International Association
for Cryptologic Research

This work introduces a new non-interactive key-exchange protocol, based on the hardness of the Code Equivalence Problem, a staple problem in coding theory. The protocol is modelled on the Diffie-Hellman framework. The novelty of the construction resides in the use of the code equivalence problem as the sole hardness assumption. To the best of our knowledge, our construction represents the first code-based non-interactive key-exchange protocol, and in fact, the first post-quantum scheme of this kind which is not built upon supersingular isogenies. Our scheme provides significantly better performance than its isogeny counterparts in terms of execution time (at the cost of larger keys). This performance trade-off is favorable to users in most of the cases where the bandwidth is not severely constrained.

SodsBC is an efficient, quantum-safe, and asynchronous blockchain. SodsBC uses only quantum-safe cryptographic tools and copes with at most $f$ malicious (aka Byzantine) participants, where the number of all participants $n=3f+1$. Our blockchain architecture follows the asynchronous secure multi-party computation (ASMPC) paradigm where honest participants agree on a consistent union of several block parts. Every participant proposes a block part, encrypted by a symmetric scheme, utilizing an efficient reliable broadcast protocol. The encryption key is distributed in the form of secret shares, and reconstructed after blockchain consensus. All broadcast instances are finalized by independent binary Byzantine agreement consuming continuously produced common random coins.

SodsBC continuously produces a stream of distributed secrets by asynchronous weak secret sharing batches accompanied by Merkle tree branches for future verification in the secret reconstruction. The finished secret shares are ordered in the same ASMPC architecture and combined to form random coins. Interestingly, SodsBC achieves the blockchain consensus, while the blockchain simultaneously offers an agreement on available new coins. Fresh distributed secrets also provide SodsBC with forward secrecy. Secret leakage does not affect future blocks. The SodsBC cloud prototype outperforms centralized payment systems (e.g., VISA) and state of the art asynchronous blockchains. The SodsBC extension to a permissionless blockchain is also sketched.

We study interactive proof systems (IPSes) in a strong adversarial setting where the machines of {\em honest parties} might be corrupted and under control of the adversary. Our aim is to answer the following, seemingly paradoxical, questions:

- Can Peggy convince Vic of the veracity of an NP statement, without leaking any information about the witness even in case Vic is malicious and Peggy does not trust her computer? - Can we avoid that Peggy fools Vic into accepting false statements, even if Peggy is malicious and Vic does not trust her computer?

At EUROCRYPT 2015, Mironov and Stephens-Davidowitz introduced cryptographic reverse firewalls (RFs) as an attractive approach to tackling such questions. Intuitively, a RF for Peggy/Vic is an external party that sits between Peggy/Vic and the outside world and whose scope is to sanitize Peggy's/Vic's incoming and outgoing messages in the face of subversion of her/his computer, {\em e.g.}\ in order to destroy subliminal channels.

In this paper, we put forward several natural security properties for RFs in the concrete setting of IPSes. As our main contribution, we construct efficient RFs for different IPSes derived from a large class of Sigma protocols that we call malleable.

A nice feature of our design is that it is completely transparent, in the sense that our RFs can be directly applied to already deployed IPSes, without the need to re-implement them.

Oblivious Random Access Machine (ORAM) allows a client to hide the access pattern and thus, offers a strong level of privacy for data outsourcing. An ideal ORAM scheme is expected to offer desirable properties such as low client bandwidth, low server computation overhead and the ability to compute over encrypted data. S3ORAM (CCS’17) is an efficient active ORAM scheme, which takes advantage of secret sharing to provide ideal properties for data outsourcing such as low client bandwidth, low server computation and low delay. Despite its merits, S3ORAM only offers security in the semi-honest setting. In practice, an ORAM protocol is likely to operate in the presence of malicious adversaries who might deviate from the protocol to compromise the client privacy.

In this paper, we propose MACAO, a new multi-server ORAM framework, which offers integrity, access pattern obliviousness against active adversaries, and the ability to perform secure computation over the accessed data. MACAO harnesses authenticated secret sharing techniques and tree-ORAM paradigm to achieve low client communication, efficient server computation, and low storage overhead at the same time. We fully implemented MACAO and conducted extensive experiments in real cloud platforms (Amazon EC2) to validate the performance of MACAO compared with the state-of-the-art. Our results indicate that MACAO can achieve comparable performance to S3ORAM while offering security against malicious adversaries. MACAO is a suitable candidate for integration into distributed file systems with encrypted computation capabilities towards enabling an oblivious functional data outsourcing infrastructure.

