International Association
for Cryptologic Research

In two of the main areas of post-quantum cryptography, based on lattices and codes, nearest neighbor techniques have been used to speed up state-of-the-art cryptanalytic algorithms, and to obtain the lowest asymptotic cost estimates to date [May-Ozerov, Eurocrypt'15; Becker-Ducas-Gama-Laarhoven, SODA'16]. These upper bounds are useful for assessing the security of cryptosystems against known attacks, but to guarantee long-term security one would like to have closely matching lower bounds, showing that improvements on the algorithmic side will not drastically reduce the security in the future. As existing lower bounds from the nearest neighbor literature do not apply to the nearest neighbor problems appearing in this context, one might wonder whether further speedups to these cryptanalytic algorithms can still be found by only improving the nearest neighbor subroutines. We derive new lower bounds on the costs of solving the nearest neighbor search problems appearing in these cryptanalytic settings. For the Euclidean metric we show that for random data sets on the sphere, the locality-sensitive filtering approach of [Becker-Ducas-Gama-Laarhoven, SODA 2016] using spherical caps is optimal, and hence within a broad class of lattice sieving algorithms covering almost all approaches to date, their asymptotic time complexity of $2^{0.292d + o(d)}$ is optimal. Similar conditional optimality results apply to lattice sieving variants, such as the $2^{0.265d + o(d)}$ complexity for quantum sieving [Laarhoven, PhD thesis 2016] and previously derived complexity estimates for tuple sieving [Herold-Kirshanova-Laarhoven, PKC 2018]. For the Hamming metric we derive new lower bounds for nearest neighbor searching which almost match the best upper bounds from the literature [May-Ozerov, Eurocrypt 2015]. As a consequence we derive conditional lower bounds on decoding attacks, showing that also here one should search for improvements elsewhere to significantly undermine security estimates from the literature.

Event date: 16 November to 17 November 2021
Submission deadline: 30 June 2021
Notification: 1 September 2021

We are seeking one to two software engineers who can contribute to implementing a software system for privacy-preserving DNA synthesis screening in the Secure DNA project. We are a group of researchers from Tsinghua University, MIT, Aarhus University, Shanghai Jiao Tong University, and other world-leading academic institutions. Our goal is to develop an automatic and accurate screening system that can effectively block hazardous DNA sequences from being produced, while at the same time providing superior levels of security guarantees, in terms of not disclosing the submitted DNA orders or the potential hazards that are not yet public. To learn more visit our website or read the technical whitepaper.

Your Responsibilities

• Develop and implement the software system that realizes secure DNA synthesis.
• Develop the frontend that integrates the system into the production environments of our DNA vendor partners.

Basic Requirements

• Strong software development experience, especially large-scale systems and/or security-critical software.
• Strong knowledge and experience in software programming, such as C++, Rust, or Go.
• Familiarity with common cryptographic software libraries and implementations.

Nice to Have

• Experience in distributed systems.
• Basic theoretical background in cryptography and system security.
• English communication and reading/writing capabilities.
• Passion for modern cryptography-based secure computing.

Benefits

• Involved in world-leading research projects and teamed up with top scientists around the world, including Turing award winners.
• Competitive salary and other benefits from Tsinghua University.
• Future opportunities in long-term collaboration with other research projects at Tsinghua.

Closing date for applications:

Contact: Mingyu Gao, gaomy@tsinghua.edu.cn

More information: https://www.securedna.org

We are seeking a principal software architect who can contribute to implementing a software system for privacy-preserving DNA synthesis screening in the Secure DNA project. We are a group of researchers from Tsinghua University, MIT, Aarhus University, Shanghai Jiao Tong University, and other world-leading academic institutions. Our goal is to develop an automatic and accurate screening system that can effectively block hazardous DNA sequences from being produced, while at the same time providing superior levels of security guarantees, in terms of not disclosing the submitted DNA orders or the potential hazards that are not yet public. To learn more visit our website or read the technical whitepaper.

Your Responsibilities

• Design and propose the system architecture for the software system that realizes the proposed algorithm based on distributed oblivious pseudo-random functions.
• Assemble and lead the engineer team to implement the proposed software system.
• Deploy the system into the production environments of our DNA vendor partners.

