International Association for Cryptologic Research

IACR News

21 January 2020

Zhengzhong Jin, Yunlei Zhao
ePrint Report
A remarkable breakthrough in mathematics in recent years is the proof of the long-standing conjecture that sphere packing (i.e., packing unit balls) in the $E_8$ lattice is optimal in the sense of achieving the best density \cite{V17} for sphere packing in $\mathbb{R}^8$. In this work, based on the $E_8$ lattice code, we design a mechanism for asymmetric key consensus from noise (AKCN), referred to as AKCN-E8, for error correction and key consensus. As a direct application of the AKCN-E8 code, we present a highly practical key encapsulation mechanism (KEM) from ideal lattices based on the ring learning with errors (RLWE) problem. Compared to the RLWE-based NewHope-KEM \cite{newhope-NIST}, which is a variant of NewHope-Usenix \cite{newhope15} and is now a promising candidate in the second round of the NIST post-quantum cryptography (PQC) standardization competition, our AKCN-E8-KEM has the following advantages:

* The size of the shared key is doubled.

* More compact ciphertexts, at the same or even higher security level.

* More flexible parameter selection for tradeoffs among security, ciphertext size and error probability.
Goatstown, Ireland, 25 August - 28 August 2020
Event Calendar
Event date: 25 August to 28 August 2020
Submission deadline: 15 March 2020
Notification: 18 May 2020
Copenhagen, Denmark, 24 August - 27 August 2020
Event Calendar
Event date: 24 August to 27 August 2020
Submission deadline: 23 March 2020
Notification: 8 May 2020

20 January 2020

TU Darmstadt, Germany
Job Posting

The Cryptography and Privacy Engineering Group (ENCRYPTO) at Technische Universität Darmstadt offers a position for a Doctoral Researcher (Research Assistant/PhD Student) in the project “Privacy-preserving Services on The Internet” (PSOTI) funded via an ERC Starting Grant. We develop techniques and tools for protecting privacy in applications.

Job Description
The fully funded position is for up to 4.5 years, with a starting date no later than August 1, 2020. In our project, we will build privacy-preserving services on the Internet. This includes protocols for privately outsourcing, searching and processing data among untrusted service providers using secure multi-party computation, and building a scalable secure multi-party computation framework. You will do research, build prototype implementations, and publish and present the results at top conferences and journals. We provide an open and international working environment for excellent research in a sociable team and give the opportunity for further qualification (doctoral/PhD degree). TU Darmstadt is ranked as a top university for IT security and cryptography in Europe and for computer science in Germany. The position is based in the “City of Science” Darmstadt, which is very international and livable, and well-connected in the Rhine-Main area around Frankfurt.

Your Profile
  • You have a completed Master degree (or equivalent) from a top university with excellent grades in IT security, computer science, applied mathematics, electrical engineering, or a similar field.
  • Extensive knowledge in IT security/applied cryptography and excellent software development skills are required.
  • Additional knowledge in cryptographic protocols (ideally secure multi-party computation) is a plus.
  • You are self-motivated, reliable, creative, able to discuss/write/present scientific results in English, and able to conduct excellent research on challenging scientific problems with practical relevance.
Application deadline: June 1, 2020; later applications will be accepted until the position has been filled.

Closing date for applications:

Contact: Thomas Schneider (schneider@encrypto.cs.tu-darmstadt.de)

More information: https://encrypto.de/PSOTI-PHDSTUDENT

Aarhus University, Department of Engineering; Aarhus, Denmark
Job Posting
We have a position available for a 12-month postdoc in blockchain technologies. In particular, you are welcome to apply if you are interested in applications of Multi-party Computation to blockchains, high-assurance cryptography for blockchain deployments, and/or blockchain-assisted boardroom voting.
The Postdoc will perform research to construct use cases for blockchain technologies in these application domains. The developed material will be used both for research publications and other educational activities, related to training Danish industry professionals and technical managers in securely adopting blockchain technology.
The project is a collaboration between researchers from many institutions in Denmark: the Departments of Engineering and Computer Science at Aarhus University (AU), the Concordium Blockchain Research Center (COBRA) at AU, the DIGIT Centre for Digitalisation, Big Data and Data Analytics at AU, the Alexandra Institute and other partners in Copenhagen (IT University and Institute for Futures Studies). The project is funded by the Danish Industry Foundation, at a total of 1 million euros.
Qualifications: We are looking for dedicated and enthusiastic applicants, with a PhD in Computer Science/Engineering, Mathematics or related discipline. Previous experience in cryptography for blockchains is fundamental. Further requirements are fluency in English, good reporting/organization skills, ability to collaborate in groups and with industry, and being able to work independently.
To Apply: Send a cover letter and Curriculum Vitae with at least two references to the contacts below.

