International Association
for Cryptologic Research

In this paper we present our solution to the CHES Challenge 2020, the task of which it was to break masked hardware respective software implementations of the lightweight cipher Clyde by means of side-channel analysis. We target the secret cipher state after processing of the first Sbox layer. Using the provided trace data we obtain a strongly biased posterior distribution for the secret-shared cipher state at the targeted point; this enables us to see exploitable biases even before the secret sharing based masking. These biases on the unshared state can be evaluated one $S$-box at a time and combined across traces, which enables us to recover likely key hypotheses $S$-box by $S$-box.

In order to see the shared cipher state, we employ a deep neural network similar to the one used by Gohr, Jacob and Schindler to solve the CHES 2018 AES challenge. We modify their architecture to predict the exact bit sequence of the secret-shared cipher state. We find that convergence of training on this task is unsatisfying with the standard encoding of the shared cipher state and therefore introduce a different encoding of the prediction target, which we call the scattershot encoding. In order to further investigate how exactly the scattershot encoding helps to solve the task at hand, we construct a simple synthetic task where convergence problems very similar to those we observed in our side-channel task appear with the naive target data encoding but disappear with the scattershot encoding.

We complete our analysis by showing results that we obtained with a classical method (as opposed to an AI-based method), namely the stochastic approach, that we generalize for this purpose first to the setting of shared keys. We show that the neural network draws on a much broader set of features, which may partially explain why the neural-network based approach massively outperforms the stochastic approach. On the other hand, the stochastic approach provides insights into properties of the implementation, in particular the observation that the $S$-boxes behave very different regarding the easiness respective hardness of their prediction.

We introduce Designated-Verifier Linkable Ring Signatures (DVLRS), a novel cryptographic primitive which combines designated-verifier and linkable ring signatures. Our goal is to guarantee signer ambiguity and provide the capability to the designated verifier to add ‘noise’ using simulated signatures that are publicly verifiable. This increases the privacy of the participants, as it does not allow an adversary to bypass the anonymity provided by ring signatures by using the content of a message to identify the signer. We model unforgeability, anonymity, linkability and non-transferability for DVLRS and provide a secure construction in the Random Oracle model. Finally, we explore some first applications for our primitive, which revolve around the use case of an anonymous assessment system that also protects the subject of the evaluation, even if the private key is compromised.

Post-quantum cryptography addresses the increasing threat that quantum computing poses to modern communication systems. Among the available "quantum-resistant" systems, the Niederreiter cryptosystem is positioned as a conservative choice with strong security guarantees. As a code-based cryptosystem, the Niederreiter system enables high performance operations and is thus ideally suited for applications such as the acceleration of server workloads. However, until now, no ASIC architecture is available for low latency computation of Niederreiter operations. Therefore, the present work targets the design, implementation and optimization of tailored archi- tectures for low latency Niederreiter decryption. Two architectures utilizing different decoding algorithms are proposed and implemented using a 22nm FDSOI CMOS technology node. One of these optimized architectures improves the decryption latency by 27% compared to a state-of-the-art reference and requires at the same time only 25% of the area.

The General Sieve Kernel (G6K) implemented a variety of lattice reduction algorithms based on sieving algorithms. One of the representative of these lattice reduction algorithms is Pump and jump-BKZ (pnj-BKZ) algorithm which is currently considered as the fastest lattice reduction algorithm. The pnj-BKZ is a BKZ-type lattice reduction algorithm which includes the jump strategy, and uses Pump as the SVP Oracle. Here, Pump which was also proposed in G6K, is an SVP sloving algorithm that combines progressive sieve technology and dimforfree technology. However unlike classical BKZ, there is no simulator for predicting the behavior of the pnj-BKZ algorithm when jump greater than 1, which is helpful to find a better lattice reduction strategy. There are two main differences between pnj-BKZ and the classical BKZ algorithm: one is that after pnj-BKZ performs the SVP Oracle on a certain projected sublattice, it won't calling SVP Oracle for the next nearest projected sublattice. Instead, pnj-BKZ jumps to the corresponding projected sublattice after J indexs to run the algorithm for solving the SVP. By using this jump technique, the number of times that the SVP algorithm needs to be called for each round of pnj-BKZ will be reduced to about 1/J times of original. The second is that pnj-BKZ uses Pump as the SVP Oracle on the projected sublattice. Based on the BKZ2.0 simulator, we proposes a pnj-BKZ simulator by using the properties of HKZ reduction basis. Experiments show that our proposed pnj-BKZ simulator can well predicate the behavior of pnj-BKZ with jump greater than 1. Besides, we use this pnj-BKZ simulator to give the optimization strategy for choosing jump which can improve the reducing efficiency of pnj-BKZ. Our optimized pnj-BKZ is 2.9 and 2.6 times faster in solving TU LWE challenge ( n=75,alpha=0.005 ) and TU LWE challenge ( n=60,alpha=0.010 ) than G6K's default LWE sloving strategy.

