International Association
for Cryptologic Research

Event date: 21 May 2020

In 2017, the first CHES Capture the Flag Challenge was organized in an effort to promote good design candidates for white-box cryptography. In particular, the challenge assessed the security of the designs with regard to key extraction attacks. A total of 94 candidate programs were submitted, and all of them were broken eventually. Even though most candidates were broken within a few hours, some candidates remained robust against key extraction attacks for several days, and even weeks. In this paper, we perform a qualitative analysis on all candidates submitted to the CHES 2017 Capture the Flag Challenge. We test the robustness of each challenge against different types of attacks, such as automated attacks, extensions thereof and reverse engineering attacks. We are able to classify each challenge depending on their robustness against these attacks, highlighting how challenges vulnerable to automated attacks can be broken in a very short amount of time, while more robust challenges demand for big reverse engineering efforts and therefore for more time from the adversaries. Besides classifying the robustness of each challenge, we also give data regarding their size and efficiency and explain how some of the more robust challenges could actually provide acceptable levels of security for some real-life applications.

Let $\mathcal{E}/\mathbb{F}_q$ be an elliptic curve, and $P$ a point in $\mathcal{E}(\mathbb{F}_q)$ of prime order $\ell$. Vélu's formulae let us compute a quotient curve $\mathcal{E}' = \mathcal{E}/\langle{P}\rangle$ and rational maps defining a quotient isogeny $\phi: \mathcal{E} \to \mathcal{E}'$ in $\widetilde{O}(\ell)$ $\mathbb{F}_q$-operations, where the $\widetilde{O}$ is uniform in $q$. This article shows how to compute $\mathcal{E}'$, and $\phi(Q)$ for $Q$ in $\mathcal{E}(\mathbb{F}_q)$, using only $\widetilde{O}(\sqrt{\ell})$ $\mathbb{F}_q$-operations, where the $\widetilde{O}$ is again uniform in $q$. As an application, this article speeds up some computations used in the isogeny-based cryptosystems CSIDH and CSURF.

Head mounted displays bring eye tracking into daily use and this raises privacy concerns for users. Privacy-preservation techniques such as differential privacy mechanisms are recently applied to the eye tracking data obtained from such displays; however, standard differential privacy mechanisms are vulnerable to temporal correlations in the eye movement features. In this work, a transform coding based differential privacy mechanism is proposed for the first time in the eye tracking literature to further adapt it to statistics of eye movement feature data by comparing various low-complexity methods. Fourier Perturbation Algorithm, which is a differential privacy mechanism, is extended and a scaling mistake in its proof is corrected. Significant reductions in correlations in addition to query sensitivities are illustrated, which provide the best utility-privacy trade-off in the literature for the eye tracking dataset used. The differentially private eye movement data are evaluated also for classification accuracies for gender and document-type predictions to show that higher privacy is obtained without a reduction in the classification accuracies by using proposed methods.

The Hill cipher is a classical poly-alphabetical cipher based on matrices. Although known plaintext attacks for the Hill cipher have been known for almost a century, feasible ciphertext only attacks have been developed only about ten years ago and for small matrix dimensions. In this paper we extend the ciphertext only attacks for the Hill cipher in two ways. First, we present two attacks for the affine version of the Hill cipher. Secondly, we show that the presented attacks can be extended to several modes of operations. We also provide the reader with several experimental results and show how the message's language can influence the presented attacks.

The Security & Crypto Group in the EECS Department at UC Berkeley welcomes inquiries for postdoctoral fellowships in the area of secure multi-party computation. Please send a CV to raluca.popa@berkeley.edu, and list at least three letter writers in the CV.

Closing date for applications:

Contact: raluca.popa@berkeley.edu

This work introduces novel techniques to improve the translation between arithmetic and binary data types in multi-party computation. To this end, we introduce a new approach to performing these conversions, using what we call extended doubly-authenticated bits (edaBits), which correspond to shared integers in the arithmetic domain whose bit decomposition is shared in the binary domain. These can be used to considerably increase the efficiency of non-linear operations such as truncation, secure comparison and bit-decomposition.

Our edaBits are similar to the daBits technique introduced by Rotaru et al. (Indocrypt 2019). However, our main observations are that (1) applications that benefit from daBits can also benefit from edaBits in the same way, and (2) we can generate edaBits directly in a much more efficient way than computing them from a set of daBits. Technically, the second contribution is much more challenging, and involves a novel cut and choose technique that may be of independent interest, and requires taking advantage of natural tamper-resilient properties of binary circuits that occur in our construction to obtain the best level of efficiency. Finally, we show how our edaBits can be applied to efficiently implement various non-linear protocols of interest, and we thoroughly analyze their correctness for both signed and unsigned integers.

