International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

via RSS feed
via Twitter
via Weibo
via Facebook

25 September 2020

Gennaro Avitabile, Daniele Friolo, Ivan Visconti
ePrint Report
In this work we show that an adversary can leverage blockchain technology to attack the integrity of contact tracing systems based on Google-Apple Exposure Notifications (GAEN). We design a suite of smart contracts named TEnK-U allowing an on-line market where infected individuals interested in monetizing their status will then upload to the servers of the GAEN-based systems some keys (i.e., TEKs) chosen by an adversary. As a consequence, there will be fake exposure notifications of at-risk contacts arbitrarily decided by the adversary and allowed by infected individuals looking for money.

Such a vulnerability can be exploited to anonymously and digitally trade valuable contact tracing data without a mediator and without risks of being cheated. This makes infected individuals prone to get bribed by adversaries willing to compromise the integrity of the contact tracing system for any malicious purpose. For instance, large-scale attacks with catastrophic consequences (e.g., jeopardizing the health system, compromising the result of elections) are easy to mount and attacks on specific targets are completely straightforward (e.g., schools, shops, hotels, factories).

We show as main contribution a smart contract with two collateral deposits that works, in general, on GAEN-based systems and concretely with Immuni and SwissCovid. In addition, we show smart contracts with one collateral deposit that work with SwissCovid. Finally, we also suggest the design of a more sophisticated smart contract that could potentially be used to attack GAEN-based systems even if those systems are repaired to make the previous attacks ineffective. This last smart contract crucially uses DECO to connect blockchains with TLS sessions.

Our work shows that the risks envisioned by Anderson and Vaudenay are absolutely concrete; in particular, TEnK-U shows how to realize with Immuni and SwissCovid the terrorist attack on decentralized systems discussed by Vaudenay.
Nabil Alkeilani Alkadri, Poulami Das, Andreas Erwig, Sebastian Faust, Juliane Krämer, Siavash Riahi, Patrick Struck
ePrint Report
Most blockchain solutions are susceptible to quantum attackers as they rely on cryptography that is known to be insecure in the presence of quantum adversaries. In this work we advance the study of quantum-resistant blockchain solutions by giving a quantum-resistant construction of a deterministic wallet scheme. Deterministic wallets are frequently used in practice in order to secure funds by storing the sensitive secret key on a so-called cold wallet that is not connected to the Internet. Recently, Das et al. (CCS'19) developed a formal model for the security analysis of deterministic wallets and proposed a generic construction from certain types of signature schemes that exhibit key rerandomization properties. We revisit the proposed classical construction in the presence of quantum adversaries and obtain the following results.

First, we give a generic wallet construction with security in the quantum random oracle model (QROM) if the underlying signature scheme is secure in the QROM. We next design the first post-quantum secure signature scheme with rerandomizable public keys by giving a construction from generic lattice-based Fiat-Shamir signature schemes. Finally, we show and evaluate the practicality by analyzing an instantiation of the wallet scheme based on the signature scheme qTESLA (ACNS'20).
Malik Imran, Samuel Pagliarini, Muhammad Rashid
ePrint Report
This work presents a hardware accelerator that optimizes latency and area at the same time to improve the performance of the point multiplication process in Elliptic Curve Cryptography. In order to reduce the overall computation time in the proposed 2-stage pipelined architecture, a rescheduling of point addition and point doubling instructions is performed along with an efficient use of the required memory locations. Furthermore, a 41-bit multiplier is also proposed. FPGA and ASIC implementation results are provided. The performance comparison with state-of-the-art implementations, in terms of latency and area, proves the significance of the proposed accelerator.
Hui Zhu, Christian Gehrmann
ePrint Report
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec failed to give protection.

24 September 2020

Edinburgh, UK, 10 May - 13 May 2021
PKC
Event date: 10 May to 13 May 2021
Submission deadline: 13 November 2020

23 September 2020

Technology Innovation Institute - Abu Dhabi, UAE
Job Posting
Technology Innovation Institute (TII) is a publicly funded research institute, based in Abu Dhabi, United Arab Emirates. It is home to a diverse community of leading scientists, engineers, mathematicians, and researchers from across the globe, transforming problems and roadblocks into pioneering research and technology prototypes that help move society ahead.

