International Association
for Cryptologic Research

We are an international company with branches in Copenhagen, Zurich and Munich. We are looking to strengthen our team of in-house cryptographic experts in either of our locations.

The right person will work on internal and external high-end projects in the area of cryptology. This will involve cutting-edge cryptographic design, cryptanalysis, software development, contributions to product development, customer trainings, security evaluations, etc.

A PhD degree in symmetric-key cryptology (block ciphers, stream ciphers, MACs or hash functions) or a closely related area is a requirement. Proficiency in the efficient software implementations of cryptographic algorithms for such platforms as modern Intel or ARM CPUs is a plus. Postdoctoral research experience in symmetric-key cryptology as well as teaching experience is also an advantage.

We expect that our new Senior Cryptographer can generate value for the company and for our customers. An important part of your job is to take technical responsibility for projects and to be a great team player who is a pleasure to work with. You take the initiative, provide high quality and always deliver on time.

We offer a highly attractive compensation, a permanent contract, a dynamic international working environment, a conference travel package, relocation benefits, an employee success participation plan, as well as significant time and budget to conduct cryptologic research.

Applications will be reviewed on the ongoing basis. Planned target date for employment is 1 April 2020 or sooner.

Please send your CV incl. the list of publications and a motivational letter to jobs@cyber-crypt.com. You can also use this email address if you have any questions about the position.

Closing date for applications:

Contact: Dr. Andrey Bogdanov

More information: https://www.cyber-crypt.com/company/#team

The Center for Secure Information Technologies (CSIT) at Queen's University Belfast is looking for a Ph.D student to work on post-quantum cryptography. This 3 year PhD studentship will commence on October 1st, 2020. The studentship will cover tuition fees at the Home/EU rate and only home students can receive a stipend. More information can be found at https://www.qub.ac.uk/courses/postgraduate-research/phd-opportunities/post-quantum-anonymous-credential.html The application deadline is February 7th, 2020.

Closing date for applications:

Contact: Dr. Jinguang Han (j.han@qub.ac.uk)

More information: https://www.qub.ac.uk/courses/postgraduate-research/phd-opportunities/post-quantum-anonymous-credential.html

We are looking for a motivated Post-Doc or research engineer to work on malware classification on IoT devices through side-channel information.

Research topic While malware detection and mitigation research are now trending, a lot of challenges and unsolved problems still remain. Recently, sophisticated malware designers invented techniques to circumvent software detection techniques. A new direction consists in using unintentionally emitted hardware side-channel information. The big advantage of this information is the non-detection by malware designers. Still, those approaches have to be established in real-world scenarios and efficient analysis techniques developed and implemented. We are currently building up a realistic IoT malware side-channel analysis platform which gives us first interesting new insights.

Joining our team you will

• infect IoT devices with malware samples,
• be responsible for the maintenance of the side-channel workbench,
• derive and develop efficient implementations of analysis algorithms,
• drive top-quality research and publish in A*/A-class security and malware conferences.

Prerequisites We are looking for team players who are motivated and able to drive top-quality research. The area of research lies between several fields and we expect at least competences in one of them:

• embedded devices/side-channel analysis, and/or
• statistics, machine learning, deep learning, and/or
• malware analysis.

Additionally, an ideal candidate should have:

• Research engineer: MS degree in a related field, with 1-3 years of work experience,
• PostDoc: Ph.D. in a related field
• good programming skills,
• good level in written and spoken English,
• motivation to save the world.

Duration/Starting date The position is initially limited to one year but can be extended (up to two years) in case of good performance. The starting date is as soon as possible (given our security clearances).

Closing date for applications:

Contact: Annelie Heuser (annelie.heuser@irisa.fr) with a CV, cover letter, and references.

