International Association
for Cryptologic Research

The best known $n$ party unconditional multiparty computation protocols with an optimal corruption threshold communicates $O(n)$ field elements per gate. This has been the case even in the semi-honest setting despite over a decade of research on communication complexity in this setting. Going to the slightly sub-optimal corruption setting, the work of Damgard, Ishai, and Kroigaard (EUROCRYPT 2010) provided the first protocol for a single circuit achieving communication complexity of $O(\log|C|)$ elements per gate. While a number of works have improved upon this result, obtaining a protocol with $O(1)$ field elements per gate has been an open problem.

In this work, we construct the first unconditional multi-party computation protocol evaluating a single arithmetic circuit with amortized communication complexity of $O(1)$ elements per gate.

In this work, we address communication, computation, and round efficiency of unconditionally secure multi-party computation for arithmetic circuits in the honest majority setting. We achieve both algorithmic and practical improvements:

-- The best known result in the semi-honest setting has been due to Damgard and Nielsen (CRYPTO 2007). Over the last decade, their construction has played an important role in the progress of efficient secure computation. However despite a number of follow-up works, any significant improvements to the basic semi-honest protocol have been hard to come by. We show 33% improvement in communication complexity of this protocol. We show how to generalize this result to the malicious setting, leading to the best known unconditional honest majority MPC with malicious security. -- We focus on the round complexity of the Damgard and Nielsen protocol and improve it by a factor of 2. Our improvement relies on a novel observation relating to an interplay between Damgard and Nielsen multiplication and Beaver triple multiplication. An implementation of our constructions shows an execution run time improvement compared to the state of the art ranging from 30% to 50%.

For decades signature verification has been regarded as a unique, monolithic process. Here, we want to look at it with fresh eyes and pose two fundamental questions: (1) is it possible to extract meaningful information from a partial signature verification? (flexibility); and (2) is it possible to speed up the verification process without impacting unforgeability? (efficiency). We answer both questions in a positive way for specific classes of post-quantum secure schemes.

In detail, we develop formal frameworks for signatures with efficient verification, flexible verification and combinations of the two. Crucially, we regard these as features that may enhance existing constructions. Flexibility is of particular interest as standard verification cannot provide any meaningful information about the validity of a given signature if interrupted in media res. We exhibit generic transformations to realize efficient (and) flexible verification for schemes that involve matrix-vector multiplications among the verification checks. In addition, we present concrete instantiations of efficient (and) flexible verification for Rainbow [ACNS05] (as representative of schemes based on multivariate quadratic equations), MP [EC12] and GVW [STOC15] (as representative of lattice-based constructions). Interestingly, we are able to efficiently verify Rainbow signatures using 50% of the original computational cost, and as little as 0.4% for GVW homomorphic signatures, provided a one-time preprocessing and with only negligible impact on security.

We consider a distributed function computation problem in which parties observing noisy versions of a remote source facilitate the computation of a function of their observations at a fusion center through public communication. The distributed function computation is subject to constraints, including not only reliability and storage but also secrecy and privacy. Specifically, 1) the function computed should remain secret from an eavesdropper observing the public communication and correlated observations, measured in terms of the information leaked about the arguments of the function, to ensure secrecy regardless of the exact function used; 2) the remote source should remain private from the eavesdropper and the fusion center, measured in terms of the information leaked about the remote source itself. We derive the exact rate regions for lossless and lossy single-function computation and illustrate the lossy single-function computation rate region for an information bottleneck example, in which the optimal auxiliary random variables are characterized for binary-input symmetric-output channels. We extend the approach to lossless and lossy asynchronous multiple-function computations with joint secrecy and privacy constraints, in which case inner and outer bounds for the rate regions that differ only in the Markov chain conditions imposed are characterized.

To compensate for the poor reliability of Physical Unclonable Function (PUF) primitives, some low complexity solutions not requiring error-correcting codes (ECC) have been proposed. One simple method is to discard less reliable bits, which are indicated in the helper data stored inside the PUF. To avoid discarding bits, the Two-metric Helper Data (TMH) method, which particularly applies to oscillation-based PUFs, allows to keep all bits by using different metrics when deriving the PUF response. However, oscillation-based PUFs are sensitive to side-channel analysis (SCA) since the frequencies of the oscillations can be observed by current or electromagnetic measurements. This paper studies the security of PUFs using TMH in order to obtain both reliable and robust PUF responses. We show that PUFs using TMH are sensitive to SCA, but can be greatly improved by using temporal masking and adapted extraction metrics. In case of public helper data, an efficient protection requires the randomization of the measurement order. We study two different solutions, providing interesting insights into trade-offs between security and complexity.