Responsibilities

  • Specify, design, implement and deploy cryptographic IP cores (including quantum-secure solutions)
  • Conduct research on (but not limited to) efficient cryptographic implementations, implementation attacks and countermeasures, design methodologies and tools
  • Perform security reviews of hardware designs and implementations
  • Work closely with the integration team and other teams in the organization to design and prototype secure systems and communication protocols

Minimum qualifications:

  • BSc, MSc or PhD degree in Cryptography, Computer Science, Engineering or similar degree with 3+ years of relevant work or research
  • Thorough knowledge of computer architecture and digital design principles
  • Relevant hardware development experience with a focus on hardware security
  • Extensive experience developing for FPGA and/or ASIC platforms in Verilog/VHDL
  • Experience writing testbenches and using waveform-based debugging tools
  • Solid understanding of cryptography, side-channel analysis attacks and countermeasures

Preferred qualifications:

  • Knowledge of UVM and assertion-based formal tools
  • Understanding of low-power and high-performance techniques
  • Understanding of micro-architectural attacks (e.g., Spectre, Meltdown, MDS)
  • Hands-on experience integrating IP blocks in complex systems (SoCs)
  • Programming skills in C/C++, Python, and/or Tcl
  • Hands-on experience with lab equipment (e.g., oscilloscopes, function generators)

Closing date for applications:

Contact: Mehdi Messaoudi, Talent Acquisition Manager, mehdi.messaoudi@tii.ae

Jean Monnet University in Saint-Etienne, Hubert Curien Laboratory, Saint-Etienne, France
Job Posting
We are looking for candidates for a free Post-Doc position in the field of design and modeling of self-timed rings (STR) as a source of randomness in logic devices, implementation of true random number generators (TRNG) based on STRs in FPGAs and ASICs, analysis of statistical properties of the generated numbers, statistical modeling of the proposed TRNGs and construction of efficient embedded tests dedicated to the proposed generators and based on their stochastic models.

Desired profile: Ph.D. degree is required.

Required skills:

  a) good knowledge of digital electronics and embedded systems
  b) knowledge of CAD tools and FPGA design (Intel, Xilinx or Microsemi) as well as simulation tools (Modelsim)
  c) ASIC design using Cadence tools (design, simulation, verification)
  d) good level of English

Other useful skills:

  e) data acquisition and data analysis (use of tcl and python languages in particular)
  f) signal processing, mathematical modeling, statistics
  g) basic knowledge in information security

Closing date for applications:

Contact: fischer(at)univ-st-etienne.fr

More information: https://laboratoirehubertcurien.univ-st-etienne.fr/en/teams/secure-embedded-systems-hardware-architectures/job-opportunities-2.html

Algorand, Inc.
Job Posting
We are looking for a Postdoctoral Cryptography Researcher to join our Team. This is an opportunity for someone who is genuinely excited by new technologies to influence the design and implementation of bleeding edge advanced cryptographic systems and protocols. Functioning somewhat independently and working within the larger Research Team, the Postdoctoral Cryptography Researcher will research and design cryptographic protocols and concepts, partnering with the team to develop prototypes. Our Researchers are also internal subject matter experts, providing guidance and learning opportunities to our extended staff. Researchers are also responsible for publishing meaningful research, independently and with other members of staff.

You will be working on a fast-paced, rapidly growing, high-profile project with a significant opportunity for industry-level impact on emerging blockchain and cryptocurrency technologies.

Overseen by Silvio Micali, this opportunity is for one (1) year with the possibility for extension.

The full role description (including responsibilities and qualifications) and the application link are available at the further information link.

Interested candidates should submit their application at the further information link along with their CV (including a list of publications), one (1) recently published paper relevant to the position responsibilities, and two (2) reference letters. You can share your paper and reference letters via the "Portfolio" link when applying, or upload the files with your CV. This position is available immediately and thus candidates who are already in the US are preferred.

Closing date for applications:

Contact: Regnia O'Brien, Head of People & Talent

More information: https://jobapply.page.link/TNVg


21 September 2020

SICPA - international company with HQ in Lausanne, Switzerland
Job Posting
Leveraging decades of expertise in security inks and solutions, SICPA aims at providing the next generation of trust-enabling security systems for citizens, central banks and governments in the domains of digital currency, identity and value chains. This is a great opportunity to join a strategic project and work with a team of passionate people to design, architect and develop innovative solutions.

