International Association for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, via Twitter, via Weibo and via Facebook.

12 April 2022

Sven Bauer, Hermann Drexler, Maximilian Gebhardt, Dominik Klein, Friederike Laus, Johannes Mittmann
ePrint Report
This paper deals with white-box implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA): First, we consider attack paths to break such implementations. In particular, we provide a systematic overview of various fault attacks, to which ECDSA white-box implementations are especially susceptible. Then, we propose different mathematical countermeasures, mainly based on masking/blinding of sensitive variables, in order to prevent or at least make such attacks more difficult. We also briefly mention some typical implementational countermeasures and their challenges in the ECDSA white-box scenario.

Our work has been initiated by the CHES challenge WhibOx Contest 2021, which consisted of designing and breaking white-box ECDSA implementations, so-called challenges. We illustrate our results and findings by means of the submitted challenges and provide a comprehensive overview of which challenge could be solved in which way. Furthermore, we analyze selected challenges in more detail.
Vanesa Daza, Paz Morillo, Sergi Rovira
ePrint Report
A multi-key fully homomorphic encryption (MKFHE) scheme allows a public server to evaluate arbitrary circuits over ciphertexts encrypted under different keys. One of the main drawbacks of MKFHE schemes is the need for a ciphertext expansion procedure prior to evaluation, which combines ciphertexts encrypted under different keys to a (much larger) ciphertext encrypted under a concatenated key. In this paper, we present a new (leveled) RLWE-based MKFHE scheme without ciphertext expansion.
Louis Vialar
ePrint Report
In this paper, we present an efficient side-channel key recovery attack against Dumbo, the 160-bit variant of NIST lightweight cryptography contest candidate Elephant. We use Correlation Power Analysis to attack the first round of the Spongent permutation during the absorption of the first block of associated data. The full attack runs in about a minute on a common laptop and only requires around 30 power traces to recover the entire secret key on an ARM Cortex-M4 microcontroller clocked at 7.4MHz. This is, to the best of our knowledge, the first attack of this type presented against Elephant.
Torgin Mackinga, Tejaswi Nadahalli, Roger Wattenhofer
ePrint Report
Blockchain "on-chain" oracles are critical to the functioning of many Decentralized Finance (DeFi) protocols. We analyze these oracles for manipulation resistance. Specifically, we analyze the cost of manipulating on-chain time-weighted average price (TWAP) oracles that use the arithmetic mean. It has been assumed that manipulating a TWAP oracle with the well-known multi-block attack is expensive and scales linearly with the length of the TWAP. We question this assumption with two novel results. First, we describe a single-block attack that works under the same setting as the multi-block attack but costs less to execute. Second, we describe a multi-block MEV (MMEV) style attack where the attacker colludes with a miner/proposer who can mine/propose two blocks in a row. This MMEV style attack makes oracle manipulation orders of magnitude cheaper than previously known attacks. In the proof-of-work setting, MMEV can be done by selfish mining even with very low shares of hashpower.
Joachim Vandersmissen, Adrián Ranea, Bart Preneel
ePrint Report
In 2002, Chow et al. initiated the formal study of white-box cryptography and introduced the CEJO framework. Since then, various white-box designs based on their framework have been proposed, all of them broken. Ranea and Preneel proposed a different method in 2020, called self-equivalence encodings and analyzed its security for AES. In this paper, we apply this method to generate the first academic white-box Speck implementations using self-equivalence encodings. Although we focus on Speck in this work, our design could easily be adapted to protect other add-rotate-xor (ARX) ciphers. Then, we analyze the security of our implementation against key-recovery attacks. We propose an algebraic attack to fully recover the master key and external encodings from a white-box Speck implementation, with limited effort required. While this result shows that the linear and affine self-equivalences of self-equivalence encodings are insecure, we hope that this negative result will spur additional research in higher-degree self-equivalence encodings for white-box cryptography. Finally, we created an open-source Python project implementing our design, publicly available at https://github.com/jvdsn/white-box-speck. We give an overview of five strategies to generate output code, which can be used to improve the performance of the white-box implementation. We compare these strategies and determine how to generate the most performant white-box Speck code. Furthermore, this project could be employed to test and compare the efficiency of attacks on white-box implementations using self-equivalence encodings.
Steven D. Galbraith, Yi-Fu Lai
ePrint Report
We cryptanalyse the SHealS and HealS cryptosystems of Fouotsa and Petit from Asiacrypt 2021.
Tingting Guo, Peng Wang, Lei Hu, Dingfeng Ye
ePrint Report
We propose three general frameworks F1, F2, and F3 for n-to-n-bit PRFs with one, two parallel, and two serial public permutation calls respectively, where every permutation is preceded and followed by any bitwise linear mappings. We analyze them in the Q2 model where attackers have quantum-query access to PRFs and permutations. Our results show F1 is not secure with O(n) quantum queries while its PRFs achieve n/2-bit security in the classical setting, and F2, F3 are not secure with O(2^{n/2}n) quantum queries while their PRFs, such as SoEM, PDMMAC, and pEDM, achieve 2n/3-bit security in the classical setting. Besides, we attack three general instantiations XopEM, EDMEM, and EDMDEM of F2, F3, which derive from replacing the two PRPs in Xop, EDM, and EDMD with two independent EM constructions, and concrete PRF instantiations DS-SoEM, PDMMAC, pEDM, and SoKAC21 of F2, F3, with at most O(2^{n/2}n) quantum queries.
Paola de Perthuis, David Pointcheval
ePrint Report
In this paper, we extend Inner-Product Functional Encryption (IPFE), where there is just a vector in the key and a vector in the single sender's ciphertext, to two-client ciphertexts. More precisely, in our two-client functional encryption scheme, there are two Data Providers who can independently encrypt vectors $\mathbf{x}$ and $\mathbf{y}$ for a data consumer who can, from a functional decryption key associated to a vector $\mathbf{\alpha}$, compute $\sum \alpha_i x_i y_i = \mathbf{x} \cdot \mathsf{Diag}(\mathbf{\alpha}) \cdot \mathbf{y}^\top$. Ciphertexts are linear in the dimension of the vectors, whereas the functional decryption keys are of constant size.