Closing date for applications:

Contact: Diego F. Aranha, Assistant Professor of Engineering, dfaranha (at) eng.au.dk
Bas Spitters, Associate Professor of Computer Science, spitters (at) cs.au.dk

More information: https://alexandra.dk/dk/aktuelt/nyheder/2019/industriens-fond-st-tter-blockchain-uddannelser-til-virksomhedsledere

TU Darmstadt, Germany
Job Posting

The Cryptography and Privacy Engineering Group (ENCRYPTO) at Technische Universität Darmstadt offers a position for a Postdoctoral Researcher in the project “Privacy-preserving Services on The Internet” (PSOTI) funded via an ERC Starting Grant. We develop techniques and tools for protecting privacy in applications.

Job Description
The fully funded position is for up to 2.5 years, with a starting date as soon as possible. In our project, we will build privacy-preserving services on the Internet. This includes protocols for privately outsourcing, searching and processing data among untrusted service providers using secure multi-party computation, and building a scalable secure multi-party computation framework. You will co-advise PhD students, be involved in the project management, do research, build prototype implementations, and publish the results at top venues in IT security / applied cryptography. We provide an open and international working environment for excellent research in a sociable team. TU Darmstadt is ranked as a top university for IT security and cryptography in Europe and for computer science in Germany. The position is based in the “City of Science” Darmstadt, which is very international and livable, and well-connected in the Rhine-Main area around Frankfurt.

Your Profile
  • You have a completed PhD degree (or equivalent) from a top university in IT security, computer science, applied mathematics, electrical engineering, or a similar area.
  • Publications at top venues for IT security/applied cryptography (e.g., S&P, CCS, NDSS, USENIX SEC, EUROCRYPT), ideally on cryptographic protocols and secure computation, are required.
  • Experience in software development, project management, and supervising students is needed.
  • You are self-motivated, reliable, creative, able to discuss/write/present scientific results in English, and can conduct excellent research on challenging scientific problems with practical relevance.
Application deadline: None; applications will be accepted until the position is filled.

Closing date for applications:

Contact: Thomas Schneider (schneider@encrypto.cs.tu-darmstadt.de)

More information: https://encrypto.de/PSOTI-POSTDOC

Alejandro Cabrera Aldaya, Billy Bob Brumley
ePrint Report
Microarchitecture-based side-channel attacks are common threats nowadays. Intel SGX technology provides strong isolation from an adversarial OS; however, it does not guarantee protection against side-channel attacks. In this paper, we analyze the security of the mbedTLS binary GCD algorithm, an implementation that offers interesting challenges when compared, for example, with OpenSSL, due to the use of very tight loops in the former. Using practical experiments, we demonstrate that the mbedTLS binary GCD implementation is vulnerable to side-channel analysis using the SGX-Step framework against mbedTLS-based SGX enclaves.

We analyze the security of some use cases of this algorithm in this library, resulting in the discovery of a new vulnerability in the ECDSA code path that allows a single-trace attack against this implementation. This vulnerability is interesting for three reasons:

* It resides in the implementation of a countermeasure, which makes it more dangerous due to the false sense of security the countermeasure currently offers.

* It reduces mbedTLS ECDSA security to an integer factorization problem.

* An unexpected GCD call inside the ECDSA code path compromises the countermeasure.

