International Association
for Cryptologic Research

The increasing use of resource limited devices with less memory, less computing resource and less power supply, motivates the adoption of lightweight cryptography to provide security solution. ASCON is a finalist and GIMLI is a round 2 candidate of NIST lightweight cryptography competition. ASCON is a sponge function based authenticated encryption (AE) scheme suitable for high performance applications. It is suitable for use in environments like Internet of Things (IoT) where large number of very constrained devices communicate with high-end servers. The drawback is that fault analyses like Statistical Ineffective fault attack (SIFA) and Sub-Set Fault Analysis (SSFA) are possible. GIMLI is also a sponge function based AE scheme which is susceptible to SIFA. In this work, we modify ASCON 128a and GIMLI exploiting the pseudo-random properties of Cellular Automata (CA) to prevent these attacks. We analyse and show that these attacks are inapplicable in the reinforced cipher.

Attribute based cryptography enhances the chances of secure communication on large scale. There are several features of attribute based encryption which have been proposed as different protocols. Most of these are suitable for access control in large systems like cloud services. Very few protocols focus on reducing the computational overhead for lower end devices like Internet of Things sensors and actuators. Hence, it is desirable to have a mix of features in protocols for IoT architecture. Our protocol enforces accountability of different parties involved while reducing the computational overhead during decryption on miniature devices. We prove that our protocol is RCCA-secure in selective security model and achieve accountability and unlinkability.

Cryptography based on identity and attributes enhances the chance of secure communication on a large scale. Several attribute-based encryption schemes achieve different objectives when used in various protocols. Most of these are suitable for large systems like cloud services. There are a few protocols which focus on reducing the computational overhead for lower end devices like Internet of Things sensors and actuators. It is desirable to have a mix of features in protocols for IoT security architecture. We first propose a scheme to ensure accountability in CPABE scheme FAME. The protocol is proven CPA-secure with full security in random oracle model. We also prove its accountability. We also propose a hybrid protocol that enforces user accountability and outsourced decryption in IoT systems and achieve full security in replayable chosen ciphertext attack (RCCA) under random oracle model.

Measuring efficiency is difficult. In the last decades, several works have contributed in the quest to successfully determine and compare the efficiency of pairing-based attribute-based encryption (ABE) schemes. However, many of these works are limited: they use little to no optimizations, or use underlying pairing-friendly elliptic curves that do not provide sufficient security anymore. Hence, using these works to benchmark ABE schemes does not yield accurate results. Furthermore, most ABE design papers focus on the efficiency of one important aspect. For instance, a new scheme may aim to have a fast decryption algorithm. Upon realizing this goal, the designer compares the new scheme with existing ones, demonstrating its dominance in this particular aspect. Although this approach is intuitive and might seem fair, the way in which this comparison is done might be biased. For instance, the schemes that are compared with the new scheme may be optimized with respect to another aspect, and appear in the comparison consequently inferior.

In this work, we present a framework for accurately benchmarking efficiency of ABE: ABE Squared. In particular, we focus on uncovering the multiple layers of optimization that are relevant to the implementation of ABE schemes. Moreover, we focus on making any comparison fairer by considering the influence of the potential design goals any optimizations. On the lowest layer, we consider the available optimized arithmetic provided by state-of-the-art cryptographic libraries. On the higher layers, we consider the choice of elliptic curve, the order of the computations, and the instantiation of the scheme on the chosen curves. In this latter aspect, the way in which a scheme is type converted plays an important role. Additionally, we show that especially the higher-level optimizations are dependent on the goal of the designer, e.g. optimization of the decryption algorithm. To compare schemes more transparently, we develop this framework, in which ABE schemes can be justifiably optimized and compared by taking into account the possible goals of a designer. To meet these goals, we also introduce manual, heuristic type-conversion techniques where existing techniques fall short. Finally, to illustrate the effectiveness of ABE Squared, we implement several schemes and provide all relevant benchmarks. These show that the design goal influences the optimization approaches, which in turn influence the overall efficiency of the implementations. Importantly, these show that the schemes also compare differently than existing works previously suggested.

This note explains how to guarantee the membership of a point in the prime order subgroup of an elliptic curve (over a finite field) satisfying some moderate conditions. For this purpose, we apply the Tate pairing on the curve, however it is not required to be pairing-friendly. Whenever the cofactor is small, the given approach is more efficient than other known ones, because it needs to compute at most two $n$-th power residue symbols (with small $n$) in the basic field. In particular, we deal with two Legendre symbols for the curve Bandersnatch proposed by the Ethereum Foundation team. Due to recent improvements of Euclidean type constant-time algorithms for the Legendre symbol computation, the new subgroup check is almost free for that curve.

