International Association
for Cryptologic Research

Collective coin-tossing allows $n$ processors with private randomness sources to agree on a common public coin. Without loss of generality, one can assume that the output is in the set $\{0,1\}$, and the expected output of a coin-tossing protocol is $X$. The objective of a coin-tossing protocol is to be robust to adversarial interventions. In this paper, we study Byzantine adversaries who can arbitrarily set the messages of the corrupted processors.

Historically, the study of coin-tossing protocols, with the introduction of even the mildest of variations in its setting, tends to yield surprising and exciting outcomes. We know several optimal or asymptotically optimal protocols like tribes, baton passing, and threshold protocols. Incidentally, there are several variants of coin-tossing where the majority protocol (or, more generally, the threshold protocols) turn out to be asymptotically optimal. In this work, we consider coin-tossing protocols in two security models and study the susceptibility of the optimal coin-tossing protocols in those settings to adversarial attacks.

In the first model, there are $n$ processors and processor $i$ broadcasts her uniformly and independently random message $x_i\in\{0,1\}$. The processors apply a function $f_n\colon\{0,1\}^n\to\{0,1\}$ to the broadcast messages and agree on their common output $f_n(x_1,\dotsc,x_n)$. After all the processors broadcast their messages, the adversary may corrupt at most $t$ processors and change their messages arbitrarily. The optimal protocol minimizes the change in the expected output that this adversary causes. We reduce this problem to an isoperimetric inequality over the boolean hypercube and demonstrate that the threshold protocols are the optimal protocols.

In the second model, at time $i$, processor $i$ broadcasts her message $x_i$, and her message distribution possibly depends on the previously broadcast messages. We consider an adversary who can take control of one processor and change her message arbitrarily. In this case, we prove that the threshold protocols are asymptotically optimal.

We propose a lattice-based zero-knowledge proof system for exactly proving knowledge of a ternary solution $\vec{s} \in \{-1,0,1\}^n$ to a linear equation $A\vec{s}=\vec{u}$ over $\mathbb{Z}_q$, which produces proofs that are $7.5\times$ shorter than the state-of-the-art result by Bootle, Lyubashevsky and Seiler (CRYPTO 2019).

At the core lies a technique that utilizes the module-homomorphic BDLOP commitment scheme (SCN 2018) over the fully splitting cyclotomic ring $\mathbb{Z}_q[X]/(X^d + 1)$ to prove scalar products with the NTT vector of a secret polynomial.

We construct a practical lattice-based zero-knowledge argument for proving multiplicative relations between committed values. The underlying commitment scheme that we use is the currently most efficient one of Baum et al. (SCN 2018), and the size of our multiplicative proof ($8$KB) is only slightly larger than the $7$KB required for just proving knowledge of the committed values. We additionally expand on the work of Lyubashevsky and Seiler (Eurocrypt 2018) by showing that the above-mentioned result can also apply when working over rings $\mathbb{Z}_q[X]/(X^d+1)$ where $X^d+1$ splits into low-degree factors, which is a desirable property for many applications (e.g. range proofs, multiplications over $\mathbb{Z}_q$) that take advantage of packing multiple integers into the NTT coefficients of the committed polynomial.

It is known that attackers can exfiltrate data from air-gapped computers through their speakers via sonic and ultrasonic waves. To eliminate the threat of such acoustic covert channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less systems are considered to be \textit{audio-gapped}, and hence immune to acoustic covert channels.

In this paper, we introduce a technique that enable attackers leak data acoustically from air-gapped and audio-gapped systems.

Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities. The malicious code manipulates the internal \textit{switching frequency} of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24khz and playing audio streams (e.g., WAV) from a computer power supply without the need for audio hardware or speakers. Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g., smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all. We provide technical background and discuss implementation details such as signal generation and data modulation. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need any hardware access or special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive data can be exfiltrated from air-gapped and audio-gapped systems from a distance of five meters away at a maximal bit rates of 50 bit/sec.

