International Association for Cryptologic Research

IACR News

27 April 2020

CEA-LETI (Grenoble, France)
Job Posting
As a consequence of the rapid development of the Internet of Things (IoT), where devices are massively interconnected, security breaches are discovered daily. The growing threat of physical attacks, to which connected objects are widely exposed, forces chipmakers to increase the security of their products. True Random Number Generators (TRNGs) are the cornerstone of device security; they are required for running cryptographic algorithms and are fully integrated into encryption engines. The security level of the system directly depends on the randomness of the bits generated. Furthermore, IoT chips face harsh constraints in terms of price and power consumption. In order to be integrated into these chips, TRNGs must offer an efficient tradeoff between cost and security. In this perspective, TRNGs based on already integrated components, such as RRAM memories, are a promising lead.

Closing date for applications:

Contact: Florian Pebay-Peyroula

CEA-LETI
Job Posting
This study focuses on the security of embedded systems, and in particular of asymmetric cryptography, against horizontal attacks and Template attacks. Recent studies, applied to symmetric cryptography, have made it possible to build new techniques for side channel attacks. By improving the effectiveness of Template attacks, these new attacks make it easier to bypass masking countermeasures. It seems appropriate to study these new tools in depth in the context of Template and horizontal attacks against asymmetric cryptography, especially for elliptic curves, as well as the use of machine learning in the context of side channel attacks. The main purpose of the thesis is to evaluate the security properties of ECCs against the most advanced Template and Horizontal attacks that use machine learning. Depending on the results obtained, new countermeasures will have to be constructed in order to address any new weaknesses.

Closing date for applications:

Contact: Antoine Loiseau

Inria Lille, France
Job Posting
Since its inception, the web has grown substantially and websites have turned into rich client-side experiences customized for the user, where third parties supply a considerable amount of content. The increasing reliance on third parties has brought a number of privacy issues to the web, with web tracking being at the top of that list. With cookies and browser fingerprinting, users are on the losing side of privacy as they can be tracked across the domains they are visiting. To regain control, browser vendors like Mozilla and Apple have added to their own browsers a tracking protection mechanism (called Enhanced Tracking Protection for Firefox and Intelligent Tracking Protection for Safari) aimed at preventing tracking on the web. Yet, essential functionality of a website is sometimes so intertwined with tracking code that using these protective mechanisms can transitively “break” a webpage. We define “page breakage” as an undesirable behavior on a webpage; it includes, but is not limited to, page slowdowns, page freezes, page crashes, page errors and page display issues. In order to push online privacy forward, there is a real need today to properly identify and block tracking entities on the web without the current usability costs associated with it.

Closing date for applications:

Contact: Pierre Laperdrix

More information: https://amiunique.org/phd-proposal-blocking.pdf

TU Darmstadt, Germany
Job Posting
We are looking for outstanding Post doctoral researchers working on topics related to cryptography and IT Security.

Current topics of interest include (but are not limited to):
  • Secure cryptographic implementations
  • Leakage/tamper resilient cryptography
  • Blockchains and cryptocurrencies
  • Distributed cryptography
The application must include a curriculum vitae, a short research statement, and the names of 2 contacts who can provide references about the applicant and her/his work. The candidate shall be able to show solid expertise in cryptography/IT Security, illustrated in the form of publications at major crypto/security venues such as CRYPTO, EUROCRYPT, ASIACRYPT, TCC, PKC, CHES, FC, ACM CCS, Oakland, USENIX Security, NDSS, etc.

The position offers an internationally competitive salary including social benefits. TU Darmstadt offers an excellent working environment in the heart of the Rhein-Main area, and has a strong institute for research on IT security with more than 300 researchers working on all aspects of cybersecurity.

Review of applications starts immediately until the position is filled.

Closing date for applications:

Contact: Sebastian Faust, sebastian@cs.tu-darmstadt.de


24 April 2020

Dates: 11-15 May 2020
Announcement

The website for Eurocrypt 2020 has been revised with information about the upcoming virtual conference on May 11-15. Registration is now open, and further details will appear in the days to come.

