International Association
for Cryptologic Research

Event date: 14 November to 15 November 2019
Submission deadline: 25 August 2019

Recently, in IEEE Transactions on Industrial Informatics, Fan et al. proposed a lightweight RFID protocol which has been suggested to be employed for protecting the Medical Privacy in an IoT system. However, the protocol has trivial flaws, as it is shown recently by Aghili et al., in Future Generation Computer Systems. Aghili \textit{et al.} also proposed an improved version of the protocol, based on the similar designing paradigm, called SecLAP. Although the protocol's designers claimed full security against all attacks in the context, we show that the proposed protocol has serious security flaws, by presenting traceability and passive secret disclosure attacks against this protocol. More precisely, we present passive partial secret disclosure attack with the complexity of eavesdropping one session of the protocol and success probability of `1'. The disclosed parameters can be used to trace the tag/reader in any later session which compromises the tag/reader privacy. In addition, we present a passive full secret disclosure attack against SecLAP which can disclose $2n$-bit secret key, $n$-bit $TID$ and $n$-bit $RID$ with the computational complexity of $27n^7$. In addition, we show that, as it is expected, Fan et al.'s protocol has the worse possible security in random oracle model, where the adversary's advantage after $q$ queries to distinguish the protocol from a random oracle is $1- 2^{-q} $. We also evaluate the security of SecLAP in the random oracle model and show that it is as insecure as its predecessor.

Internet of Things (IoT) has various applications such as healthcare, supply chain, agriculture, etc. Using the Internet of Vehicles(IoV) to control traffic of the cities is one of the IoT applications to construct smart cities. Recently Fan et al. proposed an authentication protocol to provide security of the IoV networks. They claimed that their scheme is secure and can resist against various known attacks. In this paper, we analyze more deeply the proposed scheme and show that their scheme is vulnerable against disclosure and desynchronization attacks. In disclosure attack, we disclose unique identification of the tag $ID$, secret key $S$, encryption matrix $M_2$ and half rows of encryption matrix $M_1$. Furthermore, we proposed an improved authentication scheme based on Maximum Distance Separable(MDS) matrices that is resistance against various attacks while maintaining low computational cost.

IoT systems are vulnerable to various cyber attacks as they form a subset of the In- ternet. Insider attacks find more significance since many devices are configured to access the Internet without intrusion detection systems or firewalls in place. The current work focuses on three insider attacks, namely, blackhole attack, sinkhole attack and wormhole attack. A distrib - uted trust based intrusion detection system is proposed to detect these attacks. The trust scores are compared with those existing in immutable distributed ledger and used to arrive at a deci- sion to include or exclude a node.

Recently Bar-On et al. proposed the DLCT for a tighter analysis of probabilities for differential-linear distinguishers. We extend the analysis of the DLCT, and gain new insights about this notion.

The DLCT entries correspond to the autocorrelation spectrum of the component functions and thus the DLCT is nothing else as the ACT. We note that the ACT spectrum is invariant under some equivalence relations. Interestingly the ACT spectrum is not invariant under inversion (and thus not under CCZ equivalence), implying that it might be beneficial to look at the decryption for a differential-linear cryptanalysis.

Furthermore, while for Boolean functions a lower bound for the maximal absolute autocorrelation, the absolute indicator, is not known, the case for vectorial Boolean functions is different. Here, we prove that for any vectorial Boolean function, its absolute indicator is lower bounded by $2^{n/2}$. Eventually, for APN functions we show a connection of the absolute indicator to the linearity of balanced Boolean functions, and exhibit APN permutations with absolute indicator bounded by $2^{(n+1)/2}$.

In this article, we propose new heuristics for minimizing the amount of XOR gates required to compute a system of linear equations in GF(2). We first revisit the well known Boyar-Peralta strategy and argue that a proper randomization process during the selection phases can lead to great improvements. We then propose new selection criteria and explain their rationale. Our new methods outperform state-of-the-art algorithms such as Paar or Boyar-Peralta (or open synthesis tools such as Yosys) when tested on random matrices with various densities. They can be applied on matrices of reasonable sizes (up to about 32 x 32). Notably, we provide a new implementation record for the matrix underlying the MixColumns function of the AES block cipher, requiring only 94 XORs.

Functional encryption (FE) that bases on user attributes has many useful practical applications. For example, a company may only authorize department heads of other sections to query the average sale figures of the sales department from the encrypted sales amounts of all sales. However, FE schemes that can solve this problem are based on new, but not well-studied assumptions (such as indistinguishable obfuscation or multilinear maps). It is not clear if these FE schemes are secure. In this paper, we develop the first functional encryption scheme (ABFE) from simple and well-studied assumptions that can authorize a user base on the user's attributes to obtain a functional value of the encrypted data.