The side-channel cryptanalysis of Post-Quantum (PQ) key encapsulation schemes has been a topic of intense activity over the last years. Many attacks have been put forward: Simple Power Analysis (SPAs) against the re-encryption of schemes using the Fujisaki-Okamoto (FO) transform are known to be very powerful; Differential Power Analysis (DPAs) against the decryption are also possible. Yet, to the best of our knowledge, a systematic and quantitative investigation of their impact for designers is still missing. In this paper, we propose to capture these attacks with shortcut formulas in order to compare their respective strength in function of the noise level. Taking the case of Kyber for illustration, we then evaluate the (high) cost of preventing them with masking and the extent to which different parts of an implementation could benefit from varying security levels. We finally discuss tweaks to improve the situation and enable a better leveling of the countermeasures. Our conclusions confirm that current solutions for side-channel secure PQ key encapsulation schemes like Kyber are unlikely to be efficient in low-noise settings without (design or countermeasures) improvements.

Blockchain technology has the potential of transforming cryptography. We study the problem of round-complexity of zero-knowledge, and more broadly, of secure computation in the blockchain-hybrid model, where all parties can access the blockchain as an oracle.

We study zero-knowledge and secure computation through the lens of a new security notion where the simulator is given the ability to ``time-travel” or more accurately, to look into the future states of the blockchain and use this information to perform simulation. Such a time-traveling simulator gives a novel security guarantee of the following form: whatever the adversary could have learnt from an interaction, it could have computed on its own shortly into the future (e.g., a few hours from now).

We exhibit the power of time-traveling simulators by constructing round-efficient protocols in the blockchain-hybrid model. In particular, we construct: 1. Three-round zero-knowledge (ZK) argument for NP with a polynomial-time black-box time-traveling simulator. 2. Three-round secure two-party computation (2PC) for any functionality with a polynomial-time black-box time-traveling simulator for both parties.

In addition to standard cryptographic assumptions, we rely on natural hardness assumptions for Proof-of-Work based blockchains. In comparison, in the plain model, three-round protocols with black-box simulation are impossible, and constructions with non-black-box simulation for ZK require novel cryptographic assumptions while no construction for three-round 2PC is known. Our three-round 2PC result relies on a new, two-round extractable commitment that admits a time-traveling extractor.

We present an information-theoretic transformation from any 2-round OT protocol with only game-based security in the presence of malicious adversaries into a 4-round (which is known to be optimal) OT protocol with simulation-based security in the presence of malicious adversaries. Our transform is the first satisfying all of the following properties at the same time: – It is in the plain model, without requiring any setup assumption. – It only makes black-box usage of the underlying OT protocol. – It is information-theoretic, as it does not require any further cryptographic assumption (besides the existence of the underlying OT protocol). Additionally, our transform yields a cubic improvement in communication complexity over the best previously known transformation.

Garg, Goldwasser and Vasudevan (Eurocrypt 2020) invented the notion of deletion-compliance to formally model the "right to be forgotten", a concept that confers individuals more control over their digital data. A requirement of deletion-compliance is strong privacy for the deletion requesters since no outside observer must be able to tell if deleted data was ever present in the first place. Naturally, many real world systems where information can flow across users are automatically ruled out.

The main thesis of this paper is that deletion-compliance is a standalone notion, distinct from privacy. We present an alternative definition that meaningfully captures deletion-compliance without any privacy implications. This allows broader class of data collectors to demonstrate compliance to deletion requests and to be paired with various notions of privacy. Our new definition has several appealing properties: - It is implied by the stronger definition of Garg et al. under natural conditions, and is equivalent when we add a privacy requirement. - It is naturally composable with minimal assumptions. - Its requirements are met by data structure implementations that do not reveal the order of operations, a concept known as history-independence.

Along the way, we discuss the many challenges that remain in providing a universal definition of compliance to the "right to be forgotten."

In this work, we perform a formal analysis of definitions of non-malleability for commitment schemes in the EasyCrypt theorem prover. There are two distinct formulations of non-malleability found in the literature: the comparison-based definition and the simulation- based definition. In this paper, we do a formal analysis of both. We start by formally proving that the comparison-based definition which was originally introduced by Laur et al. is unsatisfiable. Also, we propose a novel formulation of simulation-based non-malleability and show that it is satisfiable in the Random Oracle Model. Moreover, we validate our definition by proving that it implies hiding and binding of the commitment scheme. Finally, we relate the novel definition to the existing definitions of non-malleability.