Machine learning tools have illustrated their potential in many significant sectors such as healthcare and finance, to aide in deriving useful inferences. The sensitive and confidential nature of the data, in such sectors, raises natural concerns for the privacy of data. This motivated the area of Privacy-preserving Machine Learning (PPML) where privacy of the data is guaranteed. Typically, ML techniques require large computing power, which leads clients with limited infrastructure to rely on the method of Secure Outsourced Computation (SOC). In SOC setting, the computation is outsourced to a set of specialized and powerful cloud servers and the service is availed on a pay-per-use basis. In this work, we explore PPML techniques in the SOC setting for widely used ML algorithms-- Linear Regression, Logistic Regression, and Neural Networks. We propose BLAZE, a blazing fast PPML framework in the three server setting tolerating one malicious corruption over a ring ($\mathbb{Z}_{2^{\ell}}$). BLAZE achieves the stronger security guarantee of fairness (all honest servers get the output whenever the corrupt server obtains the same). Leveraging an {\em input-independent} preprocessing phase, BLAZE has a fast input-dependent online phase relying on efficient PPML primitives such as: (i) A dot product protocol for which the communication in the online phase is {\em independent} of the vector size, the first of its kind in the three server setting; (ii) A method for truncation that shuns evaluating expensive circuit for Ripple Carry Adders (RCA) and achieves a constant round complexity. This improves over the truncation method of ABY3 (Mohassel et al., CCS 2018) that uses RCA and consumes a round complexity that is of the order of the depth of RCA (which is same as the underlying ring size); (iii) Secure Comparison protocol that requires only one round in the online phase as opposed to the solution of ASTRA (Chaudhari et al., CCSW 2019), which requires three rounds.

An extensive benchmarking of BLAZE for the aforementioned ML algorithms over a 64-bit ring in both WAN and LAN settings shows massive improvements over ABY3. Concretely, we observe improvements up to $\mathbf{333\times}$ for Linear Regression, $\mathbf{146 \times}$ for Logistic Regression and $\mathbf{301\times}$ for Neural Networks over WAN. Similarly, we show improvements up to $\mathbf{2610\times}$ for Linear Regression, $\mathbf{820\times}$ for Logistic Regression and $\mathbf{303\times}$ for Neural Networks over LAN.

We improve the fundamental security threshold of Proof-of-Stake (PoS) blockchain protocols, reflecting for the first time the positive effect of rounds with multiple honest leaders. Current analyses of the longest-chain rule in PoS blockchain protocols reduce consistency to the dynamics of an abstract, round-based block creation process determined by three probabilities: $p_A$, the probability that a round has at least one adversarial leader; $p_h$, the probability that a round has a single honest leader; and $p_H$, the probability that a round has multiple, but honest, leaders. We present a consistency analysis that achieves the optimal threshold $p_h + p_H > p_A$. This is a first in the literature and can be applied to both the simple synchronous setting and the setting with bounded delays. We also achieve the optimal consistency error $e^{-\Theta(k)}$, $k$ being the confirmation time. The consistency analyses in Ouroboros Praos (Eurocrypt 2018) and Genesis (CCS 2018) assume that $p_h - p_H > p_A$; the analyses in Sleepy Consensus (Asiacrypt 2017) and Snow White (Fin. Crypto 2019) assume that $p_h > p_A$. Thus existing analyses either incur a penalty for multiply-honest rounds, or treat them neutrally. In addition, previous analyses completely break down when $p_h < p_A$. Our new results can be directly applied to improve the consistency of these existing protocols. We emphasize that these thresholds determine the critical tradeoff between honest majority, network delays, and consistency error. We complement our results with a consistency analysis in the setting where uniquely honest slots are rare, event letting $p_h = 0$, under the added assumption that honest players adopt a consistent chain selection rule. Our analysis provides a direct connection between the Ouroboros analysis focusing on ``relative margin'' and the Sleepy analysis focusing on ``strong pivots.''

