International Association
for Cryptologic Research

This opportunity is for a Lecturer, Cybersecurity (tenure track), to provide development, coordination of subjects and research within the Bachelor of Computer Science (majoring in Cybersecurity), and the ability to provide an innovative teaching experience in Computer Science at both undergraduate and postgraduate levels. The position requires the successful candidate be research active and have a national reputation in Web Security and/or Cyber Security, and have high quality research skills in Cybersecurity and other relevant topics. The incumbent will have a PhD in the area of cybersecurity blockchain, cryptocurrency or a related area, and have a demonstrated ability to mentor and supervise high degree research students. Please apply online through the website and address the selection criteria accordingly.

Closing date for applications:

Contact: Prof Willy Susilo

More information: https://ejgl.fa.ap1.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/2695/?utm_medium=jobshare

Our research team is looking for a talented R&D Engineer who can implement cryptographic primitives and protocols. The candidate will have an opportunity in interacting with the brightest Cryptography researchers and work with highly talented engineers in building a robust blockchain platform from scratch. The candidate will get to apply the cryptography ideas and concepts in challenging real-world settings.

Required

- Masters in Computer Science with specialisation in Cryptography from a reputed university or Bachelors with extensive crypto experience - Software Development experience - Proficiency in programming languages especially in Rust

Desired

- Working experience with Elliptic curve cryptography / bilinear pairings / ZK proofs

For more information, please visit our website: https://supraoracles.com/

Closing date for applications:

Contact: Phu Le - Executive Assistant

More information: https://supraoracles.com/careers/4598948004/

Our chair performs research and teaching in the area of IT Security with a strong focus on Network Security and Online Privacy. Our goal is to advance the state of the art in research and to educate qualified computer scientists in the area of IT Security who are able to meet the challenges of the growing demand on securing IT Systems and provide data protection in various areas of our life and society. More information can be found at https://www.b-tu.de/en/fg-it-sicherheit.

Tasks:

• Active research in the area of intrusion detection systems (IDS) for critical infrastructures, secure cyber-physical systems, and artificial intelligence / machine learning for traffic analysis
• Implementation and evaluation of new algorithms and methods
• Cooperation and knowledge transfer with industrial partners
• Publication of scientific results
• Assistance with teaching

The employment takes place with the goal of doctoral graduation (obtaining a PhD degree).

Requirements:

• Master’s degree (or equivalent) in Computer Science or related disciplines
• Strong interest in IT security and/or networking and distributed systems
• Knowledge of at least one programming language (C++, Java, etc.) and one scripting language (Perl, Python, etc.) or strong willingness to quickly learn new programming languages
• Linux/Unix skills
• Knowledge of data mining, machine learning, statistics and result visualization concepts is of advantage
• Excellent working knowledge of English; German is of advantage
• Excellent communication skills

Applications containing the following documents:

• A detailed Curriculum Vitae
• Transcript of records from your Master studies
• An electronic version of your Master thesis, if possible should be sent in a single PDF file as soon as possible, but not later than 15.08.2022 at itsec-jobs.informatik@lists.b-tu.de

Closing date for applications:

Contact: Prof. Dr.-Ing. Andriy Panchenko
itsec-jobs.informatik@lists.b-tu.de

More information: https://www.b-tu.de/en/fg-it-sicherheit

iTrust is a Cyber Security Research Center in SUTD and a National Satellite of Excellence in Singapore for securing critical infrastructure. iTrust hosts the world-class cyber-physical system (CPS) testbeds for water treatment (SWaT), water distribution (WADI) and power grid (EPIC). iTrust will build a new maritime shipboard OT testbed (MariOT), to be used for research, education, training, live-fire exercise, and technology validation.

We are looking for postdocs / research fellows with expertise on cybersecurity in general and CPS security in particular. The candidates should have track record of strong R&D capability, with publications at leading security conferences. The candidates familiar with shipboard OT systems will be considered with the priority. Candidate working in the current position less than one year will not be considered (unless due to the end of contract). Fresh PhD graduates are welcome.