We study two interesting particular cases:
  • 2-party Inner-Product Functional Encryption, with $\mathbf{\alpha}= (1,\ldots,1)$. There is a unique functional decryption key, which enables the computation of $\mathbf{x}\cdot \mathbf{y}^\top$ by a third party, where $\mathbf{x}$ and $\mathbf{y}$ are provided by two independent clients;
  • Inner-Product Functional Encryption with a Selector, with $\mathbf{x}= \mathbf{x}_0 \| \mathbf{x}_1$ and $\mathbf{y}= \bar{b}^n \| b^n \in \{ 1^n \| 0^n, 0^n \| 1^n \}$, for some bit $b$, on the public coefficients $\mathbf{\alpha} = \mathbf{\alpha}_0 \| \mathbf{\alpha}_1$, in the functional decryption key, so that one gets $\mathbf{x}_b \cdot \mathbf{\alpha}_b^\top$, where $\mathbf{x}$ and $b$ are provided by two independent clients.

This result is based on the fundamental Product-Preserving Lemma, which is of independent interest. It exploits Dual Pairing Vector Spaces (DPVS), with security proofs under the $\mathsf{SXDH}$ assumption. We provide two practical applications: to medical diagnosis for the latter IPFE with Selector, and to money-laundering detection for the former 2-party IPFE, both with strong privacy properties, with adaptive security and the use of labels granting Multi-Client Functional Encryption (MCFE) security for the scheme, thus enabling its use in practical situations.
Jordi Ribes-González, Oriol Farràs, Carles Hernández, Vatistas Kostalabros, Miquel Moretó
ePrint Report
Cache side-channel attacks allow adversaries to learn sensitive information about co-running processes by using only access latency measures and cache contention. This vulnerability has been shown to lead to several microarchitectural attacks. As a promising solution, recent work proposes Randomization-based Protected Caches (RPCs). RPCs randomize cache addresses, changing keys periodically so as to avoid long-term leakage. Unfortunately, recent attacks have called the security of state-of-the-art RPCs into question.

