International Association
for Cryptologic Research

Code-based cryptographic schemes are highly regarded among the quantum-safe alternatives to current standards. Yet, designing code-based signatures using traditional methods has always been a challenging task, and current proposals are still far from the target set by other post-quantum primitives (e.g. lattice-based). In this paper, we revisit a recent work using an innovative approach for signing, based on the hardness of the code equivalence problem. We introduce some optimizations and provide a security analysis for all variants considered. We then show that the new parameters produce instances of practical interest.

Recently, a light-weight authenticated key-exchange (AKE) scheme has been proposed. The scheme provides mutual authentication. It is asymmetric in nature by delegating complex cryptographic operations to resource-equipped servers, and carefully managing the workload on resource-constrained Smart meter nodes by using Physically Unclonable Functions. The prototype Smart meter built using commercial-off-the-shelf products is enabled with a low-cost countermeasure against load-modification attacks, which goes side-by-side with the proposed protocol. An attack against this AKE scheme has been recently proposed claiming that the server can be breached to mount spoofing attacks. It relies on the assumption that the result of an attack against authenticated key-exchange protocol is determined before the attacker learns the session key. In this short paper, we discuss the attack’s validity and describe the misinterpretation of the AKE protocol’s security definition.

Broadbent and Islam (TCC '20) proposed a quantum cryptographic primitive called quantum encryption with certified deletion. In this primitive, a receiver in possession of a quantum ciphertext can generate a classical certificate that the encrypted message is deleted. Though they proved that their construction is information theoretically secure, a drawback is that the construction is limited to the setting of one-time symmetric key encryption (SKE) where a sender and receiver have to share a common key in advance and the key can be used only once. In this paper, we construct a (reusable-key) public key encryption (PKE) and attribute-based encryption (ABE) with certified deletion. Our PKE with certified deletion is constructed assuming the existence of IND-CPA secure PKE, and our ABE with certified deletion is constructed assuming the existence of indistinguishability obfuscation and one-way function.

We extend a basic key agreement model with a hidden identifier source to a multi-user model with joint secrecy and privacy constraints over all entities that do not trust each other. Different entities that use different measurements of the same remote source through broadcast channels (BCs) to agree on mutually-independent local secret keys are considered. This model is the proper multi-user extension of the basic model since the encoder and decoder pairs are not assumed to trust other pairs, unlike assumed in the literature. Strong secrecy constraints imposed jointly on all secret keys, which is more stringent than separate secrecy leakage constraints for each secret key considered in the literature, are satisfied. Inner bounds for maximum key rate, and minimum privacy-leakage and storage rates are proposed for any finite number of entities. Inner and outer bounds for degraded and less-noisy BCs are given to illustrate cases with strong privacy. A multi-enrollment model that is used for common physical unclonable functions (PUFs) is also considered to establish inner and outer bounds for key-leakage-storage regions that differ only in the Markov chains imposed. For this special case, the encoder and decoder measurement channels have the same channel transition matrix and secrecy leakage is measured for each secret key separately. We illustrate cases for which it is useful to have multiple enrollments as compared to a single enrollment and vice versa.

Differential privacy has been widely applied to provide privacy guarantees by adding random noise to the function output. However, it inevitably fails in many high-stakes voting scenarios, where voting rules are required to be deterministic. In this work, we present the first framework for answering the question: ``How private are commonly-used voting rules?" Our answers are two-fold. First, we show that deterministic voting rules provide sufficient privacy in the sense of distributional differential privacy (DDP). We show that assuming the adversarial observer has uncertainty about individual votes, even publishing the histogram of votes achieves good DDP. Second, we introduce the notion of exact privacy to compare the privacy preserved in various commonly-studied voting rules, and obtain dichotomy theorems of exact DDP within a large subset of voting rules called generalized scoring rules.

There is a difference between a system having no known attacks and the system being secure---as cryptographers know all too well. Once we begin talking about the implementations of systems this issue becomes even more prominent since the amount of material which needs to be scrutinised skyrockets. Historically, lack of transparency and low standards for e-voting system implementations have resulted in a culture where open source code is seen as a gold standard; however, this ignores the issue of the comprehensibility of that code.

In this work we make concrete empirical recommendations based on our, and others, experiences and findings from examining the source code of e-voting systems. We highlight that any solution used for significant elections should be well designed, carefully analysed, deftly built, accurately documented and expertly maintained. Until e-voting system implementations are clear, comprehensible, and open to public scrutiny security standards are unlikely to improve.

