International Association
for Cryptologic Research

Registration has now opened for Crypto 2020. There are four affiliated events associated with the conference that occur on Friday-Sunday before the conference, and information on these has been updated.

A common primitive in election and auction protocols is plaintext equivalence test (PET) in which two ciphertexts are tested for equality of their plaintexts, and a verifiable proof of the test's outcome is provided. The most commonly-cited PETs require at least one honest party, but many applications claim universal verifiability, at odds with this requirement. If a test that relies on at least one honest participant is mistakenly used in a place where universally verifiable proof is needed, then a collusion by all participants can insert a forged proof of equality into the tallying transcript. We show this breaks universal verifiability for the JCJ/Civitas scheme among others, because the only PETs they reference are not universally verifiable. We then demonstrate how to fix the problem.

Minrank problem is investigated as a problem related to a rank attack in multivariate cryptography and decoding of a rank code in coding theory. Recently, the Kipnis-Shamir method for solving this problem has been made significant progress due to Verbel et al. As this method reduces the problem to the MQ problem that asks for a solution of a system of quadratic equations, its complexity depends on the solving degree of a quadratic system deduced from the method. A theoretical value introduced by Verbel et al. approximates the minimal solving degree of the quadratic systems in the method although their value is defined under a certain limit for a considering system. A quadratic system outside their limitation often has the larger solving degree, but its solving complexity is not necessary larger since it has a smaller number of variables and equations. Thus, in order to discuss the best complexity of the Kipnis-Shamir method, we need a theoretical value approximating the solving degree of each deduced quadratic system. A quadratic system deduced from the Kipnis-Shamir method has a multi-degree always, and its solving complexity is influenced by this property. In this paper, we introduce a theoretical value defined by such a multi-degree and show it approximates the solving degree of each quadratic system. Thus we are able to compare the systems in the method and to discuss the best complexity. As its application, in the Minrank problem from the rank attack using the Kipnis-Shamir method against Rainbow, we show a case that a quadratic system outside Verbel et al.'s limitation is the best. Consequently, by using our estimation, the complexities of the attack against Rainbow parameter sets Ia, IIIc and Vc are improved as $2^{160.6}, 2^{327.9}$ and $2^{437.0}$, respectively.

In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL. Several Flush+Reload attacks on T-table implementation of AES have been proposed in the literature which requires a notable number of encryptions. In this paper, we present a technique to enhance the Flush+Reload attack on AES in the ciphertext-only scenario by significantly reducing the number of needed encryptions in both native and cross-VM setups. In this paper, we focus on finding the wrong key candidates and keep the right key by considering only the cache miss event. Our attack is faster than previous Flush+Reload attacks. In particular, our method can speed-up the Flush+Reload attack in cross-VM environment significantly. To verify the theoretical model, we implemented the proposed attack.

In this paper, we present an optimally-resilient, unconditionally-secure asynchronous multi-party computation (AMPC) protocol for $n$ parties, tolerating a computationally unbounded adversary, capable of corrupting up to $t < \frac{n}{3}$ parties. Our protocol needs a communication of ${\cal O}(n^4)$ field elements per multiplication gate. This is to be compared with previous best AMPC protocol (Patra et al, ICITS 2009) in the same setting, which needs a communication of ${\cal O}(n^5)$ field elements per multiplication gate. To design our protocol, we present a simple and highly efficient asynchronous verifiable secret-sharing (AVSS) protocol, which is of independent interest.

In this paper we cryptanalyze a recently proposed signature scheme consisting in a translation of the Lyubashevsky framework to the coding theory, whose security is based on the hardness of decoding low weight errors in the Hamming metric. We show that each produced signature leaks information about the secret key and that, after the observation of a bunch of signatures, the secret key can be fully recovered with simple linear algebra. We conservatively assess the complexity of our proposed attack and show that it grows polynomially in the scheme parameters; numerical simulations are used to confirm our analysis. Our results show that the weakness of the scheme is intrinsic by design, and that security cannot be restored by a mere change in the parameters.