In this work, we tackle the problem of formally defining and analyzing the security properties of RPCs. We first give security definitions against access-based cache side-channel attacks that capture security against known attacks such as Prime+Probe and Evict+Probe. Then, using these definitions, we obtain results that allow one to guarantee security by adequately choosing the rekeying period, the key generation algorithm and the cache randomizer, thus providing security proofs for RPCs under certain assumptions.
Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Lorenz Panny, Bo-Yin Yang
ePrint Report
Conventional wisdom purports that FFT-based integer multiplication methods (such as the Schönhage-Strassen algorithm) begin to compete with Karatsuba and Toom-Cook only for integers of several tens of thousands of bits. In this work, we challenge this belief: Leveraging recent advances in the implementation of Number-Theoretic Transforms (NTT) stimulated by their use in Post-Quantum Cryptography, we report on implementations of NTT-based integer arithmetic on two Arm Cortex-M CPUs on opposite ends of the performance spectrum: Cortex-M3 and Cortex-M55. Our results indicate that NTT-based multiplication is capable of outperforming the big-number arithmetic implementations of popular embedded cryptography libraries for integers as small as 2048 bits. To provide a realistic case study, we benchmark implementations of the RSA encryption and decryption operations. Between Cortex-M3 and Cortex-M55, we observe a $\approx10\times$ performance improvement.

11 April 2022

University of Plymouth in Applied Cryptography
Job Posting
Would you like to have an impact on elderly care, gaining a PhD along the way? We are delighted to be offering PhD studentship opportunities at the University of Plymouth, United Kingdom, in the scope of the project “Privacy-preserving IoT-assisted Elderly Monitoring for Smart Health Community” (PEM) (https://lnkd.in/dBBQtaUp) and its collaborating project “Harnessing Wearables for Protection” (https://lnkd.in/dd4R3MXZ). The focus of the research (PEM) is to create a privacy-preserving anomaly detection service for IoT and cloud computing and to promote its use for elderly care. The studentship is supported for 3.5 years and includes full Home tuition fees (United Kingdom) plus a stipend of £16,062.00 per annum (2022/23 rate). Applicants should have a first or upper second class honours degree in an appropriate subject and preferably a relevant Masters qualification. Prospective applicants should have a mathematical inclination, good knowledge of applied cryptography, good development skills, problem-solving skills, an ability to work independently, and interpersonal and collaborative skills.

Closing date for applications:

Contact: Dr. Hai-Van Dang

More information: https://www.plymouth.ac.uk/student-life/your-studies/research-degrees/postgraduate-research-studentships/privacy-preserving-iot-assisted-elderly-monitoring-for-smart-health-community

Event Calendar
Event date: to
Submission deadline: 2 May 2022
Notification: 1 December 2022
University of Luxembourg
Job Posting
The Applied Crypto group of the University of Luxembourg is offering a Ph.D. student and a post-doc position in cryptography. Possible topics of interests are fully homomorphic encryption, public-key cryptanalysis, and side-channel attacks and countermeasures.

We offer a competitive salary (about 37,000 euro/year gross for Ph.D., and 64,000 euro/year gross for post-doc). The duration of the position is 3 years (+ 1 year extension) for Ph.D., and 2.5 years for post-doc.

Profile:
  • For Ph.D. position: MSc degree or equivalent in Computer Science or in Mathematics.
  • For post-doc position: a PhD in cryptography, with publications in competitive cryptographic conferences
Closing date for applications: June 1st, 2022. Early submission is encouraged.

Closing date for applications:

Contact: Prof. Jean-Sebastien Coron - jean-sebastien.coron at uni dot lu

More information: http://www.crypto-uni.lu/vacancies.html

New Jersey Institute of Technology (NJIT), USA
Job Posting
Multiple fully-funded Ph.D. positions in the area of databases, secure data processing, IoT, cloud/edge computing, blockchain, and secure model learning.
Details: NJIT is a Rank 1 Research University, situated in the New York metropolitan area, about 7 miles away from the beautiful New York City. The New York metropolitan area is a key part of the US and is the hub of several major tech and research companies. The qualified candidates will have opportunities for research internships and joint projects with leading industrial companies. We are looking for highly motivated graduate students to explore, design, and implement algorithms for databases, secure computing, IoT, and blockchain.
Topics are as follows:
  • Multi-party computation (MPC) or secret-sharing based database systems
    • Design and implementation of an end-to-end-secure database system using MPC or secret-sharing
    • Algorithm development for side-channel attacks on MPC

Outcome: The work will expose the student to novel data management algorithms, advanced secure computing using cryptographic techniques, programming with secure hardware (Intel SGX), and cluster computing frameworks.