We present Orthros, a 128-bit block pseudorandom function. It is designed with primary focus on latency of fully unrolled circuits. For this purpose, we adopt a parallel structure comprising two keyed permutations. The round function of each permutation is similar to Midori, a low-energy block cipher, however we thoroughly revise it to reduce latency, and introduce different rounds to significantly improve cryptographic strength in a small number of rounds. We provide a comprehensive, dedicated security analysis. For hardware implementation, Orthros achieves the lowest latency among the state-of-the-art low-latency primitives. For example, using the STM 90nm library, Orthros achieves a minimum latency of around 2.4 ns, while other constructions like PRINCE, Midori-128 and QARMA_{9}-128-\sigma_{0} achieve 2.56 ns, 4.10 ns, 4.38 ns respectively.

In this paper, we propose a novel primitive named Physically Related Function (PReF) which are devices with hardware roots of trust. It enables secure key-exchange with no pre-established/embedded secret keys. This work is motivated by the need to perform key-exchange between lightweight resource-constrained devices. We present a proof-of-concept realization of our contributions in hardware using FPGAs.

Topology-hiding broadcast (THB) enables parties communicating over an incomplete network to broadcast messages while hiding the topology from within a given class of graphs. THB is a central tool underlying general topology-hiding secure computation (THC) (Moran et al. TCC’15). Although broadcast is a privacy-free task, it was recently shown that THB for certain graph classes necessitates computational assumptions, even in the semi-honest setting, and even given a single corrupted party.

In this work we investigate the minimal assumptions required for topology-hiding communication: both Broadcast or Anonymous Broadcast (where the broadcaster’s identity is hidden). We develop new techniques that yield a variety of necessary and sufficient conditions for the feasibility of THB/THAB in different cryptographic settings: information theoretic, given existence of key agreement, and given existence of oblivious transfer. Our results show that feasibility can depend on various properties of the graph class, such as connectivity, and highlight the role of different properties of topology when kept hidden, including direction, distance, and/or distance-of-neighbors to the broadcaster.

An interesting corollary of our results is a dichotomy for THC with a public number of at least three parties, secure against one corruption: information-theoretic feasibility if all graphs are 2-connected; necessity and sufficiency of key agreement otherwise.

Quantum-access security, where an attacker is granted superposition access to secret-keyed functionalities, is a fundamental security model and its study has inspired results in post-quantum security. We revisit, and fill a gap in, the quantum-access security analysis of the Lamport one-time signature scheme (OTS) in the quantum random oracle model (QROM) by Alagic et al.~(Eurocrypt 2020). We then go on to generalize the technique to the Winternitz OTS. Along the way, we develop a tool for the analysis of hash chains in the QROM based on the superposition oracle technique by Zhandry (Crypto 2019) which might be of independent interest.

Federated learning (FL) is an emerging distributed machine learning paradigm which addresses critical data privacy issues in machine learning by enabling clients, using an aggregation server (aggregator), to jointly train a global model without revealing their training data. Thereby, it improves not only privacy but is also efficient as it uses the computation power and data of potentially millions of clients for training in parallel.

However, FL is vulnerable to so-called inference attacks by malicious aggregators which can infer information about clients’ data from their model updates. Secure aggregation restricts the central aggregator to only learn the summation or average of the updates of clients. Unfortunately, existing protocols for secure aggregation for FL suffer from high communication, computation, and many communication rounds.

In this work, we present SAFELearn, a generic design for efficient private FL systems that protects against inference attacks that have to analyze individual clients' model updates using secure aggregation. It is flexibly adaptable to the efficiency and security requirements of various FL applications and can be instantiated with MPC or FHE. In contrast to previous works, we only need 2 rounds of communication in each training iteration, do not use any expensive cryptographic primitives on clients, tolerate dropouts, and do not rely on a trusted third party. We implement and benchmark an instantiation of our generic design with secure two-party computation. Our implementation aggregates 500~models with more than 300K parameters in less than 0.5 seconds.

The problem of Blockwise Isomorphism of Polynomials was introduced by Santoso at PQCrypto 2020 as a generalization of the problem of Isomorphism of Polynomials. In the present paper, we describe how to solve this problem with circulant matrices, used in Santoso's Diffie-Hellman type encryption scheme.