The usage of deep learning in profiled side-channel analysis requires a careful selection of neural network hyperparameters. In recent publications, different network architectures have been presented as efficient profiled methods against protected AES implementations. Indeed, completely different convolutional neural network models have presented similar performance against public side-channel traces databases. In this work, we analyze how the choice of weight initializers influences deep neural networks' performance in the profiled side-channel analysis. Our results show that different weight initializers provide radically different behavior. We observe that even high-performing initializers can reach significantly different performance when conducting multiple training phases. Finally, we found that this hyperparameter is more dependent on the choice of dataset than other, commonly examined, hyperparameters. When evaluating the connections with other hyperparameters, the biggest connection is observed with activation functions.

In this paper, we propose a new heuristic algorithm to search efficient implementations (in terms of Xor count) of linear layers used in symmetric-key cryptography. It is observed that the implementation cost of an invertible matrix is related to its matrix decomposition if sequential-Xor (s-Xor) metric is considered, thus reducing the implementation cost is equivalent to constructing an optimized matrix decomposition. The basic idea of this work is to find various matrix de- compositions for a given matrix and optimize those decompositions to pick the best implementation. In order to optimize matrix decompositions, we present several ma- trix multiplication rules over F2, which are proved to be very powerful in reducing the implementation cost. We illustrate this heuristic by searching implementations of several matrices proposed recently and matrices already used in block ciphers and Hash functions, and the results show that our heuristic performs equally good or outperforms Paar’s and Boyar-Peralta’s heuristics in most cases.

Recently introduced federated learning is an attractive framework for the distributed training of deep learning models with thousands of participants. However, it can potentially be used with malicious intent. For example, adversaries can use their smartphones to jointly train a classifier for extracting secret keys from the smartphones' SIM cards without sharing their side-channel measurements with each other. With federated learning, each participant might be able to create a strong model in the absence of sufficient training data. Furthermore, they preserve their anonymity. In this paper, we investigate this new attack vector in the context of side-channel attacks. We compare the federated learning, which aggregates model updates submitted by N participants, with two other aggregating approaches: (1) training on combined side-channel data from N devices, and (2) using an ensemble of N individually trained models. Our first experiments on 8-bit Atmel ATxmega128D4 microcontroller implementation of AES show that federated learning is capable of outperforming the other approaches.

In this short report, we present a simple yet effective inter-session replay attack against the Diffie-Hellman style private set intersection protocol (cf. [Mea86]). The attack is indistinguishable from ordinary protocol execution, and yet allows the attacker to learn the cardinality of the intersection of honest party's input sets. This kind of attack demonstrates the inadequacy of semi-honest security guarantee when facing more serious adversarial threats, and highlights the necessity for security augmentation of protocols derived from [Mea86].

Code-based public-key cryptosystems are promising candidates for standardisation as quantum-resistant public-key cryptographic algorithms. Their security is based on the hardness of the syndrome decoding problem. Computing the syndrome in a finite field, usually $\mathbb{F}_2$ , guarantees the security of the constructions. We show in this article that the problem becomes considerably easier to solve if the syndrome is computed in $\mathbb{N}$ instead. By means of laser fault injection, we illustrate how to force the matrix-vector product in $\mathbb{N}$ by corrupting specific instructions, and validate it experimentally. To solve the syndrome decoding problem in $\mathbb{N}$, we propose a reduction to an integer linear programming problem. We leverage the computational efficiency of linear programming solvers to obtain real time message recovery attacks against all the code-based proposals to the NIST Post-Quantum Cryptography standardisation challenge. We perform our attacks on worst-case scenarios, i.e. random binary codes, and retrieve the initial message within minutes on a desktop computer. When considering parameters of the code-based submissions to the NIST PQC standardisation challenge, all of them can be attacked in less than three minutes.