Side channel attacks are powerful attacks for retrieving secret data by exploiting physical measurements such as power consumption or electromagnetic emissions. Masking is a popular countermeasure as it can be proven secure against an attacker model. In practice, software masked implementations suffer from a security reduction due to a mismatch between the considered leakage sources in the security proof and the real ones, which depend on the micro-architecture. We present the model of a system comprising an Arm Cortex-M3 obtained from its RTL description and test-vectors, as well as a model of the memory of a STM32F1 board, built exclusively using test-vectors. Based on these models, we propose Armistice, a framework for formally verifying the absence of leakage in first-order masked implementations taking into account the modelled micro-architectural sources of leakage. We show that Armistice enables to pinpoint vulnerable instructions in real world masked implementations and helps design masked software implementations which are practically secure.

Quadratic form reduction enjoys broad uses both in classical and quantum algorithms such as in the celebrated LLL algorithm for lattice reduction. In this paper, we propose the first quantum circuit for definite binary quadratic form reduction that achieves O(n log n) depth, O(n^2) width and O(n^2 log(n)) quantum gates. The proposed work is based on a binary variant of the reduction algorithm of the definite quadratic form. As side results, we show a quantum circuit performing bit rotation with O(log n) depth, O(n) width, and O(n log n) gates, in addition to a circuit performing integer logarithm computation with O(log n) depth, O(n) width, and O(n) gates.

This paper proposes Băhēm; a symmetric cipher that, when used with a pre-shared secret key k, no cryptanalysis can degrade its security below H(k) bits of entropy, even under Grover's algorithm or even if it turned out that P = NP.

Băhēm's security is very similar to that of the one-time pad (OTP), except that it does not require the communicating parties the inconvenient constraint of generating a large random pad in advance of their communication. Instead, Băhēm allows the parties to agree on a small pre-shared secret key, such as |k| = 128 bits, and then generate their random pads in the future as they go.

For any operation, be it encryption or decryption, Băhēm performs only 4 exclusive-or operations (XORs) per cleartext bit including its 2 overhead bits. If it takes a CPU 1 cycle to perform an XOR between a pair of 64 bit variables, then a Băhēm operation takes 4 / 8 = 0.5 cycles per byte. Further, all Băhēm's operations are independent, therefore a system with n many CPU cores can perform 0.5 / n cpu cycles per byte per wall-clock time.

While Băhēm has an overhead of 2 extra bits per every encrypted cleartext bit, its early single-threaded prototype implementation achieves a faster /decryption/ than OpenSSL's ChaCha20's, despite the fact that Băhēm's ciphertext is 3 times larger than ChaCha20's. This support that the 2 bit overhead is practically negligible for most applications.

Băhēm's early prototype has a slower /encryption/ time than OpenSSL's ChaCha20 due to its use of a true random number generator (TRNG). However, this can be trivially optimised by gathering the true random bits in advance, so Băhēm gets the entropy conveniently when it runs.

Aside from Băhēm's usage as a provably-secure general-purpose symmetric cipher, it can also be used, in some applications such as password verification, to enhance existing hashing functions to become provably one-way, by using Băhēm to encrypt a predefined string using the hash as the key. A password is then verified if its hash decrypts the Băhēm ciphertext to retrieve the predefined string.

We study quantum superposition attacks against permutation-based pseudorandom cryptographic schemes.

