International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via email and via RSS feed.

15 May 2020

Xin An, Kai Hu, Meiqin Wang
ePrint Report
The MixColumns operation is an important component providing diffusion for the AES. Its branch number ensures that any four consecutive rounds of the AES have at least 25 active S-Boxes, which makes the AES secure against differential and linear cryptanalysis. However, the choice of the coefficients of the MixColumns matrix may undermine the security of the AES against some new types of attacks. A particular property of the AES MixColumns matrix coefficients has been noticed in recent papers: each row or column of the matrix has elements that sum to zero. Several attacks have been developed that take advantage of this coefficient property.

In this paper we investigate further the influence of this specific coefficient property on the security of the AES. Our target, which is also one of the targets of the previous works, is a 5-round AES variant with a secret S-Box. We show how to take advantage of the coefficient property to extract the secret key directly, without any assistance from S-Box information. Compared with the previous similar attacks, the attacks presented here are the best in terms of complexity under the chosen-plaintext scenario.
Ran Canetti, Pratik Sarkar, Xiao Wang
ePrint Report
We construct the most efficient two-round adaptively secure bit-OT in the Common Random String (CRS) model. The scheme is UC secure under the Decisional Diffie-Hellman (DDH) assumption. It incurs O(1) exponentiations and sends O(1) group elements, whereas the state of the art requires O(k^2) exponentiations and communicates poly(k) bits, where k is the computational security parameter. Along the way, we obtain several other efficient UC-secure OT protocols under DDH:

- The most efficient two-round adaptive string-OT protocol to date, assuming a programmable random oracle. Furthermore, the protocol can be made non-interactive in the simultaneous message setting, assuming random inputs for the sender.

- The first two-round string-OT with amortized constant exponentiations and communication overhead that is secure in the observable random oracle model.

- The first two-round receiver equivocal string-OT in the CRS model that incurs constant computation and communication overhead.

We also obtain the first non-interactive adaptive string UC-commitment in the CRS model which incurs a sublinear communication overhead in the security parameter. Specifically, we commit to polylog(k) bits while communicating O(k) bits. Moreover, it is additively homomorphic in nature.

We can also extend our results to the single CRS model where multiple sessions share the same CRS. As a corollary, we obtain a two-round adaptively secure MPC protocol in this model.
Okan Seker, Sebastian Berndt, Thomas Eisenbarth
ePrint Report
MPC-in-the-head based protocols have recently gained much popularity and are at the brink of seeing widespread usage. With widespread use come the spectres of implementation issues and implementation attacks. Side-channel attacks are a serious threat to the security of implementations of secure cryptographic protocols due to unintended leakage of sensitive information. We show that implementations of protocols constructed by the MPC-in-the-head paradigm are vulnerable to such attacks. As a case study, we choose the ZKBoo protocol of Giacomelli, Madsen, and Orlandi (USENIX 2016) and show that even a single leaked value is sufficient to break the security of the protocol. To show that this attack is not just a theoretical vulnerability, we apply differential power analysis to demonstrate the vulnerability on a device.