WHAT YOU WILL DO

  • Shape new concepts and ideas, quickly and iteratively, through prototyping.
  • Have meaningful impact on the crafting and delivery in the early stages of the idea and product life cycles.
  • Collaborate closely with our development team to craft a solid foundation for future product development.
  • Deliver, as part of the team, a prototype.
  • Deliver a functioning sandbox environment, with the goal of identifying competitive advantage and helping implement that in practice.
  • Drive cooperation with platform and lab teams.

WHAT WE NEED FROM YOU

  • You have relevant technical skills gained via formal education (PhD preferred), and/or red/blue team experience.
  • You have expertise in applied cryptography, long-term security, Multi-Party Computation (MPC), key rotation schemes, SoC, SE, TEE, and solving difficult challenges for systems in highly adversarial environments.
  • You also master cryptographic protocols and standards (FIPS, AAL, PKI, NIST, ISO/IEC 27001).
  • You are curious to solve hard problems, oftentimes with competing priorities, using smartly assembled primitives, protocols and solutions, and can advise on choice trade-offs.
  • Besides being a great listener, you are an educator who acts as an advisor and mentor to team members in your domain of expertise.
  • You thrive in asynchronous communication environments and can express your ideas and thinking clearly, in writing.
  • You have a natural ability to explain, communicate and influence a broad audience (from highly technical to managerial), and you seek and engage in external collaboration with academia or red teams.

Read the full job ad here: https://jobs.sicpa.com/job/Prilly_Floris-%28CH01%29-Senior-Cryptographer/616

Closing date for applications:

Contact: Mrs Iuliana Petcu, Talent Acquisition Manager, hrrecruitment@sicpa.com

More information: https://jobs.sicpa.com/job/Prilly_Floris-%28CH01%29-Senior-Cryptographer/616737401/

Siemen Dhooghe, Svetla Nikova
ePrint Report
The wire probe-and-fault models are currently the most used models to provide arguments for side-channel and fault security. However, several practical attacks are not yet covered by these models. This work extends the wire fault model to include more advanced faults such as area faults and permanent faults. Moreover, we show the tile probe-and-fault adversary model from CRYPTO 2018's CAPA envelops the extended wire fault model along with known extensions to the probing model such as glitches, transitions, and couplings. In other words, tiled (tessellated) designs offer security guarantees even against advanced probe and fault adversaries.

As tiled models use multi-party computation techniques, countermeasures are typically expensive for software/hardware. This work investigates a tiled countermeasure based on the ISW methodology which is shown to perform significantly better than CAPA for practical parameters.
Wonseok Choi, Byeonghak Lee, Yeongmin Lee, Jooyoung Lee
ePrint Report
In this paper, we prove that the nonce-based enhanced hash-then-mask MAC ($\mathsf{nEHtM}$) is secure up to $2^{\frac{3n}{4}}$ MAC queries and $2^n$ verification queries (ignoring logarithmic factors) as long as the number of faulty queries $\mu$ is below $2^\frac{3n}{8}$, significantly improving the previous bound by Dutta et al. Even when $\mu$ goes beyond $2^{\frac{3n}{8}}$, $\mathsf{nEHtM}$ enjoys graceful degradation of security.

The second result is to prove the security of PRF-based $\mathsf{nEHtM}$; when $\mathsf{nEHtM}$ is based on an $n$-to-$s$ bit random function for a fixed size $s$ such that $1\leq s\leq n$, it is proved to be secure up to any number of MAC queries and $2^s$ verification queries, if (1) $s=n$ and $\mu<2^{\frac{n}{2}}$ or (2) $\frac{n}{2}<s<2^{n-s}$ and $\mu<\max\{2^{\frac{s}{2}},2^{n-s}\}$, or (3) $s\leq \frac{n}{2}$ and $\mu<2^{\frac{n}{2}}$. This result leads to the security proof of truncated $\mathsf{nEHtM}$ that returns only $s$ bits of the original tag since a truncated permutation can be seen as a pseudorandom function. In particular, when $s\leq\frac{2n}{3}$, the truncated $\mathsf{nEHtM}$ is secure up to $2^{n-\frac{s}{2}}$ MAC queries and $2^s$ verification queries as long as $\mu<\min\{2^{\frac{n}{2}},2^{n-s}\}$. For example, when $s=\frac{n}{2}$ (resp. $s=\frac{n}{4}$), the truncated $\mathsf{nEHtM}$ is secure up to $2^{\frac{3n}{4}}$ (resp. $2^{\frac{7n}{8}}$) MAC queries. So truncation might provide better provable security than the original $\mathsf{nEHtM}$ with respect to the number of MAC queries.
Lior Rotem, Gil Segev
ePrint Report
The algebraic group model, introduced by Fuchsbauer, Kiltz and Loss (CRYPTO '18), is a substantial relaxation of the generic group model capturing algorithms that may exploit the representation of the underlying group. This idealized yet realistic model was shown useful for reasoning about cryptographic assumptions and security properties defined via computational problems. However, it does not generally capture assumptions and properties defined via decisional problems. As such problems play a key role in the foundations and applications of cryptography, this leaves a significant gap between the restrictive generic group model and the standard model.

