International Association
for Cryptologic Research

In most scenarios of Private Set Intersection (PSI) computed on a cloud server, the client has a smaller set size and lower computation ability than that of the cloud server, which is known as the unbalanced setting. We use Torus Fully Homomorphic Encryption (TFHE) for the first time instead of the leveled ones to construct a PSI protocol. More precisely, we mainly focus on an adaptive and dynamic setting since the server may provide services to multiple clients at the same time and its data set is updated in real time. We use TFHE to construct an adaptive PSI for unbounded items with a lower communication complexity of $O(|Y|)$ than [19](CCS17), where $Y$ is the length of client's sets) . TFHE support arbitrary depth of homomorphic operations, which avoids those optimizations[19]made to reduce the depth of the circuit, resulting in additional computation and communication complexity. We propose a basic protocol that can efficiently compute the intersection with small items and then we apply a partition technique to our full protocol in order to support unbounded items. We also achieve a flexible dynamic protocol by adjusting our parameters into an adaptive setting, which can further reduce the communication cost of our PSI protocol, especially in cloud computing scenarios mentioned above.

Modern cryptographic protocols, such as TLS 1.3 and QUIC, can send cryptographically protected data in "zero round-trip times (0-RTT)", that is, without the need for a prior interactive handshake.

Such protocols meet the demand for communication with minimal latency, but those currently deployed in practice achieve only rather weak security properties, as they may not achieve forward security for the first transmitted payload message and require additional countermeasures against replay attacks.

Recently, 0-RTT protocols with full forward security and replay resilience have been proposed in the academic literature. These are based on puncturable encryption, which uses rather heavy building blocks, such as cryptographic pairings. Some constructions were claimed to have practical efficiency, but it is unclear how they compare concretely to protocols deployed in practice, and we currently do not have any benchmark results that new protocols can be compared with.

We provide the first concrete performance analysis of a modern 0-RTT protocol with full forward security, by integrating the Bloom Filter Encryption scheme of Derler et al. (EUROCRYPT 2018) in the Chromium QUIC implementation and comparing it to Google's original QUIC protocol.

We find that for reasonable deployment parameters, the server CPU load increases approximately by a factor of eight and the memory consumption on the server increases significantly, but stays below 400 MB even for medium-scale deployments that handle up to 50K connections per day. The difference of the size of handshake messages is small enough that transmission time on the network is identical, and therefore not significant.

We conclude that while current 0-RTT protocols with full forward security come with significant computational overhead, their use in practice is not infeasible, and may be used in applications where the increased CPU and memory load can be tolerated in exchange for full forward security and replay resilience on the cryptographic protocol level. Our results also serve as a first benchmark that can be used to assess the efficiency of 0-RTT protocols potentially developed in the future.

A standard requirement for a signature scheme is that it is existentially unforgeable under chosen message attacks (EUF-CMA), alongside other properties of interest such as strong unforgeability (SUF-CMA), and resilience against key substitution attacks.

Remarkably, no detailed proofs have ever been given for these security properties for EdDSA, and in particular its Ed25519 instantiations. Ed25519 is one of the most efficient and widely used signature schemes, and different instantiations of Ed25519 are used in protocols such as TLS 1.3, SSH, Tor, ZCash, and WhatsApp/Signal. The differences between these instantiations are subtle, and only supported by informal arguments, with many works assuming results can be directly transferred from Schnorr signatures. Similarly, several proofs of protocol security simply assume that Ed25519 satisfies properties such as EUF-CMA or SUF-CMA.

In this work we provide the first detailed analysis and security proofs of Ed25519 signature schemes. While the design of the schemes follows the well-established Fiat-Shamir paradigm, which should guarantee existential unforgeability, there are many side cases and encoding details that complicate the proofs, and all other security properties needed to be proven independently.

Our work provides scientific rationale for choosing among several Ed25519 variants and understanding their properties, fills a much needed proof gap in modern protocol proofs that use these signatures, and supports further standardisation efforts.