Rank metric is a very promising research direction for code-based cryptography. In fact, thanks to the high complexity of generic decoding attacks against codes in this metric, it is possible to easily select parameters that yield very small data sizes. In this paper we analyze cryptosystems based on Low-Rank Parity-Check (LRPC) codes, one of the classes of codes that are efficiently decodable in the rank metric. We show how to exploit the decoding failure rate, which is an inherent feature of these codes, to devise a reaction attack aimed at recovering the private key. As a case study, we cryptanalyze the recent McNie submission to NIST’s Post-Quantum Standardization process. Additionally, we provide details of a simple implementation to validate our approach.

This paper presents pqm4 – a testing and benchmarking framework for the ARM Cortex-M4. It makes use of a widely available discovery board with 196 KiB of memory and 1 MiB flash ROM. It currently includes 10 key encapsulation mechanisms and 5 signature schemes of the NIST PQC competition. For the remaining 11 schemes, the available implementations do require more than the available memory or they depend on external libraries which makes them arguably unsuitable for embedded devices.

CSIDH is an isogeny-based key exchange protocol proposed by Castryck, Lange, Martindale, Panny, and Renes in 2018. CSIDH is based on the ideal class group action on $\mathbb{F}_p$-isomorphic classes of Montgomery curves. In order to calculate the class group action, we need to take points defined over $\mathbb{F}_{p^2}$. The original CSIDH algorithm requires a calculation over $\mathbb{F}_p$ by representing points as $x$-coordinate over Montgomery curves. Meyer and Reith proposed a faster CSIDH algorithm in 2018 which calculates isogenies on Edwards curves by using a birational map between a Montgomery curve and an Edwards curve. If we try to calculate the class group action on Edwards curves in a similar way on Montgomery curves, we have to consider points defined over $\mathbb{F}_{p^4}$. Therefore, it is not a trivial task to calculate the class group action on Edwards curves over $\mathbb{F}_p$.

In this paper, we prove a number of theorems on the properties of Edwards curves. By using these theorems, we devise a new CSIDH algorithm that uses only Edwards curves while calculating over $\mathbb{F}_p$. This algorithm is as fast as (or a little bit faster than) the algorithm proposed by Meyer and Reith.

Poly1305 is a polynomial hash function designed by Bernstein in 2005. Presently, it is part of several major platforms including the Transport Layer Security protocol. Vectorised implementation of Poly1305 has been proposed by Goll and Gueron in 2015. We provide some simple algorithmic improvements to the Goll-Gueron vectorisation strategy. Implementation of the modified strategy on modern Intel processors shows marked improvements in speed for short messages.

Recently, an article by Felke appeared in Cryptography and Communications discussing the security of biquadratic C* and a further generalization, k-ary C*. The article derives lower bounds for the complexity of an algebraic attack, directly inverting the public key, under an assumption that the first-fall degree is a good approximation of the solving degree, an assumption that the paper notes requires ``greater justification and clarification."

In this work, we provide a practical attack breaking all k-ary C* schemes. The attack is based on differential techniques and requires nothing but the ability to evaluate the public key and solve linear systems. In particular, the attack breaks the parameters provided in CryptoChallenge11 by constructing and solving linear systems of moderate size in a few minutes.

The Tire Pressure Monitoring System (TPMS) is used to monitor the pressure of the tires and to inform the driver of it. This equipment is mandatory for vehicles in US and EU. To ensure the security of TPMS, it is important to reduce the cost of the cryptographic mechanisms implemented in resourced-constrained devices. To address this problem, previous work has proposed countermeasures employing lightweight block ciphers such as PRESENT, SPECK, or KATAN. However, it is not clear to us that any of these works have addressed the issues of software optimization that considers TPMS-packet protection as well as session key updates for architectures consisting of the vehicle TPMS ECU and four low-cost TPM sensors equipped with the tires. In this paper, we propose to application of the ISO/IEC 29192-5 lightweight hash function Lesamnta-LW to address this issue. Our approach is to apply the known method of converting Lesamnta-LW to multiple independent pseudo-random functions (PRFs) in TPMS. In our case, we generate five PRFs this way and then use one PRF for MAC-generation and four for key derivation. Although we follow the NIST SP 800-108 framework of converting PRFs to key derivation functions, we confirm the significant advantage of Lesamnta-LW-based PRFs over HMAC-SHA-256 by evaluating the performance on AVR 8-bit micro-controllers, on which we consider simulating TPMS sensors. We expect that our method to achieve multiple-purposes with a single cryptographic primitive will help to reduce the total implementation cost required for TPMS security.

We give the first construction of statistical Zaps. Our construction satisfies computational soundness and relies on the quasi-polynomial hardness of learning with errors assumption.

Proof-of-stake (PoS) has been shown to be a suitable replacement—in many respects—for the expensive proof-of-work mechanism introduced by the Bitcoin protocol. Nevertheless, one common and seemingly intrinsic shortcoming of all existing PoS blockchains in the permissionless “dynamic availability” setting introduced by Badertscher et al. [CCS 2018], where parties come and go without warning, is that they require explicit use of a common notion of time among the participants, i.e., a “global” clock that provides the correct time on demand.