Requirements:
  1. Adequate knowledge of cryptographic techniques/algorithms, programming, and relational database systems
  2. Knowledge of Java, SQL, and C/C++
  3. Familiarity with development tools for managing and building software projects, version control systems (Git), and testing tools (JUnit)
  4. You must be an Undergraduate/Master student in computer science or a related field

Additional Information:
  1. Starting date: As soon as possible
  2. Please send your CV and other information (e.g., github account, sample projects, etc.) to: Shantanu Sharma (shantanu.sharma[AT]njit[DOT]edu)
  3. Please write a few sentences in the email to introduce yourself and your interest in the position

Thank you and I look forward to hearing from you!

Closing date for applications:

Contact: Shantanu Sharma (shantanu.sharma[AT]njit[DOT]edu)

More information: https://web.njit.edu/~ss797/students.html

07 April 2022

Subspace Labs
Job Posting

Subspace Network is building a radically decentralized, next-generation blockchain which allows developers to easily run Web3 apps at Internet scale. Subspace is based on original research funded by the US National Science Foundation and plans to launch its Network later this year. Subspace Labs is an early-stage, venture-backed startup with a remote-first, globally distributed team.

We are seeking a Protocol Researcher to join our rapidly growing team of Blockchain and Cryptocurrency enthusiasts and engineers. As a Protocol Researcher you will be responsible for formally analyzing the security claims of the Subspace Network. Your goal is to formally prove these claims or suggest improvements to the protocol as needed to support them. This shall result in a series of formal specifications and peer-reviewed papers.

As a Protocol Researcher you will:
  • Analyze and validate our solutions to some of the hardest problems in the blockchain space, as they relate to Nakamoto consensus, decentralized storage, decoupled execution, crypto-economic incentives, and the scaling trilemma
  • Research and propose solutions to open problems or unsubstantiated claims
  • Develop a series of formal specifications that codify and clarify our solutions
  • Collaborate directly with our protocol engineering team to ensure that specifications are clearly understood and implemented correctly
  • Iterate findings into research papers suitable for peer-reviewed publication
  • Work directly with our university partners, academic advisors, and third-party engineering security partners on formal security analyses and audits
  • Present research findings at industry events and university conferences
  • Distribute and discuss results in our open-source online research forum

Position Requirements: A PhD in Computer Science, Cryptography or a related field, and a strong record of peer-reviewed publications in cryptography, distributed systems, or peer-to-peer networks, as they relate to blockchain protocols.

Closing date for applications:

Contact: Sky McWilliams, Director of People

More information: https://jobs.lever.co/subspacelabs/95bd61e2-8aae-4109-89df-67b7350263c8?lever-origin=applied&lever-source%5B%5D=IACR

Input Output Global - remote work opportunity
Job Posting
Description

As a Principal Architect in Applied Cryptography at IOG, you must be an engineer, an architect, an applied cryptographer, and a leader - it’s a multifaceted role. You have the exciting challenge of working with bleeding-edge research and technology, always with a focus on the market's needs. You will be a leader of an exceptional team, working on everything from Post-Quantum prototypes to hand-optimization of existing primitives to completely new products. To support you on this challenge, we have software architects, product managers, project managers, formal methods specialists, and QA test engineers, with whom you must have high bandwidth communications.

Your mission
  • Champion the applied cryptography team
  • Captain end-to-end development and delivery of new products
  • Spearhead prototyping of cryptographic products
  • Translate research into rigorous engineering specifications and implementations
  • Meticulously review cryptographic protocols and proposed primitives
  • Contribute to industry standards and operational best practices
  • Identify where the business needs to be next and get it there.

Closing date for applications:

Contact: marios.nicolaides@iohk.io

More information: https://apply.workable.com/io-global/j/8D6CAEE7DD/

Subspace Labs
Job Posting

Subspace Network is building a radically decentralized, next-generation blockchain which allows developers to easily run Web3 apps at Internet scale. Subspace is based on original research funded by the US National Science Foundation and plans to launch its Network later this year. Subspace Labs is an early-stage, venture-backed startup with a remote-first, globally distributed team.

We are seeking a Director of Research to join our rapidly growing team of Blockchain and Cryptocurrency enthusiasts and engineers. As our Director of Research you will primarily be responsible for building and leading a team of protocol researchers. The research team will be responsible for analyzing the security of the Subspace Network, formalizing our specifications, and publishing relevant research results in the peer-reviewed setting.

