International Association
for Cryptologic Research

At Crypto ’99, Nguyen and Stern described a lattice based algorithm for solving the hidden subset sum problem, a variant of the classical subset sum problem where the n weights are also hidden. While the Nguyen-Stern algorithm works quite well in practice for moderate values of n, we argue that its complexity is actually exponential in n; namely in the final step one must recover a very short basis of a n-dimensional lattice, which takes exponential-time in n, as one must apply BKZ reduction with increasingly large block-sizes. In this paper, we describe a variant of the Nguyen-Stern algorithm that works in polynomial-time. The first step is the same orthogonal lattice attack with LLL as in the original algorithm. In the second step, instead of applying BKZ, we use a multivariate technique that recovers the short lattice vectors and finally the hidden secrets in polynomial time. Our algorithm works quite well in practice, as we can reach n=250 in a few hours on a single PC.

We present a linear approach to analyzing security of attribute-based encryption (ABE). We use this approach to algebraically break eleven schemes: two single-authority and nine multi-authority attribute-based encryption (MA-ABE) schemes. These latter attacks illustrate that mistakes are made in transforming single-authority schemes into multi-authority ones. Our linear approach is not only useful in the analysis of existing schemes, but can also be applied during the design and verification of new schemes. As such, it can prevent the design of insecure MA-ABE schemes in the future.

Fault Template Analysis (FTA) has been shown as a powerful tool for attacking cryptosystems and exposing vulnerabilities which were previously not reported in existing literature. Fault templates can be utilized for attacking block ciphers in middle rounds which were known prior to be resistant against fault attacks. In this paper we revisit the potent of fault templates and show a more systematic methodology to develop fault templates of Boolean circuits using a well known concept in design verification, namely positive Davio's decomposition. We show that the improved FTAs, called FTA2.0, can be used to fault analyze block ciphers in the middle rounds using as few as two bit-flip faults. Further, it can be used to attack TI-implemented block ciphers by considering a Double Bit Upset (DBU) fault in a target share bit. The attack shows that varying the latency of the fault the adversary can obtain unmasked bits and can recover the secret key.

This Ph.D. thesis is offered as part of the ANR-funded 4-year research project MobiS5. The goal of MobiS5 is to provide a cryptographic toolbox for the emerging 5G technologies. More information can be found at: https://mobis5.limos.fr/index.html.

This 3-year Ph.D. thesis will focus on the two following aspects of 5G security:

• 5G Core Network security
• Delegation in the context of 5G networks

We are looking for motivated and hard-working students with a strong background in cryptography, with a degree in Mathematics, Applied Mathematics, or Computer Science (with an affinity for mathematics). Understanding of basic cryptographic primitives and protocols is a requirement. You must also have a good level of spoken and written English. A basic working knowledge of provable security and/or formal verification are a strong plus. Spoken and written French are also a plus. Interested? Here is how to apply ! https://mobis5.limos.fr/jobs.html

Closing date for applications:

Contact: Cristina Onete (maria-cristina.onete@unilim.fr) or Olivier Blazy

More information: https://mobis5.limos.fr/jobs.html

This PhD focuses on data confidentiality and side-channel information leakage analysis in mixed-signal reconfigurable SoCs. Heterogeneous computing has led to physically close mixed-signal devices combining digital processing and analog/radio modules, where digital computation noise flows to the analogue part of the chip and is amplified and transmitted by the antenna. These so-called Screaming Channels have simplified and reduced the cost of previous distant attack setups. In reconfigurable computing, heterogeneity has brought mixed-signal reconfigurable platforms, RFSoCs (Radio Frequency SoCs), adding programmable analog/RF sub-modules to the previous combination of CPUs and logic.
This PhD will study the impact that close-by digital-analog-RF domains in mixed-signal reconfigurable platforms may have on new system vulnerabilities. The thesis will focus on studying data leakage mechanisms in RFSoCs to analyze and understand potential new threats linked to their reconfigurable and mixed-signal nature as a first step to find adequate countermeasures.