We also cover an orthogonal use case, this time inside the mbedTLS RSA code path during the computation of a CRT parameter when loading a private key. This attack also exploits the binary GCD implementation threat, showing how a single vulnerable primitive leads to multiple vulnerabilities. We demonstrate both security threats with end-to-end attacks using 1000 trials each, showing that in both cases single-trace attacks can be achieved with success rates very close to 100%.
Wen Wang, Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, Jakub Szefer
ePrint Report
This paper presents a set of efficient and parameterized hardware accelerators that target post-quantum lattice-based cryptographic schemes, including a versatile cSHAKE core, a binary-search CDT-based Gaussian sampler, and a pipelined NTT-based polynomial multiplier, among others. Unlike much prior work, the accelerators are fully open-sourced, are designed to be constant-time, and are parameterized at compile-time to support different parameters without the need for re-writing the hardware implementation. These flexible, to-be publicly-available accelerators are used to demonstrate the first hardware-software co-design using RISC-V of the post-quantum lattice-based signature scheme qTESLA with provably secure parameters. In particular, we demonstrate that NIST's Round 2 level 1 and level 3 qTESLA variants achieve a 40-100x speedup for key generation, about a 10x speedup for signing, and about a 16x speedup for verification, compared to the baseline RISC-V software-only implementation. For instance, this corresponds to execution in 7.7, 34.4, and 7.8 milliseconds for key generation, signing, and verification, respectively, for qTESLA's level 1 parameter set on an Artix-7 FPGA, demonstrating the feasibility of the scheme for embedded applications.
Yasuhiko Ikematsu, Shuhei Nakamura
ePrint Report
Multivariate encryption schemes are public key encryption schemes using multivariate polynomials over finite fields. In 2020, Jiahui Chen et al. proposed a new multivariate encryption scheme. In order to construct the public key consisting of quadratic polynomials, they used the minus and plus modifiers to prevent known attacks, such as the linear equations attack, the MinRank attack and the algebraic attack. However, in this paper we show that even if such modifiers are used, an attack using linear algebra is valid against their scheme. In fact, our attack can break the claimed 80- and 128-bit parameters with a complexity of around 27 and 31 bits, respectively.

17 January 2020

University of California, Berkeley
Job Posting
The UC Berkeley EECS Department Theory Group welcomes inquiries for postdoctoral fellowships hosted by faculty members in our group. Inquiries will be viewable by all faculty in our group as listed on our website. Individual faculty may then reach out in the case of matched interests. Please send a cover letter, CV, and research statement to tcs-postdoc-inquiries@lists.eecs.berkeley.edu, and in your CV please list at least three writers of letters of reference. In the cover letter, please identify faculty of interest. Please then have your references submit letters to the same e-mail address, with your name in the subject line. Faculty may reach out on a rolling basis, though we encourage inquiries to be made as soon as possible.

Closing date for applications:

Contact: tcs-postdoc-inquiries@lists.eecs.berkeley.edu

More information: http://theory.cs.berkeley.edu/postdoc.html

Mohamed Tolba, Muhammad ElSheikh, Amr M. Youssef
ePrint Report
Tweakable TWINE (T-TWINE) is a new lightweight tweakable block cipher family proposed by Sakamoto et al. at IWSEC 2019. T-TWINE is the first Tweakable Block Cipher (TBC) built on a Generalized Feistel Structure (GFS). It is based on the TWINE block cipher together with a simple tweak scheduling based on SKINNY’s tweakey schedule. Similar to TWINE, it has two versions, namely T-TWINE-80 and T-TWINE-128, both of which have a block length of 64 bits and employ keys of length 80 and 128 bits, respectively. In this paper, we present impossible differential attacks against reduced-round versions of T-TWINE-80 and T-TWINE-128. First, we present an 18-round impossible differential distinguisher against T-TWINE. Then, using this distinguisher, we attack 25 and 27 rounds of T-TWINE-80 and T-TWINE-128, respectively.
Pascal Sasdrich, Begül Bilgin, Michael Hutter, Mark Marson
ePrint Report
During the past two decades there has been a great deal of research published on masked hardware implementations of AES and other cryptographic primitives. Unfortunately, many hardware masking techniques can lead to increased latency compared to unprotected circuits for algorithms such as AES, due to the high degree of the nonlinear functions in their designs. In this paper, we present a hardware masking technique which does not increase the latency for such algorithms. It is based on the LUT-based Masked Dual-Rail with Pre-charge Logic (LMDPL) technique presented at CHES 2014. First, we show 1-glitch extended strong non-interference of a nonlinear LMDPL gadget under the 1-glitch extended probing model. We then use this knowledge to design an AES implementation which computes a full AES-128 operation in 10 cycles and a full AES-256 operation in 14 cycles. We perform practical side-channel analysis of our implementation using the Test Vector Leakage Assessment (TVLA) methodology and analyze univariate as well as bivariate t-statistics to demonstrate its DPA resistance level.
Pratyush Mishra, Ryan Lehmkuhl, Akshayaram Srinivasan, Wenting Zheng, Raluca Ada Popa
ePrint Report
Many companies provide neural network prediction services to users for a wide range of applications. However, current prediction systems compromise one party's privacy: either the user has to send sensitive inputs to the service provider for classification, or the service provider must store its proprietary neural networks on the user's device. The former harms the personal privacy of the user, while the latter reveals the service provider's proprietary model.