The Lightning Network (LN) is a prominent scalability solution for Bitcoin that allows for low-latency off-chain payments through a network of payment channels. LN users lock bitcoins into collaboratively owned addresses and redistribute the ownership of these funds without confirming each transfer on-chain. The LN introduces new privacy challenges.

In this paper, we focus on channel balance probing. We propose a new model of the LN that accounts for parallel and unidirectional channels, which has not been done in prior work. We describe a probing algorithm that accurately updates the attacker's balance estimates without the need to directly connect to victims. We introduce an uncertainty-based metric to measure the attacker's information gain.

We implement the first probing-focused LN simulator and suggest several countermeasures against general probing (implemented considering parallel channels). We evaluate these techniques using the simulator, as well as experiments on the real network.

According to our simulations, an attacker can infer up to $80\%$~information regarding channel balances spending $\approx 20$~seconds per channel. The suggested countermeasures limit the attacker's gain at $30\%$, while also increasing the attack time by 2-4x.

In addition, we describe sophisticated attack techniques that combine fee-probing and channel jamming to get precise access to individual channel balances inside a hop, and test them against the real network.

Finally, we discuss payment flows and their concealment.

This report considers combining three well-known optimization methods for elliptic curve scalar multiplication: Gallant--Lambert--Vanstone (GLV) for complex multiplication endomorphisms $[i]$ and $[i+1]$; 3-bit fixed windows (signed base 8); and Hisil--Wong--Carter--Dawson (HWCD) curve arithmetic for twisted Edwards curves.

An $x$-only Diffie--Hellman scalar multiplication for curve $2y^2=x^3+x$ over field size $8^{91}+5$ has arithmetic cost $947\textbf{M} + 1086\textbf{S}$, where $\textbf{M}$ is a field multiplication and $\textbf{S}$ is a field squaring. This is approximately $(3.55\textbf{M} + 4.07\textbf{S})$/bit, with $1\textbf{S}$/bit for input decompression and $1\textbf{S}$/bit for output normalization. Optimizing speed by allowing uncompressed input points leads to an estimate $(3.38\textbf{M}+2.95\textbf{S})$/bit.

To mitigate some side-channel attacks, the secret scalar is only used to copy curve points from one array to another: the field operations used are fixed and independent of the secret scalar. The method is likely vulnerable to cache-timing attacks, nonetheless.

Event date: 11 August to 14 August 2021
Submission deadline: 20 May 2021
Notification: 30 July 2021

We are proud to announce the winners of the 2021 IACR Test-of-Time Award. This award honors papers published at the 3 IACR flagship conferences 15 years ago which have had a lasting impact on the field.

The Test-of-Time award for Eurocrypt 2006 is awarded to "A provable-security treatment of the key-wrap problem" (Phillip Rogaway and Thomas Shrimpton), for placing the important real world primitive of key-wrapping on a solid theoretic foundation.

The Test-of-Time award for Crypto 2006 is awarded to "New proofs for NMAC and HMAC: Security without collision-resistance" (Mihir Bellare), for proving that the security of the widely deployed HMAC construction does not depend on the collision resistance of the underlying hash function.

The Test-of-Time award for Asiacrypt 2006 is awarded to "Simulation-sound NIZK proofs for a practical language and constant size group signatures" (Jens Groth), for constructing asymptotically optimal NIZK proofs and group signatures without using random oracles, and paving the way to practical constructions.

For more information, see https://www.iacr.org/testoftime.

Dear fellow researchers,

As part of a wider effort on Blockchain Security and Finance research, we are offering funded Ph.D. positions related to the field of Decentralized Finance for stellar candidates.

We offer a striving research group with:

• Over 15 combined years of full-time research experience in the blockchain domain.
• Very consistent publications in highly competitive venues. So far, in the year 2021 alone: 2x IEEE Symposium on Security & Privacy (Oakland), 2x Financial Cryptography and Datasecurity (FC) and 1x IEEE EuroS&P paper.
• Hands-on supervision and collaboration among senior and junior Ph.D. students.
• Interdisciplinary challenges covering information security, cryptography, game theoretic incentives, economics, finance, systems, etc.
• Practical, real-world applicable research.
• Regular Zoom/Slack/iPad calls/chats/whiteboard sessions.
• Fun group events, such as game evenings etc.