This will be the first virtual conference by IACR, and the only cost for attendees will be the IACR membership fee if you haven't already paid it this year.

Fabio Campos, Tim Kohlstadt, Steffen Reith, Marc Stoettinger
ePrint Report
Stateful hash-based signature schemes are among the most efficient approaches for post-quantum signature schemes. Although not suitable for general use, they may be suitable for some use cases on constrained devices. LMS and XMSS are hash-based signature schemes that are conjectured to be quantum secure. In this work, we compared multiple instantiations of both schemes on an ARM Cortex-M4. More precisely, we compared performance, stack consumption, and other figures for key generation, signing and verifying. To achieve this, we evaluated LMS and XMSS using optimised implementations of SHA-256, SHAKE256, Gimli-Hash, and different variants of Keccak. Furthermore, we present slightly optimised implementations of XMSS achieving speedups of up to 3.11x for key generation, 3.11x for signing, and 4.32x for verifying.
Kari Kostiainen, Aritra Dhar, Srdjan Capkun
ePrint Report
Secure enclave architectures have become prevalent in modern CPUs and enclaves provide a flexible way to implement various hardware-assisted security services. But special-purpose security chips can still have advantages. Interestingly, dedicated security chips can also assist enclaves and improve their security.
Konstantinos Chalkias, Kevin Lewi, Payman Mohassel, Valeria Nikolaenko
ePrint Report
Distributed Auditing Proofs of Liabilities (DAPOL) provides a novel zero knowledge proof solution to a particular class of auditing cases, in which we assume that the audited entity does not have any incentive to increase its liabilities or obligations. There are numerous domains requiring such an auditing feature, including proving financial solvency, transparent fundraising campaigns and accurate lottery jackpot amounts. Additionally, the algorithm provides a solution for official reports, such as COVID-19 published daily cases, unemployment rate announcements and decentralized product/service rating reviews. Interestingly, it can also be used as a cryptographic primitive for novel e-voting systems (i.e., disapproval voting and counting dislikes), and for innovative private syndicated loan/insurance solutions, new methods for decentralized credit scoring and user ranking, among others.