We design, implement, and evaluate Delphi, a secure prediction system that allows two parties to execute neural network inference without revealing either party's data. Delphi approaches the problem by simultaneously co-designing cryptography and machine learning. We first design a hybrid cryptographic protocol that improves upon the communication and computation costs over prior work. Second, we develop a planner that automatically generates neural network architecture configurations that navigate the performance-accuracy trade-offs of our hybrid protocol. Together, these techniques allow us to achieve a 22x improvement in online prediction latency compared to the state-of-the-art prior work.
Erdem Alkim, Hülya Evkan, Norman Lahr, Ruben Niederhagen, Richard Petri
ePrint Report
We present and evaluate a custom extension to the RISC-V instruction set for finite field arithmetic. The result serves as a very compact approach to software-hardware co-design of PQC implementations in the context of small embedded processors such as smartcards. The extension provides instructions that implement finite field operations with subsequent reduction of the result. As small finite fields are used in various PQC schemes, such instructions can provide a considerable speedup for an otherwise software-based implementation. Furthermore, we create a prototype implementation of the presented instructions for the extendable VexRiscv core, integrate the result into a chip design, and evaluate the design on two different FPGA platforms. The effectiveness of the extension is evaluated by using the instructions to optimize the Kyber and NewHope key-encapsulation schemes. To that end, we also present an optimized software implementation for the standard RISC-V instruction set of the polynomial arithmetic underlying those schemes, which serves as the basis for comparison. Both variants are tuned at the assembly level to optimally use the processor pipelines of contemporary RISC-V CPUs. The result shows a speedup for the polynomial arithmetic of up to 85% over the basic software implementation. Using the custom instructions drastically reduces the code and data size of the implementation without introducing runtime-performance penalties, at a small cost in circuit size. When used in the selected schemes, the custom instructions can replace a full general-purpose multiplier to achieve very compact implementations.
Changshe Ma, Yiping Gu, Hongfei Li
ePrint Report
The recently proposed searchable symmetric encryption (SSE) scheme HXT improves on OXT by avoiding KPRP leakage, at the cost of increasing the storage by two orders of magnitude. In this paper, we reconsider the principle of designing SSE protocols to prevent KPRP leakage. First, we introduce a new primitive called subset membership check (SMC), where a set is encrypted such that its subset membership can be checked only through a protocol between a Sender and a Tester. The security of SMC requires that nothing is revealed other than the membership of a subset after each execution of the protocol. We propose a hash-based SMC implementation with efficient computation, communication, and storage. Second, based on the hash-based SMC, we present two practical SSE protocols that support conjunctive queries without KPRP leakage. Our first protocol, called ‘Practical Hidden Cross-Tags’ (PHXT), maintains the same storage size as OXT while preserving the same privacy and functionality as HXT. Our second protocol, called ‘Fast Hidden Cross-Tags’ (FHXT), further optimizes the performance of PHXT by eliminating the expensive Diffie-Hellman type operations. Compared with HXT, our FHXT reduces the storage size, the server’s computational costs, the client’s computational costs, and the communication overhead by 96.09%, 98.44%, 79.54%, and 78.57%, respectively.
Tianshuo Cong, Ximing Fu, Xuting Zhou, Yuli Zou, Haining Fan
ePrint Report
Maximum Distance Separable (MDS) matrices play a crucial role in designing cryptosystems. In this paper we focus on constructing lightweight Hadamard MDS matrices based on subquadratic multipliers over $GF(2^4)$. We first propose subquadratic Hadamard matrix-vector product (HMVP) formulae, and provide two new XOR count metrics. To the best of our knowledge, subquadratic multipliers have not previously been used to construct MDS matrices. Furthermore, combined with the HMVP formulae, we design a construction algorithm to find lightweight Hadamard MDS matrices under our XOR count metric. Applying our algorithms, we successfully find MDS matrices with the state-of-the-art fewest XOR counts for $4 \times 4$ and $8 \times 8$ involutory and non-involutory MDS matrices. Experimental results show that our candidates save up to $40.63\%$ and $10.34\%$ of XOR gates for $8 \times 8$ and $4 \times 4$ matrices over $GF(2^4)$, respectively.
Orhun Kara, Muhammed F. Esgin
ePrint Report
As the need for lightweight cryptography has grown even more due to the evolution of the Internet of Things, it has become a greater challenge for cryptographers to design ultra-lightweight stream ciphers in compliance with the rule of thumb that the internal state size should be at least twice the key size to defend against generic Time-Memory-Data Tradeoff (TMDT) attacks. However, in 2015, Armknecht and Mikhalev shed new light on designing keystream generators (KSGs), which in turn yield stream ciphers, with small internal states, called KSGs with Keyed Update Function (KSG with KUF), and gave a concrete construction named Sprout. But, currently, security analysis of KSGs with KUF in a general setting is almost non-existent. Our contribution in this paper is two-fold. 1) We give a general mathematical setting for KSGs with KUF, and for the first time analyze a class of such KSGs, called KSGs with Boolean Keyed Feedback Function (KSG with Boolean KFF), generically. In particular, we develop two generic attack algorithms applicable to any KSG with Boolean KFF having almost arbitrary output and feedback functions, where the only requirement is that the secret key incorporation is biased. We introduce an upper bound for the time complexity of the first algorithm. Our extensive experiments validate our algorithms and the assumptions made therein. 2) We study Sprout to show the effectiveness of our algorithms in a practical instance. A straightforward application of our generic algorithm yields one of the most successful attacks on Sprout.
Haibat Khan, Benjamin Dowling, Keith M. Martin
ePrint Report
IEEE Std 802.15.6 is the latest international standard for Wireless Body Area Networks (WBANs). The security of communication in this standard is based upon four elliptic-curve based key agreement protocols. These protocols have been shown to exhibit serious security vulnerabilities and, surprisingly, do not provision any privacy guarantees. To date, no suitable key agreement protocol has been proposed which fulfils all the requisite objectives for IEEE Std 802.15.6. In this paper two key agreement protocols are presented which, in addition to being efficient and provisioning advanced security properties, also offer the essential privacy attributes of anonymity and unlinkability. The protocols are also quantum-safe as they are independent of any public-key based operations. We develop a formal security and privacy model in an appropriate complexity-theoretic framework and prove the proposed protocols secure in this model.
Alexander Chepurnoy, Amitabh Saxena
ePrint Report
Centralized pools and renting of mining power are considered sources of possible censorship threats and even 51% attacks for decentralized cryptocurrencies. Non-outsourceable Proof-of-Work schemes have been proposed to tackle these issues. However, folklore holds that such schemes could potentially be bypassed by using escrow mechanisms.