In order to remedy this situation, we extend and generalize the ZKBoo protocol by making use of the notion of strong non-interference of Barthe et al. (CCS 2016). To apply this notion to ZKBoo, we construct novel versions of strongly non-interfering gadgets that balance the randomness evenly across the different branches. Finally, we show that each circuit can be decomposed into branches using only these balanced strongly non-interfering gadgets. This allows us to construct a version of ZKBoo, called $(n+1)$-ZKBoo, that is secure against side-channel attacks with very limited overhead in both signature size and running time. Furthermore, $(n+1)$-ZKBoo is scalable to the desired security against adversarial probes. We experimentally confirm that the attacks successful against ZKBoo no longer work on $(n+1)$-ZKBoo.
Thomas Kerber, Aggelos Kiayias, Markulf Kohlweiss
ePrint Report
Smart contracts present a uniform approach for deploying distributed computation and have become a popular means to develop security-critical applications. A major barrier to adoption for many applications is the public nature of existing systems, such as Ethereum. Several systems satisfying various definitions of privacy and requiring various trust assumptions have been proposed; however, none achieved the universality and uniformity that Ethereum achieved for non-private contracts: one unified method to construct most contracts. We provide a unified security model for private smart contracts which is based on the Universal Composition (UC) model and propose a novel core protocol, Kachina, for deploying privacy-preserving smart contracts, which encompasses previous systems. We demonstrate the Kachina method of smart contract development, using it to construct a contract that implements privacy-preserving payments, along the lines of Zerocash, which is provably secure in the UC setting and facilitates concurrency.
Yusuke Naito, Yu Sasaki, Takeshi Sugawara
ePrint Report
This paper proposes tweakable block cipher (TBC) based modes $\mathsf{PFB\_Plus}$ and $\mathsf{PFB}\omega$ that are efficient in threshold implementations (TI). Let $t$ be the algebraic degree of a target function, e.g. $t=1$ (resp. $t>1$) for a linear (resp. non-linear) function. The $d$-th order TI encodes the internal state into $d t + 1$ shares. Hence, the area size increases proportionally to the number of shares. This implies that TBC based modes can be smaller than block cipher (BC) based modes in TI, because a TBC requires an $s$-bit block to ensure $s$-bit security, e.g. PFB and Romulus, while a BC requires a $2s$-bit block. However, even with those TBC based modes, the minimum we can reach is 3 shares of an $s$-bit state with $t=2$ and the first-order TI ($d=1$).

Our first design $\mathsf{PFB\_Plus}$ aims to break the barrier of the $3s$-bit state in TI. The block size of the underlying TBC is $s/2$ bits and the output of the TBC is linearly expanded to $s$ bits. This expanded state requires only 2 shares in the first-order TI, which makes the total state size $2.5s$ bits. We also provide a rigorous security proof of $\mathsf{PFB\_Plus}$. Our second design $\mathsf{PFB}\omega$ further increases a parameter $\omega$: the ratio of the security level $s$ to the block size of the underlying TBC. We prove the security of $\mathsf{PFB}\omega$ for any $\omega$ under some assumptions on the underlying TBC and on the parameters used to update the state. Next, we show a concrete instantiation of $\mathsf{PFB\_Plus}$ for 128-bit security. It requires a TBC with a 64-bit block, 128-bit key and 128-bit tweak, which no existing TBC supports. We design a new TBC by extending SKINNY and provide a basic security evaluation. Finally, we give hardware benchmarks of $\mathsf{PFB\_Plus}$ in the first-order TI to show that the TI of $\mathsf{PFB\_Plus}$ is smaller than that of PFB by more than one thousand gates and is the smallest among the schemes having 128-bit security.

13 May 2020

Cercul Militar Național, Romania, 19 November - 20 November 2020
Event Calendar
Event date: 19 November to 20 November 2020
Submission deadline: 20 September 2020
Notification: 25 October 2020
Rennes, France, 18 November - 19 November 2020
Event Calendar
Event date: 18 November to 19 November 2020
Submission deadline: 14 June 2020
Notification: 26 July 2020
Santa Barbara, USA, -
Event Calendar
Event date: to
Submission deadline: 1 June 2021
Bengaluru, India, 13 December - 16 December 2020
Event Calendar
Event date: 13 December to 16 December 2020
Submission deadline: 31 August 2020
Notification: 19 October 2020

12 May 2020

CHES
The CHES 2020 Capture the Flag (CTF) is a side-channel cryptanalysis challenge against masked implementations of the Clyde-128 Tweakable Block Cipher (TBC) which is part of the Spook candidate to the NIST lightweight cryptography competition (https://www.spook.dev/).

Different targets are proposed in parallel, both in software and in hardware, corresponding to masked implementations with various numbers of shares. Challengers are provided with the source code of the implementations (C in software and Verilog in hardware/FPGA), a tool to predict intermediate values of the hardware implementation, profiling sets of traces including the nonces, (random) keys, (random) plaintexts and the randomness used for masking, test sets of traces corresponding to a few fixed keys (without the masking randomness), and finally prototype attacks against a single byte of the secret key for exemplary targets.