Basic Requirements

• 5+ years of experience working with secure software system development and deployment.
• Strong knowledge and experience in software programming, such as C++, Rust, or Go.
• Familiarity with common cryptographic software libraries and implementations.
• Fluent in English communication and reading/writing.

Nice to Have

• Experience in team management.
• Familiarity with modern cryptography-based securing computing algorithms.
• Some familiarity with basic biological knowledge and DNA synthesis.

Benefits

• Flexible work hours and arrangement; remote and/or part-time are both acceptable.
• Involved in world-leading research projects with Turing award winners.
• A critical role in implementing the important bio-security system that will be deployed world-wide.
• Competitive salary and other benefits from Tsinghua University.
• Future opportunities in long-term collaboration with other research projects at Tsingh

  Closing date for applications:

  Contact: Mingyu Gao, gaomy@tsinghua.edu.cn

  More information: https://www.securedna.org

We have multiple open positions within Surrey Centre for Cyber Security (SCCS) at the Department of Computer Science, University of Surrey, UK.

Early Career Fellowship in Cyber Security (Lecturer A)
https://jobs.surrey.ac.uk/vacancy.aspx?ref=026221

Lecturer / Senior Lecturer in Cyber Security
https://jobs.surrey.ac.uk/vacancy.aspx?ref=027721

Positions are available for researchers at different stages of their careers and in a range of security topics such as:

• applied cryptography (incl. post-quantum cryptography, distributed cryptography)
• privacy enhancing technologies (incl. anonymisation, secure multi-party computation, computing on encrypted data)
• software security (e.g., malware analysis)
• system security (incl., security of autonomous or cyber-physical systems)
• security architectures (incl., trusted computing, TEEs)
• security protocols for blockchain and/or machine learning
• tool-assisted formal verification of security and privacy

Please follow the above links for more details.

Closing date for applications:

Contact: Informal inquiries can be sent to Dr. Mark Manulis (m.manulis at surrey.ac.uk)

More information: https://www.surrey.ac.uk/department-computer-science

As a research engineer in the Cyber Security chair you will focus in applied and theoretical cryptography, network and information security. You will establish and work in a state-of-the-art IoT (Internet of Things) lab with smart devices ranging from Raspberry Pi's, sensors, smart microphones, toy cars, RFID tags, RFID readers, smart phones, biometric sensors and you will work with world-leading researchers to implement, test, and showcase secure and privacy-preserving protocols and algorithms. Many projects are done in collaboration with other academic and industrial partners. More specifically, the job includes:

• Development and implementation of concepts and research results, both individually and in collaboration with researchers and PhD students
• Run of experiments and simulation of realistic conditions to test the performance of developed algorithms and protocols
• Development, maintenance and organization of software
• Support to BSc, MSc and PhD students, postdocs and researchers who use the lab
• Responsibility for the daily routines in the lab, for example purchases, installations, bookings, inventory
• Demonstrations and lab tours for external visitors
• Producing media content for our group web page and social media platforms.

Your profile

• The successful applicant is expected to hold or to be about to receive a M.Sc. degree in Computer Science, Electrical Engineering, Applied Mathematics or similar fields, preferably with a focus in Security and Privacy for Computer Science Systems.
• We are looking for a strongly motivated and self-driven person who is able to work and learn new things independently.
• Good command of English is required.
• You should have a good academic track record and well developed analytical and problem solving skills.
• Excellent programming skills and familiarity with cryptographic libraries.
• Previous experience in implementation projects with C++, Matlab, Python is desired.

Deadline: 15 June 2021

Closing date for applications:

Contact: Prof. Katerina Mitrokotsa

More information: https://jobs.unisg.ch/offene-stellen/research-engineer-security-and-privacy-m-f-d/634aea27-37d2-4f1f-ab25-2d3c0a622fc0

You will conduct research towards a distributed intrusion detection system for constrained devices in real-world IoT applications. The intrusion detection system (IDS) you will develop will facilitate detection and containment of a security breach in the Edge, making the IoT applications of tomorrow more secure and reliable.