We present efficient and compact hardware/software co-design implementations of the Supersingular Isogeny Key Encapsulation (SIKE) protocol on field-programmable gate arrays (FPGAs). In order to be better equipped for different post-quantum scenarios, our architectures were designed to feature high-flexibility by covering all the currently available parameter sets and with support for primes up to 1016 bits. In particular, any of the current SIKE parameters equivalent to the post-quantum security of AES-128/192/256 and SHA3-256 can be selected and run on-the-fly. This security scalability property, together with the small footprint and efficiency of our architectures, makes them ideal for embedded applications in a post-quantum world. In addition, the proposed implementations exhibit regular, constant-time execution, which provides protection against timing and simple side-channel attacks. Our results demonstrate that supersingular isogeny-based primitives such as SIDH and SIKE can indeed be deployed for embedded applications featuring competitive performance. For example, our smallest architecture based on a 128-bit MAC unit takes only 3415 slices, 21 BRAMs and 57 DSPs on a Virtex 7 690T and can perform key generation, encapsulation and decapsulation in 14.4, 24.4 and 26.0 milliseconds for SIKEp434 and in 52.3, 86.4 and 93.2 milliseconds for SIKEp751, respectively.

Deep learning based side-channel analysis has seen a rise in popularity over the last few years. A lot of work is done to understand the inner workings of the neural networks used to perform the attacks and a lot is still left to do. However, finding a metric suitable for evaluating the capacity of the neural networks is an open problem that is discussed in many articles. We propose an answer to this problem by introducing an online evaluation metric dedicated to the context of side-channel analysis and use it to perform early stopping on existing convolutional neural networks found in the literature. This metric compares the performance of a network on the training set and on the validation set to detect underfitting and overfitting. Consequently, we improve the performance of the networks by finding their best training epoch and thus reduce the number of traces used by 30%. The training time is also reduced for most of the networks considered.

SNOW 3G is one of the core algorithms for confidentiality and integrity in several 3GPP wireless communication standards, includ- ing the new Next Generation (NG) 5G. It is believed to be resistant to classical cryptanalysis. In this paper, we show that SNOW 3G can be broken by a fault attack based on bitstream modification. By changing the content of some look-up tables in the bitstream, we reduce the non- linear state updating function of SNOW 3G to a linear one. As a result, it becomes possible to recover the key from the keystream. To our best knowledge, this is the first successful bitstream modification attack on SNOW 3G. We propose a countermeasure which blows-up the number of candidate points for fault injection, making the presented attack infeasible in practice.

One of the most significant challenges in the design of blockchain protocols is increasing their transaction-processing throughput. In this work we put forth for the first time a formal execution model that enables to express transaction throughput while supporting formal security arguments regarding persistence and liveness. We then present a protocol in the proof-of-stake setting achieving near-optimal throughput under adaptive active corruption of any minority of the stake.

Aigis-Enc is an encryption algorithm based on asymmetrical LWE. In this algorithm, the compression process is utilized during both key generation and encryption (which is equivalent to add some LWR noise). Then encapsulation is realized by FO transformation. It is well known that FO transformation is not considered for discussing CPA security. On the other hand, since the security reduction of LWR is hard to proceed, it is not considered for discussing the CPA security of Aigis-Enc. But compression must be put into consideration when we discuss decryption failure probability. In other words, when we discuss the CPA security of Aigis-Enc, the compression and FO transformation are ignored. But when decryption failure probability is discussed, compression should be taken into consideration while FO transformation remains ignored.

According to the assumptions above, Aigis-Enc designers claim that the CPA security of Aigis-Enc is approximately equal to that of the symmetrical LWE scheme in the same scale, and the decryption failure probability of Aigis-Enc is far below that of the symmetrical LWE scheme in the same scale.

In this paper, we make a thorough comparison between Aigis-Enc (with the recommended parameters) and the symmetrical LWE encryption scheme in the same scale. Our conclusion is as followed:

(1) The comparison on CPA security. The former’s is 160.898, and the latter’s is 161.836.

(2) The comparison on computation complexity. In key generation phase, the ratio of the former and the latter on sampling amount of distribution \(\left[ {\begin{array}{*{20}{c}} 0&1\\ {\frac{1}{2}}&{\frac{1}{2}} \end{array}} \right]\) is 5:4; In encryption phase, that ratio is 19:14. The other computations remain the same.

