Department of computing science seeks 2 postdoctoral fellows to projects in computer security and software engineering. The fellowship is full-time for two years with access June 2021 or otherwise agreed.

The Department of Computing Science (www.cs.umu.se) is a dynamic department with about 130 employees from over twenty countries. We are providing research and education within a broad spectrum of areas, and offer education on basic, advanced, and PhD levels. The research is internationally well recognized and includes basic research, methods development, and software development, and research and development within various application domains.

The successful candidates will join the new software system security research group. You will contribute to projects in computer security and software engineering such as developing new approaches to detect or prevent software vulnerabilities or scalable static analysis algorithms to extract security properties.

The stipend project is financed by the Kempe foundations. The stipend is full-time for two years with starting date 1st of June, 2021, or to be negotiated. The stipend amounts to 330 000 SEK per year (around 32500 euro). The stipend is not subject to tax.

Application deadline is 15 March 2021.

Closing date for applications:

Contact: Prof. Bartel: alexandre.bartel@cs.umu.se

More information: https://www.umu.se/en/work-with-us/postdoctoral-scholarships/6-237-21/

Thanks to everyone for confirming the importance of the Cryptology ePrint Archive by alerting us that it was not reachable.

The problem has now been fixed

--The eprint editors & maintainers

At CRYPTO 2019, Gohr improved attacks on Speck32/64 using deep learning. In 2020, Chen et al. proposed a neural aided statistical attack that is more generic. Chen et’s attack is based on a statistical distinguisher that covers a prepended differential transition and a neural distinguisher. When the probability of the differential transition is pq, its impact on the data complexity is O(p^{-2}q^{-2}. In this paper, we propose an improved neural aided statistical attack based on a new concept named Homogeneous Set. Since partial random ciphertext pairs are filtered with the help of homogeneous sets, the differential transition’s impact on the data complexity is reduced to O(p^{−1}q^{−2}). As a demonstration, the improved neural aided statistical attack is applied to round-reduced Speck. And several better attacks are obtained.

Gohr has proposed the only deep learning-based distinguisher model at Crypto 2019, which is used to distinguish reduced Speck32/64 and a pseudorandom permutation. This distinguisher model can be applied to many symmetric ciphers. Given a plaintext differential, Gohr’s distinguisher model can learn differences between two distributions from adequate single ciphertext pairs. In this paper, we propose a new neural distinguisher model which takes k > 2 ciphertext pairs as the analysis object. A non-uniform distribution can produce many derived features that will not appear in a single ciphertext pair. Our neural distinguisher model can exploit these derived features from k ciphertext pairs. Taking Gohr’s distinguisher model as the baseline model, we firstly construct strong baseline distinguishers for five reduced ciphers. Then our neural distinguishers for five ciphers are also constructed using the new distinguisher model proposed in this paper. Experiments show our neural distinguishers can always obtain distinguishing accuracy promotions under various settings of k. When combining k samples incorrectly classified by baseline distinguishers into one group, our neural distinguishers can still distinguish correctly with a non-negligible probability. It indicates that derived features have been successfully captured by our neural distinguishers. The distinguishing accuracy promotion also comes from derived features. Our neural distinguishers can also be used to improve the key recovery attack on 11-round Specck32/64. Besides, compared with the raw attack scheme provided by Gohr, we propose a new key recovery attack scheme that can further reduce the time complexity.

Modern SoC designs include several reset domains that enable asynchronous partial resets while obviating complete system boot. Unfortunately, asynchronous resets can introduce security vulnerabilities that are difficult to detect through traditional validation. In this paper, we address this problem through a new security validation framework, SoCCCAR, that accounts for asynchronous resets. The framework involves (1) efficient extraction of reset-controlled events while avoiding combinatorial explosion, and (2) concolic testing for systematic exploration of the extracted design space. Our experiments demonstrate that SoCCAR can achieve almost perfect detection accuracy and verification time of a few seconds on realistic SoC designs.

Garbled Circuits (GCs) represent fundamental and powerful tools in cryptography, and many variants of GCs have been considered since their introduction. An important property of the garbled circuits is that they can be evaluated securely if and only if exactly 1 key for each input wire is obtained: no less and no more.

In this work we study the case when: 1) some of the wire-keys are missing, but we are still interested in computing the output of the garbled circuit and 2) the evaluator of the GC might have both keys for a constant number of wires. We start to study this question in terms of non-interactive multi-party computation (NIMPC) which is strongly connected with GCs. In this notion there is a fixed number of parties ($n$) that can get correlated information from a trusted setup. Then these parties can send an encoding of their input to an evaluator, which can compute the output of the function. Similarly to the notion of ad hoc secure computation proposed by Beimel et al. [ITCS 2016], we consider the case when less than $n$ parties participate in the online phase, and in addition we let these parties colluding with the evaluator. We refer to this notion as Threshold NIMPC. In addition, we show that when the number of parties participating in the online phase is a fixed threshold $l\leq n$ then it is possible to securely evaluate any $l$-input function. We build our result on top of a new secret-sharing scheme (which can be of independent interest) and on the results proposed by Benhamouda, Krawczyk and Rabin [Crypto 2017]. Our protocol can be used to compute any function in NC1 in the information-theoretic setting and any function in $P$ assuming one-way functions. As a second (and main) contribution, we consider a slightly different notion of security in which the number of parties that can participate in the online phase is not specified, and can be any number $c$ above the threshold $l$ (in this case the evaluator cannot collude with the other parties). We solve an open question left open by  Beimel, Ishai and Kushilevitz [Eurocrypt 2017] showing how to build a secure protocol for the case when $c$ is constant, under the Learning with Errors assumption.