We first extend Kuwakado and Morii's attack against the Even-Mansour cipher (ISITA 2012), and exhibit key recovery attacks against a large class of pseudorandom schemes based on a single call to an $n$-bit permutation, with polynomial $O(n)$ quantum steps. We also show how to overcome restrictions on available quantum data in certain relevant settings.

We then consider TPPR schemes, namely, Two Permutation-based PseudoRandom cryptographic schemes. Using the improved Grover-meet-Simon method of Bonnetain et al. (ASIACRYPT 2019), we show that the keys of a wide class of TPPR schemes can be recovered with $O(n)$ superposition queries and $O(n2^{n/2})$ quantum steps. We also exhibit sub-classes of "degenerated" TPPR schemes that lack certain internal operations, and exhibit more efficient key recovery attacks using either the Simon's algorithm or Chailloux et al.'s algorithm for collision searching (ASIACRYPT 2017). Further using the all-subkeys-recovery idea of Isobe and Shibutani (SAC 2012), our results give rise to key recovery attacks against several recently proposed permutation-based PRFs, as well as the 2-round Even-Mansour ciphers with generic key schedule functions (Chen et al., JoC 2018) and their tweakable variants (Cogliati et al., CRYPTO 2015). From a constructive perspective, our results establish new quantum Q2 security upper bounds for two permutation-based pseudorandom schemes as well as sound design choices.

In this study, we propose to reduce the depth of the existing quantum Fermat's Little Theorem (FLT)-based inversion circuit for binary finite field. In particular, we propose follow a complete waterfall approach to translate the Itoh-Tsujii's variant of FLT to the corresponding quantum circuit and remove the inverse squaring operations employed in the previous work by Banegas et al., lowering the number of CNOT gates (CNOT count), which contributes to reduced overall depth and gate count. Furthermore, compare the cost by firstly constructing our method and previous work's in Qiskit quantum computer simulator and perform the resource analysis. Our approach can serve as an alternative for a time-efficient implementation.

PlonK is a universal and updatable zk-SNARK for general circuit satisfiability that allows a verifier to check the validity of a certain NP statement very efficiently, optionally in zero-knowledge. PlonK requires that the NP relation of interest be expressed as a system of so-called PlonK constraints. Such conversion is complex and can be implemented in various ways, having a great impact on the prover complexity (which is typically linearithmic in the number of PlonK constraints). We propose several general results for simplifying PlonK constraint systems, which produce more compact but equivalent systems and can lead to significant performance improvements. We also develop an automated optimizer of constraints, based on our techniques, that can be used to construct very compact and less error-prone constraint systems, favoring a more auditable circuit design. Finally, we demonstrate the potential of our techniques by implementing optimized constraint systems for the Poseidon hash, obtaining the most compact representations in the Turbo-PlonK model with minimal custom gates. En route, we devise a novel optimization idea for implementing Poseidon partial rounds and show that it can be applied to both simplifying SNARK circuits and achieving performance improvements in CPU implementations of the Poseidon hash.

Code-based masking is a recent line of research on masking schemes aiming at provably counteracting side-channel attacks. It generalizes and unifies many masking schemes within a coding-theoretic formalization. In code-based masking schemes, the tuning parameters are the underlying linear codes, whose choice significantly affects the side-channel resilience. In this paper, we investigate the exploitability of the information leakage in code-based masking and present attack-based evaluation results of higher-order optimal distinguisher (HOOD). Particularly, we consider two representative instances of code-based masking, namely inner product masking (IPM) and Shamir's secret sharing (SSS) based masking. Our results do confirm the state-of-the-art theoretical derivatives in an empirical manner with numerically simulated measurements. Specifically, theoretical results are based on quantifying information leakage; we further complete the panorama with attack-based evaluations by investigating the exploitability of the leakage. Moreover, we classify all possible candidates of linear codes in IPM with 2 and 3 shares and (3,1)-SSS based masking, and highlight both optimal and worst codes for them.

Relying on our empirical evaluations, we therefore recommend investigating the coding-theoretic properties to find the best linear codes in strengthening instances of code-based masking. As for applications, our attack-based evaluation directly empowers designers, by employing optimal linear codes, to enhance the protection of code-based masking. Our framework leverages simulated leakage traces, hence allowing for source code validation or patching in case it is found to be attackable.