Logic locking has been proposed as strong protection of intellectual property (IP) against security threats in the IC supply chain especially when the fabrication facility is untrusted. Such techniques use additional locking circuitry to inject incorrect behavior into the digital functionality when the key is incorrect. A family of attacks known as "SAT attacks" provides a strong mathematical formulation to find the correct key of locked circuits. Many conventional SAT-resilient logic locking schemes fail to inject sufficient error into the circuit when the key is incorrect: there are usually very few (or only one) input minterms that cause any error at the circuit output. The state-of-the-art stripped functionality logic locking (SFLL) technique provides a wide spectrum of configurations that introduced a trade-off between security (i.e. SAT attack complexity) and effectiveness (i.e. the amount of error injected by a wrong key). In this work, we prove that such a trade-off is universal among all logic locking techniques. In order to attain high effectiveness of locking without compromising security, we propose a novel secure and effective logic locking scheme, called Strong Anti-SAT (SAS). SAS has the following significant improvements over existing techniques. (1) We prove that SAS's security against SAT attack is not compromised by increases in effectiveness. (2) In contrast to prior work which focused solely on the circuit-level locking impact, we integrate SAS-locked modules into an 80386 processor and show that SAS has a high application-level impact. (3) SAS's hardware overhead is smaller than that of existing techniques.

Neural networks have become increasingly prevalent in many real-world applications including security-critical ones. Due to the high hardware requirement and time consumption to train high-performance neural network models, users often outsource training to a machine-learning-as-a-service (MLaaS) provider. This puts the integrity of the trained model at risk. In 2017, Liu et. al. found that, by mixing the training data with a few malicious samples of a certain trigger pattern, hidden functionality can be embedded in the trained network which can be evoked by the trigger pattern. We refer to this kind of hidden malicious functionality as neural Trojans. In this paper, we survey a myriad of neural Trojan attack and defense techniques that have been proposed over the last few years. In a neural Trojan insertion attack, the attacker can be the MLaaS provider itself or a third party capable of adding or tampering with training data. In most research on attacks, the attacker selects the Trojan's functionality and a set of input patterns that will trigger the Trojan. Training data poisoning is the most common way to make the neural network acquire Trojan functionality. Trojan embedding methods that modify the training algorithm or directly interfere with the neural network's execution at the binary level have also been studied. Defense techniques include detecting neural Trojans in the model and/or Trojan trigger patterns, erasing the Trojan's functionality from the neural network model, and bypassing the Trojan. It was also shown that carefully crafted neural Trojans can be used to mitigate other types of attacks. We systematize the above attack and defense approaches in this paper.

Eurocrypt 2020 will take place in Zagreb, Croatia on May 10-14, 2020.

The registration site is now open. Please note that the early bird registration will end on April 10th (anywhere on earth). After that deadline, a late registration fee will be charged.

A limited number of stipends are available to those unable to obtain funding to attend the conference. Final deadline to apply is March 1st.

A number of affiliated events will take place before the main conference. More information can be found here.

We are living in an era where everything is connected, thus continuously generating, acquiring and processing a huge amount of data. Users may enjoy a diversity of assisted services, personalised applications and targeted recommendations. However, spread concerns about users' privacy are arising.

We are seeking a highly motivated PhD candidate to work in privacy-preserving algorithms and protocols. The proposed topics include (but are not limited to):

- Post-quantum privacy-enhancing techniques

- Privacy-preserving machine learning/deep learning modelling for IoT personalised applications

- Privacy-preserving computation for distributed learning.

We look favourably on applicants who can demonstrate a knowledge of cryptography, machine learning, information security and who have strong programming and mathematical skills. Within your statement, please make sure to discuss which area of research you are interested in and your academic background to support this. In the first instance, candidates can discuss applications with Dr Nesrine Kaaniche via email (n.kaaniche@sheffield.ac.uk).

Required Qualifications: Good first degree in Computer Science If English is not your first language, you must have an IELTS score (or equivalent) of 6.5 overall, with no less than 6.0 in each component.

Funding Details: The studentship will cover tuition fees at the Home/EU rate and provide an annual stipend at the standard RCUK rates for three and a half years.

Closing date for applications:

Contact: Dr. Nesrine Kaaniche (n.kaaniche@sheffield.ac.uk)

2 PhD positions are provided in College of Big Data, Taiyuan University of Technology (TYUT), China. The research topics include but not limited to: blockchain, IoT security, data security, and applied cryptography.