The results of this work can be applied to any corruption threshold, although they seem best suited to dishonest majority protocols such as SPDZ. We implement and benchmark our constructions, and experimentally verify that our technique yield a substantial increase in efficiency. Our edaBits save in communication by a factor that lies between 2 and 170 for secure comparisons with respect to a purely arithmetic approach, and between 2 and 60 with respect to using daBits. Improvements in throughput per second are more subdued but still as high as a factor of 47. We also apply our novel machinery to the tasks of biometric matching and convolutional neural networks, obtaining a noticeable improvement as well.

Discrete Gaussian distributions over lattices are central to lattice-based cryptography, and to the computational and mathematical aspects of lattices more broadly. The literature contains a wealth of useful theorems about the behavior of discrete Gaussians under convolutions and related operations. Yet despite their structural similarities, most of these theorems are formally incomparable, and their proofs tend to be monolithic and written nearly "from scratch,'' making them unnecessarily hard to verify, understand, and extend.

In this work we present a modular framework for analyzing linear operations on discrete Gaussian distributions. The framework abstracts away the particulars of Gaussians, and usually reduces proofs to the choice of appropriate linear transformations and elementary linear algebra. To showcase the approach, we establish several general properties of discrete Gaussians, and show how to obtain all prior convolution theorems (along with some new ones) as straightforward corollaries. As another application, we describe a self-reduction for Learning With Errors~(LWE) that uses a fixed number of samples to generate an unlimited number of additional ones (having somewhat larger error). The distinguishing features of our reduction are its simple analysis in our framework, and its exclusive use of discrete Gaussians without any loss in parameters relative to a prior mixed discrete-and-continuous approach.

As a contribution of independent interest, for subgaussian random matrices we prove a singular value concentration bound with explicitly stated constants, and we give tighter heuristics for specific distributions that are commonly used for generating lattice trapdoors. These bounds yield improvements in the concrete bit-security estimates for trapdoor lattice cryptosystems.

We study the encryption latency of the Gimli cipher, which has recently been submitted to NIST’s Lightweight Cryptography competition. We develop two optimized hardware engines for the 24 round Gimli permutation, characterized by a total latency or 3 and 4 cycles, respectively, in a range of frequencies up to 4.5 GHz. Specifically, we utilize Intel’s 10 nm FinFET process to synthesize a critical path of 15 logic levels, supporting a depth-3 Gimli pipeline capable of computing the result of the Gimli permutation in frequencies up to 3.9 GHz. On the same process technology, a depth-4 pipeline employs a critical path of 12 logic levels and can compute the Gimli permutation in frequencies up to 4.5 GHz. Gimli demonstrates a total unrolled data path latency of 715.9 psec. Compared to our AES implementation, our fastest pipelined Gimli engine demonstrates 3.39 times smaller latency. When compared to the latency of the PRINCE lightweight block cipher, the pipelined Gimli latency is 1.7 times smaller. The paper suggests that the Gimli cipher, and our proposed optimized implementations have the potential to provide breakthrough performance for latency critical applications, in domains such as data storage, networking, IoT and gaming.

The Institut for Geoinformatics (ifgi) at the Westfälischen Wilhelms-Universität Münster is seeking candidates for this post subject to the release of the project funds by the funding agency. The three-year position is part of a joint project on the “sovereign and intuitive management of personal location information (SIMPORT)”. The project aims to develop approaches, guidelines and software components that enable users to reclaim sovereignty over their personal location information.

Detailed information about the position is available at the included link.

Closing date for applications:

Contact: Prof. Dr. Christian Kray

More information: https://www.uni-muenster.de/Rektorat/Stellen/ausschreibungen/st_20201303_sk6.html

Responsibilities include but are not limited to conducting research in the areas of homomorphic encryption, post-quantum cryptography, privacy-preserving mechanisms applied to machine learning, and security proofs, and building software prototypes to demonstrate the feasibility of technical solutions. The ideal candidate will initiate and organize the design, development, execution, implementation, documentation and feasibility studies of scientific research projects to fuel SHIELD’s growth in secure computing and cloud product concepts and new business opportunities. They will also pioneer substantial new knowledge of state-of-the-art principles and theories, contribute to scientific literature and conferences, and participate in the development of intellectual property. Required Abilities: 1) Highly competent in interpersonal communication. 2) A self-starter with initiative and a strong drive to identify and resolve technical issues. 3) Able to clearly explain complex concepts and take the lead in team decision-making. Qualifications: 1) PhD in cryptography. 2) One or more publications on cryptography in a top-tier, peer-reviewed conference/journal. 3) Deep expertise in the state-of-the-art of partially-, somewhat-, and fully homomorphic encryption; experience implementing prototypes is a strong asset. 4) Thorough understanding of lattice-based cryptography, including the underlying security problems, parameter selection, implementation, and side-channel resistance. 5) Skill in developing software prototypes in any of the following programming languages: C++, C, Python, Go or Rust. Preferred Qualifications: 1) Familiarity with other post-quantum cryptography families (e.g. hash-based signatures, code-based, isogeny or multivariate quadratic cryptography). 2) Familiarity with the application of privacy-preserving cryptographic techniques to machine learning. 3) Familiarity with highly regulated industries, such as banking, government, and/or health care. For immediate consideration, please submit your CV/resume and transcripts to careers(at)shieldcrypto.com and include “Cryptographer” in the subject line.