Your activity will be at an exciting intersection of the following fields:

• Embedded development. The constrained nature of low-power embedded world will present you with stimulating research challenges. You will implement and test your results on real-world, low-power embedded HW platforms, maintaining a steady link between your research and practice and ensuring a real-world impact.
• Applied security. To defend from attacks, you will get intimately familiar with them. You will acquire knowledge of different types of intrusion, how they manage to penetrate a system, and how they can be recognized.
• Artificial intelligence. Modern IDS systems rely on AI. You will review the state of the art, select the most viable AI algorithms for an IDS in the constrained setting of IoT Edge, and carefully tweak them for the job.
• Distributed computing. A swarm of Things in the Edge can, collaboratively monitor itself much more effectively than a single device. You will combine all the above and deploy a distributed IDS on a group of constrained embedded devices, identifying the tradeoffs between efficiency and overhead.

The result of your work will be an IDS system, which will be able to make a difference in the security and reliability of real-world IoT applications.

We are looking for a student who has a Masters (or equivalent) degree in Electrical Engineering, Electronics or Computer Science with background and passion in (most of):

• Solid understanding of machine learning concepts and some practice
• Proficiency with programming in C
• Experience with embedded development is an advantage
• Background in applied cryptography and security is an advantage
• Fluency in English is required, proficiency in French is an advantage.
• Good communication and interpersonal skills.

Closing date for applications:

Contact: To apply visit https://www.csem.ch/page.aspx?pid=47528&jobid=122842.

You will be based in part at CSEM (Switzerland), and in part at the Cybersecurity Research Group at AAU (Austria); you need to be eligible to work in Europe, and you need to be flexible as you will travel regularly.

Data and signal authentication schemes are being proposed to address Global Navigation Satellite Systems' (GNSS) vulnerability to spoofing. Due to the low power of their signals, the bandwidth available for authentication in GNSS is scarce. Since delayed-disclosure protocols, e.g., TESLA (timed-efficient stream loss-tolerant authentication), are efficient in terms of bandwidth and robust to signal impairments, they have been proposed and implemented by GNSS. The length of message authentication codes (MACs) and cryptographic keys are two crucial aspects of the protocol design as they have an impact on the utilized bandwidth, and therefore on the protocol performance. We analyze both aspects in detail for GNSS-TESLA and present recommendations for efficient yet safe MAC and key lengths. We further complement this analysis by proposing possible authentication success and failure policies and quantify the reduction of the attack surface resulting from employing them. The analysis shows that in some cases it is safe to use MAC and key sizes that are smaller than those proposed in best-practice guidelines. While some of our considerations are general to delayed-disclosure lightweight protocols for data and signal authentication, we particularize them for GNSS-TESLA protocols.

Fully homomorphic encryption (FHE) is one of the prospective tools for privacypreserving machine learning (PPML), and several PPML models have been proposed based on various FHE schemes and approaches. Although the FHE schemes are known as suitable tools to implement PPML models, previous PPML models on FHE encrypted data are limited to only simple and non-standard types of machine learning models. These non-standard machine learning models are not proven efficient and accurate with more practical and advanced datasets. Previous PPML schemes replace non-arithmetic activation functions with simple arithmetic functions instead of adopting approximation methods and do not use bootstrapping, which enables continuous homomorphic evaluations. Thus, they could not use standard activation functions and could not employ a large number of layers. The maximum classification accuracy of the existing PPML model with the FHE for the CIFAR-10 dataset was only 77% until now. In this work, we firstly implement the standard ResNet-20 model with the RNS-CKKS FHE with bootstrapping and verify the implemented model with the CIFAR-10 dataset and the plaintext model parameters. Instead of replacing the non-arithmetic functions with the simple arithmetic function, we use state-of-the-art approximation methods to evaluate these non-arithmetic functions, such as the ReLU, with sufficient precision [1]. Further, for the first time, we use the bootstrapping technique of the RNS-CKKS scheme in the proposed model, which enables us to evaluate a deep learning model on the encrypted data. We numerically verify that the proposed model with the CIFAR-10 dataset shows 98.67% identical results to the original ResNet-20 model with non-encrypted data. The classification accuracy of the proposed model is 90.67%, which is pretty close to that of the original ResNet-20 CNN model. It takes about 4 hours for inference on a dual Intel Xeon Platinum 8280 CPU (112 cores) with 512 GB memory. We think that it opens the possibility of applying the FHE to the advanced deep PPML model.