Taiyuan University of Technology (TYUT), which was one of the first three national universities in China, was established in 1902. TYUT now has 30960 undergraduates, 7017 postgraduates and 762 doctoral students.

Scholarship for graduates from TYUT: tuition fees will be waived, and the monthly living allowance will be provided. Scholarship and admission details can be found in the pdf file from this link: http://ciee.tyut.edu.cn/info/1016/3205.htm

Application deadline: open until the positions are filled. All successful candidates are expected to start in September 2020.

Interested applicants are advised to email the following documents to huangxin@tyut.edu.cn. (1) CV, (2) Reference letters, (3) Personal statement, (4) School transcripts, (5) Publications if possible.

Closing date for applications:

Contact: Prof. Xin Huang, Email: huangxin@tyut.edu.cn

PhD internship with research interest in cybersecurity is available in SUTD, especially on the topics of cyber-physical and IoT system security, applied cryptography and blockchain security. The attachment will be at least 3 months. Allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

Closing date for applications:

Contact: Jianying Zhou (jianying_zhou@sutd.edu.sg)

More information: http://jianying.space/

Peter L. Montgomery

Fast Software Encryption - FSE 2020 will take place in Athens, Greece in March 22-26.

Early-bird registration is open until February 26 and the detailed program will be out soon.

To register to the conference and find information concerning the venue please visit FSE 2020 webpage: https://fse.iacr.org/2020/

Send any questions to the FSE 2020 General Chair at fse2020@iacr.org.

The area of leakage resilient cryptography aims to provide proofs under the assumption that the side channel leakage of implementations behaves in a certain way, e.g., the leakage is bounded, hard-to-invert, or simulatable. On the other hand, it is often hard to show that a practical implementation has such a behavior. Moreover, these models are typically targeted exclusively towards side channel attacks and hence, other implementation attacks like fault attacks are excluded. In this paper, we provide an alternative approach that we call accumulated leakage. In our model, no a priori restriction or assumption on the leakage is made. Instead, leakage resilience bounds are expressed in terms of an accumulated gain, which is a function of the leakage obtained by an attacker. In particular, we express the accumulated gain as a function of the number of computations of a primitive using a secret that an attacker can observe, one of the major restrictions that determines whether a certain implementation attack is possible or not. Having the advantage of a scheme expressed with the help of accumulated leakage, we have two roads to go. One option is to stick to the a priori bounding made in, e.g., the bounded leakage model and put an a priori restriction on the maximum allowed leakage per primitive call. Another option is to compute the accumulated gain based on measurements a posteriori. As a proof of concept, we apply the accumulated leakage concept to a sponge-based stream encryption scheme called asakey: first, a formal leakage resilience analysis is delivered as a function of the accumulated gain, and second, leakage measurements on permutations are performed to demonstrate how the accumulated gain can be estimated a posteriori.

White-box cryptography is a software technique to protect secret keys from attackers who have access to memory for cryptographic algorithms. By adapting techniques of differential power analysis to computation traces containing runtime information such as memory accesses of the target software, Differential Computation Analysis (DCA) has been recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation has been suggested. However, each byte of the round output was not masked and just permuted by byte encodings. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptographic implementation in such a way to protect against DCA variants by obfuscating the round output with random masks. Specifically, we implement a white-box AES implementation combined with masking techniques applied to the key-dependent intermediate value and the several outer-round outputs. Our analysis and experimental results show that the proposed method can protect against DCA variants including DCA with a 2-byte key guess, collision and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES implementation.

We describe a digital signature scheme MPSign, whose security relies on the conjectured hardness of the Polynomial Learning With Errors problem (PLWE) for at least one defining polynomial within an exponential-size family (as a function of the security parameter). The proposed signature scheme follows the Fiat-Shamir framework and can be viewed as the Learning With Errors counterpart of the signature scheme described by Lyubashevsky at Asiacrypt 2016, whose security relies on the conjectured hardness of the Polynomial Short Integer Solution (PSIS) problem for at least one defining polynomial within an exponential-size family. As opposed to the latter, MPSign enjoys a security proof from PLWE that is tight in the quantum-access random oracle model.

The main ingredient is a reduction from PLWE for an arbitrary defining polynomial among exponentially many, to a variant of the Middle-Product Learning with Errors problem (MPLWE) that allows for secrets that are small compared to the working modulus. We present concrete parameters for MPSign using such small secrets, and show that they lead to significant savings in signature length over Lyubashevsky's Asiacrypt 2016 scheme (which uses larger secrets) at typical security levels. As an additional small contribution, and in contrast to MPSign (or MPLWE), we present an efficient key-recovery attack against Lyubashevsky's scheme (or the inhomogeneous PSIS problem), when it is used with sufficiently small secrets, showing the necessity of a lower bound on secret size for the security of that scheme.