We design and analyze a PoS blockchain protocol that we prove UC-secure without assuming access to a global time functionality. Central to our construction is a novel clock synchronization mechanism that enables joining parties to adjust their local clocks correctly, relying only on knowledge of the genesis block and the assumption that their local, initially desynchronized clocks advance at approximately the same speed. This is particularly challenging as we work in the dynamic availability setting which addresses optimal resilience under arbitrary and potential adversarial participation patterns. As a corollary of our construction, we obtain a permissionless PoS implementation of a global clock that may be used whenever access to global time is a requirement in a higher level protocol.

CSIDH is a recent quantum-resistant primitive based on the difficulty of finding isogeny paths between supersingular curves. Recently, two constant-time versions of CSIDH have been proposed: first by Meyer, Campos and Reith, and then by Onuki, Aikawa, Yamazaki and Takagi. While both offer protection against timing attacks and simple power consumption analysis, they are vulnerable to more powerful attacks such as fault injections. In this work, we identify and repair two oversights in these algorithms that compromised their constant-time character. By exploiting Edwards arithmetic and optimal addition chains, we produce the fastest constant-time version of CSIDH to date. We then consider the stronger attack scenario of fault injection, which is relevant for the security of CSIDH static keys in embedded hardware. We propose and evaluate a dummy-free CSIDH algorithm. While these CSIDH variants are slower, their performance is still within a small constant factor of less- protected variants. Finally, we discuss derandomized CSIDH algorithms.

We explore two main issues in the performance of Secure Two- Party Computation (2PC): (1) interaction of 2PC with the transport layer and (2) evaluation of 2PC implementations.

Transport layer: Although significantly improved, the performance of 2PC is still prohibitive for practical systems. Contrary to the common belief that bandwidth is the remaining bottleneck for 2PC implementation, we show that the network is under-utilised due to the use of standard TCP sockets. Nevertheless, using other sockets is a nontrivial task: the developers of secure computation need to integrate them into the operating systems, which is challenging even for systems experts. To resolve this issue, and break the efficiency barrier of 2PC, we design and develop a framework, we call Transputation, which automates the integration of transport layer sockets into 2PC implementations. The goal of Transputation is to enable developers of 2PC protocols to easily identify and use the optimal transport layer protocol for the given computation task and network conditions and hence to improve performance of secure computation.

We integrated selected transport layer protocols into Transputation and evaluated the performance for a number of computational tasks. As a highlight, even a general purpose transport layer protocol, such as SABUL, improves the run-time of 2PC over TCP on EU-Australia connection for circuits with $ > 10^6 $ Boolean gates by a factor of $ 8 $.

Evaluations of 2PC: Evaluations of 2PC implementations do not reflect performance in real networks since they are typically done on simulated environments and even more often on a single host. To address this issue, we provide a testbed platform for evaluation of 2PC implementations in real life settings on the Internet.

Smart contracts are programmable, decentralized and transparent financial applications. Because smart contract platforms typically support Turing-complete programming languages, such systems are often said to enable arbitrary applications. However, the current permissionless smart contract systems impose heavy restrictions on the types of computations that can be implemented. For example, the globally-replicated and sequential execution model of Ethereum requires gas limits that make many computations infeasible.

In this paper, we propose a novel system called ACE whose main goal is to enable more complex smart contracts on permissionless blockchains. ACE is based on an off-chain execution model where the contract issuers appoint a set of service providers to execute the contract code independent from the consensus layer. The primary advantage of ACE over previous solutions is that it allows one contract to safely call another contract that is executed by a different set of service providers. Thus, ACE is the first solution to enable off-chain execution of interactive smart contracts with flexible trust assumptions. Our evaluation shows that ACE enables several orders of magnitude more complex smart contracts than standard Ethereum.

Succinct non-interactive arguments (SNARGs) are highly efficient certificates of membership in non-deterministic languages. Constructions of SNARGs in the random oracle model are widely believed to be post-quantum secure, provided the oracle is instantiated with a suitable post-quantum hash function. No formal evidence, however, supports this belief.

In this work we provide the first such evidence by proving that the SNARG construction of Micali is unconditionally secure in the *quantum* random oracle model. We also prove that, analogously to the classical case, the SNARG inherits the zero knowledge and proof of knowledge properties of the PCP underlying the Micali construction. We thus obtain the first zero knowledge SNARG of knowledge (zkSNARK) that is secure in the quantum random oracle model.

Our main tool is a new lifting lemma that shows how, for a rich class of oracle games, we can *generically* deduce security against quantum attackers by bounding a natural classical property of these games. This means that in order to prove our theorem we only need to establish *classical* properties about the Micali construction. This approach not only lets us prove post-quantum security but also enables us to prove explicit bounds that are tight up to small factors.

We additionally use our techniques to prove that SNARGs based on interactive oracle proofs (IOPs) with round-by-round soundness are unconditionally secure in the quantum random oracle model. This result establishes the post-quantum security of many SNARGs of practical interest.

In this short report we present the shortest linear program for AES MixColumn circuit with 94 XOR gates.