International Association for Cryptologic Research


IACR News

Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo, and Facebook.

28 October 2017

Sumanta Sarkar, Habeeb Syed, Rajat Sadhukhan, Debdeep Mukhopadhyay
ePrint Report
Serial matrices are a preferred choice for building diffusion layers of lightweight block ciphers as one just needs to implement the last row of such a matrix. In this work we analyze a new class of serial matrices which are the lightest possible $4 \times 4$ serial matrices that can be used to build diffusion layers. With this new matrix we show that block ciphers like LED can be implemented with a reduced area in hardware designs, though it has to be cycled for more iterations. Further, we suggest the usage of an alternative S-box to the standard S-box used in LED with similar cryptographic robustness, albeit having a smaller area footprint. Finally, we combine these ideas in an end-to-end FPGA based prototype of LED. We show that with these optimizations, there is a reduction of $16\%$ in the area footprint of a one-round implementation of LED.
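The point of a serial diffusion matrix is that the full MDS matrix $M = A^k$ is never stored: hardware implements only the last row of $A$ and cycles it $k$ times. The following is an added illustration, not code from the paper above or from the LED specification. It uses the LED MixColumnsSerial matrix $A$ (last row 4, 1, 2, 2 over $\mathbb{F}_{2^4}$ with reduction polynomial $x^4+x+1$) as the worked instance, checks that cycling the one-row step four times equals multiplying by $A^4$, and verifies the MDS property by testing every square submatrix for non-singularity. Any other candidate last row, such as a lighter one from the paper, can be substituted for `LAST_ROW`.

```python
# Added example (not code from the paper or the LED specification): a serial
# (companion-form) diffusion matrix over GF(2^4). Only the last row needs to
# be implemented; the other rows are a shifted identity. The constants below
# are LED's MixColumnsSerial matrix A and LED's field polynomial x^4 + x + 1.
from itertools import combinations

POLY = 0b10011              # x^4 + x + 1, reduction polynomial of GF(2^4)
LAST_ROW = [0x4, 0x1, 0x2, 0x2]  # last row of A; rows 0..2 select input i+1
N = 4


def gf16_mul(a, b):
    """Multiply two elements of GF(2^4) modulo POLY (shift-and-add)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r


def serial_step(v, last_row=LAST_ROW):
    """One application of A: shift the column up, compute the new last entry."""
    new_last = 0
    for coef, x in zip(last_row, v):
        new_last ^= gf16_mul(coef, x)
    return v[1:] + [new_last]


def serial_apply(v, rounds=N, last_row=LAST_ROW):
    """What a cycled hardware implementation does: apply A `rounds` times."""
    for _ in range(rounds):
        v = serial_step(v, last_row)
    return v


def serial_matrix(last_row=LAST_ROW):
    """The full matrix A that corresponds to last_row."""
    rows = [[1 if j == i + 1 else 0 for j in range(N)] for i in range(N - 1)]
    return rows + [list(last_row)]


def mat_mul(x, y):
    n = len(x)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            acc = 0
            for k in range(n):
                acc ^= gf16_mul(x[i][k], y[k][j])
            out[i][j] = acc
    return out


def mat_vec(m, v):
    out = []
    for row in m:
        acc = 0
        for coef, x in zip(row, v):
            acc ^= gf16_mul(coef, x)
        out.append(acc)
    return out


def mat_pow(m, e):
    n = len(m)
    result = [[1 if i == j else 0 for j in range(n)] for i in range(n)]
    for _ in range(e):
        result = mat_mul(result, m)
    return result


def det(m):
    """Determinant over GF(2^4) by Laplace expansion; in characteristic 2
    the alternating signs disappear, so minors are simply XORed."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total ^= gf16_mul(m[0][j], det(minor))
    return total


def is_mds(m):
    """A square matrix is MDS iff every square submatrix is non-singular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[m[i][j] for j in cols] for i in rows]
                if det(sub) == 0:
                    return False
    return True


def led_mds_matrix():
    """M = A^4, the matrix that LED's MixColumnsSerial effectively computes."""
    return mat_pow(serial_matrix(), N)


if __name__ == "__main__":
    M = led_mds_matrix()
    print("A^4 =", [[hex(x) for x in row] for row in M])
    print("A^4 is MDS:", is_mds(M), "| A alone is MDS:", is_mds(serial_matrix()))
    v = [0x1, 0x2, 0x3, 0x4]
    print("cycled one-row step == full matrix:", serial_apply(v) == mat_vec(M, v))
```

`is_mds(serial_matrix())` is False, as expected for any companion matrix (it contains zeros), which is exactly why the matrix must be cycled: the diffusion comes from $A^4$, not from $A$, and a lighter last row buys area at the cost of extra clock cycles.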
Ling Song, Jian Guo, Danping Shi
ePrint Report
In this paper, we provide a new MILP modeling to find better/optimal choices of conditional cubes. These choices generally find new or improved attacks against the keyed constructions based on Keccak permutations, including Keccak-MAC, KMAC, Kravatte, KEYAK, and KETJE, in terms of attack complexities or the number of attacked rounds. Specifically, we find new key recovery attacks against KMAC128 and KMAC256, which are the NIST standard way of constructing a MAC from SHA-3, reduced to $7$ and $9$ rounds respectively. For Kravatte, up to 10 out of 14 rounds can be attacked similarly. The best attack against Lake KEYAK with 128-bit keys is improved from $6$ to $8$ rounds in the nonce-respecting setting, and 9 rounds of Lake KEYAK can be attacked if the key size is 256. Attack complexity improvements are found generally on other constructions. To verify the correctness of our attacks, reduced variants of the attacks against KMAC are implemented and tested on a PC in practice.
Pyrros Chaidos, Geoffroy Couteau
ePrint Report
We propose a framework for constructing efficient designated-verifier non-interactive zero-knowledge proofs (DVNIZK) for a wide class of algebraic languages over abelian groups, under standard assumptions. The proofs obtained via our framework are proofs of knowledge, and enjoy statistical and unbounded soundness (the soundness holds even when the prover receives arbitrary feedback on previous proofs). Previously, no efficient DVNIZK system satisfying any of those three properties was known. Our framework allows proving arbitrary relations between cryptographic primitives such as Pedersen commitments, ElGamal encryptions, or Paillier encryptions, in an efficient way. For the latter, we further exhibit the first non-interactive zero-knowledge proof system in the standard model which is more efficient than proofs obtained via the Fiat-Shamir transform, with still-meaningful security guarantees and under standard assumptions. Our framework has numerous applications, in particular for the design of efficient privacy-preserving non-interactive authentication.
Rajendra Kumar, Mahesh Sreekumar Rajasree
ePrint Report
In this paper, we give a pre-image attack against the 1-round KECCAK-512 hash function, which also works for 1 round of all the variants of KECCAK.

24 October 2017

Bjørn Møller Greve, Håvard Raddum, Gunnar Fløystad, Øyvind Ytrehus
ePrint Report
Systems of Boolean equations of low degree arise in a natural way when analyzing block ciphers. The cipher's round functions relate the secret key to auxiliary variables that are introduced by each successive round. In algebraic cryptanalysis, the attacker attempts to solve the resulting equation system in order to extract the secret key. In this paper we study algorithms for eliminating the auxiliary variables from these systems of Boolean equations. It is known that elimination of variables in general increases the degree of the equations involved. In order to contain computational complexity and storage complexity, we present two new algorithms for performing elimination while bounding the degree at 3, which is the lowest possible for elimination. Further we show that the new algorithms are related to the well known XL algorithm. We apply the algorithms to a downscaled version of the LowMC cipher and to a toy cipher based on the Prince cipher, and report on experimental results pertaining to these examples.
Jian Guo, Ling Song
ePrint Report
This note analyzes the security of Kravatte against the cube attack. We provide an analysis result which recovers the master key of the current version of full Kravatte with data and time complexities $2^{136.01}$, and negligible memory. The same could be applied to the first version of Kravatte with complexities of $2^{38.04}$, which could be carried out in practice. These results are possible thanks to a clever way of constructing affine spaces bypassing the first permutation layer of Kravatte proposed by the designers and a simple yet efficient way to invert the last layer of Sbox in Kravatte.
Andreas Hülsing, Tanja Lange, Kit Smeets
ePrint Report
This paper suggests to use rounded Gaussians in place of discrete Gaussians in rejection-sampling-based lattice signature schemes like BLISS. We show that this distribution can efficiently be sampled from while additionally making it easy to sample in constant time, systematically avoiding recent timing-based side-channel attacks on lattice-based signatures.

We show the effectiveness of the new sampler by applying it to BLISS, prove analogues of the security proofs for BLISS, and present an implementation that runs in constant time. Our implementation needs no precomputed tables and is twice as fast as the variable-time CDT sampler posted by the BLISS authors with precomputed tables.
Srinivas Vivek
ePrint Report
The lookup-table based side-channel countermeasure is the prime choice for masked S-box software implementations at very low orders. To mask an $n$-bit to $m$-bit S-box at first and second order, one requires a temporary table in RAM of size $m \cdot 2^n$ bits. Recently, Vadnala (CT-RSA 2017) suggested masked table compression schemes at first and second order to reduce the table size by (approximately) a factor of $2^l$, where $l$ is a parameter. Though greater compression results in a greater execution time, these proposals would still be attractive for highly resource-constrained devices.

In this work, we contradict the second-order security claim of the second-order table compression scheme by Vadnala. We do this by exhibiting several pairs of intermediate variables that jointly depend on the bits of the secret. Motivated by the fact that randomness is also a costly resource for highly resource-constrained devices, we then propose a variant of the first-order table compression scheme of Vadnala that has a randomness complexity of about $l$ instead of $2^l$ for the original proposal. We achieve this without inducing any noticeable difference in the overall execution time or memory requirement of the original scheme. Finally, we show that the randomness complexity of $l$ is optimal in an algebraic sense.
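The uncompressed masked table the abstract starts from is $T[x \oplus r_{in}] = S[x] \oplus r_{out}$, which costs $m \cdot 2^n$ bits of RAM; the security argument is that any single intermediate variable has a distribution independent of the secret, and the kind of flaw reported above is a pair of intermediates that jointly does depend on it. The block below is an added illustration, not code from the paper or from Vadnala's compression schemes: it builds the first-order masked table for the 4-bit PRESENT S-box (the S-box choice is an assumption for illustration) and runs an exhaustive distribution check over all masks that decides whether a given intermediate, or a pair of intermediates, leaks the secret. The helper names are hypothetical.

```python
# Added example (not code from the paper or from Vadnala's scheme): the
# uncompressed first-order masked S-box table (m * 2^n bits of RAM) and an
# exhaustive check of whether an intermediate variable's distribution over
# the random masks depends on the secret. The S-box is the 4-bit PRESENT
# S-box, chosen here only for illustration.
from itertools import product
from collections import Counter

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS = 4   # n: S-box input width
M_BITS = 4   # m: S-box output width


def masked_table(sbox, r_in, r_out):
    """Recompute S as T[x ^ r_in] = S[x] ^ r_out.

    The table has 2^n entries of m bits each, i.e. m * 2^n bits of RAM,
    which is the cost that the compression schemes in the abstract reduce.
    """
    size = 1 << N_BITS
    table = [0] * size
    for x in range(size):
        table[x ^ r_in] = sbox[x] ^ r_out
    return table


def masked_lookup(table, masked_x):
    """Look up a masked input; yields S[x] ^ r_out without ever unmasking x."""
    return table[masked_x]


def table_bits(n_bits, m_bits):
    """RAM needed by the uncompressed masked table, in bits."""
    return m_bits * (1 << n_bits)


def secret_dependence(intermediate):
    """True if the distribution of intermediate(x, r_in, r_out) over the
    uniformly random masks differs between secrets x. For a function that
    returns a single variable this is a first-order leak; for a tuple of
    variables it is a leak at the order equal to the tuple length."""
    masks = list(product(range(1 << N_BITS), range(1 << M_BITS)))
    dists = set()
    for x in range(1 << N_BITS):
        c = Counter(intermediate(x, r_in, r_out) for r_in, r_out in masks)
        dists.add(frozenset(c.items()))
    return len(dists) > 1


# Single intermediates of the masked lookup: each alone is secret-independent.
def masked_input(x, r_in, r_out):
    return x ^ r_in


def masked_output(x, r_in, r_out):
    return masked_lookup(masked_table(SBOX, r_in, r_out), x ^ r_in)


# A pair that jointly reveals the secret: the shape of flaw the abstract
# reports, shown here on the obvious pair (masked input, input mask).
def input_share_pair(x, r_in, r_out):
    return (x ^ r_in, r_in)


def correctness():
    """Masked lookup followed by unmasking must agree with S for every
    secret and every choice of masks."""
    for r_in, r_out in product(range(1 << N_BITS), range(1 << M_BITS)):
        t = masked_table(SBOX, r_in, r_out)
        for x in range(1 << N_BITS):
            if masked_lookup(t, x ^ r_in) ^ r_out != SBOX[x]:
                return False
    return True


if __name__ == "__main__":
    print("masked table RAM (bits):", table_bits(N_BITS, M_BITS))
    print("correct for all masks:", correctness())
    print("masked input leaks at 1st order:", secret_dependence(masked_input))
    print("masked output leaks at 1st order:", secret_dependence(masked_output))
    print("(masked input, mask) leaks at 2nd order:", secret_dependence(input_share_pair))
```

The same `secret_dependence` check, applied to the intermediates of a compressed table scheme, is how a claimed second-order security argument is refuted in practice: one enumerates candidate pairs of intermediates and looks for any whose joint distribution varies with the secret.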
Ashrujit Ghoshal, Thomad De Cnudde
ePrint Report
Threshold implementation is a masking technique that provides provable security for implementations of cryptographic algorithms against power analysis attacks. In recent publications, several different threshold implementations of AES have been designed. However, in most of the threshold implementations of AES, the Canright S-box has been used. The Boyar-Peralta S-box is an alternative implementation of the AES S-box with a minimal circuit depth and is comparable in size to the frequently used Canright AES S-box. In this paper, we present several versions of first-order threshold implementations of the Boyar-Peralta AES S-box with different numbers of shares and several trade-offs in area, randomness and speed. To the best of our knowledge these are the first threshold implementations of the Boyar-Peralta S-box. Our implementations compare favourably with some of the existing threshold implementations of the Canright S-box along the design trade-offs, e.g. while one of our S-boxes is 49% larger in area than the smallest known threshold implementation of the Canright AES S-box, it uses 63% less randomness and requires only 50% of the clock cycles. We provide results of a practical security evaluation based on real power traces to confirm the first-order attack resistance of our implementations.
Rachid El Bansarkhani, Ali El Kaafarani
ePrint Report
Direct Anonymous Attestation (DAA) is a complex cryptographic protocol that has been widely deployed in practice, with more than 500 million machines in the market that are already equipped with its hardware, the so-called Trusted Platform Module (TPM). While formalizing the right security model for such a complex protocol has triggered a dense line of research, all the proposed DAA schemes so far are based on number-theoretic problems that are known to be vulnerable to quantum computer attacks. In this paper, we propose the first lattice-based DAA scheme that is secure w.r.t. the most up-to-date security model proposed by Camenisch et al. More precisely, our lattice-based DAA scheme is secure in the Universally Composable (UC) security model. Furthermore, we give (amongst others) the first lattice-based DAA scheme providing user-controlled linkability, which is realized by means of a new lattice-based MAC/TAG construction that could be of independent interest.
Alexandre Adomnicai, Jacques J.A. Fournier, Laurent Masson
ePrint Report
ChaCha is a family of stream ciphers that are very efficient on constrained platforms. In this paper, we present electromagnetic side-channel analyses for two different software implementations of ChaCha20 on a 32-bit architecture: one compiled and another one directly written in assembly. On the device under test, practical experiments show that they have different levels of resistance to side-channel attacks. For the most leakage-resilient implementation, an analysis of the whole quarter round is required. To overcome this complication, we introduce an optimized attack based on a divide-and-conquer strategy, named the bricklayer attack.
Wei Yu, Saud Al Musa, Guangwu Xu, Bao Li
ePrint Report
Let $E_a: y^2+xy=x^3+ax^2+1$ over $\mathbb{F}_{2^m}$ be a Koblitz curve. The window $\tau$-adic non-adjacent form (window $\tau$NAF) is currently the standard representation system to perform scalar multiplications on $E_a$ by utilizing the Frobenius map $\tau$. Pre-computation is an important part of the window $\tau$NAF. In this paper, we first introduce $\mu\bar{\tau}$-operations in lambda coordinates ($\mu=(-1)^{1-a}$ and $\bar{\tau}$ is the complex conjugate of the complex representation of $\tau$). Efficient formulas for $\mu\bar{\tau}$-operations are then derived and used in a novel pre-computation scheme to improve the efficiency of scalar multiplications using window $\tau$NAF. Our pre-computation scheme costs $7$M$+5$S, $26$M$+16$S, and $66$M$+36$S for window $\tau$NAF with width $4$, $5$, and $6$ respectively, whereas the pre-computation with the state-of-the-art technique costs $11$M$+8$S, $43$M$+18$S, and $107$M$+36$S. Experimental results show that our pre-computation is about $60\%$ faster, compared to the best pre-computation in the literature. They also show that we can save from $2.5\%$ to $4.9\%$ on the scalar multiplications using window $\tau$NAF with our pre-computation.
Mustafa Khairallah, Anupam Chattopadhyay, Thomas Peyrin
ePrint Report
In this paper, we investigate the efficiency of FPGA implementations of AES and AES-like ciphers, especially in the context of authenticated encryption. We consider the encryption/decryption and the authentication/verification structures of OCB-like modes (like the OTR or SCT modes). Their main advantage is that they are fully parallelisable. While this feature has already been used to increase the throughput/performance of hardware implementations, it is usually overlooked while comparing different ciphers. We show how to use it with zero area overhead, leading to a very significant efficiency gain. Additionally, we show that using FPGA technology mapping instead of logic optimization, the area of both the linear and non-linear parts of the round function of several AES-like primitives can be reduced, without affecting the runtime performance. We provide the implementation results of two multi-stream implementations of both the LED and AES block ciphers. The AES implementation in this paper achieves an efficiency of 38 Mbps/slice, which is the most efficient implementation in the literature, to the best of our knowledge. For LED, it achieves 2.5 Mbps/slice on a Spartan 3 FPGA, which is 2.57x better than the previous implementation. Besides, we use our new techniques to optimize the FPGA implementation of the CAESAR candidate Deoxys-I in both the encryption-only and encryption/decryption settings. Finally, we show that the efficiency gains of the proposed techniques extend to other technologies, such as ASIC, as well.
Sergi Delgado-Segura, Cristina Pérez-Solà, Guillermo Navarro-Arribas, Jordi Herrera-Joancomartí
ePrint Report
On-line commercial transactions involve an inherent mistrust between participant parties since, sometimes, no previous relation exists between them. Such mistrust may be a deadlock point in a trade transaction where the buyer does not want to perform the payment until the seller sends the good and the seller does not want to do so until the buyer pays for the purchase. In this paper we present a fair protocol for data trading where the commercial deal, in terms of delivering the data and performing the payment, is atomic since the seller cannot redeem the payment unless the buyer obtains the data and the buyer cannot obtain the data without performing the payment. The protocol is based on Bitcoin scripting language and the fairness of the protocol can be probabilistically enforced.
Virginie Lallemand, Shahram Rasoolzadeh
ePrint Report
The rapid growth of the Internet of Things together with the increasing popularity of connected objects have created a need for secure, efficient and lightweight ciphers. Among the multitude of candidates, the block cipher PRIDE is, to this day, one of the most efficient solutions for 8-bit micro-controllers. In this paper, we provide new insights and a better understanding of differential attacks on PRIDE. First, we show that two previous attacks are incorrect, and describe (new and old) properties of the cipher that make such attacks intricate. Based on this understanding, we show how to properly mount a differential attack. Our proposal is the first single-key differential attack that reaches 18 rounds out of 20. It requires $2^{61}$ chosen plaintexts and recovers the 128-bit key with a final time complexity of $2^{63.3}$ encryptions, while requiring a memory of about $2^{35}$ blocks of 64 bits.
Beijing, China, 30 May - 1 June 2018
Event Calendar
Event date: 30 May to 1 June 2018
Submission deadline: 20 December 2017
Notification: 27 February 2018
Smolenice, Slovakia, 6 June - 8 June 2018
Event Calendar
Event date: 6 June to 8 June 2018
Submission deadline: 31 March 2018
Notification: 30 April 2018
Singapore University of Technology and Design (SUTD)
Job Posting
Singapore University of Technology and Design (SUTD) is a young university which was established in collaboration with MIT. iTrust is a Cyber Security Research Center with about 15 multi-discipline faculty members from SUTD. It has the world's best facilities in cyber-physical systems (CPS) including testbeds for Secure Water Treatment (SWaT), Water Distribution (WADI), Electric Power and Intelligent Control (EPIC), and IoT. (See more info at https://itrust.sutd.edu.sg/research/testbeds/)

I am looking for PhD interns with interest in cyber-physical system security (IoT, water, power grid, transportation, and autonomous vehicle etc.), especially on the topics such as 1) Lightweight and resilient authentication of devices and data in CPS, 2) Advanced SCADA firewall to filter more sophisticated attacking packets in CPS, 3) AI-based threat analytics for detection of attacks to CPS, 4) Security of maritime navigation systems. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Closing date for applications: 30 November 2017

Contact: jianying_zhou (at) sutd.edu.sg

More information: http://jianying.space/

Instituto de Telecomunicações
Job Posting
We are looking for outstanding, self-motivated PhD students for SECRET: a collaborative European Training Network (ETN) targeting research on 5G mobile systems.

WHAT WE OFFER

• 2 PhD positions (3-year working contracts);

• An international environment with excellent researchers;

• Personalized supervision and career tracking, coupled with first class infrastructures;

• Exposure to academic and industry driven research;

• Support for career development through training in several fields;

• PhD degree in collaboration with UK universities;

• A working contract with a very competitive salary (40.000€/year - gross); additional family allowance will be included when applicable.

Positions on:

- ESR1 - Key management schemes for 5G mobile systems

- ESR2 - Intrusion detection and prevention for 5G mobile systems

KEY REQUIREMENTS AND ELIGIBILITY CRITERIA

- Good first degree (Telecommunications / Electronics / Computer Science/ Engineering /Mathematics) and Masters with strong component of research

- Excellent command of English.

- Applicants shall be in the first four years of full-time equivalent research experience of their careers and not yet have a doctoral degree.

- Researchers must not have resided or carried out their main activity (work, studies, etc.) in Portugal for more than 12 months in the 3 years immediately prior to the reference date.

TO APPLY:

To apply, please send an email to cbarbosa (at) av.it.pt with:

- A cover letter

- A detailed CV;

Closing date for applications: 31 October 2017

Contact: Cláudia Barbosa - cbarbosa (at) av.it.pt

More information: http://www.euraxess.pt/jobs/238795

IRISA, Rennes, France
Job Posting
Embedded Security and Cryptography (EMSEC) is a research team within the IRISA computer science institute located in Rennes. Rennes is an important research center in security and cryptography situated at 2 hours (by express train) from Paris, and 45 minutes from the seaside.

We are looking for a motivated postdoctoral researcher with a good publication record and experience/interest in at least one of the following fields:

  • Side Channels
  • Micro-architecture
  • System security for mobile, cloud or IoT systems
  • Applied cryptography

The researcher will investigate micro-architectural attacks, including cache attacks, or attacks on DRAM or the branch prediction unit. In particular, we are interested in automatically finding new side channels on hardware, as well as automatically finding related vulnerabilities on software (e.g. in cryptographic protocols). Knowledge of French is not required.

Applications should include the following documents:

  • Motivation letter clearly explaining the candidate's interest in the proposed topic and his/her fit to the position;
  • Curriculum Vitae (including education and research experience, short description of the PhD thesis, list of publications, etc.);
  • Names and email addresses of two persons who can provide references.

Candidates are invited to apply as soon as possible. Applications will be reviewed as soon as they are received and until the position is filled.

Ideally, the position will start at the beginning of 2018 (no fixed date).

For any additional information, please contact Clémentine Maurice: clementine.maurice (at) irisa.fr

Closing date for applications: 18 December 2017

Contact: Clémentine Maurice: clementine.maurice (at) irisa.fr

More information: https://www.irisa.fr/emsec/