With the popularity of biometric-based identity authentication in the field of the Internet of Things, more and more attention has been paid to the privacy protection of biometric data. Gunasinghe et al. presented the PrivBioMTAuth which is the first authentication solution from mobile phones to protect user’s privacy by performing interactive zero-knowledge proof. However, PrivBioMTAuth still requires considerable storage overhead and communication overhead during the registration phase. Meanwhile, the user’s biometric images and password need to be revealed to the identity provider. In this paper, we present an authentication solution for Internet of Things with fully succinct verification, significantly lower storage overhead and communication overhead. Different from PrivBioMTAuth, we rely on the non-interactive zero knowledge arguments given in Groth’s work to reduce the proof size and simplify the verification complexity. In addition, we focus on multi-exponentiation arguments based on Bayer et al.’s work to ensure the truth of the operation results provided by the identity provider.

The Network & Security team at the LIMOS lab offers a fully funded position as PhD student. The missions will be to perform exciting and challenging research in the domain of network security.

Topics:

• Cryptographic algorithms and protocols
• Computer networking

Tasks:

• Research on secure Multi-Part Computation (MPC) and cutting-edge technologies to solve security issues in network routing.
• Possible teaching.

Your profile:

• Completion of a Master's degree (or equivalent) in computer science or applied mathematics
• Knowledge in applied cryptography/security and computer networking
• Analytical and problem solving skills.

To apply, please send your CV with degree certificates and academic transcripts to the contacts below.
Deadline: 3 May 2022

Closing date for applications:

Contact: Kevin Atighehchi (kevin.atighehchi@uca.fr), Gérard Chalhoub (gerard.chalhoub@uca.fr)

We are looking for a post-doctoral researcher in the area of lattice-based cryptography. Possible research topics include:

Cryptanalysis of lattice problems

Side-channel analysis of implementations of lattice-based cryptography

Lattice-based cryptographic protocols

Construction of new candidate structures suitable for, e.g., the ring learning with errors (RLWE) problem and its variants.

Research experience in cryptography is essential. Additionally, background in algebraic number theory, probability theory, complexity theory and/or machine learning are useful. For a cryptographer, we expect that the candidate has published in IACR conferences, established theoretical computer science venues (STOC/FOCS/APPROX-RANDOM/SODA/PODC) or IT security venues (CCS/S&P/Usenix). The applicant is expected to hold a PhD degree in mathematics or computer science. A research level proficiency in English, both writing and speaking, is expected.

We offer advising related to both algebraic lattices (Camilla Hollanti) and cryptography (Chris Brzuska). Our group offers a diverse, international, and open research environment with an interdisciplinary academic and industrial network. We expect the candidate to significantly shape the research questions which we investigate together as well as to pursue their own research within their existing research network.

The tentative duration of the position is September 2022 — December 2023 (16 months), but a shorter duration or an earlier starting date is negotiable. There is an option to renew the contract subject to acquiring funding (either by the candidate or by the hosts). The initial salary is €3700 and the contract includes occupational health care.

For details, see: https://www.aalto.fi/en/open-positions/postdoctoral-researcher-in-mathematics-or-computer-science-lattice-based

Closing date for applications:

Contact: Camilla Hollanti and Chris Brzuska for scientific questions and Johanna Glader for questions on the application process. (eMail: firstname.lastname@aalto.fi )

More information: https://www.aalto.fi/en/open-positions/postdoctoral-researcher-in-mathematics-or-computer-science-lattice-based

We are looking for a PhD student to join our group on reinforcement learning and decision making under uncertainty more generally, at the University of Neuchatel, Switzerland. We are looking for candidates with a strong research interest in the following fields:

• Theory of differntial privacy.
• Algorithms for differentially private machine learning.
• Algorithms for fairness in machine learning.
• Interactions between machine learning and game theory.
• Inference of human models of fairness or privacy.

The main supervisor will be Chrsitos Dimitrakakis ( https://sites.google.com/site/christosdimitrakakis ) Past research of the group in differential privacy focused on the interaction between Bayesian inference and privacy, and on the derivation of regret bounds for privacy-constrained bandit problems. The student will also have the opportunity to visit and work with other group members at the University of Oslo, Norway and Chalmers University of Technology, Sweden.