The goal of the challenge is to modify and improve the prototype attacks. The submitted attacks will be rated based on the number of measurements needed to reduce the rank of the master key below 2^32 using a rank estimation algorithm. All the attacks submitted will be made public to all challengers (under a GPLv3 license or alternatives).

Link to the challenge website: https://ctf.spook.dev/
Inria, Paris region, France
Job Posting
High-assurance cryptography for IoT applications.

The RIOT-FP project is looking for a postdoctoral researcher to work with Inria's GRACE team (on the campus of École polytechnique in the southern suburbs of Paris) and the PROSECCO team (in central Paris). The project aims to develop high-speed, high-security, low-memory cryptographic primitives (especially post-quantum public-key algorithms), backed by proven implementations with safety guarantees for software execution on low-end IoT devices. The real-world objective is to provide some future-proofing for RIOT OS (https://riot-os.org), a free and open-source operating system for low-end IoT devices.

Candidates are expected to have a strong background in cryptographic algorithms, IoT software security, or formally verified software. They must have, or expect to hold, a PhD in a field related to the project; they must also have strong programming experience and mathematical skills. They should have an international research profile, and be fluent in written and spoken English.

Closing date for applications:

Contact: Benjamin Smith, at inria dot fr

Simula UiB, Bergen, Norway
Job Posting
Cryptology forms the backbone of modern digital security. While in theory it is known how to build cryptosystems that are asymptotically secure, a considerable gap with practice is demonstrated time and again by breaks of practical, implemented cryptosystems deployed as part of a larger security ecosystem. The project “concrete cryptology” aims to provide concrete and meaningful security guarantees from low-level implementation to high-level deployment.

The postdoc will have considerable freedom in selecting specific problems to work on within the larger scope of the project. One focus is the effect that side-channel attacks that do not result in full key recovery have on security, including provable security, higher up the chain. Another focus is the effect that large-scale deployment deviating from some abstract ideal has.

Simula UiB Offers

- Excellent opportunities for performing high-quality research, as part of a highly competent and motivated team of international researchers and engineers.

- An informal and inclusive international working environment

- Generous support for travel and opportunities to build international networks, through established collaboration with industry, exchange programs and research visits with other universities, and funding to attend conferences

- Modern office facilities located in downtown Bergen

- A competitive salary. Starting salary from NOK 532.300

- Numerous benefits: access to company cabin, BabyBonus arrangements, sponsored social events, generous equipment budgets (e.g., computer, phone and subscription), comprehensive travel/health insurance policy, etc.

- Relocation assistance: accommodation, visas, complimentary Norwegian language courses, etc.

- Administrative research support: e.g., quality assurance process for grant proposals (including RCN and EU programs)

- Wellness and work-life balance. Our employees’ health and well-being is a priority, and we encourage them to make use of our flexible work arrangements to help balance their work and home lives efficiently.

Closing date for applications:

Contact: Martijn Stam

More information: https://www.simula.no/about/job/call-post-doctoral-fellow-concrete-cryptography


11 May 2020

Award
The IACR Fellows Program recognizes outstanding IACR members for technical and professional contributions to the field of cryptology. Today we are pleased to announce five members that have been elevated to the rank of Fellow for 2020:
  • Yevgeniy Dodis, for fundamental contributions to cryptology, especially to cryptographic randomness and symmetric-key primitives, and for service to the IACR.
  • Rosario Gennaro, for essential contributions, including to threshold cryptography, delegated computation, and lower bounds, and for service to the IACR.
  • Xuejia Lai, for fundamental contributions to research in symmetric-key cryptography, and for service to the IACR.
  • Tal Malkin, for foundational contributions, including black-box separations, multiparty computation, and tamper resilience, and for service to the IACR.
  • David Naccache, for significant contributions to applied cryptography in industry and academia, and for service to the IACR.
Congratulations to the new fellows! More information about the IACR Fellows Program can be found at https://iacr.org/fellows/.