In multi-client functional encryption (MC-FE) for predicate queries, clients generate ciphertexts of attributes $x_1, \ldots, x_n$ binding with a time period $T$ and store them on a cloud server, and the cloud server receives a token corresponding to a predicate $f$ from a trusted center and learns whether $f(x_1, \ldots, x_n) = 1$ or not by running the query algorithm on the multiple ciphertexts of the same time period. MC-FE for predicates can be used for a network event or medical data monitoring system based on time series data gathered by multiple clients. In this paper, we propose efficient MC-FE schemes that support conjunctive equality or range queries on encrypted data in the multi-client settings. First, we propose an efficient multi-client hidden vector encryption (MC-HVE) scheme in bilinear groups and prove the selective strong attribute hiding security with static corruptions. Our MC-HVE scheme is very efficient since a token is composed of four group elements, a ciphertext consists of $O(n)$ group elements, and the query algorithm only requires four pairing operations. Second, we propose an efficient multi-client range query encryption (MC-RQE) scheme and prove the weak attribute hiding security with static corruptions. Since our MC-RQE scheme uses a binary tree, it is efficient since a ciphertext consists of $O(n \log D)$ group elements and a token consists of $O(n \log D)$ group elements where $D$ is the maximum value of the range.

Bitstream reverse engineering is traditionally associated with Intellectual Property (IP) theft. Another, less known, threat deriving from that is bitstream modification attacks. It has been shown that the secret key can be extracted from FPGA implementations of cryptographic algorithms by injecting faults directly into the bitstream. Such bitstream modification attacks rely on changing the content of Look Up Tables (LUTs). Therefore, related countermeasures aim to make the task of identifying a LUT more difficult (e.g. by masking its content). However, recent advances in FPGA reverse engineering revealed information on how interconnects are encoded in the bitstream of Xilinx 7 series FPGAs. In this paper, we show that this knowledge can be used to break or weaken existing countermeasures, as well as improve existing attacks. Furthermore, a straightforward attack that re-routes the key to an output pin becomes possible. We demonstrate our claims on an FPGA implementation of SNOW 3G stream cipher. The presented results show that there is an urgent need for stronger bitstream protection methods.

In this report, we cryptanalyse the Rescue hash function. In particular, we look at linear and differential cryptanalysis of Rescue, how multiplicative subgroups are propagated by the round function and at rebound attacks. Overall, we do not find any direct threat to the security of Rescue.

We build a two-round, UC-secure oblivious transfer protocol (OT) in the common reference string (CRS) model under the Learning with Errors assumption (LWE) with sub-exponential modulus-to-noise ratio. We do so by instantiating the dual-mode encryption framework of Peikert, Vaikuntanathan and Waters (CRYPTO'08). The resulting OT can be instantiated in either one of two modes: one providing statistical sender security, and the other statistical receiver security. Furthermore, our scheme allows the sender and the receiver to reuse the CRS across arbitrarily many executions of the protocol. To the best of our knowledge, this gives the first construction of a UC-secure OT from LWE that achieves both statistical receiver security and unbounded reusability of the CRS. For comparison, there was, until recently, no such construction from LWE satisfying either one of these two properties. In particular, the construction of UC-secure OT from LWE of Peikert, Vaikuntanathan and Waters only provides computational receiver security and bounded reusability of the CRS.

Our main technical contribution is a public-key encryption scheme from LWE where messy public keys (under which encryptions hide the underlying message statistically) can be recognized in time essentially independent of the LWE modulus $q$.

Secure delegated quantum computing is a two-party cryptographic primitive, where a computationally weak client wishes to delegate an arbitrary quantum computation to an untrusted quantum server in a privacy-preserving manner. Communication via quantum channels is typically assumed such that the client can establish the necessary correlations with the server to securely perform the given task. This has the downside that all these protocols cannot be put to work for the average user unless a reliable quantum network is deployed.