We are also looking for research assistants who should be 1) familiar with scripting languages like Python; 2) with knowledge on threat modelling and vulnerability assessment - to conduct vulnerability scan of the systems and analyse the threats; 3) familiar with tools like Wireshark, Metasploit, Ettercap, Nmap - to monitor network traffic, launch MITM attacks, scan for ports; 4) with hands on experience of Linux OS to execute commands and run scripts.

Only short-listed candidates will be contacted for interview. Successful candidates will be offered internationally competitive remuneration.

Interested candidates please send your CV to Prof. Jianying Zhou (http://jianying.space/).

Closing date for applications:

Contact: Prof. Jianying Zhou. Email: jianying_zhou@sutd.edu.sg

More information: http://jianying.space/

Related-key attacks against block ciphers are often considered unrealistic. In practice, as far as possible, the existence of a known "relation" between the secret encryption keys is avoided. Despite this, related keys arise directly in some widely used keyed hash functions. This is especially true for HMAC-Streebog, where known constants and manipulated parameters are added to the secret key. The relation is determined by addition modulo $2$ and $2^{n}$. The security of HMAC reduces to the properties of the underlying compression function. Therefore, as an initial analysis we propose key-recovery methods for 10 and 11 rounds (out of 12) of Streebog compression function in the related-key setting. The result shows that Streebog successfully resists attacks even in the model with such powerful adversaries.

Computational security in cryptography has a risk that computational assumptions underlying the security are broken in the future. One solution is to construct information-theoretically-secure protocols, but many cryptographic primitives are known to be impossible (or unlikely) to have information-theoretical security even in the quantum world. A nice compromise (intrinsic to quantum) is certified everlasting security, which roughly means the following. A receiver with possession of quantum encrypted data can issue a certificate that shows that the receiver has deleted the encrypted data. If the certificate is valid, the security is guaranteed even if the receiver becomes computationally unbounded. Although several cryptographic primitives, such as commitments and zero-knowledge, have been made certified everlasting secure, there are many other important primitives that are not known to be certified everlasting secure.

In this paper, we introduce certified everlasting FE. In this primitive, the receiver with the ciphertext of a message $m$ and the functional decryption key of a function $f$ can obtain $f(m)$ and nothing else. The security holds even if the adversary becomes computationally unbounded after issuing a valid certificate. We, first, construct certified everlasting FE for P/poly circuits where only a single key query is allowed for the adversary. We, then, extend it to $q$-bounded one for NC1 circuits where $q$-bounded means that $q$ key queries are allowed for the adversary with an a priori bounded polynomial $q$. For the construction of certified everlasting FE, we introduce and construct certified everlasting versions of secret-key encryption, public-key encryption, receiver non-committing encryption, and a garbling scheme, which are of independent interest.

In this work, we define and study equivalence problems for sum-rank codes, giving their formulation in terms of tensors. Moreover, we introduce the concept of generating tensors of a sum-rank code, a direct generalization of the generating matrix for a linear code endowed with the Hamming metric. In this way, we embrace well-known definitions and problems for Hamming and rank metric codes. Finally, we prove the TI-completeness of code equivalence for rank and sum-rank codes, and hence, in the future, these problems could be used in the design of post-quantum schemes.

Code equivalence is a well-known concept in coding theory. Recently, literature saw an increased interest in this notion, due to the introduction of protocols based on the hardness of finding the equivalence between two linear codes. In this paper, we analyze the security of code equivalence, with a special focus on the hardest instances, in the interest of cryptographic usage. Our work stems from a thorough review of existing literature, identifies the various types of solvers for the problem, and provides a precise complexity analysis, where previously absent. Furthermore, we are able to improve on the state of the art, providing more efficient algorithm variations, for which we include numerical simulation data. Our results include also a dedicated method for solving code equivalence with a quantum algorithm, as well as a refinement of quantum Information-Set Decoding (ISD) algorithms. In the end, the goal of this paper is to provide a complete, single point of access, which can be used as a tool for designing schemes that rely on the code equivalence problem.