The candidate must hold a Master degree in Computer/Electrical Engineering, Embedded Systems, Microelectronics, or Computer Science and demonstrate strong background in several of the following topics: Digital design with HDLs; Reconfigurable computing, FPGAs; Hardware security; Embedded systems architectures; Microelectronics/VLSI Design. Knowledge on cryptographic algorithms implementations, C/C++/Python programming and Linux/Git as development environment are highly valuable.

You will receive a 3 year PhD contract and social security coverage, subsidized meals, partial reimbursement of public transport costs, support with accommodation at the campus and access to vocational training and social, cultural and sports events and activities. Send your CV, Bachelor/Master transcripts, a motivational text and reference letter before May 10, 2020.

Closing date for applications:

Contact: Ruben Salvador: ruben (dot) salvador (at) centralesupelec (dot) fr

Side-channel attacks consist in measuring the physical activity emitted by a circuit (processor, microcontroller or cryptographic accelerator) to extract secrets. The consumption of the circuit or the electromagnetic emanation are the most commonly exploited signals. Due to the development of the Internet of Things (IoT), more and more systems are exposed to these attacks. Unfortunately, integrating countermeasures (software or hardware) against such attacks is extremely expensive. Therefore, it is essential to have an accurate idea of side-channel leakages as early as possible in the design phases. On the one hand to target countermeasures on critical areas and on the other hand to have a realistic view of leakages in order to automate the application of countermeasures. The thesis topic is the exploration of electromagnetic leakage models and different ways of interpreting them. The general objective of this work is to model the leakages of a processor based on its state at different abstraction level: Register Transfer Level (RTL), microarchitecture or even instruction set simulator (ISS). The LSOSP laboratory of CEA-LETI where the thesis will take place has a strong experience on physical measurements and has already performed preliminary research on the subject. Therefore, the candidate will start from these results and will perform physical measurements and manipulate different logic models to create a precise leakage model of the targeted processor.

Closing date for applications:

Contact: Vincent Dimper

Due to the potential threat of quantum computers, the research community is re-evaluating the security of a number of protocols and systems in widespread use. At the very least it is necessary to replace some common cryptographic building blocks with post-quantum alternatives. However, in some settings, the resulting systems may not be practical. It is therefore appropriate to reconsider, from the ground up, these protocols and systems. This PhD project will initiate a study of such protocols and systems. The project will leverage the NIST post-quantum standardization process to form a clear picture of the current state of post-quantum crypto. The project will develop new lightweight solutions for certain applications such as the internet of things (IoT).

The project will be supervised by Professor Steven Galbraith, together with other members of the Cyber Security Foundry at the University of Auckland.

Required skills and experience: Bachelor with honours, or Masters degree, in either Engineering, Computer Science or Mathematics. Good mathematical knowledge and understanding of rigorous mathematical thinking. Good knowledge of cryptography and information security. Programming skills. Good communication skills, both written and spoken.

• Duration: 3 years
• Value: International Student Fees + stipend of NZ$ 27,900 per year.
• Application deadline: 20/5/2020

Application process:

• Email your CV to Keshala De Silva, with the subject line "Application for PhD Studentship on Applications of post-quantum cryptography".
• If you have written a master thesis or similar, then please email a pdf of it.

For more information about the PhD application process at Auckland visit:

• https://www.auckland.ac.nz/en/study/study-options/find-a-study-option/mathematics/doctoral.html
• https://www.auckland.ac.nz/en/study/applications-and-admissions/apply-now.html

  Closing date for applications:

  Contact: Steven Galbraith

(Yes ! We are still hiring despite COVID-19)

The Cryptanalysis Taskforce at Nanyang Technological University in Singapore led by Prof. Jian Guo is seeking for candidates to fill 3 postdoctoral research fellow positions on symmetric-key cryptography, including but not limited to the following sub-areas:

• tool aided cryptanalysis, such as MILP, CP, STP, and SAT
• machine learning aided cryptanalysis and designs
• privacy-preserving friendly symmetric-key designs
• quantum cryptanalysis
• cryptanalysis against SHA-3 and AES

Established in 2014, the Cryptanalysis Taskforce is a group dedicated for research in symmetric-key cryptography. Since then, the team has been active in both publications in and services for IACR. It has done quite some cryptanalysis work on various important targets such as SHA-3, and is expanding its interests to the areas mentioned above, with strong funding support from the university and government agencies in Singapore. We offer competitive salary package with extremely low tax, as well as excellent environment dedicating for research in Singapore. The contract will be initially for 2 years, and has the possibility to be extended. Candidates are expected to have proven record of publications in IACR conferences. Interested candidates are to send their CV and 2 reference letters to Jian Guo. Review of applicants will start immediately until the positions are filled. More information about the Cryptanalysis Taskforce research group can be found via http://team.crypto.sg.

Closing date for applications:

Contact: Asst Prof. Jian Guo, guojian@ntu.edu.sg

More information: http://team.crypto.sg

Responsibilities

• Design and build security products for connected and autonomous vehicles.
• Research security problems and solutions related to vehicles and transportation
• Design in-vehicle security mechanisms, such as secure vehicle network communication, on-car IDS/IPS, and firewall

Qualifications

• Excellent in security fundamentals, such as network security, applied cryptography, server security, and end-point security
• In-depth knowledge of Linux kernel and OS, and network protocols (TCP/IP, HTTP, MQTT, etc.)
• Worked with Secure Boot on Arm or Aurix processors

Preferred Qualifications

• Experience with Linux kernel hardening
• Knowledge of CAN and vehicle system architecture
• Knowledge of security of various wireless technologies (such as BLE and NFC)

Closing date for applications:

Contact:

Marisela Peifer: Sr Manager, People Ops & Talent

Marisela.Peifer@nio.io

More information: https://jobs.lever.co/nio/8f29bd44-663b-4de2-b6e2-9e596495d5b9

Event date: 3 July 2020
Submission deadline: 3 July 2020

Synchronous consensus protocols, by definition, have a worst-case commit latency that depends on the bounded network delay. The notion of optimistic responsiveness was recently introduced to allow synchronous protocols to commit instantaneously when some optimistic conditions are met. In this work, we revisit this notion of optimistic responsiveness and present optimal latency results.

We present a lower bound for Byzantine Broadcast that relates the latencies of optimistic and synchronous commits when the designated sender is honest and while the optimistic commit can tolerate some faults. We then present two matching upper bounds for tolerating f faults out of n = 2f +1 parties. Our first upper bound result achieves optimal optimistic and synchronous commit latencies when the designated sender is honest and the optimistic commit can tolerate some faults. Our second upper bound result achieves optimal optimistic and synchronous commit latencies when the designated sender is honest but the optimistic commit does not tolerate any faults. The presence of matching lower and upper bound results make both of the results tight for n = 2f + 1. Our upper bound results are presented in a state machine replication setting with a steady state leader who is replaced with a view-change protocol when they do not make progress. For this setting, we also present an optimistically responsive protocol where the view-change protocol is optimistically responsive too.

Sharing a documents with a business partner is not always easy. since the sender often need to send sensitive information. and he want to ensure the integrity and the secrecy of the document. And in the same time. he wants to insure that only the specific individual or the recipients are the only one who can view it. So people tend to use some encryption software. or protecting the document with some sort of password. and then share the password with the recipient to make sure he is the only one who can view the document. But Unfortunately in many situations this method will not work. for a particular reason. and that is once the sender send an email. the email will start his journey into the company's network. and it will pass through many appliances. such Firewalls, Exchange servers and most likely Sandboxes. And there is one feature in sandboxes that we are interested in. once the sandbox sees an encrypted file or a protected file. it will immediately stop the email and quarantine it. because the sandbox couldn’t scan it. or couldn’t ensure if it’s malicious or not. so it will stop it for further analysis or a manual analysis depending on the procedures there. And such an action could stop a valid business transaction. and it could cause some business interruption. In this paper we will introduce a scheme for allowing the share of protected files. and analyzing them through Sandboxes. and in the same time no one can view it except for the authorized people.

