International Association
for Cryptologic Research

In 2016, NIST announced an open competition with the goal of finding and standardizing a suitable quantum-resistant cryptographic algorithm, with the standard to be drafted in 2023. These algorithms aim to implement post-quantum secure key encapsulation mechanism (KEM) and digital signatures. However, the proposed algorithm does not consider authentication and is vulnerable to attacks such as man-in-the-middle. In this paper, we propose an authenticated key exchange algorithm to solve the above problems and improve its usability. The proposed algorithm combines learning with errors (LWE) and elliptic curve discrete logarithm problem to provide the required security goals. As forward security is a desirable property in a key exchange protocol, an ephemeral key pair is designed that a long-term secret compromise does not affect the security of past session keys. Moreover, the exchange steps required by the algorithm are very streamlined and can be completed with only two handshakes. We also use the random oracle model to prove the correctness and the security of proposed scheme. The performance analysis demonstrates the effectiveness of the proposed scheme. We believe that the novel approach introduced in this algorithm opens several doors for innovative applications of digital signatures in KEMs.

In this paper, we focus on the common prime RSA variant and introduces a novel investigation into the partial key exposure attack targeting it. We explore the vulnerability of this RSA variant, which employs two common primes $p$ and $q$ defined as $p=2ga+1$ and $q=2gb+1$ for a large prime $g$. Previous cryptanalysis of common prime RSA has primarily focused on the small private key attack. In our work, we delve deeper into the realm of partial key exposure attacks by categorizing them into three distinct cases. We are able to identify weak private keys that are susceptible to partial key exposure by using the lattice-based method for solving simultaneous modular univariate linear equations. To validate the effectiveness and soundness of our proposed attacks, we conduct experimental evaluations. Through these examinations, we demonstrate the validity and practicality of the proposed partial key exposure attacks on common prime RSA.

NIST has released the draft standard for ML-KEM, and ML-KEM is actively used in several widely-distributed applications. Thus, the wide-spread use of ML-KEM in the embedded worlds has to be expected in the near future. This makes security against side-channel attacks a pressing matter.

Several side-channel attacks have previously been proposed, and one line of research have been attacks against the comparison step of the FO-transform. These attacks construct a decryption failure oracle using a side-channel. A recent work published at TCHES 2022 stresses the need for higher-order masked comparisons by presenting a horizontal attack and proposes a t-probing secure comparison operation. A subsequent work by D’Anvers, Van Beirendonck, and Verbauwhede improves upon the performance of several previous proposals.

In this work, we show that the latter masked comparison suffers from weakness similar to those identified in the former. We first propose an approximate template attack that requires only a very low number of traces for profiling and has an exceptionally high noise tolerance. We show that the profiling phase is not necessary and can be replaced by a vertical analysis of the distribution of certain points of interest without knowledge of the targeted values. Finally, we explain how a horizontal attack may construct a decryption failure oracle from a single trace.

We provide a leakage model of the targeted operations, which is based on the noisy Hamming weight model. Our evaluations are carried out on a physical device to stress the practicality of our attack. In addition, we simulate the attacks to determine the measurement noise levels that can be handled. We discuss the underlying causes for our attack, the difficulty of securing the Fujisaki-Okamoto transform in ML-KEM, and draw conclusion about the (in-)sufficiency of t-probing security in this context.

The Helsinki Institute for Information Technology (HIIT) invites applications for Postdoctoral Fellows and Research Fellows. HIIT offers a HIIT Postdoctoral Fellow position up to three years. For more senior candidates, HIIT offers a HIIT Research Fellow position up to five years. The length of the contract as well as the starting and ending dates are negotiable. All excellent researchers in any area of ICT can be considered, but priority is given to candidates who support one (or more) of the HIIT strategic focus areas:

• Artificial Intelligence
• Computational Health
• Cybersecurity
• Data Science
• Foundations of Computing

In particular, the area of Foundations of Computing welcome candidates with strong background in cryptography.

Closing date for applications:

Contact: For questions regarding these positions and the electronic recruiting system, please contact the HIIT coordinator at coordinator@hiit.fi.
For questions related to cryptography research, please contact Russell W. F. Lai (russell dot lai at aalto.fi).

More information: https://www.hiit.fi/hiit-postdoctoral-and-research-fellow-positions/

At the Chair of Cyber Security we are looking for a research engineer to establish a state-of-the-art IoT (Internet of Things) lab with smart devices ranging from Raspberry Pi's, sensors, smart microphones, toy cars, RFID tags, RFID readers, smart phones, biometric sensors. At our Chair you will work with world-leading researchers to implement, test, and showcase secure and privacy-preserving protocols and algorithms. Many projects are conducted in collaboration with other academic and industrial partners.