We define two metrics on vector spaces over a finite field using the linear complexity of finite sequences. We then develop coding theory notions for these metrics and study their properties. We give a Singleton-like bound as well as constructions of subspaces achieving this bound. We also provide an asymptotic Gilbert-Varshamov-like bound for random subspaces. We show how to reduce the problem of finding codewords with given Hamming weight into a problem of finding a vector of a given linear complexity. This implies that our new metric can be used for cryptography in a similar way to what is currently done in the code-based setting.

Even today, SCA attacks pose a serious threat to the security of cryptographic implementations fabricated with low-power and nano-scale feature technologies. Fortunately, the masking countermeasures offer reliable protection against such attacks based on simple security assumptions. However, the practical application of masking to a cryptographic algorithm is not trivial, and the designer may overlook possible security flaws, especially when masking a complex circuit. Moreover, abstract models like probing security allow formal verification tools to evaluate masked implementations. However, this is computationally too expensive when dealing with circuits that are not based on composable gadgets. Unfortunately, using composable gadgets comes at some area overhead. As a result, such tools can only evaluate subcircuits, not their compositions, which can become the Achilles' heel of such masked implementations. In this work, we apply logic simulations to evaluate the security of masked implementations which are not necessarily based on composable gadgets. We developed PROLEAD, an automated tool analyzing the statistical independence of simulated intermediates probed by a robust probing adversary. Compared to the state of the art, our approach (1) does not require any power model as only the state of a gate-level netlist is simulated, (2) can handle masked full cipher implementations, and (3) can detect flaws related to the combined occurrence of glitches and transitions as well as higher-order multivariate leakages. With PROLEAD, we can evaluate masked implementations that are too complex for existing formal verification tools while being in line with the robust probing model. Through PROLEAD, we have detected security flaws in several publicly-available masked implementations, which have been claimed to be robust probing secure.

The security of code-based constructions is usually assessed by Information Set Decoding (ISD) algorithms. In the quantum setting, amplitude amplification yields an asymptotic square root gain over the classical analogue. However, already the most basic ISD algorithm by Prange suffers enormous width requirements caused by the quadratic description length of the underlying problem. Even if polynomial, this need for qubits is one of the biggest challenges considering the application of real quantum circuits in the near- to mid-term.

In this work we overcome this issue by presenting the first hybrid ISD algorithms that allow to tailor the required qubits to any available amount while still providing quantum speedups of the form $T^\delta$, $0.5<\delta <1$, where $T$ is the running time of the purely classical procedure. Interestingly, when constraining the width of the circuit instead of its depth we are able to overcome previous optimality results on constraint quantum search.

Further we give an implementation of the fully-fledged quantum ISD procedure and the classical co-processor using the quantum simulation library Qibo and SageMath.

The deep learning-based side-channel analysis gave some of the most prominent side-channel attacks against protected targets in the past few years. To this end, the research community's focus has been on creating 1) powerful and 2) (if possible) minimal multilayer perceptron or convolutional neural network architectures. Currently, we see that computationally intensive hyperparameter tuning methods (e.g., Bayesian optimization or reinforcement learning) provide the best results. However, as targets with more complex countermeasures become available, these minimal architectures may be insufficient, and we will require novel deep learning approaches.

This work explores how residual neural networks (ResNets) perform in side-channel analysis and how to construct deeper ResNets capable of working with larger input sizes and requiring minimal tuning. The resulting architectures obtained by following our guidelines are significantly deeper than commonly seen in side-channel analysis, require minimal hyperparameter tuning for specific datasets, and offer competitive performance with state-of-the-art methods across several datasets. Additionally, the results indicate that ResNets work especially well when the number of profiling traces and features in a trace is large.