(3) The comparison on decryption failure probability. The former’s is $2^{-128.699}$, the latter's is $2^{-67.0582}$. The comparison seems to be dramatic. But in fact, we can slightly increase some traffic to keep failure probability unchanged. In other words, by compressing less to keep decryption failure probability unchanged. In specific: we change the parameters \(\left( {{d_1},{d_2},{d_3}} \right)\) from \(\left( {9,9,4} \right)\) to \(\left( {10,10,4} \right)\), which means a large part of the public key remains the same, the small part of the public key changes from 9 bits per entry into 10bits. A large part of the ciphertext changes from 9 bits per entry into 10 bits, the small part of the ciphertext remains the same. As thus, the communication traffic increases less than $\frac{1}{9}$, while the decryption failure probability is lower than $2^{-128.699}$.

We generalize those attacks presented by designers of Aigis-Enc, including primal attacks and dual attacks. More detailedly, our attacks are more extensive, simpler, and clearer. With them, we obtain the optimal attacks and “the optimal-optimal attack” on Aigis-Enc and the symmetrical LWE scheme in the same scale.

In this paper, we propose a novel lattice-based group key exchange protocol with dynamic membership. Our protocol is constructed by generalizing Dutta-Barua protocol to RLWE setting, inspired by Apon et al.’s recent paper in PQCrypto 2019. We describe our (static) group key exchange protocol from Apon et al.’s paper by modifying its third round and computation step. Then, we present both authenticated and dynamic group key exchange protocol with Join and Leave algorithms. The number of rounds for authenticated group key exchange remains the same as unauthenticated one. Our protocol also supports the scalable property so that the number of rounds does not change depending on the number of group participants. By assuming the hardness of RLWE assumption and unforgeability of digital signatures, we give a full security proof for (un-)authenticated (dynamic) group key exchange protocols.

Many studies focus on the blockchain privacy protection. Unfortunately, the privacy protection brings regulatory issues (e.g., countering money-laundering). Tracing users' identities is a critical step in addressing blockchain regulatory issues. In this paper, we propose SkyEye, a traceable scheme for blockchain. SkyEye can be applied to the blockchain applications that satisfy the following conditions: (I) The users have public and private information, where the public information is generated by the private information; (II) The users' public information is disclosed in the blockchain data. SkyEye enables the regulator to trace users' identities. The design of SkyEye leverages some cryptographic primitives, including chameleon hash and zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK). Moreover, we demonstrate the security of SkyEye under specific cryptographic assumptions. Finally, we implement two prototypes of SkyEye, and evaluate the running time and related data storage requirements by performing the aforementioned prototypes.

McCorry et al. (Financial Cryptography 2017) presented the first implementation of a decentralized self-tallying voting protocol on Ethereum. However, their implementation did not scale beyond 40 voters since all the computations were performed on the smart contract. In this paper, we tackle this problem by delegating the bulk computations to an off-chain untrusted administrator in a verifiable manner. Specifically, the administrator tallies the votes off-chain and publishes a Merkle tree that encodes the tallying computation trace. Then, the administrator submits the Merkle tree root and the tally result to the smart contract. Subsequently, the smart contract transits to an intermediate phase where at least a single honest voter can contend the administrator's claimed result if it was not computed correctly. Then, in the worst case, the smart contract verifies the dispute at the cost of an elliptic curve point addition and scalar multiplication, and two Merkle proofs of membership which are logarithmic in the number of voters. This allows our protocol to achieve higher scalability without sacrificing the public verifiability or voters' privacy. To assess our protocol, we implemented an open-source prototype on Ethereum and carried out multiple experiments for different numbers of voters. The results of our implementation confirm the scalability and efficiency of our proposed solution which does not exceed the current block gas limit for any practical number of voters.

