International Association
for Cryptologic Research

This paper proposes distinguishing and key recovery attacks on the reduced-round versions of the SNOW-V stream cipher. First, we construct a MILP model to search for integral characteristics using the division property, and find the best integral distinguisher in the 3-, 4-, and 5-round versions with time complexities of \(2^8\), \(2^{16}\), and \(2^{48}\), respectively. Next, we construct a bit-level MILP model to efficiently search for differential characteristics, and find the best differential characteristics in the 3- and 4-round versions. These characteristics lead to the 3- and 4-round differential distinguishers with time complexities of \(2^{48}\) and \(2^{103}\), respectively. Then, we consider single-bit and dual-bit differential cryptanalysis, which is inspired by the existing study on Salsa and ChaCha. By carefully choosing the IV values and differences, we observe the best bit-wise differential biases with \(2^{−1.733}\) and \(2^{−17.934}\) in the 4- and 5-round versions, respectively. This is feasible to construct a very practical distinguisher with a time complexity of \(2^{4.466}\) for the 4-round version, and a distinguisher with a time complexity of at least \(2^{36.868}\) for the 5-round version. Finally, we improve the existing differential attack based on probabilistic neutral bits, which is also inspired by the existing study on Salsa and ChaCha. As a result, we present the best key recovery attack on the 4-round version with a time complexity of \(2^{153.97}\) and data complexity of \(2^{26.96}\). Consequently, we significantly improve the existing best attacks in the initialization phase by the designers.

We introduce MatRiCT+, a practical private blockchain payment protocol based on ``post-quantum'' lattice assumptions. MatRiCT+ builds on MatRiCT due to Esgin et al. (ACM CCS'19) and, in general, follows the Ring Confidential Transactions (RingCT) approach used in Monero, the largest privacy-preserving cryptocurrency. In terms of the practical aspects, MatRiCT+ has 2-17x shorter proofs (depending on the number of input accounts, M) and runs 3-8x faster (for a typical transaction) in comparison to MatRiCT. A significant advantage of MatRiCT+ is that the proof length's dependence on M is very minimal (only O(log M)), while MatRiCT has a proof length linear in M.

To support its efficiency, we devise several novel techniques in our design of MatRiCT+ to achieve compact lattice-based zero-knowledge proof systems, exploiting the algebraic properties of power-of-2 cyclotomic rings commonly used in practical lattice-based cryptography. Along the way, we design an ``optimal'' challenge space with minimal $\ell_1$-norm and invertible challenge differences (with overwhelming probability), while supporting highly-splitting power-of-2 cyclotomic rings. We believe all these results to be widely applicable and of independent interest.

In this paper, we investigate the security of SNOW-V, the new member of the SNOW family proposed in response to the new requirements of confidentiality and integrity protection in 5G. Specifically, we demonstrate two guess-and-determine (GnD) attacks against the full SNOW-V with complexities $2^{384}$ and $2^{378}$ using seven and eight keystream words, respectively, and one distinguishing attack against a reduced variant with complexity $2^{303}$. Our guess-and-determine attacks use enumeration with recursion to explore valid guessing paths, and try to truncate as many guessing paths as possible on early stages of the recursion by carefully designing the order of guessing, and fully exploiting the equation constraints. In our first GnD attack, we guess three 128-bit state variables, and determine the other three using three consecutive keystream words. We use a fourth keystream word to efficiently enumerate solutions of the last state variable and the next three for verification of the correct guess. The second GnD attack is similar but exploits one more keystream word as a side information to truncate more guessing paths. In our distinguishing attack, we consider a reduced version where all 32-bit adders are replaced with exclusive-OR and find a 16-bit linear approximation with the SEI bias $2^{-303}$ using three consecutive keystream words. The main advantage of our distinguishing attack is that we can cancel out the contribution from the linear part locally, without a need to combine keystream words very far away, which is typically required in a classical distinguishing attack against stream ciphers. Thus we are able to give a distinguishing attack requiring $2^{303}$ samples, while these samples can be collected from multiple short keystreams under different (Key, IV) pairs. These attacks do not threaten SNOW-V, but provide more in-depth details for understanding its security and give new ideas for cryptanalysis of other ciphers.

To mark the 10-year anniversary of supersingular isogeny Diffie-Hellman, I will touch on 10 points in defense and support of the SIKE protocol, including the rise of classical hardness, the fact that quantum computers do not seem to offer much help in solving the underlying problem, and the importance of concrete cryptanalytic clarity.

In the final section I will discuss the upcoming SIKE challenges: over $50k USD will be up for grabs for the solutions of mini instances that, according to the SIKE team's security analysis, provide significantly less than 64 bits of classical security. I conclude by urging the proponents of other schemes to construct analogous challenge instances.

The three body problem is the founding problem of deterministic chaos theory. In this article is proposed a new stream cipher algorithm based on a mathematical structure similar to that underlying the 3 body poblem. Is also proposed to use said structure for the design of new bloc ciphers and hash functions algorithms.