We propose a group signature scheme with a function of designated traceability; each opener has attributes, and a signer of a group signature can be traced by only the openers whose attributes satisfy the boolean formula designated by the signer. We describe syntax and security definitions of the scheme. Then we give a generic construction of the scheme by employing a ciphertext-policy attribute-based encryption scheme.

Implicit certificates own the shorter public key validation data. This property makes them appealing in resource-constrained IoT systems where public key validation is performed very often, which is common in Host Identity Protocol (HIP). However, it is still a critical challenge in IoT how to guarantee the security and efficiency of implicit certificates. This article presents a forgery attack for the Privacy-aware HIP (P-HIP), and then propose a Secure and Efficient Implicit Certificate (SEIC) scheme that can improve the security of the P-HIP and the efficiency of elliptic-curve point multiplications for IoT devices. For a fix-point multiplication, the proposed approach is about 1:5 times faster than the method in SIMPL scheme. Furthermore, we improve the performance of SEIC with the butterfly key expansion process, and then construct an improved P-HIP. Experimental results show that the improved P-HIP can achieve the performance gains.

We introduce a new way to conduct post-election audits using untrusted scanners. Audits perform statistical hypothesis testing to confirm election outcomes. However, existing approaches are costly and laborious for close elections—often the most important cases to audit—requiring extensive hand inspection of ballots. We instead employ automated consistency checks, augmented by manual checks of only a small number of ballots. Our protocols scan each ballot twice, shuffling the ballots between the scans. This gives strong statistical guarantees even for close elections, as long as (1) the permutation accomplished by the shuffle is unknown to the scanners and (2) the scanners cannot reliably identify a particular ballot among others cast for the same candidate. In practice, ballots often have distinguishing features, of course; but we argue that reasonable measures can limit their detection by scanners under controlled conditions. Our techniques drastically reduce the time, expense, and labor of auditing close elections, which we hope will facilitate wider deployment.

We present three rescan audit protocols and analyze their statistical guarantees. We first present a simple scheme illustrating our basic idea in a simplified two-candidate setting. We then extend this scheme to allow (1) more than two candidates; (2) processing of ballots in batches; and (3) tolerating imperfect scanners, as long as scanning errors are too infrequent to affect the election outcome. Finally, we propose and discuss an alternate scheme that reduces the trust assumptions placed on the shuffling mechanism at the expense of adding an additional scan. Our proposals require manual handling or inspection of 10–100 ballots per batch in a variety of settings, in contrast to existing techniques that require hand inspecting many more ballots in close elections. Unlike prior techniques that depend on the *relative* margin of victory, our protocols are to our knowledge the first to depend on the *absolute* margin, and give meaningful guarantees even for extremely close elections: e.g., absolute margins of tens or hundreds of votes.

MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure.

We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway.

Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models.

The Lightning Network, a real-world payment channel network deployed over Bitcoin, provides almost-instant payments to its parties. In addition to direct payments, which require a shared account, parties can pay each other in the form of multi-hop payments via existing payment channels. Such multi-hop payments rely on a 2-phase commit protocol to achieve balance security; that is, no honest intermediary party loses her coins. Unfortunately, failures or attacks in this 2-phase commit protocol can lead to coins being committed (locked) in a payment for extended periods of time (in the order of days in the worst case). During these periods, parties cannot go offline without losing funds due to their existing commitments, even if they use watchtowers. Furthermore, they cannot use the locked funds for initiating or forwarding new payments, reducing their opportunities to use their coins and earn fees.

We introduce Bailout, the first protocol that allows intermediary parties in a multi-hop payment to unlock their coins before the payment completes by re-routing the payment over an alternative path. We achieve this by creating a circular payment route starting from the intermediary party in the opposite direction of the original payment. Once the circular payment is locked, both payments are canceled for the intermediary party, which frees the coins of the corresponding channels. This way, we create an alternative route for the ongoing multi-hop payment without involving the sender or receiver. The parties on the alternative path are incentivized to participate through fees.