Key Responsibilities:

• Development and implementation of concepts and research results, both individually and in collaboration with researchers and PhD students,
• Run of experiments and simulation of realistic conditions to test the performance of developed algorithms and protocols,
• Development, maintenance and organization of software, Support to BSc, MSc and PhD students, postdocs and researchers who use the lab,
• Responsibility for day routines in the lab, for example purchases, installations, bookings, inventory,
• Demonstrations and lab tours for external visitors,
• Maintaining and producing content for our group web page and social media platforms.

Your profile:
The successful applicant is expected to hold or to be about to receive a M.Sc. degree in Computer Science, Electrical Engineering, Applied Mathematics or similar fields, preferably with a focus in Security and Privacy for Computer Science Systems.
We are looking for a strongly motivated and self-driven person who is able to work and learn new things independently.

• Good command of English is required.
• You should have a good academic track record and well developed analytical and problem solving skills.
• Excellent programming skills and familiarity with cryptographic libraries.
• Previous experience in implementation projects with C++, Matlab/Simulink, Python is desired.

Please apply by 31. January through the job link.

Closing date for applications:

Contact:
Eriane Breu (Administrative matters)
Prof. Katerina Mitrokotsa (Research related questions)

More information: https://jobs.unisg.ch/offene-stellen/cryptography-engineer-m-w-d/ef5bb893-f482-4475-aeb1-8de48047299a

The selection of a Lightweight Cryptography (LWC) algorithm is crucial for resource limited applications. The National Institute of Standards and Technology (NIST) leads this process, which involves a thorough evaluation of the algorithms’ cryptanalytic strength. Furthermore, careful consideration is given to factors such as algorithm latency, code size, and hardware implementation area. These factors are critical in determining the overall performance of cryptographic solutions at edge devices. Introducing CrISA-X, a Cryptography Instruction Set Architecture extensions designed to improve cryptographic latency on extendable processors. CrISA-X, classified as Generic-Atomic, Block-Specific and Procedure-Specific, leverages RISC processor hardware and a base ISA to effectively execute LWC algorithms. Our study aims to evaluate the execution efficiency of new single-cycle instruction extensions and tightly coupled multicycle instructions on extendable modular RISC processors. CrISA-X provides enhanced speed of various algorithms simultaneously while optimizing ISA adaptability, a feat yet to be accomplished. The extension, diverse for several computation levels, is first specifically tailored for individual algorithms and sets of LWC algorithms, depending on performance, frequency, and area trade-offs. By diligently applying the Min-Max optimization technique, we have configured these extensions to achieve a delicate balance between performance, area code size, etc. Our study presents empirical evidence of the performance enhancement achieved on a real synthesis modular RISC processor. We offer a framework for creating optimized processor hardware and ISA extensions. The CrISA-X framework generally outperforms ISA extensions by delivering significant performance boosts between 3x to 17x while experiencing a relative area cost increase of +12% and +47% in LUTs, in respect to the instruction set category. Notably, as one important example, the utilization of the ASCON algorithm yields a 10x performance boost in contrast to the base ISA instruction implementation

In this paper, we build a framework for constructing Constrained Pseudorandom Functions (CPRFs) with inner-product constraint predicates, using ideas from subtractive secret sharing and related-key-attack security.

Our framework can be instantiated using a random oracle or any suitable Related-Key-Attack (RKA) secure pseudorandom function. We provide three instantiations of our framework:

1. an adaptively-secure construction in the random oracle model; 2. a selectively-secure construction under the DDH assumption; and 3. a selectively-secure construction under the assumption that one-way functions exist.

All three instantiations are constraint-hiding and support inner-product predicates, leading to the first constructions of such expressive CPRFs under each corresponding assumption. Moreover, while the OWF-based construction is primarily of theoretical interest, the random oracle and DDH-based constructions are concretely efficient, which we show via an implementation.

Zero-knowledge proof (ZKP) is a cryptographic primitive that enable a prover to convince a verifier that a statement is true without revealing any other information beyond the correctness of the statement itself. Due to its powerful capabilities, its most practical type, called zero-knowledge Succinct Non-interactive ARgument of Knowledge (zkSNARK), has been widely deployed in various privacy-preserving applications such as cryptocurrencies and verifiable computation. Although state-of-the-art zkSNARKs are highly efficient for the verifier, the computational overhead for the prover is still orders of magnitude too high to warrant use in many applications. This overhead is due to several time-consuming operations, including large-scale matrix-vector multiplication (MUL), number-theoretic transform (NTT), and especially the multi-scalar multiplication (MSM) with the highest proportion. Thus, further efficiency improvements are needed.