Therefore the question becomes relevant whether it is possible to rely solely on classical channels between client and server and yet benefit from its quantum capabilities while retaining privacy. Classical-client remote state preparation ($\sf{RSP}_{CC}$) is one of the promising candidates to achieve this because it enables a client, using only classical communication resources, to remotely prepare a quantum state. However, the privacy loss incurred by employing $\sf{RSP}_{CC}$ as sub-module to avoid quantum channels is unclear.

In this work, we investigate this question using the Constructive Cryptography framework by Maurer and Renner (ICS'11). We first identify the goal of $\sf{RSP}_{CC}$ as the construction of ideal \RSP resources from classical channels and then reveal the security limitations of using $\sf{RSP}_{CC}$ in general and in specific contexts:

1. We uncover a fundamental relationship between constructing ideal $\sf{RSP}$ resources (from classical channels) and the task of cloning quantum states with auxiliary information. Any classically constructed ideal $\sf{RSP}$ resource must leak to the server the full classical description (possibly in an encoded form) of the generated quantum state, even if we target computational security only. As a consequence, we find that the realization of common $\sf{RSP}$ resources, without weakening their guarantees drastically, is impossible due to the no-cloning theorem.

2. The above result does not rule out that a specific $\sf{RSP}_{CC}$ protocol can replace the quantum channel at least in some contexts, such as the Universal Blind Quantum Computing ($\sf{UBQC}$) protocol of Broadbent et al. (FOCS ’09). However, we show that the resulting $\sf{UBQC}$ protocol cannot maintain its proven composable security as soon as $\sf{RSP}_{CC}$ is used as a subroutine.

3. We show that replacing the quantum channel of the above $\sf{UBQC}$ protocol by the $\sf{RSP}_{CC}$ protocol QFactory of Cojocaru et al. (Asiacrypt ’19), preserves the weaker, game-based, security of $\sf{UBQC}$.

E-cash and cryptocurrency schemes have been a focus of applied cryptography for a long time. However, we acknowledge the continuing need for a cryptographic protocol that provides global scale, decentralized, secure, and fair delivery of donations. Such a protocol would replace central trusted entities (e.g., charity organizations) and guarantee the privacy of the involved parties (i.e., donors and recipients of the donations). In this work, we target this online donation problem and propose a practical solution for it. First, we propose a novel decentralized e-donation framework, along with its operational components and security definitions. Our framework relies on a public ledger that can be realized via a distributed blockchain. Second, we instantiate our e-donation framework with a practical scheme employing privacy-preserving cryptocurrencies and attribute-based signatures. Third, we provide implementation results showing that our operations have feasible computation and communication costs. Finally, we prove the security of our e-donation scheme via formal reductions to the security of the underlying primitives.

It is of folkloric belief that the security of classical cryptographic protocols is automatically broken if the Adversary is allowed to perform superposition queries and the honest players forced to perform actions coherently on quantum states. Another widely held intuition is that enforcing measurements on the exchanged messages is enough to protect protocols from these attacks.

However, the reality is much more complex. Security models dealing with superposition attacks only consider unconditional security. Conversely, security models considering computational security assume that all supposedly classical messages are measured, which forbids by construction the analysis of superposition attacks. Boneh and Zhandry have started to study the quantum computational security for classical primitives in their seminal work at Crypto'13, but only in the single-party setting. To the best of our knowledge, an equivalent model in the multiparty setting is still missing.

In this work, we propose the first computational security model considering superposition attacks for multiparty protocols. We show that our new security model is satisfiable by proving the security of the well-known One-Time-Pad protocol and give an attack on a variant of the equally reputable Yao Protocol for Secure Two-Party Computations. The post-mortem of this attack reveals the precise points of failure, yielding highly counter-intuitive results: Adding extra classical communication, which is harmless for classical security, can make the protocol become subject to superposition attacks. We use this newly imparted knowledge to construct the first concrete protocol for Secure Two-Party Computation that is resistant to superposition attacks. Our results show that there is no straightforward answer to provide for either the vulnerabilities of classical protocols to superposition attacks or the adapted countermeasures.