We prove the security of our protocol in the Universal Composability (UC) framework. Furthermore, we evaluate the utility of our protocol using a real-world Lightning Network snapshot. Bailouts may fail due to insufficient balance in alternative paths used for re-routing. We find that attempts of a node to bailout typically succeed with a probability of more than 94% if at least one alternative path exists.

The recent work of Caulk introduces the security notion of position hiding linkability for vector commitment schemes, providing a zero-knowledge argument that a committed vector's elements comprise a subset of some other committed vector. The protocol has very low cost to the prover in the case where the size $m$ of the subset vector is much smaller than the size $n$ of the one containing it. The asymptotic prover complexity is $O(m^2 + m \log n)$, where the $\log n$ dependence comes from a subprotocol showing that the roots of a blinded polynomial are all $n$th roots of unity. In this work, we show how to simplify this argument, replacing the subprotocol with a polynomial divisibility check and thereby reducing the asymptotic prover complexity to $O(m^2)$, removing any dependence on $n$.

This paper presents an improved Plantard's modular arithmetic (Plantard arithmetic) tailored for Lattice-Based Cryptography (LBC). Based on the improved Plantard arithmetic, we present faster implementations of two LBC schemes, Kyber and NTTRU, running on Cortex-M4. The intrinsic advantage of Plantard arithmetic is that one multiplication can be saved from the modular multiplication of a constant. However, the original Plantard arithmetic is not very practical in LBC schemes because of the limitation on the unsigned input range. In this paper, we improve the Plantard arithmetic and customize it for the existing LBC schemes with theoretical proof. The improved Plantard arithmetic not only inherits its aforementioned advantage but also accepts signed inputs, produces signed output, and enlarges its input range compared with the original design. Moreover, compared with the state-of-the-art Montgomery arithmetic, the improved Plantard arithmetic has a larger input range and smaller output range, which allows better lazy reduction strategies during the NTT/INTT implementation in current LBC schemes. All these merits make it possible to replace the Montgomery arithmetic with the improved Plantard arithmetic in LBC schemes on some platforms. After applying this novel method to Kyber and NTTRU schemes using 16-bit NTT on Cortex-M4 devices, we show that the proposed design outperforms the known fastest implementation that uses Montgomery and Barrett arithmetic. Specifically, compared with the state-of-the-art Kyber implementation, applying the improved Plantard arithmetic in Kyber results in a speedup of 25.02% and 18.56% for NTT and INTT, respectively. Compared with the reference implementation of NTTRU, our NTT and INTT achieve speedup by 83.21% and 78.64%, respectively. As for the LBC KEM schemes, we set new speed records for Kyber and NTTRU running on Cortex-M4.

GIFT-COFB is a lightweight AEAD scheme and a submission to the ongoing NIST lightweight cryptography standardization process where it currently competes as a finalist. The construction processes 128-bit blocks with a key and nonce of the same size and has a small register footprint, only requiring a single additional 64-bit register. Be- sides the block cipher, the mode of operation uses a bit permutation and finite field multiplication with different constants. It is a well-known fact that implementing a hardware block cipher in a bit-serial manner, which advances only one bit in the computation pipeline in each clock cycle, results in the smallest circuits. Nevertheless, an efficient bit-serial circuit for a mode of operation that utilizes finite field arithmetic with multiple constants has yet to be demonstrated in the literature.

In this paper, we fill this gap regarding efficient field arithmetic in bit- serial circuits, and propose a lightweight circuit for GIFT-COFB that occupies less than 1500 GE, making it the to-date most area-efficient implementation of this construction. In a second step, we demonstrate how the additional operations in the mode can be executed concurrently with GIFT itself so that the total latency is significantly reduced whilst incurring only a modest area increase. Finally, we propose a first-order threshold implementation of GIFT-COFB, which we experimentally verify resists first-order side-channel analysis.