International Association for Cryptologic Research

IACR News

27 June 2017

Mathias Wagner, Stefan Heyse
ePrint Report
Recently, a new template attack on the DES key scheduling was demonstrated that allows recovery of a sufficiently large portion of the DES key of a widely deployed certified smart card chip using a single EM (electromagnetic) trace during the Exploitation Phase. Firstly, in this paper we show how the results can be improved upon when combining them with the analysis of another leakage channel, the total Hamming weight. Remaining rest entropies as low as approximately 13 bits have been found for some single-trace attacks, meaning that effectively 42 bits of a single-key DES were recovered in a single trace. The nature of single-trace attacks has it that conventional software countermeasures are rendered useless by this attack, and thus the only remaining remedy is a hardware redesign. Secondly, various brute-force search strategies are compared with each other and an extensive analysis of the statistics of the rest entropy is presented. The analysis is also extended to two-key TDES. Finally, the amount of brute-force effort can be drastically reduced when having more than one trace available for the attack. Already as few as N = 8 traces during the Exploitation Phase bring about a reduction of the average brute-force effort of the order of 10 bits for single DES, and 22 bits for two-key TDES. For N approximately 100 we achieve an average brute-force effort of less than 50 bits for two-key TDES.
Skopje, Macedonia, 22 September 2017
Event Calendar
Event date: 22 September 2017
Submission deadline: 10 July 2017
Notification: 24 July 2017
Kuwait City, Kuwait, 12 September - 13 September 2017
Event Calendar
Event date: 12 September to 13 September 2017

26 June 2017

School
The deadline for proposing an IACR Cryptology School is June 30. There are two deadlines annually, and this is the last chance to apply for IACR Schools taking place on or before April 2018. Information about proposing an IACR School can be found at https://www.iacr.org/schools/propose.php

The IACR sponsors a small number of Cryptology Schools providing intensive training on clearly identified topics in cryptology. The aim is to develop awareness and increased capacity for research in cryptology. A list of past and upcoming schools can be found at https://www.iacr.org/schools
Hocheol Shin, Dohyun Kim, Yujin Kwon, Yongdae Kim
ePrint Report
With the advancement in computing, sensing, and vehicle electronics, autonomous vehicles are being realized. For autonomous driving, environment perception sensors such as radars, lidars, and vision sensors play core roles as the eyes of a vehicle; therefore, their reliability cannot be compromised. In this work, we present a spoofing by relaying attack, which can not only induce illusions in the lidar output but can also cause the illusions to appear closer than the location of a spoofing device. In a recent work, the former attack is shown to be effective, but the latter one was never shown. Additionally, we present a novel saturation attack against lidars, which can completely incapacitate a lidar from sensing a certain direction. The effectiveness of both the approaches is experimentally verified against Velodyne's VLP-16.
Martin R. Albrecht, Amit Deo
ePrint Report
We present a reduction from the module learning with errors problem (MLWE) in dimension \(d\) and with modulus \(q\) to the ring learning with errors problem (RLWE) with modulus \(q^{d}\). Our reduction increases the LWE error rate \(\alpha\) by a quadratic factor in the ring dimension \(n\) and a square root in the module rank \(d\) for power-of-two cyclotomics. Since, on the other hand, MLWE is at least as hard as RLWE, we conclude that the two problems are polynomial-time equivalent. As a corollary, we obtain that the RLWE instance described above is equivalent to solving lattice problems on module lattices. We also present a self reduction for RLWE in power-of-two cyclotomic rings that halves the dimension and squares the modulus while increasing the error rate by a similar factor as our MLWE to RLWE reduction. Our results suggest dropping the RLWE/MLWE distinction when discussing hardness, in favour of distinguishing problems by the module rank required to solve them.
David Leslie, Chris Sherfield, Nigel P. Smart
ePrint Report
A standard method to protect data and secrets is to apply threshold cryptography in the form of secret sharing. This is motivated by the acceptance that adversaries will compromise systems at some point; and hence using threshold cryptography provides a defence in depth. The existence of such powerful adversaries has also motivated the introduction of game theoretic techniques into the analysis of systems, e.g. via the FlipIt game of van Dijk et al. This work further analyses the case of FlipIt when used with multiple resources, dubbed FlipThem in prior papers. We examine two key extensions of the FlipThem game to more realistic scenarios; namely separate costs and strategies on each resource, and a learning approach obtained using so-called fictitious play in which players do not know about opponent costs, or assume rationality.
Céline Blondeau, Roberto Civino, Massimiliano Sala
ePrint Report
Is it possible that a block cipher apparently immune to classical differential cryptanalysis can be attacked considering a different operation on the message space? Recently Calderini and Sala showed how to effectively compute alternative operations on a vector space which can serve as message space for a block cipher such that the resulting structure is still a vector space. The latter were used to mount a linearisation attack against a toy cipher. Here we investigate the possibility of designing a block cipher which appears to be secure w.r.t. classical differential cryptanalysis, but weaker with respect to our attack which makes use of alternative operations. Furthermore, we compare the success probabilities of a distinguishing attack.
Alessandro Amadori, Federico Pintore, Massimiliano Sala
ePrint Report
In recent years several papers have appeared investigating the classical discrete logarithm problem for elliptic curves by means of the multivariate polynomial approach based on the celebrated summation polynomials, introduced by Semaev in 2004. However, with a notable exception by Petit et al. in 2016, all these numerous papers have investigated only the composite-field case, leaving aside the laborious prime-field case. In this paper we propose a variation of Semaev's original approach for the prime-field case. Our proposal outperforms both Semaev's original method and Petit et al.'s specialized algorithm. The improvement is reached by reducing the necessary Groebner basis computations to only one basis calculation.
Vincent Immler, Robert Specht, Florian Unterstein
ePrint Report
Protecting cryptographic implementations against side-channel attacks is a must to prevent leakage of processed secrets. As a cell-level countermeasure, so-called DPA-resistant logic styles have been proposed to prevent a data-dependent power consumption.