In this paper,we investigate the security of binary secret LearningWithError (LWE). To do so, we improve the classical dual lattice attack. More precisely, we use the dual attack on a projected sublattice, which allows to generate instances of the LWE problem with a slightly bigger noise that correspond to a fraction of the secret key. Then, we search for the fraction of the secret key by computing the corresponding noise for each candidate using the constructed LWE samples. As secrets are binary vectors, we can perform the search step very efficiently by exploiting the re- cursive structure of the search space. This approach offers a trade-off between the cost of lattice reduction and the complexity of the search part which allows to speed up the attack. As an ap- plication we revisit the security estimates of the Fast Fully Homomorphic Encryption scheme over the Torus (TFHE) which is one of the fastest homomorphic encryption schemes based on the LWE problem. We provide an estimate of the complexity of our method for various parameters under three different cost models for lattice reduction and show that security level of the TFHE scheme should be re-evaluated according to the proposed improvement. Our estimates show that the cur- rent security level of the TFHE scheme should be reduced by 10 bits for the parameters proposed in the latest version of the scheme and by 7 bits for the recent update of the parameters that are used in the implementation, available online.

The typical battery supported IoT computing node has progressed in recent years from an 8-bit processor with limited memory resources, to a 32-bit processor with ample amounts of ROM and RAM. This is a game-changer for developers who no longer need to struggle with assembly language programming, but rather can bring to bear all of the tools of modern software engineering, including high level language compilers. At the same time curve based cryptography has matured to the extent that efficient curves and algorithms are now well known. However the dynamics of academic research are such that execution speed, mandating continued use of assembly language, trumps all other considerations. In this paper we report on the performance that can be expected from simple portable high-level language implementations across a wide range of contemporary architectures.

The concept of a self-tallying election (STE) scheme was first introduced by Kiayias et al and captures electronic voting schemes in which the tallying authorities are the voters of the election themselves. This type of electronic voting is particularly compatible with and suitable for (but not only) Blockchain governance, where governance is expected to be maintained in a fully distributed manner. In this work, we formalize the requirements for secure STE schemes in the Universal Composability (UC) framework. Our model captures the standard voting properties of eligibility, fairness, vote-privacy, and one voter-one vote. We present E-cclesia, a new family of STE schemes, and prove that it securely UC-realizes the STE functionality. We propose a first concrete instantiation of E-cclesia using RSA accumulators in combination with a Bitcoin-based time-lock encryption scheme. To this end, we provide en passant the first UC treatment of dynamic accumulators in the public setting as well as time lock encryption (TLE) schemes, and prove the equivalence of our UC definitions to the standard property-based accumulator definitions.

RC4 stream cipher uses two simple operations, swap for state evolution and double indirection for producing the key-stream output byte. The non-randomness produced by these RC4 operations are well known now. However, still there are many important cryptanalytic issues that remain open in RC4. In this paper we first prove the biases presented by Fluhrer and McGrew (FSE 2000) two decades ago. It is surprising that though the biases have been published long back, and there are many applications of them in cryptanalysis till recent days, the proof of the results have not been considered in a disciplined manner. In this paper, we complete that task and also show that any such bias immediately provides a glimpse of hidden variables in RC4. Further, we take up the biases of two non-consecutive key-stream bytes skipping one byte in between. We show the incompleteness of such a result presented by SenGupta et al (JoC, 2013) and produce novel results in this direction related to key-stream bytes and glimpses. Similarly, we show certain missed observation in the famous Glimpse theorem presented by Jenkins in 1996. Our results point out how biases of RC4 key-stream and the Glimpses of the RC4 hidden variables are related. It is evident from our results that the biases and glimpses are everywhere in RC4 and it needs further investigation. The new glimpses and biases that we identify in this paper can be exploited in improving practical attacks in the protocols that use RC4.

Today’s world is organized based on merit and value. A single global currency that’s decentralized is needed for a global economy. Bitcoin is a partial solution to this need, however it suffers from scalability problems which prevent it from being mass-adopted. Also, the deflationary nature of bitcoin motivates people to hoard and speculate on them instead of using them for day to day transactions. We propose a scalable, decentralized cryptocurrency that is based on Proof of Work. The solution involves having parallel chains in a closed network using a mechanism which rewards miners proportional to their effort in maintaining the network. The proposed design introduces a novel approach for solving scalability problem in blockchain network based on merged mining.