Your profile ideally matches with the following:

• You enjoy to communicate transparently and openly, e.g. through regular/daily Zoom calls and slack.
• You are self-motivated, outcome drive and productive, especially during the current pandemic.
• You have a strong analytical background coupled with a solid ability to write clean and simple code.
• You prefer simplicity over complexity. You first strive towards a quick and non-perfect solution, and don't prematurely optimise something that shouldn't exist.
• While you may not yet like writing, you want to learn being able to write the perfect English text.
• You want to produce world-leading research, which you'd like to get challenged by reviewers from only the best conferences.

When applying, please familiarize yourself with the group's publications which can be found in reverse chronological order here: https://scholar.google.com/citations?hl=en&user=jLr_xi4AAAAJ&view_op=list_works&sortby=pubdate

Closing date for applications:

Contact: arthur@gervais.cc

More information: https://scholar.google.com/citations?hl=en&user=jLr_xi4AAAAJ&view_op=list_works&sortby=pubdate

The Institute of Applied Information Processing and Communications (aka IAIK) is the largest university institute in Austria for research and education in security and privacy. It has been active in this field for more than 30 years and currently employs more than 60 researchers. Within the "Secure Systems" area of our institute Sujoy Sinha Roy is establishing the new research group "Cryptographic Engineering”.

In order to complement our team, we are looking for a fulltime PhD researcher in Post-Quantum Cryptography.

Responsibilities:
The PhD researcher will be working on the implementation and side-channel security aspects of post-quantum cryptography within the “Cyroptografic Engineering” group within the “Secure Systems” area at IAIK.
The PhD candidate will have to start by May/June 2021.

Required Qualifications:
• MSc degree (or close to completion) in computer science, information and computer engineering, software development, mathematics, or a related field.
• Research experience from MSc/BSc projects.
• Outstanding candidates with BSc degree and publications in related research area are also welcome.
• Experience with cryptography, programming, and digital circuit design (ASIC or FPGA) design

How to apply:
Applications, curriculum vitae and other documents should preferably be uploaded here https://free.formcloud.de/formcycle/form/provide/7780/. Please select „7050 – PhD 2021 – crypteng" as a reference number. The application deadline is April 20th 2021.

Closing date for applications:

Contact: For more detailed information please conctact Sujoy Sinha Roy - sujoy.sinharoy@iaik.tugraz.at.

More information: https://www.tugraz.at/index.php?id=50397

The Department of Computer Science at the University of Manchester (UK) wishes to appoint a Senior Lecturer in Systems Security. The new appointment will complement existing world-class research in software security and automated reasoning.

Applicants should be computer scientists with a strong interest and track record in a relevant area of systems security, for example, cryptography, operating systems and virtualization, distributed systems security, authentication, authorization, and accountability. We also encourage applicants with a strong interest and track record in code and data integrity, malware analysis, integrity, trustworthiness, privacy, and anonymity. You will be a member of the Formal Methods Group with access to expertise in program analysis and reasoning methods. We are particularly interested in developing collaborations involving several groups within the department and wider University. For example, an exciting opportunity exists to work closely with the well-known advanced processor technologies group to study applications in massively parallel software and the IoT. Thus, experience and interest in collaborative research are particularly welcome.

You should hold a relevant Ph.D. or equivalent, have an excellent international publication record in top security conferences (e.g., ACM CCS, IEEE S&P, NDSS, USENIX Security). The applicants should show the capability of developing a portfolio of funded research activities in a multidisciplinary environment and have a solid commitment to excellence in teaching.

Closing date for applications:

Contact:

Enquiries about the vacancy, shortlisting and interviews: Dr. Lucas Cordeiro (lucas.cordeiro@manchester.ac.uk) or Dr. Giles Reger (giles.reger@manchester.ac.uk).

General enquiries: hrservices@manchester.ac.uk

More information: https://www.jobs.manchester.ac.uk/displayjob.aspx?isPreview=Yes&jobid=19901

We construct two tightly secure signature schemes based on the computational Diffie-Hellman (CDH) and factoring assumptions in the random oracle model. Our schemes are proven secure in the multi-user setting, and their security loss is constant and does not depend on the number of users or signing queries. They are the first schemes that achieve this based on standard search assumptions, as all existing schemes we are aware of are either based on stronger decisional assumptions, or proven tightly secure in the less realistic single-user setting. Under a concrete estimation, in a truly large scale, the cost of our CDH-based scheme is about half of Schnorr and DSA (in terms of signature size and running time for signing).