As most of the DPA-resistant logic is based on dual rails, properly implementing them is a challenging task on FPGAs, due to their fixed architecture and missing freedom in the design tools. While previous works show a significant security gain when using such logic on FPGAs, we demonstrate that this only holds for power analysis. In contrast, our attack using high-resolution electromagnetic analysis is able to exploit local characteristics of the placement and routing such that only a marginal security gain remains, therefore creating a severe threat.

To further analyze the properties of both attack and implementation, we develop a custom placer to improve the default placement of the analyzed AES S-box. Different cost functions for the placement are tested and evaluated w.r.t. the resulting side-channel resistance on a Spartan-6 FPGA. As a result, we are able to more than double the resistance of the design compared to cases not benefiting from the custom placement.
Edward Eaton
ePrint Report
Digital signatures constructed solely from hash functions offer competitive signature sizes and fast signing and verifying times. Moreover, the security of hash functions against a quantum adversary is believed to be well understood. This means that hash-based signatures are strong candidates for standard use in a post-quantum world. The Leighton-Micali signature scheme (LMS) is one such scheme being considered for standardization. However, all systematic analyses of LMS have only considered a classical adversary. In this work we close this gap by showing a proof of the security of LMS in the quantum random-oracle model. Our results match the bounds imposed by Grover's search algorithm within a constant factor, and remain tight in the multi-user setting.
Johannes Buchmann, Niklas Büscher, Florian Göpfert, Stefan Katzenbeisser, Juliane Krämer, Daniele Micciancio, Sander Siim, Christine van Vredendaal, Michael Walter
ePrint Report
Practical hardness results are necessary to select parameters for cryptographic schemes. Cryptographic challenges proved to be useful for determining the practical hardness of computational problems that are used to build public-key cryptography. However, several of these problems have the drawback that it is not known how to create a challenge for them without knowing the solutions. Hence, for these problems the creators of the challenges are excluded from participating. In this work, we present a method to create cryptographic challenges without excluding anyone from participating. This method is based on secure multi-party computation (MPC). We demonstrate that the MPC-based approach is indeed feasible by using it to build a challenge for the learning with errors (LWE) problem. The LWE problem is one of the most important problems in lattice-based cryptography. The security of many cryptographic schemes that have been proposed in the last decade is directly based on it. We identify parameters for LWE instances that provide the appropriate hardness level for a challenge while representing instances used to instantiate encryption schemes as close as possible. The LWE challenge is designed to determine the practical hardness of LWE, to gain an overview of the best known LWE solvers, and to motivate additional research effort in this direction.
Xavier Bultel, Pascal Lafourcade
ePrint Report
An Unlinkable Sanitizable Signature scheme (USS) allows a sanitizer to modify some parts of a signed message such that nobody can link the modified signature to the original one. A Verifiable Ring Signature scheme (VRS) allows the users to sign messages anonymously within a group such that a user can prove a posteriori to a verifier that he is the signer of a given message. In this paper, we first revisit the notion of VRS: we improve the proof capabilities of the users, we give a complete security model for VRS and we give an efficient and secure scheme called EVeR. Our main contribution is GUSS, a generic USS based on a VRS scheme and an unforgeable signature scheme. We show that GUSS instantiated with EVeR and Schnorr's signature is twice as efficient as the best USS scheme in the literature. Moreover, we propose a stronger definition of accountability: a USS is accountable when the signer can prove whether a signature is sanitized. We formally define the notion of strong accountability, where the sanitizer can also prove the origin of a signature. We show that the notion of strong accountability is important in practice. Finally, we prove the security properties of GUSS (including strong accountability) and EVeR under the Decisional Diffie-Hellman assumption in the random oracle model.