In the recent years, some security proofs in cryptography have known significant improvements by replacing the statistical distance with alternative divergences. We continue this line of research, both at a theoretical and practical level. On the theory side, we propose a new cryptographic divergence with quirky properties. On the practical side, we propose new applications of alternative divergences: circuit-private FHE and prime number generators. More precisely, we provide the first formal security proof of the prime number generator PRIMEINC (Brandt and Damgård, CRYPTO 1992), and improve by an order of magnitude the efficiency of a prime number generator by Fouque and Tibouchi (ICALP 2014) and the washing machine technique by Ducas and Stehlé (EUROCRYPT 2016) for circuit-private FHE.

An incompressible encoding can probabilistically encode some data $m$ into a codeword $c$, which is not much larger. Anyone can decode the codeword $c$ to recover the original data $m$. However, the codeword $c$ cannot be efficiently compressed, even if the original data $m$ is given to the decompression procedure on the side. In other words, $c$ is an efficiently decodable representation of $m$, yet is computationally incompressible even given $m$. An incompressible encoding is composable if many encodings cannot be simultaneously compressed.

The recent work of Damg\aa{}rd, Ganesh and Orlandi (CRYPTO '19) defined a variant of incompressible encodings as a building block for ``proofs of replicated storage''. They constructed incompressible encodings in an ideal permutation model, but it was left open if they can be constructed under standard assumptions, or even in the more basic random-oracle model. In this work, we undertake the comprehensive study of incompressible encodings as a primitive of independent interest and give new constructions, negative results and applications:

* We construct incompressible encodings in the common random string (CRS) model under either Decisional Composite Residuosity (DCR) or Learning with Errors (LWE). However, the construction has several drawbacks: (1) it is not composable, (2) it only achieves selective security, and (3) the CRS is as long as the data $m$. * We leverage the above construction to also get a scheme in the random-oracle model, under the same assumptions, that avoids all of the above drawbacks. Furthermore, it is significantly more efficient than the prior ideal-model construction. * We give black-box separations, showing that incompressible encodings in the plain model cannot be proven secure under any standard hardness assumption, and incompressible encodings in the CRS model must inherently suffer from all of the drawbacks above. * We give a new application to ``big-key cryptography in the bounded-retrieval model'', where secret keys are made intentionally huge to make them hard to exfiltrate. Using incompressible encodings, we can get all the security benefits of a big key without wasting storage space, by having the key to encode useful data.

The sequential structure of some side-channel attacks makes them subject to error propagation, i.e. when an error occurs during the recovery of some part of a secret key, all the following guesses might as well be chosen randomly. We propose a methodology that strengthens sequential attacks by automatically identifying and correcting errors. The core ingredient of our methodology is a change-detection test that monitors the distribution of the distinguisher values used to reconstruct the secret key. Our methodology includes an error-correction procedure that can cope both with false positives of the change-detection test, and inaccuracies of the estimated location of the wrong key guess. The proposed methodology is general and can be included in several attacks. As meaningful examples, we conduct two different side-channel attacks against RSA-2048: an horizontal power-analysis attack based on correlation and a vertical timing attack. Our experiments show that, in all the considered cases, strengthened attacks outperforms their original counterparts and alternative solutions that are based on thresholds. In particular, strengthened attacks achieve high success rates even when the side-channel measurements are noisy or limited in number, without prohibitively increasing the computing time.

This position in the COSIC research group of the KU Leuven, addresses valorization opportunities in new forms of cryptography that support calculations on encrypted data, without having to decrypt the data. These new forms of cryptography include fully homomorphic encryption, multi-party computation, trusted execution environments and related topics.