Because of the everlasting need of space to store even the headers of a blockchain, Ethereum requiring for example more than 4 GiB for such a task, superlight clients stood out as a necessity, for instance to enable deployment on wearable devices or smart contracts. Among them is FlyClient, whose main benefit was to be non-interactive. However, it is still to be shown how a such protocol can be deployed on an already existing chain, without contentious soft or hard forks. FlyClient suggests the use of velvet forks, a recently introduced mechanism for conflict-free deployment of blockchain consensus upgrades – yet the impact on the security of the light client protocol remains unclear. In this work, we provide a comprehensive analysis of the security of FlyClient under a velvet fork deployment. We discover that a naive velvet fork implementation exposes FlyClient to chain-sewing attacks, a novel type of attack, concurrently observed in similar superlight clients. Specifically, we show how an adversary subverting only a small fraction of the hash rate or consensus participants can not only execute doublespending attacks against velvet FlyClient nodes, but also print fake coins – with high probability of success. We then present three potential mitigations to this attack and prove their security both under velvet and, more traditional soft and hard fork deployment. In particular, our mitigations do not necessarily require a majority of honest, up-to-date miners.

As the Internet of Things (IoT) rolls out today to devices whose lifetime may well exceed a decade, conservative threat models should consider attackers with access to quantum computing power. The SUIT standard (specified by the IETF) defines a security architecture for IoT software updates, standardizing the metadata and the cryptographic tools---namely, digital signatures and hash functions---that guarantee the legitimacy of software updates. While the performance of SUIT has previously been evaluated in the pre-quantum context, it has not yet been studied in a post-quantum context. Taking the open-source implementation of SUIT available in RIOT as a case study, we overview post-quantum considerations, and quantum-resistant digital signatures in particular, focusing on low-power, microcontroller-based IoT devices which have stringent resource constraints in terms of memory, CPU, and energy consumption. We benchmark a selection of proposed post-quantum signature schemes (LMS, Falcon, and Dilithium) and compare them with current pre-quantum signature schemes (Ed25519 and ECDSA). Our benchmarks are carried out on a variety of IoT hardware including ARM Cortex-M, RISC-V, and Espressif (ESP32), which form the bulk of modern 32-bit microcontroller architectures. We interpret our benchmark results in the context of SUIT, and estimate the real-world impact of post-quantum alternatives for a range of typical software update categories.

Over the last few decades, the cost and difficulty of producing integrated circuits at ever shrinking node sizes has vastly increased, resulting in the manufacturing sector moving overseas. Using offshore foundries for chip fabrication, however, introduces new vulnerabilities into the design flow since there is little to no observability into the manufacturing process. At the same time, both design and optimization are becoming increasingly complex, particularly as SoC designs gain popularity. Common practices such as porting a design across node sizes and reusing cores at multiple area/performance tradeoffs further complicate assurance as layout specific features impede comparison. Methods have been developed for conducting integrated circuit decomposition on fabricated chips [1][2][16] to extract the as-fabricated design files such as the GDSII layout or gate-level netlist. While mature netlist equivalency checking tools are included with any design flow, there is a lack of tools for performing deeper analyses on the extracted designs for the purposes of hardware assurance or design recovery from obsolete parts. To this end, there is a need for a tool to extract functionality from netlists at a higher abstraction level to reconstruct behavioral Register Transfer Level (RTL) code.

While server-only authentication with certificates is the most widely used mode of operation for the Transport Layer Security (TLS) protocol on the world wide web, there are many applications where TLS is used in a different way or with different constraints. For example, embedded Internet-of-Things clients may have a server certificate pre-programmed and be highly constrained in terms of communication bandwidth or computation power. As post-quantum algorithms have a wider range of performance trade-offs, designs other than traditional ``signed-key-exchange'' may be worthwhile. The KEMTLS protocol, presented at ACM CCS 2020, uses key encapsulation mechanisms (KEMs) rather than signatures for authentication in the TLS 1.3 handshake, a benefit since most post-quantum KEMs are more efficient than PQ signatures. However, KEMTLS has some drawbacks, especially in the client authentication scenario which requires a full additional roundtrip.