In this work, we present a small architecture for quantum-safe hybrid key exchange targeting ECDH and SIKE. This is the first known hardware implementation of ECDH/SIKE-based hybrid key exchange in the literature. We propose new ECDH and EdDSA parameter sets defined over the SIKE primes. As a proof-of-concept, we evaluate SIKEX434, a hybrid PQC scheme composed of SIKEp434 and our proposed ECDH scheme X434 over a new, low-footprint architecture. Both schemes utilize the same 434-bit prime to save area. With only 1663 slices on a small Artix-7 device, our SIKE architecture can compute an entire hybrid key exchange in 320 ms. This is the smallest SIKE architecture in the literature. The hybrid SIKEX434 adds approximately 16% communication overhead and 10% latency overhead over SIKEp434. The additional overhead to support multiple primes indicates the need for new standardized ECC parameters for area-efficient designs in the future.

We introduce a new approach for constructing range proofs. Our approach is modular, and leads to highly competitive range proofs under standard assumption, using less communication and (much) less computation than the state of the art methods, without relying on a trusted setup. Our range proofs can be used as a drop-in replacement in a variety of protocols such as distributed ledgers, anonymous transaction systems, and many more, leading to significant reductions in communication and computation for these applications. At the heart of our result is a new method to transform any commitment over a finite field into a commitment scheme which allows to commit to and efficiently prove relations about bounded integers. Combining these new commitments with a classical approach for range proofs based on square decomposition, we obtain several new instantiations of a paradigm which was previously limited to RSA-based range proofs (with high communication and computation, and trusted setup). More specifically, we get: – Under the discrete logarithm assumption, we obtain the most compact and efficient range proof among all existing candidates (with or without trusted setup). Our proofs are 12% to 20% shorter than the state of the art Bulletproof (Bootle et al., CRYPTO’18) for standard choices of range size and security parameter, and are more efficient (both for the prover and the verifier) by more than an order of magnitude. – Under the LWE assumption, we obtain range proofs that improve over the state of the art in a batch setting when at least a few dozen range proofs are required. The amortized communication of our range proofs improves by up to two orders of magnitudes over the state of the art when the number of required range proofs grows. – Eventually, under standard class group assumptions, we obtain the first concretely efficient standard integer commitment scheme (without bounds on the size of the committed integer) which does not assume trusted setup.

Revocable hierarchical identity-based encryption (RHIBE) is a variant of the standard hierarchical identity-based encryption (HIBE) satisfying the key revocation functionality. Recently, the first adaptively secure RHIBE scheme with compact ciphertexts was proposed by Emura et al. by sacrificing the efficiency of the schemes for achieving adaptive security so that the secret keys are much larger than Seo and Emura's selectively secure scheme with compact ciphertexts. In this paper, we propose a more efficient adaptively secure RHIBE scheme with compact ciphertexts. Our scheme has much shorter secret keys and key updates than Emura et al.'s scheme. Moreover, our scheme has much shorter key updates than Seo and Emura's selectively secure scheme. Emura et al. proved the adaptive security of their scheme by reducing the security of the underlying HIBE schemes to that of their proposed RHIBE scheme, where the adaptive security of the HIBE scheme is inherently proven through the dual system encryption methodology. In contrast, we prove the adaptive security of the proposed RHIBE scheme directly through the dual system encryption methodology. Furthermore, our security proof achieves a tighter reduction than that of Emura et al.

Event date: to
Submission deadline: 31 May 2021

Event date: to
Submission deadline: 30 November 2021

Event date: 11 October to 12 October 2021
Submission deadline: 11 June 2021
Notification: 2 July 2021

The Institute of Applied Information Processing and Communications (aka IAIK) is the largest university institute in Austria for research and education in security and privacy. It has been active in this field for more than 30 years and currently employs more than 60 researchers. In order to complement our team, we are looking for a fulltime postdoctoral researcher in cybersecurity and machine learning.

The postdoc position is part the research group of Stefan Mangard. The position is dedicated to basic research in the context of the TU Graz-SAL Dependable Embedded Systems Lab (DES Lab) that aims for new methods for zero-bug software and dependable AI. In the DES Lab she/he will collaborate with SAL (https://silicon-austria-labs.com) and a team TU Graz researchers in the field of cybersecurity, machine learning, formal methods, and embedded systems.

The position offers:

An initial duration of two years with an option for extension

Considerable freedom in selecting specific problems to work on in the context of cybersecurity and machine learning

Highly competitive salary

Highly interdisciplinary work environment

Required Qualifications:

Completed doctoral studies in computer science, computer engineering or a comparable subject

Track record of publications at top tier conferences

Background in cybersecurity and machine learning (the main focus can be in either area)

Please send your applications to applications.csbme@tugraz.at while adding the reference: 7050/21/005.

Deadline for the application: May 27th 2021

Closing date for applications:

Contact: In case of questions, feel free to contact Stefan Mangard via email Stefan.Mangard@iaik.tugraz.at.