In their Eurocrypt 2021 paper, Beierle et al. showed that the proprietary stream ciphers GEA-1 and GEA-2, widely used for GPRS encryption in the late 1990s and during the 2000s, are cryptographically weak and presented attacks on both algorithms with practical time complexity. Although GEA-1 and GEA-2 are classical stream ciphers, the attack on GEA-1 is interesting from a cryptanalytic point of view. As outlined in the aforementioned paper, there is a strong indication that the security of GEA-1 was deliberately weakened to 40 bits in order to fulfill European export restrictions. In this paper we analyze the design further and answer the open question on how to construct a GEA-1-like cipher with such a reduced security. Indeed, the actual GEA-1 instance could be obtained from this construction. Our observations and analysis yields new theoretical insights in designing secure stream ciphers.

Pilsung is an AES-based North Korean cipher, which uses key-dependent S-Boxes and permutation. The use of pseudo-random ShiftRows permutations gives rise to a potential for weak keys. In this work we show how to build distinguishers to such weak keys and how to effectively search for them. We conclude that no such class of weak keys exist.

Masking and desynchronization of power traces are two widely used countermeasures against power attacks. Higher-order power attacks are used to break cryptographic implementations protected by masking countermeasures. However, they require to capture long-distance dependency, the dependencies among distant Points-of-Interest (PoIs) along the time axis, which together contribute to the information leakage. Desynchronization of power traces provides resistance against power attacks by randomly shifting the individual traces, thus, making the PoIs misaligned for different traces. Consequently, a successful attack against desynchronized traces requires to be invariant to the random shifts of the power traces. A successful attack against cryptographic implementations protected by both masking and desynchronization countermeasures requires to be both shift-invariant and capable of capturing long-distance dependency. Recently, Transformer Network (TN) has been introduced in natural language processing literature. TN is better than both Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN) at capturing long-distance dependency, and thus, a natural choice against masking countermeasures. Furthermore, a TN can be made shift-invariant making it robust to desynchronization of traces as well. In this work, we introduce a TN-based model, namely TransNet, for power attacks. Our experiments show that the proposed TransNet model successfully attacks implementation protected by both masking and desynchronization even when it is trained on only synchronized traces. Particularly, it can bring down the mean key rank below 1 using only 400 power traces if evaluated on highly desynchronized ASCAD_desync100 dataset even when it is trained on ASCAD dataset which has no trace desynchronization. Moreover, if compared to other state-of-the-art deep learning models, our proposed model performs significantly better when the attack traces are highly desynchronized.

Event date: 6 January to 8 January 2022
Submission deadline: 30 September 2021
Notification: 15 December 2021

Event date: 20 June to 23 June 2022
Submission deadline: 3 September 2021
Notification: 5 January 2021

A fully-funded PhD scholarship is available at the Cryptography and Security Group (https://cs.au.dk/research/cryptography-and-security/) at Aarhus University.

Project description. The PhD candidate will develop new algorithms and implementation techniques to accelerate public-key cryptography in both the classical and postquantum settings. The project includes designing arithmetic algorithms that are friendlier to parallelization, more precise complexity analysis of existing techniques, and aspects of formal verification to ensure correctness and real-world implementation security.

The PhD candidate will also be involved in other educational activities, such as serving as teaching assistant in courses related to his/her expertise.

Qualifications. We are looking for dedicated and enthusiastic applicants, preferably with a Master’s degree in Computer Science/Engineering, Mathematics or related discipline. A BSc. degree with demonstrated research experience is also welcome. A background in cryptography or formal verification is required. Practical experience with software development will be seen as a plus. Further requirements are fluency in English, good reporting/organization skills and being able to work independently.

Application process: You can apply online at https://phd.nat.au.dk/for-applicants/apply-here >Choose August 2021 Call with deadline 1 August 2021 at noon (11.59 AM CEST) and the corresponding project.

Closing date for applications:

Contact: Contact: Diego F. Aranha, Associate Professor of Computer Science, dfaranha (at) cs.au.dk