Closing date for applications:

Contact: Alhassan Khedr (CTO)

The chair of Security Engineering at Horst Görtz Institute for IT-Security (HGI) at Ruhr University Bochum (Germany) has openings for a post-doc position. We are looking for outstanding candidate with strong background in Electrical/Computer Engineering, and/or Cryptography. The available position is fully funded for two years with possible extensions depending on the candidate's performance. In addition to the usual computer and electrical engineering background, the candidate is expected to be familiar with side-channel analysis attacks, and be able to deal with FPGAs & hardware designs, e.g., VHDL/verilog, which is essential for the project. The candidate should show strong publication records, at least a publication in venues like CHES, EUROCRYPT, ASIACRYPT, CRYPTO, DATE & DAC.
Please send your application via e-mail as a single pdf containing a CV, list of publications, and copies of transcripts and certificates.

Closing date for applications:

Contact: amir (dot) moradi (at) rub (dot) de

The PCI Standards Council (PCI SCSC) was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. who share equally in governance and execution of the organisation’s work. Its stated aim is to bring payments industry stakeholders together to develop and drive adoption of data security standards and resources for safe payments worldwide. PCI SSC mandates in the PIN Security Requirements and Testing Procedures: V3 2018 that to achieve “Control Objective 5: Keys are used in a manner that prevents or detects their unauthorised usage”, that “Encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods.” This is PIN Security Requirement 18-3, which further details three acceptable methods of implementing this requirement but also states that these methods are not an exhaustive list. The Australian payments industry does not use key blocks to manage the symmetric keys used as PIN Encrypting Keys (PEK). The question of which other methods are acceptable has been raised, which has resulted in a PCI FAQ. The latest version of which is in the publicly available document PCI PTS PIN Security Requirements, Technical FQAs V3, February 2020, FAQ 27, and requires an independent expert to assess the equivalency of other methods. PCI has also produced several blogs on the case for key blocks and two Informational Supplements, PCI PTS PIN: Cryptographic Key Blocks June 2017 and PCI PIN Security Requirement: PIN Security Requirement 18-3 Key Blocks: June 2019. AusPayNet is seeking to engage an independent expert, who meets the requirements set out by PCI in the PIN Security FAQ 27. This expert must assess the Australian PEK key management methodologies and determine if they provide equivalent levels of protection that prevent or detect their unauthorised usage, as compared to key blocks. AusPayNet is seeking to have the work completed in Q2 2020. For more information or to provide a copy of your CV and some indicative costs.

Closing date for applications:

Contact: Arthur Van Der Merwe - avande22@myune.edu.au

1. Overall introduction. There are three Ph.D. position openings (full scholarship, tuition & very competitive stipend) at Dr. Jiafeng Harvest Xie's Security & Cryptography (SAC) Lab for the Fall of 2020, located at the Department of Electrical and Computer Engineering of Villanova University (PA, USA).

2. Research area. Post quantum cryptography hardware, fault detection/attack, and cryptanalysis.

3. Qualification. Preferred to have research experience in the areas of cryptographic engineering, fault detection, cryptanalysis, and VLSI design. Students from electrical/computer engineering, computer science, and cryptography (applied mathematics) or other related majors are WARMLY welcome! Programming skills such as HDL, C++, Python will be more favorable.

4. Application process. Interested students can directly send the CV/resume to Dr. Jiafeng Harvest Xie's email: jiafeng.xie@villanova.edu.

5. Application information. The detailed application requirement is available at https://www1.villanova.edu/villanova/engineering/grad/admission/departmentalRequirements.html

6. Additional information. Villanova University is a private research university located in Radnor Township, a suburb northwest of Philadelphia, Pennsylvania. U.S. News & World Report ranks Villanova as tied for the 46th best National University in the U.S. for 2020.