Compared to conventional auditor-based approaches, DAPOL provides a privacy preserving mechanism for users to validate their vote or amount inclusion in the reported total of liabilities/obligations and complements the traditional validation performed by the auditors by adding extra privacy and fairness guarantees. The recommended approach combines previously known cryptographic techniques to provide a layered solution with predefined levels of privacy in the form of gadgets. The backbone of this proposal is based on the enhanced Maxwell Merkle-tree construction and is extended using zero knowledge proofs, sparse trees, balance splitting tricks, efficient padding, verifiable random functions, deterministic key derivation functions and the range proof techniques from Provisions and ZeroLedge solvency protocols, respectively.
Zhenzhen Bao, Xiaoyang Dong, Jian Guo, Zheng Li, Danping Shi, Siwei Sun, Xiaoyun Wang
ePrint Report
The Meet-in-the-Middle (MITM) preimage attack is highly effective in breaking the preimage resistance of many hash functions, including but not limited to the full MD5, HAVAL, and Tiger, and reduced SHA-0/1/2. It was also shown to be a threat to hash functions built on block ciphers like AES by Sasaki in 2011. Recently, such attacks on AES hashing modes evolved from merely using the freedom of choosing the internal state to also exploiting the freedom of choosing the message state. However, detecting such attacks, especially the evolved variants, is difficult. In previous works, the search space of the configurations of such attacks is limited, such that manual analysis is practical, which results in sub-optimal solutions. In this paper, we remove artificial limitations in previous works, formulate the essential ideas of the construction of the attack in well-defined ways, and translate the problem of searching for the best attacks into optimization problems under constraints in Mixed-Integer Linear Programming (MILP) models. The MILP models capture a large solution space of valid attacks, and the objective is to find the optimal one. With such MILP models and an off-the-shelf solver, it is efficient to search for the best attacks exhaustively. As a result, we obtain the first attacks against the full (5-round) and an extended (5.5-round) version of Haraka-512 v2 and 8-round AES-128 hashing modes, as well as improved attacks covering more rounds of Haraka-256 v2 and other members of AES and Rijndael hashing modes.
Pantea Kiaei, Darius Mercadier, Pierre-Evariste Dagand, Karine Heydemann, Patrick Schaumont
ePrint Report
The design of software countermeasures against active and passive adversaries is a challenging problem that has been addressed by many authors in recent years. The proposed solutions adopt a theoretical foundation (such as a leakage model) but often do not offer concrete reference implementations to validate the foundation. Contributing to the experimental dimension of this body of work, we propose a customized processor called SKIVA that supports experiments with the design of countermeasures against a broad range of implementation attacks. Based on bitslice programming and recent advances in the literature, SKIVA offers a flexible and modular combination of countermeasures against power-based and timing-based side-channel leakage and fault injection. Multiple configurations of side-channel protection and fault protection enable the programmer to select the desired number of shares and the desired redundancy level for each slice. Recurring and security-sensitive operations are supported in hardware through custom instruction-set extensions. The new instructions support bitslicing, secret-share generation, redundant logic computation, and fault detection. We demonstrate and analyze multiple versions of AES from a side-channel analysis and a fault-injection perspective, in addition to providing a detailed performance evaluation of the protected designs. To our knowledge, this is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure.
Pantea Kiaei, Patrick Schaumont
ePrint Report
An important selling point for the RISC-V instruction set is the separation between the ISA and the implementation of the ISA, leading to flexibility in the design. We argue that for secure implementations, this flexibility is often a vulnerability. With a hardware attacker, the side-effects of instruction execution cannot be ignored. As a result, a strict separation between the ISA interface and implementation is undesirable. We suggest that a secure ISA may require additional implementation constraints. As an example, we describe an instruction set for the development of power side-channel resistant software.
Fabrice Benhamouda, Craig Gentry, Sergey Gorbunov, Shai Halevi, Hugo Krawczyk, Chengyu Lin, Tal Rabin, Leo Reyzin
ePrint Report
Blockchains are gaining traction and acceptance, not just for cryptocurrencies but increasingly as a general-purpose architecture for distributed computing. In this work we seek solutions that allow a blockchain to act as a trusted long-term repository of secret information: Our goal is to deposit a secret with the blockchain and specify how to use it (e.g., the conditions under which it is released), and have the blockchain keep this information secret and use it only in the requested manner (e.g., only release it once the conditions are met). This simple functionality would be an enabler for many powerful applications, including signing statements on behalf of the blockchain, using blockchain as the control plane for a storage system, performing decentralized program-obfuscation-as-a-service, and many more.

We present a scalable solution for implementing this functionality on a public proof-of-stake blockchain, in the presence of a mobile adversary controlling a small minority of the stake, using proactive secret sharing techniques. The main challenge is that, on the one hand, scalability requires that we use small committees to represent the entire stake, but, on the other hand, a mobile adversary may be able to corrupt the entire committee if it is small. For this reason, prior proactive secret sharing solutions are either non-scalable or insecure in our setting.