More information: https://phd.nat.au.dk/for-applicants/apply-here/

The University of Luxembourg aspires to be one of Europe’s most highly regarded universities with a distinctly international and interdisciplinary character. It fosters the cross-fertilisation of research and teaching, is relevant to its country, is known worldwide for its research and teaching in targeted areas, and is establishing itself as an innovative model for contemporary European Higher Education. The Faculty of Science, Technology and Medicine (FSTM) contributes multidisciplinary expertise in the fields of Mathematics, Physics, Engineering, Computer Science, Life Sciences and Medicine. Through its dual mission of teaching and research, the FSTM seeks to generate and disseminate knowledge and train new generations of responsible citizens, in order to better understand, explain and advance society and environment we live in. Your Role... Cryptolux is a team of cryptographers and security researchers interested in applied cryptography, cryptanalysis, privacy, network security, cryptographic blockchains and is led by Prof. Alex Biryukov, we are affiliated to the Departement of Computer Science (DCS) and to the Security and Trust center (SnT). You will perform the following tasks: Prepare a doctoral thesis in Cryptography and IT Security Publish research papers and give talks at the top international venues Provide guidance to MSc students and TA for classes, depending on the needs of the team Organize science outreach activities, e.g. science for kids, … Area / Potential topics of the thesis Cryptanalysis and design of cryptographic primitives Lightweight block ciphers, hash functions, authenticated encryption schemes Financial Cryptography (security of distributed ledgers, smart contracts) Privacy Enhancing Technology (Tor-like networks, privacy for cryptocurrencies, blockchains) Design of proofs of work, resource-hard functions, commitment schemes Side-channel attacks and countermeasures White-box cryptography What we expect from you. MSc. degree in Computer Science, Applied Mathematics, Electrical Engineering with outstanding grades (GPA > 85%) Strong mathematical and/or algorithmic CS background (Olympiads, CTFs a plus) Backg

Closing date for applications:

Contact: Alex Biryukov (alex.biryukov@uni.lu)

More information: http://emea3.mrted.ly/2qpcj

Background: In late 2016, NIST issued a call for proposals for the standardization of cryptographic systems resistant to a quantum computer for encryption, key exchange and signature primitives. The standardization process is currently in its third phase. Each submission comes with a software implementation, targeting standard security levels for widespread applications, such as e-commerce. Topic: Adaptation of post-quantum primitives to constrained environments and FPGA implementation During this thesis, the successful candidate will study code-based and/or lattice-based proposals, and propose modifications to the protocols (resulting thus in alternative schemes with new proofs to be provided etc.) so that their hardware implementation can be improved. The candidate will then propose such implementations on a commodity FPGA. The development will be done in C and High-Level Synthesis will be used to transform automatically the C implementation into VHDL. As a consequence the candidate does not need to be proficient in VHDL.

Closing date for applications:

Contact: Applicants should express their interest before July 15th- 23h59 (CEST time) by email to : carlos.aguilar-melchor@isae-supaero.fr, arnaud.dion@isae-supaero.fr, philippe.gaborit@unilim.fr

Google's CECPQ1 experiment in 2016 integrated a post-quantum key-exchange algorithm, newhope1024, into TLS 1.2. The Google-Cloudflare CECPQ2 experiment in 2019 integrated a more efficient key-exchange algorithm, ntruhrss701, into TLS 1.3.

This paper revisits the choices made in CECPQ2, and shows how to achieve higher performance for post-quantum key exchange in TLS 1.3 using a higher-security algorithm, sntrup761. Previous work had indicated that ntruhrss701 key generation was much faster than sntrup761 key generation, but this paper makes sntrup761 key generation much faster by generating a batch of keys at once.

Batch key generation is invisible at the TLS protocol layer, but raises software-engineering questions regarding the difficulty of integrating batch key exchange into existing TLS libraries and applications. This paper shows that careful choices of software layers make it easy to integrate fast post-quantum software, including batch key exchange, into TLS with minor changes to TLS libraries and no changes to applications.

As a demonstration of feasibility, this paper reports successful integration of its fast sntrup761 library, via a lightly patched OpenSSL, into an unmodified web browser and an unmodified TLS terminator. This paper also reports TLS 1.3 handshake benchmarks, achieving more TLS 1.3 handshakes per second than any software included in OpenSSL.

In many machine learning applications, training data consists of sensitive information from multiple sources. Privacy-preserving machine learning using secure computation enables multiple parties to compute on their joint data without disclosing their inputs to each other. In this work, we focus on clustering, an unsupervised machine learning technique that partitions data into groups. Previous works on privacy-preserving clustering often leak information and focus on the k-means algorithm, which provides only limited clustering quality and flexibility. Additionally, the number of clusters k must be known in advance. We analyze several prominent clustering algorithms' capabilities and their compatibility with secure computation techniques to create an efficient, fully privacy-preserving clustering implementation superior to k-means. We find affinity propagation to be the most promising candidate and securely implement it using various multi-party computation techniques. Privacy-preserving affinity propagation does not require any input parameters and consists of operations hat are relatively efficient with secure computation. As threat models, we consider passive security as well as active security with an honest and dishonest majority. We offer the first comparison of privacy-preserving clustering between these scenarios, enabling an understanding of the exact trade-offs between them. Based on the clustering quality and the computational and communication costs, privacy-preserving affinity propagation offers a good trade-off between quality and efficiency for practical privacy-preserving clustering.