10 May 2020

Philippe Camacho
ePrint Report
A cryptographic accumulator is a scheme where a set of elements is represented by a single short value. This value, along with another value called a witness, allows one to prove membership in the set. In their survey on accumulators [FN02], Fazio and Nicolosi noted that the Camenisch and Lysyanskaya construction [CL02] was such that the time to update a witness after m changes to the accumulated value was proportional to m. They posed the question whether batch update was possible, namely whether it was possible to build a cryptographic accumulator where the time to update witnesses is independent of the number of changes in the accumulated set. Recently, Wang et al. answered positively by giving a construction for an accumulator with batch update in [WWP07, WWP08]. In this work we show that the construction is not secure by exhibiting an attack. Moreover, we prove it cannot be fixed: if the accumulated value has been updated m times, then the time to update a witness must be at least Ω(m) in the worst case.
Hugo Krawczyk
ePrint Report
In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multi-purpose KDFs. In practice, most KDFs (including those widely standardized) follow ad-hoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide a detailed rationale for the design of KDFs based on the extract-then-expand approach; we present the first general and rigorous definition of KDFs and their security, which we base on the notion of computational extractors; we specify a concrete, fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario.

Beyond the theoretical interest in modeling KDFs, this work is intended to address two important and timely needs of cryptographic applications: (i) providing a single hash-based KDF design that can be standardized for use in multiple and diverse applications, and (ii) providing a conservative, yet efficient, design that exercises much care in the way it utilizes a cryptographic hash function.

(The HMAC-based scheme presented here, named HKDF, is being standardized by the IETF.)
Benjamin Dowling, Britta Hale
ePrint Report
Modern messaging applications often rely on out-of-band communication to achieve entity authentication, with human users actively verifying and attesting to long-term public keys. This "user-mediated" authentication is done primarily to reduce reliance on trusted third parties by replacing that role with the user. Despite a great deal of research focusing on analyzing the confidentiality aspect of secure messaging, the authenticity aspect of it has been largely assumed away. Consequently, while many existing protocols provide some confidentiality guarantees after a compromise, such as post-compromise security (PCS), authenticity guarantees are generally lost. This leads directly to potential man-in-the-middle (MitM) attacks within the intended threat model. In this work, we address this gap by proposing a model to formally capture user-mediated entity authentication in ratcheted secure messaging protocols that can be composed with any ratcheted key exchange. Our threat model captures post-compromise entity authentication security. We demonstrate that the Signal application's user-mediated authentication protocol cannot be proven secure in this model and suggest a straightforward fix for Signal that allows the detection of an active adversary. Our results have direct implications for other existing and future ratcheted secure messaging applications.
Rosario Gennaro, Steven Goldfeder
ePrint Report
Threshold ECDSA signatures have received much attention in recent years due to the widespread use of ECDSA in cryptocurrencies. While various protocols now exist that admit efficient distributed key generation and signing, these protocols have two main drawbacks. Firstly, if a player misbehaves, the protocol will abort, but all current protocols give no way to detect which player is responsible for the abort. In distributed settings, this can be catastrophic, as any player can cause the protocol to fail without any consequence. General techniques to realize dishonest-majority MPC with identifiable abort add a prohibitive overhead, but we show how to build a tailored protocol for threshold ECDSA with minimal overhead. Secondly, current threshold ECDSA protocols (that do not rely on generic MPC) have numerous rounds of interaction. We present a highly efficient protocol with a non-interactive online phase, allowing players to participate in the protocol asynchronously without the need to be online simultaneously. We benchmark our protocols and find that our protocol simultaneously reduces the rounds and computations of current protocols, while adding significant functionality: identifiable abort and non-interactivity.
Hao Chen, Lynn Chua, Kristin Lauter, Yongsoo Song
ePrint Report
Lattice-based cryptography is currently under consideration for standardization in the ongoing NIST Post-Quantum Cryptography (PQC) competition, and is used as the basis for Homomorphic Encryption schemes world-wide. Both applications rely specifically on the hardness of the Learning With Errors (LWE) problem. Most Homomorphic Encryption deployments use small secrets as an optimization, so it is important to understand the concrete security of LWE when sampling the secret from a non-uniform, small distribution. Although there are numerous heuristics used to estimate the running time and quality of lattice reduction algorithms such as BKZ2.0, more work is needed to validate and test these heuristics in practice to provide concrete security parameter recommendations, especially in the case of small secrets. In this work, we introduce a new approach which uses concrete attacks on the LWE problem as a way to study the performance and quality of BKZ2.0 directly. We find that the security levels for certain values of the modulus q and dimension n are smaller than predicted by the online LWE Estimator, due to the fact that the attacks succeed on these uSVP lattices for blocksizes which are smaller than expected based on current estimates. We also find that many instances of the TU Darmstadt LWE challenges can be solved significantly faster when the secret is chosen from the binary or ternary distributions.