Event date: 17 December to 21 December 2020
Submission deadline: 24 July 2020
Notification: 25 September 2020

To support our growth and in order to strengthen our team, we are looking for an Embedded Cryptographic Software Engineer (M/F). You will be based in Singapore and participate in the development of the Secure-IC portfolio of secure solutions. Missions consist in:

• Ensuring the various phases of specifications for applications embedding cryptography
• C and C++ programming and testing
• Integration and validation on target embedded microprocessor. (knowledge of ARM processors is preferable)
• Developing non-regression tests along with benchmarking tests
• Bringing innovative ideas to improve our products, the quality of deliveries and development processes
• Delivery of customers projects (consulting and training)

Requirements:

• Embedded software development engineer with 5 years minimum experience in an equivalent position
• First experience in the field of automotive: CAN bus, automotive Ethernet
• Master’s degree (or higher) in Computer Science, Mathematics or similar field
• Proficiency in C/C++ language and assembly skills
• Knowledge of ARM processors, development for security and safety
• Proficiency in English
• Knowledge of cryptography
• Excellent communication skills
• Ability to work in a team
• Outstanding analytical and problem-solving skills

  Closing date for applications:

  Contact: Sylvain Guilley

The Cryptography and Privacy Engineering Group (ENCRYPTO) @Department of Computer Science @Technical University of Darmstadt offers a full position for a Doctoral Researcher (Research Assistant/PhD Student) in Cryptography & Privacy Engineering, available immediately and for up to 3 years with the possibility of extension.

Our mission is to demonstrate that privacy can be efficiently protected in real-world applications via cryptographic protocols.

TU Darmstadt is a top research university for IT security, cryptography and computer science in Europe. The position is based in the City of Science Darmstadt, which is very international, livable and well-connected in the Rhine-Main area around Frankfurt. Initially, no knowledge of German is necessary and TU Darmstadt offers corresponding support.

Job description

As doctoral researcher @ENCRYPTO, you conduct research, build prototype implementations, and publish and present the results at top venues. You will also participate in teaching and supervise thesis students and student assistants. The position is co-funded by the ERC Starting Grant “Privacy-preserving Services on the Internet” (PSOTI), where we build privacy-preserving services on the Internet, which includes designing protocols for privately processing data among untrusted service providers using secure multi-party computation and implementing a scalable framework.

Your profile

• Completed Master's degree (or equivalent) at a top university with excellent grades in IT security, computer science, applied mathematics, electrical engineering, or a similar area.
• Extensive knowledge in applied cryptography/IT security and excellent software development skills.
• Additional knowledge in cryptographic protocols (ideally secure computation) is a plus.
• You are self-motivated, reliable, creative, can work independently, and want to do excellent research on challenging scientific problems with practical relevance.
• The working language at ENCRYPTO is English, so you must be able to discuss/write/present scientific results in English, whereas German is not required.

no application deadline

Closing date for applications:

Contact: Thomas Schneider (schneider@encrypto.cs.tu-darmstadt.de)

More information: https://encrypto.de/PHD-STUDENT

The Institute of Distributed Systems at Ulm University is searching for enthusiastic PostDoc and Ph.D.-level researchers who are expected to support and strengthen our research activities in the area of security and privacy in vehicular networking and automotive systems. You will contribute to ongoing projects, as well as new project proposals. As PostDoc, you will also be involved in project management and support the supervision of PhD candidates.

The ideal candidate for the PostDoc position has a Ph.D. degree in computer science, or a closely related discipline, from an internationally-renowned university, a strong background in system security with focus on vehicular security and privacy, documented by high-quality publications, and a strong motivation to become part of our team.
For Ph.D.-level researchers, we require a M.Sc. degree in computer science, or a closely related discipline, from an internationally-renowned university with a visible focus in system security.
Proficient knowledge of written and spoken English is required for both positions. Conversational German skills are a substantial advantage.
We are one of the leading research groups in vehicular security and privacy. Our group and university offer a unique environment for automotive-related research with excellent facilities and highly competitive salary. Automotive technologies are a priority area at Ulm University, and many research groups are active in fields like vehicle-driver interaction and automated driving. Being situated in Southern Germany between Stuttgart and Munich, we are located in the right heart of German car industry in one of the strongest economic regions in Europe. We have strong ties with companies like Daimler, Audi, BMW, and Bosch and many of those companies have research or development labs at our campus.

For more information visit:
https://www.uni-ulm.de/in/vs/inst/offene-stellen/postdoc-and-phd-level-researchers-vehicular-security-privacy/

Closing date for applications:

Contact: Prof. Dr. Frank Kargl (vs-jobs@uni-ulm.de)

More information: https://www.uni-ulm.de/in/vs/inst/offene-stellen/postdoc-and-phd-level-researchers-vehicular-security-privacy/

Guessing entropy is a common choice for a side-channel analysis metric, and it represents the average rank position of a key candidate among all possible key guesses. In the profiled side-channel analysis, the guessing entropy behavior can be very informative about the trained or profiled model. However, to achieve reliable conclusions about the profiled model's performance, guessing entropy behavior should be stable to avoid misleading conclusions in the attack phase.