We explore how the situation changes with pre-distributed public keys, which may be viable in many scenarios, for example pre-installed public keys in apps, on embedded devices, cached public keys, or keys distributed out of band. Our variant of KEMTLS with pre-distributed keys, called KEMTLS-PDK, is more efficient in terms of both bandwidth and computation compared to post-quantum signed-KEM TLS (even cached public keys), and has a smaller trusted code base. When client authentication is used, KEMTLS-PDK is more bandwidth efficient than KEMTLS yet can complete client authentication in one fewer round trips, and has stronger authentication properties. Interestingly, using pre-distributed keys in KEMTLS-PDK changes the landscape on suitability of PQ algorithms: schemes where public keys are larger than ciphertexts/signatures (such as Classic McEliece and Rainbow) can be viable, and the differences between some lattice-based schemes is reduced. We also discuss how using pre-distributed public keys provides privacy benefits compared to pre-shared symmetric keys in TLS.

Attribute-based encryption (ABE) schemes by lattices are likely to resist quantum attacks, and can be widely applied to many Internet of Thing or cloud scenarios. One of the most attractive feature for ABE is the ability of fine-grained access control which provides an effective way to ensure data security. In this work, we propose an efficient ciphertext policy attribute-based encryption scheme based on hardness assumption of LWE. Being different from other similar schemes, a user's secret key can only be generated once only and it can be used to decrypt ciphertext under different access policies by making combinations of secret key fragments. Specially, we propose a method for binding users' secret keys with their attributes and identities, which solves the collusion attack problem. The security of the scheme is proved to be selective secure under the LWE assumption.

In this paper, we introduce the problem of Asynchronous Data Dissemination (ADD). Intuitively, an ADD protocol replicates a message to all honest nodes in an asynchronous network, given that at least $t+1$ honest nodes initially hold the message where $t$ is the maximum number of malicious nodes. We design a simple yet efficient ADD protocol for $n$ parties that is information theoretically secure, tolerates up to one-third malicious nodes, and has a communication cost of $O(n|M|+n^2)$ for replicating a message $M$.

We then use our ADD protocol to improve many important primitives in cryptography and distributed computing. For reliable broadcast, assuming the existence of collision resistance hash functions, we present a protocol with communication cost $O(n|M| + \kappa n^2)$ where $\kappa$ is the size of the hash function output. This is an improvement over the best-known complexity of $O(n|M| + \kappa n^2 \log n)$ under the same setting. Next, we use our ADD protocol along with additional new techniques to improve the communication complexity of Asynchronous Verifiable Secret Sharing~(AVSS) and Asynchronous Complete Secret Sharing~(ACSS) with no trusted setup from $O(\kappa n^2 \log n)$ to $O(\kappa n^2)$. Furthermore, we use ADD and a publicly-verifiable secret sharing scheme to improve dual-threshold ACSS and Asynchronous Distributed Key Generation~(ADKG).

The proliferation of the Internet of Things (IoT) technology has made ubiquitous computing a reality by broadening Internet connectivity across diverse application domains, thus bridging billions of devices and human beings as well for information collection, data processing, and decision-making. In recent years, IoT technology and its applications in various industrial sectors have grown exponentially. Most existing industrial IoT (IIoT) implementations, however, are still relying on a centralized architecture, which is vulnerable to the single point of failure attack and requires a massive amount of computation at the central entity. The emerging blockchain technology is currently undergoing rapid development and has the full potential to revolutionize the IIoT platforms and applications. As a distributed and decentralized tamper-resistant ledger, blockchain maintains the consistency of data records at different locations and holds the potential to address the issues in traditional IIoT networks, such as heterogeneity, interoperability, and security. Integrating the blockchain technology into IIoT platforms requires to address several critical challenges that are inherent in IIoT and blockchain themselves, such as standardization, scalability, and interoperability. This paper provides a comprehensive review on the recent advances in architecture design and technology development towards tackling these challenges. We further provide several representative industrial use cases that can benefit from the integration of blockchain technology, and discuss the recent research trends and open issues in blockchain-enabled IIoT platforms.