The Innovation Manager will identify opportunities for bilateral projects and research platforms, technology transfer, and potentially spin-off companies, including the definition of licenses, patents or other forms of valorization. All these tasks are executed in coordination with KU Leuven Research and Development. In particular, the Innovation Manager will assist in defining and maintaining a strategic research agenda to create a continuum between fundamental research, strategic research and applied research.

The lndustrial Research Fund (lOF) of KU Leuven forms a bridge between strategic basic research, technological innovations and industrial collaborations. Based on cooperations with KU Leuven research groups and different stakeholders from industry and society, we aim to broaden our valorization portfolio and to increase the transfer of knowledge. We have a team of more than 40 experienced innovation managers involved in the development of practical and innovative technological solutions based on the expertise and infrastructure of the research groups within KU Leuven.

Profile

• PhD or equivalent research expertise in applied cryptography
• Preferably industrial experience
• At least a high level understanding or parts of MPC, FHE, PQC, TEE
• Experience in valorization of research results
• Creative, enthusiastic, with a strong commitment to research valorization
• Proactive, entrepreneurial mindset
• Strong communication skills, including international and intercultural
• Willing to travel globally

Offer An exciting and challenging job, focused on continuous innovation and development in a transdisciplinary and international context. We offer a permanent position as Innovation Manager of the Industrial Research Fund (IOF) at KU

Closing date for applications:

Contact: Nigel Smart (nigel.smart@kuleuven.be) Ingrid Verbauwhede (ingrid.verbauwhede@kuleuven.be) Frederik Vercauteren (frederik.vercauteren@kuleuven.be)

More information: https://www.kuleuven.be/personeel/jobsite/jobs/55715055

Event date: 30 November to 1 December 2020
Submission deadline: 24 August 2020
Notification: 1 October 2020

Event date: 30 January to 2 February 2020
Submission deadline: 20 July 2020
Notification: 15 September 2020

The Security and Cryptography team in Fujitsu Laboratories of America is looking for an engineer for contributing to opensource blockchain projects. You will work closely with a team of cryptographers and security researchers located in Sunnyvale, California and Tokyo, Japan. Your main task will be secure software development in C/C++/Rust/golang/Nodejs as part of Fujitsu Laboratory's OSS activity in Hyperledger. In addition, you will also be encouraged to write academic papers based on your work leading to publications in top tier cryptography and security conferences.

Profile Description:

• Proven experience in production quality software development.
• Previous experience and code contributions to open source projects is a plus.
• Experience in implementation of cryptographic libraries.
• Graduate level knowledge of crypto theory. Familiarity with threshold cryptosystems and multiparty protocols (MPC). Academic publications in Crypto/Security is a plus.
• Experience in design and implementation of large software systems and writing secure code in C/C++/Rust/Golang.
• Familiarity with blockchain systems such as Hyperledger Fabric and/or Ethereum.
• Ability to meet deliverables and deadlines with minimal supervision.
• Fluent in written and spoken english.

Working hours are flexible. Initially you will be offered a full time (we are also open to offering part time) remote contractor position for six months. Depending on your performance and status of the project, the contract can be extended or can be converted to a full time permanent position based on Sunnyvale, California.

Deadline for Application: Open until the position is filled.
Start Date: Immediate, but flexible.
Salary: Very attractive, depends on experience.

Closing date for applications:

Contact: Avradip Mandal, Researcher. amandal@fujitsu.com

The Max Planck Institute (MPI) for Security and Privacy is looking for motivated students to apply for a Ph.D. program. The research will be conducted on the theory of cryptography and computer security and more specifically in one of the following topics:

Homomorphic encryption and code obfuscation

Zero-knowledge proofs and succinct arguments

Cryptocurrencies and blockchains

Post-quantum and lattice-based cryptography

Multi-party computation

Other research proposals by the candidate will also be considered, depending on the common interests.