7. PI introduction. Dr. Jiafeng Harvest Xie is currently an Assistant Professor at the Department of Electrical and Computer Engineering of Villanova University. His research interests include cryptographic engineering, hardware security, and VLSI digital design. He is the Best Paper Awardee of IEEE HOST 2019. He is also the Associate Editor for Microelectronics Journal, IEEE Access, and IEEE Trans. Circuits and Systems II.

Closing date for applications:

Contact: Dr. Jiafeng Harvest Xie, email: jiafeng.xie@villanova.edu

The Network and Information Security Group is currently looking for up to 2 motivated and talented researchers (Postdoctoral Researchers) to contribute to research projects related to applied cryptography, security and privacy. The successful candidates will be working on the following topics (but not limited to):

• Searchable Encryption and data structures enabling efficient search operations on encrypted data;
• Restricting the type of access given when granting access to search over one's data;
• Processing of encrypted data in outsourced and untrusted environments;
• Applying encrypted search techniques to SGX environments;
• Revocable Attribute-Based Encryption schemes and their application to cloud services;
• Functional Encryption;
• Privacy-Preserving Analytics;
• IoT Security.

Programming skills is a must.

The positions are strongly research-focused. Activities include conducting both theoretical and applied research, design of secure and/or privacy-preserving protocols, software development and validation, reading and writing scientific articles, presentation of the research results at seminars and conferences in Finland and abroad, acquiring (or assisting in acquiring) further funding.

Closing date for applications:

Contact: Antonis Michalas

Traditional Blockchain Sharding approaches can only tolerate up to n/3 of nodes being adversary because they rely on the hypergeometric distribution to make a failure (an adversary does not have n/3 of nodes globally but can manipulate the consensus of a Shard) hard to happen. The system must maintain a large Shard size (the number of nodes inside a Shard) to sustain the low failure probability so that only a small number of Shards may exist. In this paper, we present a new approach of Blockchain Sharding that can withstand up to n/2 of nodes being bad. We categorise the nodes into different classes, and every Shard has a fixed number of nodes from different classes. We prove that this design is much more secure than the traditional models (only have one class) and the Shard size can be reduced significantly. In this way, many more Shards can exist, and the transaction throughput can be largely increased. The improved Blockchain Sharding approach is promising to serve as the foundation for decentralised autonomous organisations and decentralised database.

We consider $n$-bit permutations with differential uniformity of 4 and null nonlinearity. We first show that the inverses of Gold functions have the interesting property that one component can be replaced by a linear function such that it still remains a permutation. This directly yields a construction of 4-uniform permutations with trivial nonlinearity in odd dimension. We further show their existence for all $n = 3$ and $n \geq 5$ based on a construction in [1]. In this context, we also show that 4-uniform 2-1 functions obtained from admissible sequences, as defined by Idrisova in [8], exist in every dimension $n = 3$ and $n \geq 5$. Such functions fulfill some necessary properties for being subfunctions of APN permutations. Finally, we use the 4-uniform permutations with null nonlinearity to construct some 4-uniform 2-1 functions from $\mathbb{F}_2^n$ to $\mathbb{F}_2^{n-1}$ which are not obtained from admissible sequences. This disproves a conjecture raised by Idrisova.

Linkable ring signature (LRS) plays a major role in the Monero-type cryptocurrencies, as it provides the anonymity of initiator and the prevention of double spending in transactions. In this paper, we propose SLRS: a simpler and modular construction of linkable ring signature scheme, which only use standard ring signature as component, without any additional one-time signatures or zero-knowledge proofs. SLRS is more efficient than existing schemes in both generation and verification. Moreover, we use SLRS to construct an efficient and compact position-preserving linkable multi-ring signature to support application in Monero-type cryptocurrencies. We also give the security proofs, implementation as well as the performance comparisons between SLRS, Ring-CT and Ring-CT 3.0 in size and efficiency.

Proof of Work is a prevalent mechanism to prove investmentof time in blockchain projects. However the use of massive parallelismand specialized hardware gives an unfair advantage to a small portion ofnodes and raises environmental and economical concerns. In this paperwe provide an implementation study of two Verifiable Delay Functions, anew cryptographic primitive achieving Proof of Work goals in an unpar-allelizable way. We provide simulation results and an optimization basedon a multiexponentiation algorithm.

In the modified CTR (CounTeR) mode known as CTR2, nonces are encrypted before constructing sequences of counters from them. This way we have only probabilistic guarantees for non-overlapping of the sequences. We show that these guarantees, and therefore the security guarantees of CTR2, are strong enough in two standard scenarios: random nonces and non-repeating nonces. We also show how to extend CTR2 to an authenticated encryption mode which we call CHE (Counter-Hash-Encrypt). To extend, we use one invocation of polynomial hashing and one additional block encryption.