In this work, we investigate this problem of misleading conclusions from the entropy behavior, and we define two new concepts, simple and generalized guessing entropy. We demonstrate that the first one needs only a limited amount of attack traces but can lead to wrong interpretations about leakage detection. The second concept requires a large (sometimes unavailable) amount of attack traces, but it represents the optimal way of calculating guessing entropy. To quantify the profiled model's learnability, we first define a leakage distribution metric to estimate the underlying leakage model. This metric, together with the generalized guessing entropy results for all key candidates, can estimate the leakage learning or detection when a necessary amount of attack traces are available in the attack phase. By doing so, we provide a tight estimation of profiled side-channel analysis model learnability. We confirm our observations with a number of experimental results.

Event date: 21 October to 23 October 2020
Submission deadline: 11 August 2020
Notification: 17 September 2020

The Applied Crypto Group of the University of Luxembourg has multiple post-doc positions, funded by the H2020 ERC programme.

Possible topics of interests are:

• fully homomorphic encryption and multilinear maps
• public-key cryptanalysis
• side channel attacks and countermeasures
• white-box cryptography
• blockchain applications

Candidates must have a Ph.D. degree in cryptography or related field. The duration of the positions is 2.5 years. The post-docs will be members of the Security and Trust (SnT) research center from the University of Luxembourg (>200 researchers in all aspects of IT security). We offer a competitive salary (about 60,000 euro/year).

Deadline for application: September 15th, 2020.

Closing date for applications:

Contact: Jean-Sebastien Coron: jean-sebastien.coron@uni.lu

More information: http://www.crypto-uni.lu/vacancies.html

This work presents new speed records for XMSS (RFC 8391) signature verification on embedded devices. For this we make use of a probabilistic method recently proposed by Perin, Zambonin, Martins, Custodio, and Martina (PZMCM) at ISCC 2018, that changes the XMSS signing algorithm to search for fast verifiable signatures. We improve the method, ensuring that the added signing cost for the search is independent of the message length. We provide a statistical analysis of the resulting verification speed and support it by experiments. We present a record setting RFC compliant implementation of XMSS verification on the ARM Cortex-M4. At a signing time of about one minute on a general purpose CPU, we create signatures that are verified about $1.44$ times faster than traditionally generated signatures. Adding further implementation optimizations to the verification algorithm we reduce verification time by over a factor two from $13.85$ million to $6.56$ million cycles.

In contrast to previous works, we provide a detailed security analysis of the resulting signature scheme under classical and quantum attacks that justifies our selection of parameters. On the way, we fill a gap in the security analysis of XMSS as described in RFC 8391 proving that the modified message hashing in the RFC does indeed mitigate multi-target attacks. This was not shown before and might be of independent interest.

In our daily lives we constantly use and trust Public-Key Cryptography to exchange keys over insecure communication channels. With the development and progress in the research &#64257;eld of quantum computers, well established schemes like RSA and ECC are more and more threatened. The urgent demand to &#64257;nd and standardize new schemes – which are secure in a post-quantum world – was also realized by the National Institute of Standards and Technology which announced a Post-Quantum Cryptography Standardization Project in 2017. Currently, this project is in the third round and one of the submitted candidates is the Key Encapsulation Mechanism scheme BIKE.

In this work we investigate di&#64256;erent strategies to e&#64259;ciently implement the BIKE algorithm on FPGAs. To this extend, we improve already existing polynomial multipliers, propose e&#64259;cient strategies to realize polynomial inversions, and implement the Black-Gray-Flip decoder for the &#64257;rst time. Additionally, our implementation is designed to be scalable and generic with the BIKE speci&#64257;c parameters. All together, the fastest designs achieve latencies of 2.69 ms for the key generation, 0.1 ms for the encapsulation, and 104.04 ms for the decapsulation considering the &#64257;rst security level.