More information on the DES Lab: https://research-network.silicon-austria.com/des-lab/

The Applied Crypto group of the University of Luxembourg is offering multiple post-doc positions in cryptography, funded by the H2020 ERC programme. Possible topics of interests are fully homomorphic encryption, multilinear maps, public-key cryptanalysis, side-channel attacks and countermeasures, white-box cryptography, and blockchain applications.

The post-docs will be members of the Security and Trust (SnT) research center from the university of Luxembourg (>200 researchers in all aspects of IT security). We offer a competitive salary (about 60,000 euro/year gros). The duration of the position is 2.5 years.

Profile: a PhD in cryptography, with publications in competitive cryptographic conferences

Closing date for applications: June 30th, 2021. We encourage early applications.

Closing date for applications:

Contact: Jean-Sebastien Coron - jean-sebastien.coron at uni dot lu

More information: http://www.crypto-uni.lu/vacancies.html

Event date: 5 October to 8 October 2021
Submission deadline: 15 May 2021
Notification: 24 June 2021

Event date: 7 December to 11 December 2021
Submission deadline: 30 April 2021
Notification: 25 July 2021

Event date: 14 December to 17 December 2021
Submission deadline: 16 July 2021

Event date: 11 November to 12 November 2021
Submission deadline: 25 June 2021
Notification: 30 August 2021

Updatable Encryption (UE), as originally defined by Boneh et al. in 2013, addresses the problem of key rotation on outsourced data while maintaining the communication complexity as low as possible. The security definitions for UE schemes have been constantly updated since then. However, the security notion that is best suited for a particular application remains unclear.

To solve this problem in the ciphertext-independent setting, we use the Constructive Cryptography (CC) framework defined by Maurer et al. in 2011. We define and construct a resource that we call Updatable Server-Memory Resource (USMR), and study the confidentiality guarantees it achieves when equipped with a UE protocol, that we also model in this framework. With this methodology, we are able to construct resources tailored for each security notion. In particular, we prove that IND-UE-RCCA is the right security notion for many practical UE schemes.

As a consequence, we notably rectify a claim made by Boyd et al., namely that their IND-UE security notion is better than the IND-ENC+UPD notions, in that it hides the age of ciphertexts. We show that this is only true when ciphertexts can leak at most one time per epoch.

We stress that UE security is thought of in the context of adaptive adversaries, and UE schemes should thus bring post-compromise confidentiality guarantees to the client. To handle such adversaries, we use an extension of CC due to Jost et al. and give a clear, simple and composable description of the post-compromise security guarantees of UE schemes. We also model semi-honest adversaries in CC.

Our adaption of the CC framework to UE is generic enough to model other interactive protocols in the outsourced storage setting.

Distributed ledger technologies like blockchain have gained great attention in both academia and industry. Blockchain as a potentially disruptive technology can advance many different fields, e.g., cryptocurrencies, supply chains, and the industrial Internet of Things. The next-generation blockchain ecosystem is expected to consist of various homogeneous and heterogeneous distributed ledgers. These ledger systems will inevitably require a certain level of proper cooperation of multiple blockchains to enrich advanced functionalities and enhance interoperable capabilities for future applications. The interoperability among blockchains will definitely revolutionize current blockchain design principles, like the emergence of Internet. The development of cross-blockchain applications involves much complexity regarding the variety of underlying cross-blockchain communication. The way to effectively enable interoperability across multiple blockchains is thus essential and expecting to confront various unprecedented challenges. For instance, due to different transaction structures, ensuring the properties of ACID (Atomicity, Consistency, Isolation, Durability) in transactions processing and verification processes across diverse blockchain systems remains a challenging task in both academia and industry. This paper provides a systematic and comprehensive review of the current progress of blockchain interoperability. We explore both general principles and practical schemes to achieve interoperable blockchain systems. We then survey and compare the state-of-the-art solutions to deal with the interoperability of blockchains in detail. Finally, we discuss several critical challenges and some potential research directions to advance the research on exploring blockchain interoperability.

Lattice-based structures offer considerable possibilities for post-quantum cryptography. Recently, many algorithms have been built on hard lattice problems. The three of the remaining four in the final round of the post-quantum cryptography standardization process use lattice-based methods. Especially in embedded systems, these algorithms should be operated effectively. In this study, the potential of transport triggered architecture is examined in this sense. We try to compare open source RISC-V processors with our transport triggered architecture processors under fair conditions. Thus, we aim to provide a base architecture for developing application specific processors for post-quantum cryptography, which is becoming an increasingly urgent research area. The tests performed are implemented on the same FPGA and evaluated as performance, resource utilization, average power and total energy consumption. Regardless of the algorithm, our design exhibit better results than RISC-V processors for all tests. It seems to be 2x - 3x faster, 2x - 2.5x smaller and consumes 2.5x - 5x less energy than RISC-V competitors. We also share how the results vary for many different configurations of our processor that can be easily converted. The obtained findings show that the transport triggered architecture is a promising option on developing application-specific processors for lattice-based post-quantum cryptography applications.