The J-PAKE protocol is a Password Authenticated Key Establishment protocol whose security rests on Diffie-Hellman key establishment and Non-Interactive Zero Knowledge proofs. It has seen widespread deployment and has previously been proven secure, including forward secrecy, in a game-based model. In this paper we show that this earlier proof can be re-cast in the Universal Composability framework, thus yielding a stronger result. We also investigate the extension of such proofs to a significantly more efficient variant of the original J-PAKE, that drops the second round Non-Interactive Zero-Knowledge proofs, that we call sJ-PAKE. Adapting the proofs to this light-weight variant proves highly-non trivial, and requires novel proof strategies and the introduction of the algebraic group model. This means that J-PAKE implementations can be made more efficient by simply deleting parts of the code while retaining security under stronger assumptions. We also investigate the security of two further new variants that combine the efficiency gains of dropping the second round NIZK proofs with the gains achieved by two earlier, lightweight variants: RO-J-PAKE and CRS-J-PAKE. The earlier variants replaced the second Diffie-Hellman terms from each party by either a hash term or a CRS term, thus removing the need for half of the NIZK proofs in the first round. The efficiency and security assumptions of these variants are compared.

Multi-Server Private Information Retrieval (PIR) is a cryptographic primitive that allows a client to securely query a database entry from $n \geq 2$ non-colluding servers, which learn no information about the query. Highly efficient PIR could be used for large-scale applications like Compromised Credential Checking (C3) (USENIX Security'19), which allows users to check whether their credentials have been leaked in a data breach. However, state-of-the art PIR schemes are not efficient enough for fast online responses at this scale.

In this work, we introduce Client-Independent Preprocessing (CIP) PIR that moves $\frac{n-1}{n}$ of the online computation to a local preprocessing phase suitable for efficient batch precomputations. The security and online performance of CIP-PIR improve linearly with the number of servers $n$. We show that large-scale applications like C3 with PIR are practical by implementing our CIP-PIR scheme using a parallelized CPU implementation and further accelerating the huge amount of XOR operations with GPUs. To the best of our knowledge, this is the first multi-server PIR scheme whose preprocessing phase is completely independent of the client, and where security and online performance simultaneously increase with the number of servers $n$. In addition, CIP-PIR is the first multi-server PIR scheme that is accelerated by GPUs. It achieves an improvement up to factor $2.1\times$ over our CPU-based implementation. Moreover, a client can access a database entry of a 25 GByte database within less than 1 second.

In $1$-out-of-$q$ Oblivious Transfer (OT) protocols, a sender is able to send one of $q\ge 2$ messages to a receiver, all while being oblivious to which message was actually transferred. Moreover, the receiver only learns one of these messages.

Oblivious Transfer combiners take $n$ instances of OT protocols as input, and produce a single protocol that is secure if sufficiently many of the $n$ original OT implementations are secure.

We present a generalization of an OT combiner protocol that was introduced by Cascudo et al. (TCC'17). We show a general $1$-out-of-$q$ OT combiner that is valid for any prime power $q\ge 2$. Our OT combiner is based on secret sharing schemes that are of independent interest.

Our construction achieves the strong notion of perfect security against active $(\mathcal{A},\mathcal{B})$-adversaries. For $q\geq n$, we present a single-use, $n$-server, $1$-out-of-$q$ OT combiner that is perfectly secure against active adversaries that corrupt a minority of servers. The amount of bits exchanged during the protocol is $(q^2+q+1)n\log q$.

The 25 year-old NTRU problem is a mainstream security foundation in public-key cryptography. However, from a reduction perspective, its relative hardness compared to other problems on Euclidean lattices is not well-understood. Its decision version reduces to the search Ring-LWE problem, but this only provides a hardness upper bound. We provide two answers to the long-standing open problem of providing reduction-based evidence of the hardness of the NTRU problem. First, we reduce the worst-case approximate Shortest Vector Problem over ideal lattices to an average-case search variant of the NTRU problem. Second, we reduce another average-case search variant of the NTRU problem to the decision NTRU problem.

Differential-linear attacks are a cryptanalysis family that has recently benefited from various technical improvements, mainly in the context of ARX constructions. In this paper we push further this refinement, proposing several new improvements. In particular, we develop a better understanding of the related correlations, improve upon the statistics by using the LLR, and finally use ideas from conditional differentials for finding many right pairs. We illustrate the usefulness of these ideas by presenting the first 7.5-round attack on Chaskey. Finally, we present a new competitive attack on 12 rounds of Serpent, and as such the first cryptanalytic progress on Serpent in 10 years.