In this work, we propose a concrete example of such a mechanism that uses collateralized smart contracts. Our approach allows miners to bypass non-outsourceable Proof-of-Work schemes if the underlying blockchain platform supports smart contracts in a sufficiently advanced language. In particular, the language should allow access to the PoW solution.

At a high level, our approach requires the miner to lock collateral covering the reward amount, protected by a smart contract that acts as an escrow. The smart contract has logic that allows the pool to collect the collateral as soon as the miner collects any block reward. We propose two variants of the approach depending on when the collateral is bound to the block solution. Using this, we show how to bypass previously proposed non-outsourceable Proof-of-Work schemes (with the notable exception of strong non-outsourceable schemes) and show how to build mining pools for such schemes.
Jan Camenisch, Manu Drijvers, Anja Lehmann, Gregory Neven, Patrick Towa
ePrint Report
Vehicle-to-vehicle (V2V) communication systems are currently being prepared for real-world deployment, but they face strong opposition over privacy concerns. Position beacon messages are the main culprit, being broadcast in cleartext and pseudonymously signed up to 10 times per second. So far, no practical solutions have been proposed to encrypt or anonymously authenticate V2V messages. We propose two cryptographic innovations that enhance the privacy of V2V communication. As a core contribution, we introduce zone-encryption schemes, where vehicles generate and authentically distribute encryption keys associated with static geographic zones close to their location. Zone encryption provides security against eavesdropping and, combined with a suitable anonymous authentication scheme, ensures that messages can only be sent by genuine vehicles, while adding only 224 bytes of cryptographic overhead to each message. Our second contribution is an authentication mechanism fine-tuned to the needs of V2V, called dynamic group signatures with attributes, which allows vehicles to authentically distribute keys. Our instantiation features unlimited locally generated pseudonyms, negligible credential download-and-storage costs, identity recovery by a trusted authority, and compact signatures of 216 bytes at a 131-bit security level.