24 June 2017

Tampere University of Technology, Finland
Job Posting
Applications are invited for a tenure track position in the broad area of cyber security technologies. The focus can be in software security, hardware security, critical systems security or network security. Candidates considered for this tenure track position are expected to have research experience in one or more of the aforementioned areas.

Today, security is an essential ingredient of all information systems. Due to the complexity of the systems, and flaws in the design of the present-day Internet and the web, as well as weaknesses in the development methodologies, software design and tools, large-scale systems face risks due to cyber criminals and other malicious actors. The security related research in the laboratory currently includes topics in side-channel analysis, vulnerabilities in open-source software, security issues in IoT and SDN and network security in general.

The successful candidate aims to excel in:

  • scientific research
  • conducting and developing education in the field.

The candidate is expected to:

  • acquire external competitive funding
  • participate in the activities of the global scientific community as well as locally
  • interact with society and industry.

Closing date for applications: 28 August 2017

Contact: Miia Haikonen miia.haikonen(at)tut.fi

More information: https://careers.fi/tty/careers.cgi?action=view&job_id=1182&lang=uk#.WU5NOydLc8o


23 June 2017

Dennis Hofheinz, Kathrin Hövelmanns, Eike Kiltz
ePrint Report
The Fujisaki-Okamoto (FO) transformation (CRYPTO 1999 and Journal of Cryptology 2013) turns any weakly secure public-key encryption scheme into a strongly (i.e., IND-CCA) secure one in the random oracle model. Unfortunately, the FO analysis suffers from several drawbacks, such as a non-tight security reduction, and the need for a perfectly correct scheme. While several alternatives to the FO transformation have been proposed, they have stronger requirements, or do not obtain all desired properties. In this work, we provide a fine-grained and modular toolkit of transformations for turning weakly secure into strongly secure public-key encryption schemes. All of our transformations are robust against schemes with correctness errors, and their combination leads to several tradeoffs among tightness of the reduction, efficiency, and the required security level of the used encryption scheme. For instance, one variant of the FO transformation constructs an IND-CCA secure scheme from an IND-CPA secure one with a tight reduction and very small efficiency overhead. Another variant assumes only an OW-CPA secure scheme, but leads to an IND-CCA secure scheme with larger ciphertexts. We note that we also analyze our transformations in the quantum random oracle model, which yields security guarantees in a post-quantum setting.
Laboratoire Hubert Curien, University of Lyon, Saint-Etienne, France
Job Posting
The main objective of the research in the Embedded System Security Group is to propose efficient and robust hardware architectures aimed at applied cryptography and telecom that are resistant to passive and active cryptographic attacks. More information on https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures.html.

For a new project which addresses the problem of the security of True Random Number Generators (TRNGs), we are looking for candidates with an outstanding Ph.D. in applied mathematics and a strong publication record in this field. The main topic of the post-doc is to work on stochastic modeling of TRNGs. Knowledge of French is not mandatory.

The Post-Doc position will start in September or October 2017 (flexible starting date); it is funded for 12 months.

To apply please send your detailed CV (with publication list), motivation for applying (1 page) and names of at least two people who can provide reference letters (e-mail).

Closing date for applications: 14 July 2017

Contact: Dr. Lilian BOSSUET lilian.bossuet(at)univ-st-etienne.fr

IMDEA Software Institute, Madrid, Spain
Job Posting
The IMDEA Software Institute invites applications for a postdoctoral position in the area of Cryptography. The successful candidate will join the cryptography group to do research in the analysis and design of provably-secure cryptographic protocols (in particular, possible subjects are zero-knowledge proofs, electronic voting protocols, secure outsourcing).

The position is based in Madrid, Spain, where the IMDEA Software Institute is situated. Salaries are internationally competitive and include attractive conditions such as access to an excellent public healthcare system. The working language at the institute is English.

Applicants should have already completed, or be close to completing, a PhD in computer science, mathematics, or a related discipline. Applicants should have an excellent research track record demonstrated by publications at major cryptography/security venues, and should have significant experience in the design of cryptographic protocols and provable security. The application requires, among other documents, a CV, a research statement, and the names of 3 persons who can provide references about you and your work.

The postdoctoral position is for one year. The starting date is negotiable but not later than January 2018.

Applicants interested in the position should send an email to Dario Fiore and submit the application documents at https://careers.imdea.org/software/. Applications are accepted until the position is filled.