The ideal candidate shall satisfy the following requirements:

Have a Master degree or equivalent (or is close to complete one) in computer science, mathematics, or related fields

Is fluent in English and has excellent communication and writing skills

Is familiar with probability theory and mathematical proofs. Strong background in cryptography, linear algebra, number theory, or complexity theory is a plus

Most importantly, is passionate about learning new concepts and determined to solve challenging questions in the theory of cryptography and computer security

Publications (or manuscripts under submission) in related areas are greatly valued but are not mandatory

The MPI for Security and Privacy is co-located with the Ruhr University of Bochum (Germany) and offers a vibrant atmosphere for research that spans across all aspects of computer security. The Ph.D. program is entirely in English and the knowledge of German is not required for a successful career at MPI.

The position is fully funded (100%) and paid according to the E-13 pay category. The starting date if flexible but ideally somewhere in fall 2020. To apply for the position, send an email to Giulio Malavolta (address below) including the following documents:

A curriculum vitae

2-3 recommendation letters from previous advisors or employers

A brief cover letter (half page at most) describing your research interests

If you have any question, don’t hesitate to get in touch.

Closing date for applications:

Contact: Giulio Malavolta (giulio.malavolta@berkeley.edu)

More information: https://www.mpi-sp.org/

Your responsibilities:

• Identifying weaknesses in existing 3GPP radio access network technologies including 4G and 5G (NR). • Develop and promote proposals to mitigate the security/privacy issues identified. • Cooperate with universities and other eco-system partners on security research and analysis • Help shape the industry with new innovation via standardization bodies e.g. 3GPP, ETSI, etc. • Engage with customers and regulators in order to help shape a secure ICT world. • Work with the world leading researchers across the world on the most advanced technologies including AI, IoT under the scope of 5G. • Help steer our 5G products and solutions security. • Provide analysis and insight of industry trends. • Generate product security roadmap recommendations.

Our requirements:

• PhD in computer science or advanced PhD with focus on telecommunication security (preferably radio access technologies, the 3GPP air-interface protocol stack). • Several years of experience in network security research, specifically in the domains of protocol analysis, vulnerability detection, protocol correctness, protocol verification, etc. • Several years of experience researching and developing tools/demos/PoCs which demonstrate the impact of such security issues (vulnerabilities) on the network. • Several years of experience researching and implementing mitigation solutions (PoC/Demo level) for protocol vulnerabilities including algorithms development, performance/cost and impact analysis of algorithms implementation. • Openness to work in a diversified work environment with unique work cultures. • Experience in presenting technical information to both technical and non-technical audience. • Fluent in English (written and spoken).

Must be eligible to work in the EU to be considered for this position.

By applying to this position, you agree with our PRIVACY STATEMENT. You can read in full our privacy policy via the link below.

https://career.huawei.com/reccampportal/portal5/grcprivacy.html

For further information on the requirements please click on the link below:

https://apply.worka

Closing date for applications:

Contact: Viet-Duc Benedikt Lai duc.lai.ext@huawei.com

More information: https://apply.workable.com/j/64698ECA7B

Work Sub-area:

Lightweight Cryptography including authentication protocols

Secure boot mechanisms for embedded/IoT devices

Funding Agency: Ministry of Communication and Information Technology

Tentative Duration: Upto:31/03/2021

Qualifications: B. Tech. (with GATE qualification) / MSc. (with NET/SET qualification) / M.C.A. (with GATE* qualification) 1st class or equivalent in the appropriate discipline.

Desirables: Basic knowledge of cryptography or some experience with using RFID tags or experience on some Raspberry based project or using Trusted Platform Modules (TPMs)

Note: The requirement of qualifying NET/SET/GATE qualification may be relaxed by the Committee in case of highly meritorious candidates.

Closing date for applications:

Contact:
Dr. Dhiman Saha,
Department of Electrical Engineering and Computer Science,
Indian Institute of Technology Bhilai.
email: dhiman [at] iitbhilai [dot] ac [dot] in

For more info about the research group and other opportunities visit: http://de.ci.phe.red

More information: http://ird.iitd.ac.in/sites/default/files/jobs/project/IITD-IRD-100-2020.pdf