Excellent technical skills in calculus, linear algebra, probability as well as competence in at least one programming language is expected. In addition,the doctoral student must have a strong background, as evidenced by their master thesis, in one of the following areas:

• Privacy.
• Theory of computation
• Statistics.
• Game theory.
• Economics.
• Fairness.

Application Information

• Starting date 1 September 2022 or soon afterwards.
• Application deadline 31 May 2022.
• The PhD is funded, for 4 years, with 25% of the time as teaching assistant.

An application must include:

• A statement of research interests.
• A CV with a list of references.
• Your MSc thesis (or a draft) or another research work demonstrating your academic writing.
• Degree transcripts.

Closing date for applications:

Contact: Christos Dimitrakakis

More information: https://sites.google.com/site/christosdimitrakakis/positions

IACR Statement Condemning the Russian war in Ukraine
April 6, 2022

Statement from the International Association for Cryptologic Research (IACR) Condemning the Russian war in Ukraine

The IACR strongly condemns the unprovoked and unjust war that Russia is waging in Ukraine. We are outraged by the suffering and loss of life that this brutal aggression is inflicting on the Ukrainian People.

While this war continues, the IACR will not hold or plan to hold any conference in Russia, nor will it be affiliated with conferences in Russia.

The IACR fully endorses the following joint statement by the National Academies of G7 States which was published on 2 March 2022:

"The unprovoked attack against Ukraine, a democratic and independent country, is a blatant violation of international law and of core values of humanity. The Russian invasion is an assault on the fundamental principles of freedom, democracy and self-determination, which provide the basis for academic freedom and opportunities for scientific exchange and cooperation.

In this dark hour, our thoughts and deepest sympathy are with the people of Ukraine. We are determined to support the National Academy of Sciences of Ukraine. We stand in solidarity with the scientific community and the scientists in Ukraine.

We acknowledge the Russian scientists and citizens who are ashamed of this attack and speak out against the war.

We call on the Russian leadership to immediately cease all military action against Ukraine and put an end to this war."

Approved by the IACR board of directors, April 6, 2022

The Department of Computer Science at New Jersey Institute of Technology (NJIT) seeks candidates to fill a University Lecturer/Senior University Lecturer position starting in Fall 2022. Candidates are expected to teach courses under the umbrella of Cybersecurity, in support of our graduate and undergraduate programs. Applicants must have at least an MS degree in Computer Science or in a related computing area. A PhD degree and prior university teaching experience are an advantage.

Successful candidates must have an expert grasp of knowledge of Cybersecurity at all levels, with an emphasis on hands-on applied cybersecurity skills, either through a demonstrated record of teaching excellence, or through industrial experience. The successful candidate will also be involved in creating course content and materials with a focus on hands-on experiential and project-based learning. Strong written, oral and interpersonal skills are required in order to communicate effectively with students in person and online. The formal education and experience prerequisites may be waived at the university's discretion if the candidate can demonstrate to the satisfaction of the university an equivalent combination of education and experience specifically preparing the candidate for success in the position.

Interested applicants should submit their CV by applying as soon as possible at: https://njit.csod.com/ux/ats/careersite/1/home/requisition/3493?c=njit

Work environment and location:

The Computer Science department, part of the Ying Wu College of Computing, is the largest at NJIT, comprising one-tenth of the student population. It is also the largest computer science department among all research universities in the New York metropolitan area.​ Located in Northern New Jersey, within the greater New York Metropolitan area, NJIT is part of a vibrant ecosystem of research universities and corporate research centers.

Diversity is a core value of NJIT and we are committed to make diversity, equity and inclusion, part of everything we do.

Closing date for applications:

Contact: Reza Curtmola (reza.curtmola@njit.edu)

More information: https://njit.csod.com/ux/ats/careersite/1/home/requisition/3493?c=njit

Who We Are

Subspace Network is building a radically decentralized, next-generation blockchain which allows developers to easily run Web3 apps at Internet scale. Subspace is based on original research funded by the US National Science Foundation and planning to launch its Network later this year. Subspace Labs is an early-stage, venture-backed startup with a remote-first, globally distributed team. To learn more, visit our website and read the technical whitepaper.