The QC-MDPC code-based KEM BIKE is one of the Round-2 candidates of the NIST PQC standardization project. Its specification document describes a version that is claimed to have IND-CCA security. The security proof uses the Fujisaki-Okamoto transformation and a de-coder that targeted a Decoding Failure Rate (DFR) of 2^{-128} (for Level-1 security). However, there are several aspects that need to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of 2^{-128} does not necessarily imply that the underlying PKE is \delta correct with \delta=2^{-128}, as required.

In this paper, we handle the necessary aspects in the definitions of the KEM to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of a message-agnostic PKE for which decryption failures are independent of the encrypted message. We show that all the PKE underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.

In the recent trend of CAESAR competition and NIST light-weight competition, cryptographic community have witnessed the submissions of several cryptographic schemes that are build on public random permutations. Recently, in CRYPTO 2019, Chen et al. have initiated an interesting research direction in designing beyond birthday bound PRFs from public random permutations and they proposed two instances of such PRFs. In this work, we extend this research direction by proposing a nonce-based MAC build from public random permutations. We show that our proposed MAC achieves $2n/3$ bit security (with respect to the state size of the permutation) and the bound is essentially tight. Moreover, the security of the MAC degrades gracefully with the repetition of the nonce.

Side-channel leakage detection methods based on statistical tests, such as t-test or chi^2-test, provide high confidence in the presence of leakage with a large number of traces. However, practical limitations on testing time and equipment may set an upper-bound on the number of traces available, turning the number of traces into a limiting factor in side-channel leakage detection. We describe a statistical technique, based on statistical bootstrapping, that significantly improves the effectiveness of leakage detection using a limited set of traces. Bootstrapping generates additional sample sets from an initial set by assuming that it is representative of the entire population. The additional sample sets are then used to conduct additional leakage detection tests, and we show how to combine the results of these tests. The proposed technique, applied to side-channel leakage detection, can significantly reduce the number of traces required to detect leakage by one, or more orders of magnitude. Furthermore, for an existing measured sample set, the method can significantly increase the confidence of existing leakage hypotheses over a traditional (non-bootstrap) leakage detection test. This paper introduces the bootstrapping technique for leakage detection, applies it to three practical cases, and describes techniques for its efficient computation.

The existence of some structure in a code can lead to the decrease of security of the whole system built on it. Often subcodes are used to ``disguise'' the code as a ``general-looking'' one. However, the security of subcodes, whose Hadamard square is equal to the square of the base code, is reduced to the security of this code, i.e. this condition is undesirable. The paper finds the limiting conditions on the number of vectors of degree $ r $ removing of which retains this weakness for Reed--Muller subcodes and, accordingly, conditions for it to vanish. For $ r = 2 $ the exact structure of all resistant subcodes was found. For an arbitrary code $ RM(r, m) $, the desired number was estimated from both sides. Finally, the ratio of subcodes, whose Hadamard square is not equal to the square of the original code, was proven to tend to zero if additional conditions on the codimension of the subcode and the parameter $ r $ are imposed and $ m \rightarrow \infty $. Thus, the implementation of checks proposed in the paper helps to immediately filter out some insecure subcodes.

Cryptographic implementations deployed in real world devices often aim at (provable) security against the powerful class of side-channel attacks while keeping reasonable performances. Last year at Asiacrypt, a new formal verification tool named tightPROVE was put forward to exactly determine whether a masked implementation is secure in the well-deployed probing security model for any given security order t. Also recently, a compiler named Usuba was proposed to automatically generate bitsliced implementations of cryptographic primitives. This paper goes one step further in the security and performances achievements with a new automatic tool named Tornado. In a nutshell, from the high-level description of a cryptographic primitive, Tornado produces a functionally equivalent bitsliced masked implementation at any desired order proven secure in the probing model, but additionally in the so-called register probing model which much better fits the reality of software implementations. This framework is obtained by the integration of Usuba with tightPROVE+, which extends tightPROVE with the ability to verify the security of implementations in the register probing model and to fix them with inserting refresh gadgets at carefully chosen locations accordingly. We demonstrate Tornado on the lightweight cryptographic primitives selected to the second round of the NIST competition and which somehow claimed to be masking friendly. It advantageously displays performances of the resulting masked implementations for several masking orders and proves their security in the register probing model.