Payment Channel Networks (PCNs) have been a promising approach to scale blockchains. However, PCNs lack liquidity, as large-amount or multi-hop payments may fail. Payment griefing is one of the identified attacks on PCNs’ liquidity, where the payee withholds the preimage in Hash Time Locked Contract. Before this payment expires, coins involved in this payment cannot be used in other payments. We introduce Bankrun attack, which exploits payment griefing to bank run PCNs. Bankrun in finance means numerous clients withdraw their money from a bank, which makes the bank insolvent and even bankrupted. In our Bankrun attack, the attacker generates sybil nodes, establishes channels with hubs in the network, makes payments between his nodes and griefs them simultaneously. If the adversary has sufficient coins, he can lock a high percentage of coins in the PCN, so that the PCN may no longer handle normal payments. We introduce a framework for launching Bankrun attacks, and develop three strategies with a focus on minimising the cost, draining important channels, and locking most amount of coins, respectively. We evaluate the effectiveness of Bankrun attacks on Bitcoin’s Lightning Network, the first and most well-known PCN. Our evaluation results show that, using channels with 1.5% richest nodes, the attacker can lock 83% of the capacity in the entire network. With connections to these nodes, an adversary with 13% (∼77 BTC) of coins in the network can lock up to 45% (∼ 267 BTC) of coins in the entire network until time out (e.g. for an entire day); reduces the success rate of payments by 23.8%∼62.7%; increases fee of payments by 3.5%∼14.0%; and increases average attempts of payments by 26.4%∼113.7%, where payments range from 100,000 to 1,900,000 satoshi (7∼135 USD).

We report on the concrete cryptanalysis of LEDAcrypt, a 2nd Round candidate in NIST's Post-Quantum Cryptography standardization process and one of 17 encryption schemes that remain as candidates for near-term standardization. LEDAcrypt consists of a public-key encryption scheme built from the McEliece paradigm and a key-encapsulation mechanism (KEM) built from the Niederreiter paradigm, both using a quasi-cyclic low-density parity-check (QC-LDPC) code.

In this work, we identify a large class of extremely weak keys and provide an algorithm to recover them. For example, we demonstrate how to recover 1 in $2^{47.72}$ of LEDAcrypt's keys using only $2^{18.72}$ guesses at the 256-bit security level. This is a major, practical break of LEDAcrypt.

Further, we demonstrate a continuum of progressively less weak keys (from extremely weak keys up to all keys) that can be recovered in substantially less work than previously known. This demonstrates that the imperfection of LEDAcrypt is fundamental to the system's design.

We present an optimization of Lagrange's algorithm for lattice basis reduction in dimension 2. The optimized algorithm is proven to be correct and to always terminate with quadratic complexity; it uses more iterations on average than Lagrange's algorithm, but each iteration is much simpler to implement, and faster. The achieved speed is such that it makes application of the speed-up on ECDSA and EC Schnorr signatures described by Antipa et al worthwhile, even for very fast curves such as Ed25519. We applied this technique to signature verification in Curve9767, and reduced verification time by 30 to 33% on both small (ARM Cortex M0+ and M4) and large (Intel Coffee Lake with AVX2) architectures.

We design a consecution of protocols which allows organizations to have secure strong access control of their users to their desktop machines based on biometry. It provides both strong secure authentication and privacy. Moreover, our mechanism allows the system admins to grant a various level of access to their end-users by fine tuning access control policy. Our system implements privacy-by-design. It separates biometric data from identity information. It is practical: we fully implemented our protocols as a proof of concept for a hospital. We use a 3D fingervein scanner to capture the biometric data of the user on a Raspberry Pi. For the biometry part, we developed an optimal way to aggregate scores using sequential distinguishers. It trades desired FAR and FRR against an average number of biometric captures.