Closing date for applications: 30 November 2017

Contact: For enquiries about the position, please contact:

Dario Fiore dario.fiore (at) imdea.org

Université de Rennes 1/IRISA Rennes
Job Posting
The EMSEC research team (https://www.irisa.fr/emsec/) and Pierre-Alain Fouque (http://www.di.ens.fr/~fouque/) are looking for a post-doc on real-world security and cryptography, in particular applied to TLS 1.3. This research is funded by the Agence Nationale de Recherche (ANR) for the SafeTLS project (safetls.gforge.inria.fr).

We are looking for a motivated researcher with a good publication record and an interest in real-world cryptography. More particularly we require:

  • a basic knowledge of Authenticated Key-Exchange protocols (AKE)
  • an understanding of the TLS protocol
  • expertise in computational security models and proofs
  • knowledge of TLS 1.3 (optional, but a strong plus)
  • knowledge of TLS implementations (a strong plus)

The successful candidate is expected to contribute in high-level research, and to work together with the SafeTLS partners (http://safetls.gforge.inria.fr/consortium.html) towards attaining the ambitious goals of the SafeTLS project (http://safetls.gforge.inria.fr/aims.html). We are an international team and will require no knowledge of French.

A successful candidate will be hired for a two-year research contract, hosted by the Université de Rennes 1 (https://international.univ-rennes1.fr/) at the IRISA research center in Rennes, France (https://www.irisa.fr/en). Situated at 2 hours (by express train) from Paris, Rennes is an important research center in cryptography and security, and a strong partner in the Pôle d’Excellence Cybersécurité (PEC) in France, which attracts competitive and very high-level research in all areas of security and cryptography.

Candidates are invited to apply as soon as possible. Applications will be reviewed as soon as they are received and until the position is filled. For any additional information, please contact Pierre-Alain Fouque pa.fouque (at) gmail.com or Cristina Onete, cristina.onete (at) gmail.com

Closing date for applications: 1 September 2017

Contact: Pierre-Alain Fouque, pa.fouque (at) gmail.com

Cristina Onete, cristina.onete (at) gmail.com

More information: https://www.irisa.fr/emsec

Donghoon Chang, Arpan Jati, Sweta Mishra, Somitra Kumar Sanadhya
ePrint Report
A cryptanalytic technique known as time-memory tradeoff (TMTO) was proposed by Hellman for finding the secret key of a block cipher. This technique allows sharing the effort of key search between the two extremes of exhaustively enumerating all keys versus listing all possible ciphertext mappings produced by a given plaintext (i.e. table lookups). The TMTO technique has also been used as an effective cryptanalytic approach for password hashing schemes (PHS). The increasing threat of password leakage from compromised password hashes demands a resource-consuming algorithm to prevent the precomputation of the password hashes. A class of password hashing designs provides such a defense against TMTO attacks by ensuring that any reduction in the memory leads to an exponential increase in runtime. These are called memory-hard designs. However, it is generally difficult to evaluate the "memory hardness" of a given PHS design.

In this work, we present a simple technique to analyze TMTO for any password hashing scheme which can be represented as a directed acyclic graph (DAG). The nodes of the DAG correspond to the storage required by the algorithm and the edges correspond to the flow of the execution. Our proposed technique provides expected run-times at varied levels of available storage for the DAG. Although our technique is generic, we show its efficacy by applying it to three designs from the "Password Hashing Competition" (PHC): Argon2i (the PHC winner), Catena and Rig. Our analysis shows that Argon2i fails to maintain the claimed memory hardness. In a recent work, Corrigan-Gibbs et al. indeed showed an attack highlighting the weak memory hardening of Argon2i. We also analyze these PHS for performance under various settings of time and memory complexities.
Sean Bowe, Ariel Gabizon, Matthew D. Green
ePrint Report
Recent efficient constructions of zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs) require a setup phase in which a common-reference string (CRS) with a certain structure is generated. This CRS is sometimes referred to as the public parameters of the system, and is used for constructing and verifying proofs. A drawback of these constructions is that whoever runs the setup phase subsequently possesses trapdoor information enabling them to produce fraudulent pseudoproofs.

Building on a work of Ben-Sasson, Chiesa, Green, Tromer and Virza [BCGTV15], we construct a multi-party protocol for generating the CRS of the Pinocchio zk-SNARK [PHGR15], such that as long as at least one participating party is not malicious, no party can later construct fraudulent proofs except with negligible probability. The protocol also provides a strong zero-knowledge guarantee even in the case that all participants are malicious.

This method has been used in practice to generate the required CRS for the Zcash cryptocurrency blockchain.