In this paper we focus on comprehensive optimization of running time and storage space needed by the MSM algorithm on GPUs. Specifically, we propose a new modular and adaptive parameter configuration technique—elastic MSM to enable us to change the scale of MSM according to our own wishes by performing a corresponding amount of preprocessing. This technique enable us to fully unleash the potential of various efficient parallel MSM algorithms. From another perspective, our technique could also be regarded as a preprocessing technique over the well-known Pippenger algorithm, which is modular and could be used to accelerate almost all the most advanced parallel Pippenger algorithms on GPUs. Meanwhile, our technique provides an adaptive trade-off between the running time and the extra storage space needed by parallel Pippenger algorithms on GPUs. We implemented and tested elastic MSM over two prevailing parallel Pippenger algorithms on GPUs. Given a range of practical parameters, across various preprocessing space limitations (across various MSM scales), our construction achieves up to about 28× and 45× (25× and 40×) speedup versus two state-of-the-art preprocessing parallel Pippenger algorithms on GPUs, respectively.

The polynomial attacks on SIDH by Castryck, Decru, Maino, Martindale and Robert have shown that, while the general isogeny problem is still considered unfeasible to break, it is possible to efficiently compute a secret isogeny when given its degree and image on enough torsion points. A natural response from many researchers has been to propose SIDH variants where one or both of these possible extra pieces of information is masked in order to obtain schemes for which a polynomial attack is not currently known. Example of such schemes are M-SIDH, MD-SIDH and FESTA. However, by themselves, theses SIDH variants are vulnerable to the same adaptive attacks where the adversary sends public keys whose associated isogeny is either unknown or inexistent. For the original SIDH scheme, one possible defense against these attacks is to use zero-knowledge proofs that a secret isogeny has been honestly computed. However, such proofs do not currently exist for most SIDH variants. In this paper, we present new zero-knowledge proofs for isogenies whose degree or torsion points have been masked. The security of these proofs mainly relies on the hardness of DSSP.

Proxy re-encryption (PRE) allows a proxy to transform a ciphertext intended for Alice (delegator) to another ciphertext intended for Bob (delegatee) without revealing the underlying message. Recently, a new variant of PRE, namely fine-grained PRE (FPRE), was proposed in [Zhou et al., Asiacrypt 2023]. Generally, FPRE is designed for a function family F: each re-encryption key rk_{A→B}^f is associated with a function f ∈ F, and with rk_{A→B}^f, a proxy can transform Alice's ciphertext encrypting m to Bob's ciphertext encrypting f(m). However, their scheme only supports single-hop re-encryption and achieves only CPA security.

In this paper, we formalize multi-hop FPRE (mFPRE) that supports multi-hop re-encryptions in the fine-grained setting, and propose two mFPRE schemes achieving CPA security and stronger HRA security (security against honest re-encryption attacks), respectively. -- For multi-hop FPRE, we formally define its syntax and formalize a set of security notions including CPA security, HRA security, undirectionality and ciphertext unlinkablity. HRA security is stronger and more reasonable than CPA security, and ciphertext unlinkablity blurs the proxy relations among a chain of multi-hop re-encryptions, hence providing better privacy. We establish the relations between these security notions. -- Our mFPRE schemes support fine-grained re-encryptions for bounded linear functions and have security based on the learning-with-errors (LWE) assumption in the standard model. In particular, one of our schemes is HRA secure and enjoys all the aforementioned desirable securities. To achieve CPA security and HRA security for mFPRE, we extend the framework of [Jafargholi et al., Crypto 2017] and the technique of the [Fuchsbauer et al., PKC 2019].

Asymmetric Searchable Encryption (ASE) is a promising cryptographic mechanism that enables a semi-trusted cloud server to perform keyword searches over encrypted data for users. To be useful, an ASE scheme must support expressive search queries, which are expressed as conjunction, disjunction, or any Boolean formulas. In this paper, we propose a fast and expressive ASE scheme that is adaptively secure, called FEASE. It requires only 3 pairing operations for searching any conjunctive set of keywords independent of the set size and has linear complexity for encryption and trapdoor algorithms in the number of keywords.