09 May 2020

CRYPTO
CRYPTO 2020 is the 40th Annual International Cryptology Conference and one of the three general conferences of the International Association for Cryptologic Research (IACR). It was originally scheduled to take place on the campus of University of California, Santa Barbara (UCSB), August 16-20. However, due to the COVID-19 pandemic, UCSB has cancelled all summer 2020 conferences.

As a result, CRYPTO 2020 has been converted into an all-digital event with slightly changed dates. It is now scheduled to take place online Monday-Friday, August 17-21. The conference proceedings will be published according to the original schedule.

Details about the new all-digital event, including its scientific program and registration process, will be communicated at a later time via the usual IACR channels and the conference website.

The board wishes safety and health to all our members during these challenging times.


08 May 2020

Polytechnic University Hauts-de-France
Job Posting
We are looking for a highly motivated candidate for a one-year (renewable) post-doctoral researcher position on machine learning for secure Lab-on-Chip (LoC). The research will be conducted within a collaborative, international and highly stimulating environment. The working place will be the IEMN Lab (CNRS 5820) at Polytechnic University Hauts-de-France (UPHF) situated in Valenciennes, France. The research will also involve collaborations with George Mason University (Washington, USA) and the University of California Riverside. The aim of this project is to develop privacy- and security-aware machine learning based techniques that are intended to be integrated in a LoC.

Expected Qualifications:
- PhD in Computer Science, Electronics, or Applied Mathematics with strong expertise in machine learning
- High-quality publications
- Ability to work in a highly collaborative and interdisciplinary environment
- Experience with Machine Learning and Security of ML
- Familiarity with signal processing theory
- A background in cryptography, cybersecurity or side-channel attacks is a bonus
- Fluency in English, both written and spoken

Job application: The position is expected to start in September 2020. For application, please send the following information in a single PDF file to Ihsen Alouani (ihsen.alouani@uphf.fr) with subject [Post_Doc_ML-LoC]:
- A letter of motivation
- A curriculum vitae, including a list of publications
- The contact information of two references

The research will be held at Polytechnic University Hauts-de-France (UPHF) in Valenciennes, France, and more specifically at the IEMN Lab (Institut d’Electronique, Micro-electronique et Nanotechnologie, https://www.uphf.fr/DOAE/), Campus Mont-Houy Valenciennes, in an international environment and a strategic geographical location (2h from Paris by train, 1h from Brussels by train, 2h from London by Eurostar).
Polytechnic University Hauts-de-France (UPHF) provides an excellent research environment with recognized research teams in different areas. NB: Because of the Covid-19 crisis, we will NOT be able to accept candidates from outside the Schengen Area.

Closing date for applications:

Contact: Ihsen Alouani, ihsen.alouani@uphf.fr

More information: https://www.hipeac.net/jobs/11457/postdoc-embedded-machine-learning-for-secure-lab-on-chip/