In this paper, we propose a method for implementing binary matrices with low-cost XOR. First, using a random-iterative method, we obtain a list S from a binary matrix A. Then, based on the list S, we construct a binary matrix B. Next, we find a relation between the implementations of A and B. In other words, using the implementation of the matrix B, we get a low-cost implementation for the matrix A. Also, we show that the implementation of an MDS matrix M is associated with the form of the binary matrix used to construct the binary form of M. In addition, we propose a heuristics algorithm to implement MDS matrices. The best result of this paper is the implementation of a 8 × 8 involutory MDS matrix over 8-bit words with 408 XOR gates. The Paar algorithm is used as an SLP application to obtain implementations of this paper.

We initiate a study of locally decodable codes with randomized encoding. Standard locally decodable codes are error correcting codes with a deterministic encoding function and a randomized decoding function, such that any desired message bit can be recovered with good probability by querying only a small number of positions in the corrupted codeword. This allows one to recover any message bit very efficiently in sub-linear or even logarithmic time. Besides this straightforward application, locally decodable codes have also found many other applications such as private information retrieval, secure multiparty computation, and average-case complexity.

However, despite extensive research, the tradeoff between the rate of the code and the number of queries is somewhat disappointing. For example, the best known constructions still need super-polynomially long codeword length even with a logarithmic number of queries, and need a polynomial number of queries to achieve a constant rate. In this paper, we show that by using a randomized encoding, in several models we can achieve significantly better rate-query tradeoff. In addition, our codes work for both the standard Hamming errors, and the more general and harder edit errors.

We present the design of a novel low latency, bit length parameterizable cipher, called the ``K-Cipher''. K-Cipher is particularly useful to applications that need to support ultra low latency encryption at arbitrary ciphertext lengths. We can think of a range of networking, gaming and computing applications that may require encrypting data at unusual block lengths for many different reasons, such as to make space for other unencrypted state values. Furthermore, in modern applications, encryption is typically required to complete inside stringent time frames in order not to affect performance. K-Cipher has been designed to meet these requirements. In the paper we present the K-Cipher design and discuss its rationale.

We consider a scenario where multiple organizations holding large amounts of sensitive data from their users wish to compute aggregate statistics on this data while protecting the privacy of individual users. To support large-scale analytics we investigate how this privacy can be provided for the case of sketching algorithms running in time sub-linear of the input size.

We begin with the well-known LogLog sketch for computing the number of unique elements in a data stream. We show that this algorithm already achieves differential privacy (even without adding any noise) when computed using a private hash function by a trusted curator. Next, we show how to eliminate this requirement of a private hash function by injecting a small amount of noise, allowing us to instantiate an efficient LogLog protocol for the multi-party setting. To demonstrate the practicality of this approach, we run extensive experimentation on multiple datasets, including the publicly available IP address data set from University of Michigan’s scans of internet IPv4 space, to determine the tradeoffs among efficiency, privacy and accuracy of our implementation for varying numbers of parties and input sizes.

Finally, we generalize our approach for the LogLog sketch and obtain a general framework for constructing multi-party differentially private protocols for several other sketching algorithms.

The majority of real-world applications of digital signatures use timestamping to ensure non-repudiation in face of possible key revocations. This observation led Buldas, Laanoja, and Truu to a server-assisted digital signature scheme built around cryptographic timestamping.

In this paper, we report on the machine-checked proofs of existential unforgeability under the chosen-message attack (EUF-CMA) of some variations of BLT digital signature scheme. The proofs are developed and verified using the EasyCrypt framework, which provides interactive theorem proving supported by the state-of-the-art SMT solvers.

Event date: 6 December to 10 December 2020

In this paper we consider several methods for an efficient extraction of roots of a polynomial over large finite fields. The problem of computing such roots is often the performance bottleneck for some multivariate quantum-immune cryptosystems, such as HFEv-based Quartz, Gui, etc. We also discuss a number of techniques for fast computation of traces as part of the factorization process. These optimization methods could significantly improve the performance of cryptosystems where roots factorization is a part thereof.