We solve this issue using "player replaceability", where the committee is anonymous until after it performs its actions, as in the Algorand blockchain. (Algorand uses player replaceability to defend against DDoS attacks.) Our main technical contribution is a system that allows sharing and re-sharing of secrets among the members of small dynamic committees, without knowing who they are until after they perform their actions. Our solution handles a fully mobile adversary corrupting less than 25% of the stake at any time, and is scalable in terms of both the number of parties on the blockchain and the number of time intervals.
Xiaoning Liu, Bang Wu, Xingliang Yuan, Xun Yi
ePrint Report
The advances in machine learning have revealed its great potential for emerging mobile applications such as face recognition and voice assistants. Models trained via a Neural Network (NN) can offer accurate and efficient inference services for mobile users. Unfortunately, the current deployment of such services encounters privacy concerns. Directly offloading the model to the mobile device violates the model privacy of the model owner, while feeding user input to the service compromises user privacy. To address this issue, we propose, tailor, and evaluate Leia, a lightweight cryptographic NN inference system at the edge. Unlike prior cryptographic NN inference systems, Leia is designed with two mobile-friendly perspectives. First, Leia leverages the paradigm of edge computing, wherein the inference procedure keeps the model closer to the mobile user to foster low latency service. Specifically, Leia's architecture consists of two non-colluding edge services to obliviously perform NN inference on the encoded user data and model. Second, Leia's realization makes judicious use of the potentially constrained computational and communication resources in edge devices. In particular, Leia adapts the Binarized Neural Network (BNN), a trending flavor of NN model with low memory footprint and computational cost, and purely chooses lightweight secret sharing techniques to develop secure blocks of BNN. Empirical validation executed on Raspberry Pi confirms the practicality of Leia, showing that Leia can produce a prediction result with 97% accuracy within 4 seconds in the edge environment.
Ido Shahaf, Or Ordentlich, Gil Segev
ePrint Report
Motivated by a fundamental paradigm in cryptography, we consider a recent variant of the classic problem of bounding the distinguishing advantage between a random function and a random permutation. Specifically, we consider the problem of deciding whether a sequence of q values was sampled uniformly with or without replacement from [N], where the decision is made by a streaming algorithm restricted to using at most s bits of internal memory. In this work, the distinguishing advantage of such an algorithm is measured by the KL divergence between the distributions of its output as induced under the two cases. We show that for any s = Ω(log N) the distinguishing advantage is upper bounded by O(q·s/N), and even by O(q·s/(N log N)) when q ≤ N^(1−ε) for any constant ε > 0, where it is nearly tight with respect to the KL divergence.
Jean-Sébastien Coron, Agnese Gini
ePrint Report
At Crypto ’99, Nguyen and Stern described a lattice-based algorithm for solving the hidden subset sum problem, a variant of the classical subset sum problem where the n weights are also hidden. While the Nguyen-Stern algorithm works quite well in practice for moderate values of n, we argue that its complexity is actually exponential in n; namely, in the final step one must recover a very short basis of an n-dimensional lattice, which takes exponential time in n, as one must apply BKZ reduction with increasingly large block sizes. In this paper, we describe a variant of the Nguyen-Stern algorithm that works in polynomial time. The first step is the same orthogonal lattice attack with LLL as in the original algorithm. In the second step, instead of applying BKZ, we use a multivariate technique that recovers the short lattice vectors and finally the hidden secrets in polynomial time. Our algorithm works quite well in practice, as we can reach n=250 in a few hours on a single PC.
Marloes Venema, Greg Alpár
ePrint Report
We present a linear approach to analyzing security of attribute-based encryption (ABE). We use this approach to algebraically break eleven schemes: two single-authority and nine multi-authority attribute-based encryption (MA-ABE) schemes. These latter attacks illustrate that mistakes are made in transforming single-authority schemes into multi-authority ones. Our linear approach is not only useful in the analysis of existing schemes, but can also be applied during the design and verification of new schemes. As such, it can prevent the design of insecure MA-ABE schemes in the future.
Debdeep Mukhopadhyay
ePrint Report
Fault Template Analysis (FTA) has been shown to be a powerful tool for attacking cryptosystems and exposing vulnerabilities which were previously not reported in the existing literature. Fault templates can be utilized for attacking block ciphers in middle rounds, which were previously known to be resistant against fault attacks. In this paper we revisit the potential of fault templates and show a more systematic methodology to develop fault templates of Boolean circuits using a well known concept in design verification, namely positive Davio decomposition. We show that the improved FTAs, called FTA2.0, can be used to fault analyze block ciphers in the middle rounds using as few as two bit-flip faults. Further, it can be used to attack TI-implemented block ciphers by considering a Double Bit Upset (DBU) fault in a target share bit. The attack shows that by varying the latency of the fault, the adversary can obtain unmasked bits and can recover the secret key.