EUROCRYPT 2020 is the 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques and one of the three general conferences of the International Association for Cryptologic Research (IACR).

Due to the current novel coronavirus outbreak, EUROCRYPT 2020 has been converted into an all-digital event, which will be taking place online during 11-15 May 2020.

Registration. The registration site (https://eurocrypt.iacr.org/2020/registration.php) for EUROCRYPT 2020 virtual attendance is now open. There will be no cost for virtual attendance itself but you have to register. If you have not already paid your IACR membership fee (USD 50 for regular members or USD 25 for student members) by attending a previous IACR event in 2020, you will need to pay that fee as part of registering for EUROCRYPT 2020.

Program. The program for EUROCRYPT 2020 is already available online (https://eurocrypt.iacr.org/2020/program.php). Sessions will be conducted as panel discussions in which authors give a very brief overview (5 minutes) of their papers, and then take live questions from the panel moderators and audience. There will also be links to papers and videos of longer talks by authors on their papers.

More details about virtual participation can be found here: https://eurocrypt.iacr.org/2020/participation.php

Event date: 20 June to 21 June 2020
Submission deadline: 28 May 2020

Event date: 5 May 2020

Status is building a communications tool with extreme security, coercion resistance and privacy in mind. As a protocol engineer in the Vac team, you will help us research and develop new and existing technologies in secure messaging.

Closing date for applications:

Contact: Ceri Power CA29 FB53 97E3 0232 106A  2DE6 9F07 1B10 A0D1 12EB

More information: https://grnh.se/c967211f1us

One funded PhD position (International/EU/UK) in hardware security with attractive travel grant for attending conferences.

Closing date: 8th May

We expect the PhD candidate to have a strong background in programming, digital circuit design, hardware/software implementation of algorithms, etc.

For more information on 'Why PhD with us?' see my website. https://www.cs.bham.ac.uk/~sinharos/

The PhD will be working with Dr. Sujoy Sinha Roy and will be based at the Security and Privacy group of the University of Birmingham's School of Computer Science. The National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council (EPSRC) jointly recognise the research group as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR).

If you are interested in the PhD position, please contact Dr. Sujoy Sinha Roy with a CV. For more information, please visit https://www.cs.bham.ac.uk/~sinharos/

Closing date for applications:

Contact: Dr. Sujoy Sinha Roy

BED: BOTNET ECONOMIC DISRUPTION VIA DARK WEB MARKETPLACE INFILTRATION Every year, cyber-attacks result in costs of hundreds of billions of dollars worldwide. One of the core facilitators of attacks are botnets, which are networks of infected computing devices. This PhD project will investigate a novel interdisciplinary approach for defending against botnets. BED will utilize research from the fields of network security, business economics and law, along with specialized research in botnet monitoring. The goal of BED is to: -identify and infiltrate botnet marketplaces with an emphasis on the dark web, -model the business economy of botnets, -Analyze the influence of botnet-specific parameters to the economy model -propose a botnet economy disruption plan. The PhD candidate will join the growing AAU cyber-security network in Copenhagen and work together with an interdisciplinary group of experts. The candidate will be able to collaborate with leading security experts worldwide and present their findings in top conferences all over the world. Supervisors: Jens Myrup Pedersen, Emmanouil Vasilomanolakis and Morten Falch Workplace: Campus Copenhagen

Closing date for applications:

Contact: Emmanouil Vasilomanolakis

More information: https://www.stillinger.aau.dk/vis-stilling/?vacancy=1098638