FEASE is based on a new fast Anonymous Key-Policy Attribute-Based Encryption (A-KP-ABE) scheme as our first proposal, which is of independent interest. To address optional protection against keyword guessing attacks, we extend FEASE into the first expressive Public-Key Authenticated Encryption with Keyword Search (PAEKS) scheme.

We provide implementations and evaluate the performance of all three schemes, while also comparing them with the state of the art. We observe that FEASE outperforms all existing expressive ASE constructions and that our A-KP-ABE scheme offers anonymity with efficiency comparable to the currently fastest yet non-anonymous KP-ABE schemes FAME (ACM CCS 2017) and FABEO (ACM CCS 2022).

All anonymous identity-based encryption (IBE) schemes that are group homomorphic (to the best of our knowledge) require knowledge of the identity to compute the homomorphic operation. This paper is motivated by this open problem, namely to construct an anonymous group-homomorphic IBE scheme that does not sacrifice anonymity to perform homomorphic operations. Note that even when strong assumptions such as indistinguishability obfuscation (iO) are permitted, no schemes are known. We succeed in solving this open problem by assuming iO and the hardness of the DBDH problem over rings (specifically, $Z_{N^2}$ for RSA modulus $N$). We then use the existence of such a scheme to construct an IBE scheme with re-randomizable anonymous encryption keys, which we prove to be IND-ID-RCCA secure. Finally, we use our results to construct identity-based anonymous aggregation protocols.

Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as SymSum_Vec in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. SymSum_Vec exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later in Africacrypt 2020, Suryawanshi et al. extended SymSum_Vec using linearization techniques and in SSS 2023 also applied it to NIST-LWC finalist Xoodyak. However, a major limitation of SymSum_Vec is the maximum attainable derivative (MAD) which is less than half of the widely studied ZeroSum distinguisher. This is attributed to SymSum_Vec being dependent on m−fold vectorial derivatives while ZeroSum relies on m−fold simple derivatives. In this work we overcome this limitation of SymSum_Vec by developing and validating the theory of computing SymSum_Vec with simple derivatives. This gives us a close to 100% improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with one/two-round linearization to penetrate more rounds. Moreover, we identify an issue with the two-round linearization claim made by Suryawanshi et al. which renders it invalid and also furnish an algebraic fix at the cost of some additional constraints.

Combining all results we report SymSum_Sim , a new variant of the SymSum_Vec distinguisher based on m−fold simple derivatives that outperforms ZeroSum by a factor of $2^{257}$, $2^{129}$ for 10-round SHA-3-384 and 9-round SHA-3-512 respectively while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, SymSum_Sim maintains an advantage of factor 2. Combined with one/two-round linearization, SymSum_Sim improves upon all existing ZeroSum and SymSum_Vec distinguishers on both SHA-3 and Xoodyak. As regards Keccak-p, the internal permutation of SHA-3, we report the best 15-round distinguisher with a complexity of $2^{256}$ and the first better than birthday-bound 16-round distinguisher with a complexity of $2^{512}$ (improving upon the 15/16-round results by Guo et al. in Asiacrypt 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of $2^{32}$ and furnish the first third-party distinguishers on the Belarushian hash function Bash. All distinguishers furnished in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, SymSum_Sim emerges as a better distinguisher than ZeroSum on all fronts and adds to the state-of-the-art of cryptanalytic tools investigating non-randomness of crypto primitives.

This technical note presents limits on the security (as a function of the number of plaintext bytes encrypted and the number of forgery attempts made by an adversary) for the main Authenticated Encryption schemes available in TLS 1.2 and the draft of TLS 1.3. These limits are derived from security proofs for the considered schemes available in the literature. Our intention is to provide considered technical input to on-going discussions in the TLS Working Group of the IETF concerning, amongst other things, the necessity of adding a key update feature to the TLS 1.3 specification.

Zero-Knowledge Proofs (ZKPs), a cryptographic tool known for decades, have gained significant attention in recent years due to advancements that have made them practically applicable in real-world scenarios. ZKPs can provide unique attributes, such as succinctness, non-interactivity, and the ability to prove knowledge without revealing the information itself, making them an attractive solution for a range of applications.

This paper aims to critically analyze the applicability of ZKPs in various scenarios. We categorize ZKPs into distinct types: SNARKs (Succinct Non-Interactive Arguments of Knowledge), Commit-then-Prove ZKPs, MPC-in-the-Head, and Sigma Protocols, each offering different trade-offs and benefits. We introduce a flowchart methodology to assist in determining the most suitable ZKP system, given a set of technical application requirements. Next, we conduct an in-depth investigation of three major use cases: Outsourcing Computation, Digital Self-Sovereign Identity, and ZKPs in networking. Additionally, we provide a high-level overview of other applications of ZKPs, exploring their broader implications and opportunities. This paper aims to demystify the decision-making process involved in choosing the right ZKP system, providing clarity on when and how these cryptographic tools can be effectively utilized in various domains — and when they are better to be avoided.