22 April 2020

XLIM, University of Limoges (France)
Job Posting

This Ph.D. thesis is offered as part of the ANR-funded 4-year research project MobiS5. The goal of MobiS5 is to provide a cryptographic toolbox for the emerging 5G technologies. More information can be found at: https://mobis5.limos.fr/index.html.


This 3-year Ph.D. thesis will focus on the two following aspects of 5G security:

  • 5G Core Network security
  • Delegation in the context of 5G networks
We are looking for motivated and hard-working students with a strong background in cryptography, with a degree in Mathematics, Applied Mathematics, or Computer Science (with an affinity for mathematics). Understanding of basic cryptographic primitives and protocols is a requirement. You must also have a good level of spoken and written English. A basic working knowledge of provable security and/or formal verification is a strong plus. Spoken and written French are also a plus. Interested? Here is how to apply: https://mobis5.limos.fr/jobs.html

Closing date for applications:

Contact: Cristina Onete (maria-cristina.onete@unilim.fr) or Olivier Blazy

More information: https://mobis5.limos.fr/jobs.html


21 April 2020

CentraleSupélec - INSA, Institute of Electronics & Telecommunications of Rennes (IETR), France
Job Posting
This PhD focuses on data confidentiality and side-channel information leakage analysis in mixed-signal reconfigurable SoCs. Heterogeneous computing has led to physically close mixed-signal devices combining digital processing and analog/radio modules, where digital computation noise flows to the analogue part of the chip and is amplified and transmitted by the antenna. These so-called Screaming Channels have simplified and reduced the cost of previous distant attack setups. In reconfigurable computing, heterogeneity has brought mixed-signal reconfigurable platforms, RFSoCs (Radio Frequency SoCs), adding programmable analog/RF sub-modules to the previous combination of CPUs and logic.
This PhD will study the impact that close-by digital-analog-RF domains in mixed-signal reconfigurable platforms may have on new system vulnerabilities. The thesis will focus on studying data leakage mechanisms in RFSoCs to analyze and understand potential new threats linked to their reconfigurable and mixed-signal nature as a first step to find adequate countermeasures.

The candidate must hold a Master's degree in Computer/Electrical Engineering, Embedded Systems, Microelectronics, or Computer Science and demonstrate a strong background in several of the following topics: Digital design with HDLs; Reconfigurable computing, FPGAs; Hardware security; Embedded systems architectures; Microelectronics/VLSI Design. Knowledge of cryptographic algorithm implementations, C/C++/Python programming, and Linux/Git as a development environment is highly valuable.

You will receive a 3-year PhD contract and social security coverage, subsidized meals, partial reimbursement of public transport costs, support with accommodation on campus, and access to vocational training and social, cultural and sports events and activities. Send your CV, Bachelor/Master transcripts, a motivational text and a reference letter before May 10, 2020.

Closing date for applications:

Contact: Ruben Salvador: ruben (dot) salvador (at) centralesupelec (dot) fr

CEA-LETI, Grenoble, France
Job Posting
Side-channel attacks consist in measuring the physical activity emitted by a circuit (processor, microcontroller or cryptographic accelerator) to extract secrets. The consumption of the circuit or its electromagnetic emanation are the most commonly exploited signals. Due to the development of the Internet of Things (IoT), more and more systems are exposed to these attacks. Unfortunately, integrating countermeasures (software or hardware) against such attacks is extremely expensive. Therefore, it is essential to have an accurate idea of side-channel leakages as early as possible in the design phases: on the one hand, to target countermeasures on critical areas, and on the other hand, to have a realistic view of leakages in order to automate the application of countermeasures. The thesis topic is the exploration of electromagnetic leakage models and different ways of interpreting them. The general objective of this work is to model the leakages of a processor based on its state at different abstraction levels: Register Transfer Level (RTL), microarchitecture or even instruction set simulator (ISS). The LSOSP laboratory of CEA-LETI, where the thesis will take place, has strong experience with physical measurements and has already performed preliminary research on the subject. Therefore, the candidate will start from these results and will perform physical measurements and manipulate different logic models to create a precise leakage model of the targeted processor.

Closing date for applications:

Contact: Vincent Dimper