The advent of blockchain protocols has reignited the interest in adaptively secure broadcast, as it is by now well known that broadcasting over a diffusion network allows an adaptive adversary to corrupt the sender depending on the message s/he attempts to send and change it. Hirt and Zikas [Eurocrypt '10] proved that this is an inherent limitation of broadcast in the simulation-based setting, i.e., that this task is impossible against an adaptive adversary corrupting a strict majority of the parties.

In this work, we show that, contrary to previous perception, the above limitation is not an artifact of simulation-based security, but that it also applies to the property-based broadcast definition adapted for adaptive adversaries. We then turn to the resource-restricting cryptography (RRC) paradigm, which was proven useful in circumventing strong impossibility results, and ask whether it also allows us to circumvent the above negative result. We answer this question in the affirmative, by showing that time-lock puzzles (TLPs)---which can be viewed as an instance of RRC---indeed allow for achieving the property-based definition and circumvent the impossibility of adaptively secure broadcast.

The natural question is then, do TLPs also allow for simulation-based adaptively secure broadcast against corrupted majorities? It turns out that they do not, which serves as yet another motivation for simulation-based security, especially when dealing with adaptive adversaries. Nonetheless, we show that a positive result can be achieved if we turn to what is essentially a non-committing version of TLPs, which uses access to a programmable random oracle.

HMAC and NMAC are the most basic and important constructions to convert Merkle-Damg{\aa}rd hash functions into message authentication codes (MACs) or pseudorandom functions (PRFs). In the quantum setting, at CRYPTO 2017, Song and Yun showed that HMAC and NMAC are quantum pseudorandom functions (qPRFs) under the standard assumption that the underlying compression function is a qPRF. Their proof guarantees security up to $O(2^{n/5})$ or $O(2^{n/8})$ quantum queries when the output length of HMAC and NMAC is $n$ bits. However, there is a gap between the provable security bound and a simple distinguishing attack that uses $O(2^{n/3})$ quantum queries. This paper settles the problem of closing the gap. We show that the tight bound of the number of quantum queries to distinguish HMAC or NMAC from a random function is $\Theta(2^{n/3})$ in the quantum random oracle model, where compression functions are modeled as quantum random oracles. To give the tight quantum bound, based on an alternative formalization of Zhandry's compressed oracle technique, we introduce a new proof technique focusing on the symmetry of quantum query records.

Merkle tree is applied in diverse applications, namely, Blockchain, smart grid, IoT, Biomedical, financial transactions, etc., to verify authenticity and integrity. Also, the Merkle tree is used in privacy-preserving computing. However, the Merkle tree is a computationally costly data structure. It uses cryptographic string hash functions to partially verify the data integrity and authenticity of a data block. However, the verification process creates unnecessary network traffic because it requires partial hash values to verify a particular block. Moreover, the performance of the Merkle tree also depends on the network latency. Therefore, it is not feasible for most of the applications. To address the above issue, we proposed an alternative model to replace the Merkle tree, called HEX-BLOOM, and it is implemented using hash, Exclusive-OR and Bloom Filter. Our proposed model does not depends on network latency for verification of data block's authenticity and integrity. HEX-BLOOM uses an approximation model, Bloom Filter. Moreover, it employs a deterministic model for final verification of the correctness. In this article, we show that our proposed model outperforms the state-of-the-art Merkle tree in every aspect.

Abstract—This paper proposes the first side-channel attack on FALCON—a NIST Round-3 finalist for the post-quantum digital signature standard. We demonstrate a known-plaintext attack that uses the electromagnetic measurements of the device to extract the secret signing keys, which then can be used to forge signatures on arbitrary messages. The proposed attack targets the unique floating-point multiplications within FALCON’s Fast Fourier Transform through a novel extend-and-prune strategy that extracts the sign, mantissa, and exponent variables without false positives. The extracted floating-point values are then mapped back to the secret key’s coefficients. Our attack, notably, does not require pre-characterizing the power profile of the target device or crafting special inputs. Instead, the statistical differences on obtained traces are sufficient to successfully execute our proposed differential electromagnetic analysis. The results on an ARM-Cortex-M4 running the FALCON NIST’s reference software show that approximately 10k measurements are sufficient to extract the entire key.