Side-channel analysis based on machine learning, especially neural networks, has gained significant attention in recent years. However, many existing methods still suffer from certain limitations. Despite the inherent capability of neural networks to extract features, there remains a risk of extracting irrelevant information. The heavy reliance on profiled traces makes it challenging to adapt to remote attack scenarios with limited profiled traces. Besides, attack traces also contain critical information that can be used in the training process to assist model learning. In this paper, we propose a side-channel analysis approach based on contrastive learning named CL-SCA to address these issues. We also leverage a stochastic data augmentation technique to assist model to effectively filter out irrelevant information from the profiled traces. Through experiments of different datasets from different platforms, we demonstrate that CL-SCA significantly outperforms various conventional machine learning side-channel analysis techniques. Moreover, by incorporating attack traces into the training process using our approach, known as CL-SCA+, it becomes possible to achieve even greater enhancements. This extension can further improve the effectiveness of key recovery, which is fully verified through experiments on different datasets.

Event date: 26 October 2024
Submission deadline: 31 March 2024

The Cybersecurity (CYS) group at the Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) invites applications for full-time doctoral candidates in Computer Security and Applied Cryptography. Successful candidates will tackle exciting and challenging research problems in the area of private computing, privacy-enhancing technologies, secure multiparty computation and generally applied cryptography. Examples include developing attacks against existing cryptosystems by exploiting their information leakage and building new secure and practical schemes. Successful candidates will have the opportunity to work closely with world-class researchers at TU Delft and our research collaborators in Europe and the US.

Requirements:

MSc (or equivalent) degree in Computer Science, Mathematics or a closely related field by the time of the appointment.

Strong ability in at least one programming language: e.g. Python, C/C++

Experience in (at least one of): Cryptography, Privacy, Algorithmic Design

A strong foundation of Mathematics

Some research experience is a plus

Excellent oral and written skills in English

Closing date for applications:

Contact: Lilika Markatou (e.a.markatou@tudelft.nl).

More information: https://www.tudelft.nl/over-tu-delft/werken-bij-tu-delft/vacatures/details?jobId=15653

Requirements: PhD in Computer Science, Information Security, Cryptography, or related fields Strong Analysis and Synthesis Skills Strong Security Analytic Skills Strong Algorithmic Knowledge Information Security Knowledge and Digital Identity Protocols Knowledge of Distributed Ledger and Blockchains Proficiency in one of the major programming languages, such as Python, Node.js, Java, Golang, and Solidity. Knowledge of formal specification and verification would be considered an asset. Keywords: Data Sharing, Zero Knowledge Proof (ZkP), Trust, Formal Modeling and Specification, Smart Contract, Blockchain, DLT Application process: Please send the following documents (in a single PDF file): CV Motivation Lettre List of Publications and Patents Other scientific/technological contributions (if any),

Closing date for applications:

Contact: Prof. Nazim Agoulmine: nazim.agoulmine(at)univ-evry.fr Prof. Djamel Khadraoui: djamel.khadraoui(at)list.lu Dr. Adnan Imeri: adnan.imeri(at)list.lu

More information: https://drive.google.com/file/d/1asWQBNyUKgMPiM-ZU92-kKRPymSY-ru7/view?usp=sharing

We are hiring a research engineer / applied scientist to work out of our Hoboken NJ office. In this position, you will be part of a team developing and implementing analytics and machine learning algorithms using privacy-protected computation. The team includes well-known researchers and is a major contributor to the open-source OpenFHE software library.

The candidate is expected to have a strong research background in implementing complex mathematical operations into efficient processing pipelines. C++ software engineering skills are required, and Python experience is desirable. Experience with privacy-enhancing technologies, such as Fully Homomorphic Encryption (FHE) and Secure Multiparty Computation (SMC), is preferred. Familiarity with modern AI/ML development techniques and frameworks and runtime optimization is preferred.

The candidate is expected to work in the hybrid mode (at least halftime in the Hoboken, NJ office). Initially, the work can be done remotely. More information is available at https://dualitytech.com/careers/research-engineer/.

Closing date for applications:

Contact: Yuriy Polyakov (ypolyakov@dualitytech.com)

More information: https://dualitytech.com/careers/research-engineer/