We present $\BAT$ -- an IND-CCA secure key encapsulation mechanism (KEM) that is based on NTRU but follows an encryption/decryption paradigm distinct from classical NTRU KEMs. It demonstrates a new approach of decrypting NTRU ciphertext since its introduction 25 years ago. Instead of introducing an artificial masking parameter $p$ to decrypt the ciphertext, we use 2 linear equations in 2 unknowns to recover the message and the error. The encryption process is therefore close to the GGH scheme. However, since the secret key is now a short basis (not a vector), we need to modify the decryption algorithm and we present a new NTRU decoder. Thanks to the improved decoder, our scheme works with a smaller modulus and yields shorter ciphertexts, smaller than RSA-4096 for 128-bit classical security with comparable public-key size and much faster than RSA or even ECC. Meanwhile, the encryption and decryption are still simple and fast in spite of the complicated key generation. Overall, our KEM has more compact parameters than all current lattice-based schemes and a practical efficiency. Moreover, due to the similar key pair structure, $\BAT$ can be of special interest in some applications using Falcon signature that is also the most compact signature in the round 3 of the NIST post-quantum cryptography standardization. However, different from Falcon, our KEM does not rely on floating-point arithmetic and can be fully implemented over the integers.

In CRYPTO 2019, Gohr made a pioneering attempt, and successfully applied deep learning to the differential cryptanalysis against NSA block cipher SPECK32/64, achieving higher accuracy than the pure differential distinguishers. By its very nature, mining effective features in data plays a crucial role in data-driven deep learning. In this paper, in addition to considering the integrity of the information from the training data of the ciphertext pair, domain knowledge about the structure of differential cryptanalysis is also considered into the training process of deep learning to improve the performance. Besides, based on the SAT/SMT solvers, we find other high probability compatible differential characteristics which effectively improve the performance compared with previous work. We build neural distinguishers (NDs) and related-key neural distinguishers (RKNDs) against Simon and Simeck. The ND and RKND for SIMON32/64 reach 11-, 11-round with an accuracy of 59.55% and 97.90%, respectively. For SIMON64/128, the ND achieve an accuracy of 60.32% in 13-round, while it is 95.49% for the RKND. For SIMECK32/64, ND and RKND of 11-, 14-round are obtained, reaching an accuracy of 63.32% and 87.06%, respectively. And we build 17-round ND and 21-round RKND for SIMECK64/128 with an accuracy of 64.24% and 62.96%, respectively. Currently, these are the longest (related-key) neural distinguishers with higher accuracy for SIMON32/64, SIMON64/128, SIMECK32/64 and SIMECK64/128.

Medical Data Privacy and Privacy-Preserving ML on Healthcare Data (MDPPML) group at the University of Tübingen is looking for motivated Ph.D. students and Postdocs in the area of Privacy Enhancing Technologies.

Research Topics: Development and analysis of cryptography-based privacy-preserving solutions for real-world healthcare problems. Topics of interest include (but are not limited to): privacy-preserving machine learning, genomic privacy, medical privacy as well as foundations for real-world cryptography.

Your profile:

• Completed Master's degree (or equivalent) at a top university with excellent grades in computer science, or a similar area.
• Extensive knowledge in applied cryptography/security and machine learning.
• Very good software development skills.
• Knowledge of cryptographic protocols (ideally MPC).
• Knowledge of bioinformatics or genomics is plus.
• Self-motivated, reliable, creative, can work independently and want to do excellent research.

Closing date for applications:

Contact: Dr. Mete Akgün (mete.akguen@uni-tuebingen.de)

The University of Innsbruck, located in the heart of the alps, has a tenure track opportunity in the field of cryptography.

The Department of Computer Science is looking for an ambitious researcher to build a bridge between the interdisciplinary approach taken by its Security & Privacy Lab and theoretical research groups, like Computational Logic and Theoretical Computer Science. Research activities would focus on producing evidence on the security or privacy of cryptographic systems covering theory and/or implementation. The individual should be comfortable teaching multiple approaches to cryptography. The ideal candidate would build a research group on cryptography in the course of the tenure process, the details of which are negotiated in the first year of employment as routinely done in the Austrian academic system.

Tyrol, Austria is one of the most livable places in Europe with world-class healthcare, excellent social security, and free education from kindergarden to university.

Applications are due on 28 January 2022. Follow the link above for more details.

Closing date for applications:

Contact: Rainer Böhme [rainer dot boehme at uibk.ac.at]

More information: https://informationsecurity.uibk.ac.at/pdfs/vacancy_cryptography_2022.pdf

The Institute of Applied Information Processing and Communications (aka IAIK) is the largest university institute in Austria for research and education in security and privacy. It has been active in this field for more than 30 years and currently employs more than 60 researchers. Within the "Secure Systems" area of our institute Sujoy Sinha Roy is establishing the new research group "Cryptographic Engineering”.

In order to complement our team, we are looking for a full-time PhD researcher in the implementation aspects of cryptography.