Responsibilities:
  • Collaborate directly with the CEO & CTO to translate our existing white paper, documentation, and protocol roadmap into a set of formal specifications
  • Identify the key security challenges and develop a long-term research and publication roadmap which addresses them
  • Ensure research findings are continuously fed back into the protocol design and implementation
  • Recruit, hire and lead our international protocol research team, consisting of research scientists, post-doctoral researchers, and graduate research interns
  • Work directly with our university partners, academic advisors, and third-party engineering security partners to facilitate formal security analyses and audits
  • Design and administer an open-source online research forum and work to engage the global research community in the security analysis of our protocol

Requirements: A PhD in Computer Science, Cryptography or a related field; strong record of peer-reviewed publications in cryptography, distributed systems, or peer-to-peer networks, as they relate to blockchain technologies.

Closing date for applications:

Contact: CEO & Co-Founder, Jeremiah Wagstaff

More information: https://subspace.network/

Sunscreen; San Francisco, USA or remote
Job Posting
Sunscreen is building the privacy engine of the new web. We're bringing private computation to all by making advanced cryptographic primitives (e.g. fully homomorphic encryption, zero-knowledge proofs) easy to use.

What you'll accomplish your 1st year here...
  • You'll help build the core infrastructure of a new cryptographic system
  • You’ll implement cryptographic primitives (e.g. zero-knowledge proof systems) and write robust, security-first code that will run in high-risk, adversarial environments
  • You'll become familiar with the latest advances in cryptography and determine their applicability to Sunscreen’s system
  • You'll have opportunities to present your work at conferences

You...
  • Think technology should be frictionless (documentation is important to you!)
  • Have experience implementing cryptographic primitives (ideally efficient ZKP systems) in a performant and modular way
  • Are comfortable working with multiple programming languages
  • Are excited to get your hands dirty learning new math and cryptography

We offer...
  • A highly flexible, remote-first working environment
  • Competitive compensation + significant equity
  • Homecomings where we gather in one spot to meet each other and work together
  • Annual health and wellness budget
  • Opportunity to travel to and present at conferences if desired (we hope you do!)

Closing date for applications:

Contact: Ravital Solomon (ravital@sunscreen.tech)

More information: https://www.notion.so/Jobs-at-Sunscreen-6966db120ec3425ead92f64b40d4cb17?p=6516320b644547c9b0ef4940684e2dc2

University of Neuchatel
Job Posting
The University of Neuchâtel announces a position of Maître-assistant (Lecturer — Senior Scientist)
Jointly at the Institute of Computer Science and the Institute of Mathematics
Full time 100%

Requirements:
  • PhD in Computer Science or Mathematics (obtained up to 10 years ago)
  • Good scientific knowledge in Computer Science and Mathematics
  • Sustained teaching experience
  • Strong interest in interdisciplinary approaches

Activities:
  • Teaching in Computer Science and Mathematics: up to 4 hours per week at Bachelor and Master level in French and in English
  • Student supervision
  • Research development
  • Participation in administrative tasks at the institutes

Start date: 01.08.2022 or to be agreed
Position duration: 4 years, renewable 2 years / legal treatment and obligations
The application of each candidate must include a letter of motivation, a curriculum vitae and a copy of the titles earned. A complete application file shall be sent in one PDF file to the address secretariat.iiun@unine.ch. The applications will be evaluated starting from May 1st 2022 until the position is filled.

The salary is defined according to the scale of the University of Neuchâtel, see http://www.unine.ch/srh/maitres-assistant-e-s-mer

Further information can be obtained from Prof. Pascal Felber pascal.felber@unine.ch and Prof. Elisa Gorla elisa.gorla@unine.ch, as well as on the page www.unine.ch/sciences

The University of Neuchâtel is actively committed to fulfilling its responsibility and offers non-discriminatory working conditions; applications from women are specifically encouraged.

Closing date for applications:

Contact: Prof. Pascal Felber pascal.felber@unine.ch and Prof. Elisa Gorla elisa.gorla@unine.ch

More information: http://www.unine.ch/sciences

06 April 2022

Benjamin Wesolowski
ePrint Report
We prove that isogenies between Drinfeld modules over a finite field can be computed in polynomial time. This breaks Drinfeld analogs of isogeny-based cryptosystems.