In a quantum money scheme, a bank can issue money that users cannot counterfeit. Similar to bills of paper money, most quantum money schemes assign a unique serial number to each money state, thus potentially compromising the privacy of the users of quantum money. However in a quantum coins scheme, just like the traditional currency coin scheme, all the money states are exact copies of each other, providing a better level of privacy for the users. A quantum money scheme can be private, i.e., only the bank can verify the money states, or public, meaning anyone can verify. In this work, we propose a way to lift any private quantum coin scheme -- which is known to exist based on the existence of one-way functions, due to Ji, Liu, and Song (CRYPTO'18) -- to a scheme that closely resembles a public quantum coin scheme. Verification of a new coin is done by comparing it to the coins the user already possesses, by using a projector on to the symmetric subspace. No public coin scheme was known prior to this work. It is also the first construction that is very close to a public quantum money scheme and is provably secure based on standard assumptions. The lifting technique when instantiated with the private quantum coins scheme, due to Mosca and Stebila 2010, gives rise to the first construction that is very close to an inefficient unconditionally secure public quantum money scheme.

Computing on data in a manner that preserve the privacy is of growing importance. Secure Multi-Party Computation (MPC) and Homomorphic Encryption (HE) are two cryptographic techniques for privacy-preserving computations. In this work, we have developed efficient UC-secure multiparty protocols for matrix multiplications and two-dimensional convolutions. We built upon the SPDZ framework and integrated the state-of-the-art HE algorithms for matrix multiplication. We also optimized the zero-knowledge proofs and the ``sacrifice'' step of SPDZ to further improve efficiency. As a result, our protocol achieved communication cost linear only on the input and output dimensions and not on the number of multiplication operations. We implemented our protocols and benchmarked them against the SPDZ LowGear variant (Keller et al. Eurocrypt'18). For multiplying two square matrices of size 128, we reduced the communication cost from 1.54 GB to 12.46 MB, an improvement of over two orders of magnitude that only improves with larger matrix sizes. For evaluating all convolution layers of the ResNet-50 neural network, we reduced the communication cost from 5 TB to 41 GB.

Pointcheval-Sanders (PS) signatures are well-studied in the literature and have found use within e.g. threshold credential schemes and redactable anonymous credential schemes. The present work leverages a mapping between PS signatures and a related class of polynomial-based signatures to construct multiple new signature/credential schemes. Specifically, new protocols for multi-message signatures, sequential aggregate signatures, signatures for message commitments, redactable signatures, and unlinkable redactable signatures are presented. A redactable anonymous credential scheme is also constructed. All original protocols employ constant-sized secret keys rather than linear-sized (in the number of messages/attributes). Security properties of the new protocols are analysed and a general discussion of security properties for both PS signatures and the new schemes is provided.

Variant secret sharing schemes deriving from Shamir's threshold secret sharing protocol are presented. Results include multi-secret sharing protocols using shares with $O(1)$ elements, independent of the number of secrets. The new schemes achieve a weaker notion of security (they're secure rather than strongly secure) but maintain a property called $K$-privacy (inspired by $k$-anonymity). $K$-privacy ensures that all secrets remain private with respect to a subset of the secret space, though the particular subset providing privacy may vary among adversaries that acquire distinct sub-threshold sets of shares. Depending on the number of secrets and the protocol details, secure $K$-private multi-secret sharing schemes may be ``almost'' strongly secure or may remain merely secure and $K$-private - a difference captured by the notion of $K$-security. Novel applications of the multi-secret sharing schemes are presented, realising a primitive called a switched threshold signature. Switched threshold signatures have the quirky property that aggregating a threshold number of signatures of one type (e.g. Pointcheval-Sanders signatures) ``switches'' the signatures into a master signature of a different type. Collectively these results may permit efficiencies within, e.g., threshold credential issuance protocols.