Responsibilities:
The PhD researcher will be working on Scientific research in the field of implementation and physical security aspects of novel cryptographic algorithms within the “Cyroptografic Engineering” group within the “Secure Systems” area at IAIK.

Required Qualifications:

MSc degree in computer science, information and computer engineering, software development, mathematics, or a related field.

Excellent knowledge of English

The ability to work in an international environment

Research experience from MSc projects or publication of scientific publications

Strong background in the field of cryptography and cryptographic implementations

Excellent skills in programming and/or digital circuit design

How to apply: Applications, curriculum vitae and other documents should preferably be uploaded here csbme.tugraz.at/go/applications/7050-21-013.
The earliest starting date for the PhD candidate will be March 2022.
The application deadline is February 6th.

Closing date for applications:

Contact: Sujoy Sinha-Roy - sujoy.sinha-roy@iaik.tugraz.at

More information: https://www.tugraz.at/tu-graz/karriere/ausgeschriebene-jobs/ausgeschriebene-wissenschaftliche-stellen-ausser-professuren/#c427935

We are currently looking for a highly motivated Engineer Advanced Technology (M/F/D) to join our Advanced Technology team in Munich. If you want to be a part of our growing company and want to work towards a PhD degree on a three-year fixed-term basis, consider applying.

Closing date for applications:

Contact: Joo Yeon Cho (jcho@adva.com)

More information: https://adva.wd3.myworkdayjobs.com/en-US/ADVA/job/Munich-Germany/Engineer-Advanced-Technology--M-F-D-_R001000

The main objective of the research in the Embedded System Security Group is to propose efficient and robust hardware architectures aimed at applied cryptography and telecom that are resistant to passive and active cryptographic attacks. More information on https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html. For a new project which addresses the problem of the security System-on-Chip (inside side channel analysis, fault injection, malicious exploitation of share hardware resources, etc.). We are looking for candidates with an outstanding Ph.D in hardware security and a strong publication record in this field. Knowledge of French is not mandatory. The Post-Doc position will start in March 2022, it is funded for at least 12 monthq. To apply please send your detailed CV (with publication list), motivation for applying (1 page) and names of at least two people who can provide reference letters (e-mail).

Closing date for applications:

Contact: Contact: Prof. Lilian BOSSUET lilian.bossuet(at)univ-st-etienne.fr

CryptoExperts develops and maintains a white-box cryptography technology which aims at producing white-box cryptography software components secure against beyond-state-of-the-art attacks.

We are looking for a candidate who will take part to the design and implementation effort of CryptoExperts’ white-box cryptography technology.

The complete job offer is available here: https://www.cryptoexperts.com/job-offer-wbc.pdf

Closing date for applications:

Contact: To apply please write to jobs@cryptoexperts.com with a short description of your profile, story and motivation, your CV, and (optionally) recommendation from (former) co-workers.

More information: https://www.cryptoexperts.com/job-offer-wbc.pdf

At the Department of Information Security and Communication Technology there is a vacant permanent position as associate professor in Cryptology within our Cryptology Discipline.

Required qualifications: You must have the qualifications required for the position of associate professor in the field of Cyptology, as outlined:
A. Your PhD, or comparable academic work, must be within the field of cryptology (or a comparable relevant field), of particular interest are candidates with a documented acadmic track record within one or several of the following topics: A1. Design and analysis of post-quantum cryptographic primitives; A2. Design and analysis of post-quantum cryptographic protocols; A3. Lightweight cryptography; A4. Blockchain technologies; A5. Cryptography and Privacy; A6. Homomorphic encryption; A7. Secure Cryptographic Hardware, Side Channels Security (attacks and resistance); A8. Cryptology and Biometrics; A9. Cryptology and Software Security (Secure Operating Systems).
B. Relevant academic fields include mathematics, computer science and communication technology. If you can document that you are in the final stages of your PhD studies, your application may also be considered.
C. Good written and oral English language skills.

More information about the position and the whole application process should be completed via the initial Jobbnorge link and web page

Closing date for applications:

Contact: Professor Danilo Gligoroski, e-mail danilo.gligoroski@ntnu.no

More information: https://www.jobbnorge.no/en/available-jobs/job/216381/associate-professor-in-cryptology

Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misusage of well-known libraries such as PKCS #11. We introduced a generic tool CRYScanner, to identify such misuses during and post-development. It works on the similar philosophy of an intrusion detection system for an internal network. This tool provides verification functions needed to check the safety of the code, such as detecting incorrect call flow and input parameters.

We performed a feature-wise comparison with the existing state of the art solutions. CRYScanner includes additional features, preserving the capabilities of both static and dynamic analysis tools. We also show the detection of potential vulnerabilities in the several sample codes found online.