We introduce Dynamic Decentralized Functional Encryption (DDFE), a generalization of Functional Encryption which allows multiple users to join the system dynamically, without relying on a trusted third party or on expensive and interactive Multi-Party Computation protocols. This notion subsumes existing multi-user extensions of Functional Encryption, such as Multi-Input, Multi-Client, and Ad Hoc Multi-Input Functional Encryption. We define and construct schemes for various functionalities which serve as building-blocks for latter primitives and may be useful in their own right, such as a scheme for dynamically computing sums in any Abelian group. These constructions build upon simple primitives in a modular way, and have instantiations from well-studied assumptions, such as DDH or LWE. Our constructions culminate in an Inner-Product scheme for computing weighted sums on aggregated encrypted data, from standard assumptions in prime-order groups in the Random Oracle Model.

We suggest an alternative method of generating groups of unknown order for constructions such as cryptographic accumulators, by using the Jacobian groups of hyperelliptic curves (especially of genus 3). We propose that this construction is more efficient in practice than other proposals such as the use of ideal class groups of imaginary quadratic fields. We suggest that both the group operation and the size of element representation is an improvement over class groups. We also offer potential parameter choices for security with respect to best current algorithms for calculating the order of these groups.

This paper introduces a new approach to reduce end-to-end costs in large-scale replicated systems built under a Byzantine fault model. Specifically, our approach transforms a given replicated state machine (RSM) to another RSM where nodes incur lower costs by delegating state machine execution: an untrusted prover produces succinct cryptographic proofs of correct state transitions along with state changes, which nodes in the transformed RSM verify and apply respectively.

To realize our approach, we build Piperine, a system that makes the proof machinery profitable in the context of RSMs. Specifically, Piperine reduces the costs of both proving and verifying the correctness of state machine execution while retaining liveness—a distinctive requirement in the context of RSMs. Our experimental evaluation demonstrates that, for a payment service, employing Piperine is more pro table than naive reexecution of transactions as long as there are $>10^4$ nodes. When we apply Piperine to ERC-20 transactions in Ethereum (a real-world RSM with up to $10^5$ nodes), it reduces per-transaction costs by $5.4\times$ and network costs by $2.7\times$.

In this work, we present:

- the first adaptively secure ABE for DFA from the k-Lin assumption in prime-order bilinear groups; this resolves one of open problems posed by Waters [CRYPTO'12];

- the first ABE for NFA from the k-Lin assumption, provided the number of accepting paths is smaller than the order of the underlying group; the scheme achieves selective security;

- the first compact adaptively secure ABE (supporting unbounded multi-use of attributes) for branching programs from the k-Lin assumption, which generalizes and simplifies the recent result of Kowalczyk and Wee for boolean formula (NC1) [EUROCRYPT'19].

Our adaptively secure ABE for DFA relies on a new combinatorial mechanism avoiding the exponential security loss in the number of states when naively combining two recent techniques from CRYPTO'19 and EUROCRYPT'19. This requires us to design a selectively secure ABE for NFA; we give a construction which is sufficient for our purpose and of independent interest. Our ABE for branching programs leverages insights from our ABE for DFA.

We present a 2-party private set intersection (PSI) protocol which provides security against malicious participants, yet is almost as fast as the fastest known semi-honest PSI protocol of Kolesnikov et al. (CCS 2016).

Our protocol is based on a new approach for two-party PSI, which can be instantiated to provide security against either malicious or semi-honest adversaries. The protocol is unique in that the only difference between the semi-honest and malicious versions is an instantiation with different parameters for a linear error-correction code. It is also the first PSI protocol which is concretely efficient while having linear communication and security against malicious adversaries, while running in the OT-hybrid model (assuming a non-programmable random oracle).

State of the art semi-honest PSI protocols take advantage of cuckoo hashing, but it has proven a challenge to use cuckoo hashing for malicious security. Our protocol is the first to use cuckoo hashing for malicious-secure PSI. We do so via a new data structure, called a probe-and-XOR of strings (PaXoS), which may be of independent interest. This abstraction captures important properties of previous data structures, most notably garbled Bloom filters. While an encoding by a garbled Bloom filter is larger by a factor of $O(\lambda)$ than the original data, we describe a significantly improved PaXoS based on cuckoo hashing that achieves constant rate while being no worse in other relevant efficiency measures.