We are seeking a Protocol Research Intern to join our rapidly growing team of Blockchain and Cryptocurrency enthusiasts and engineers. As a Research Intern you will be responsible for assisting in analyzing the security claims of the Subspace Network. Your goal is to work on proving these claims or suggesting improvement to the protocol as needed to support them.

Other Areas for Contribution: Research and review our solutions to some of the hardest problems in the blockchain space, as they relate to Nakamoto consensus, decentralized storage, decoupled execution, crypto-economic incentives, and the blockchain scalability trilemma; collaborate with our Research team to transform findings into peer-review quality specificaitons, publications, and presentations; work with our university partners, academic advisors, and third party engineering security partners on formal security analyses and audits.

Key Requirements: Currently enrolled in a graduate program in computer science, cryptography, or a related field, with the ability to dedicate at least 8 weeks to the internship Completed graduate level coursework in cryptography, distributed systems, peer-to-peer networking, or crypto-economic game theory; excellent written and verbal communication skills, and the ability to collaborate across our protocol and research teams; passion and curiosity for decentralized, peer-to-peer systems and Web3 technologies.

What We Offer: Competitive compensation and flexibility to work from anywhere in the world; a unique opportunity to shape the future of the Subspace Network and play a critical role in building the worlds most scalable blockchain.

Closing date for applications:

Contact: Sky McWilliams, Director of People

More information: https://jobs.lever.co/subspacelabs/3594920a-d99c-40c0-9ca3-66c7eaf639da?lever-origin=applied&lever-source%5B%5D=IACR

Persistent Fault Analysis (PFA) is an innovative and powerful analysis technique in which fault persists throughout the execution. The prior prominent results on PFA were on SPN block ciphers, and the security of Feistel ciphers against this attack has received less attention. In this paper, we introduce a framework to utilize Statistical Ineffective Fault Analysis (SIFA) in the persistent fault setting by proposing Statistical Ineffective Persistent Faults Analysis (SIPFA) that can be efficiently applied to Feistel ciphers in a variety of scenarios. To demonstrate the effectiveness of our technique, we apply SIFPA on three widely used Feistel schemes, DES, 3DES, and Camellia. Our analysis reveals that the secret key of these block ciphers can be extracted with a complexity of at most $2^{50}$ utilizing a single unknown fault. Furthermore, we demonstrate that the secret can be recovered in a fraction of a second by increasing the adversary's control over the injected faults. To evaluate SIPFA in a variety of scenarios, we conducted both simulations and real experiments utilizing electromagnetic fault injection on DES and 3DES.

We derive a tight upper bound on the probability over $\mathbf{x}=(x_1,\dots,x_\mu) \in \mathbb{Z}^\mu$ uniformly distributed in $ [0,m)^\mu$ that $f(\mathbf{x}) = 0 \bmod N$ for any $\mu$-linear polynomial $f \in \mathbb{Z}[X_1,\dots,X_\mu]$ co-prime to $N$. We show that for $N=p_1^{r_1},...,p_\ell^{r_\ell}$ this probability is bounded byb$\frac{\mu}{m} + \prod_{i=1}^\ell I_{\frac{1}{p_i}}(r_i,\mu)$ where $I$ is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter $\lambda$ bounds the minimum size of $N$ for which the probability that $f(\mathbf{x}) \equiv 0 \bmod N$ is at most $2^{-\lambda} + \frac{\mu}{m}$. For $\mu =1$ this is simply $N \geq 2^\lambda$. For $\mu \geq 2$, $\log_2(N) \geq 8 \mu^{2}+ \log_2(2 \mu)\cdot \lambda$ the probability that $f(\mathbf{x}) \equiv 0 \bmod N$ is bounded by $2^{-\lambda} +\frac{\mu}{m}$. We also present a computational method that derives tighter bounds for specific values of $\mu$ and $\lambda$. For example, our analysis shows that for $\mu=20$, $\lambda = 120$ (values typical in cryptography applications), and $\log_2(N)\geq 416$ the probability is bounded by $ 2^{-120}+\frac{20}{m}$. We provide a table of computational bounds for a large set of $\mu$ and $\lambda$ values.