We put forward the notion of algebraic distinguishers, strengthening the algebraic group model by enabling it to capture decisional problems. Within our framework we then reveal new insights on the algebraic interplay between a wide variety of decisional assumptions. These include the decisional Diffie-Hellman assumption, the family of Linear assumptions in multilinear groups, and the family of Uber assumptions in bilinear groups.

Our main technical results establish that, from an algebraic perspective, these decisional assumptions are in fact all polynomially equivalent to either the most basic discrete logarithm assumption or to its higher-order variant, the $q$-discrete logarithm assumption. On the one hand, these results increase the confidence in these strong decisional assumptions, while on the other hand, they make it possible to direct cryptanalytic efforts towards either extracting discrete logarithms or significantly deviating from standard algebraic techniques.
Alan Szepieniec, Tomer Ashur, Siemen Dhooghe
ePrint Report
This document provides a simple standard specification for the Rescue-Prime family of arithmetization-oriented hash functions.
Zhengjun Cao, Lihua Liu
ePrint Report
Given a non-square $n=pq$, since $p, q$ are the two roots of $x^2-\theta x+n=0$, where $\theta=p+q$ is unknown, one can pick initial values $l, r$ and use Newton's method to construct $A(\theta, l, k)$, $B(\theta, r, k)$ approximating $p, q$, respectively, where $k$ is the iteration depth. Solve $A(\theta, l, k)B(\theta, r, k)=n$ subject to $\theta>2\sqrt{n}$ and $l< A(\theta, l, k)<\sqrt{n}< B(\theta, r, k)<r$ to obtain approximations of $\theta$. Accumulate and sort the approximations for different initial values. Then pivot on these approximations to search for the target $\theta$ such that $\theta^2-4n$ is a square. The success probability of this algorithm depends on the choice of initial values, the iteration depth, and the search scope around the pivots. The algorithm can be easily parallelized, and its complexity can be restricted to $O(\log^9 n)$.
Daniele Di Tullio, Manoj Gyawali
ePrint Report
In this paper we present a signature scheme based on the difficulty of finding a point in a shifted Grassmannian variety or on its secant variety from a knowledge of its defining polynomials. An advantage of using the secant variety of the Grassmannian is that it is defined by sparse cubic equations, which are in general more difficult to solve than quadratic ones, thereby reducing the size of the public key.
Yongjune Kim, Cyril Guyot, Young-Sik Kim
ePrint Report
The min-entropy is an important metric to quantify the randomness of generated random numbers in cryptographic applications; it measures the difficulty of guessing the most likely output. One of the important min-entropy estimators is the compression estimator of NIST Special Publication (SP) 800-90B, which relies on Maurer's universal test. In this paper, we propose two kinds of min-entropy estimators to improve computational complexity and estimation accuracy by leveraging two variations of Maurer's test: Coron's test (for Shannon entropy) and Kim's test (for Rényi entropy). First, we propose a min-entropy estimator based on Coron's test which is more computationally efficient than the compression estimator while maintaining the estimation accuracy. The second proposed estimator relies on Kim's test, which computes the Rényi entropy. This proposed estimator improves estimation accuracy as well as computational complexity. We analytically characterize an interesting trade-off relation between the theoretical gap of accuracy and the variance of min-entropy estimates, which depends on the order of the Rényi entropy. By taking into account this trade-off relation, we observe that the order of two is a proper assignment since the proposed estimator based on the collision entropy (i.e., the Rényi entropy of order two) provides the most accurate estimates. Moreover, the proposed estimator based on the collision entropy has a closed-form solution whereas both the compression estimator and the proposed estimator based on Coron's test do not have closed-form solutions. Numerical evaluations demonstrate that the first proposed estimator achieves the same accuracy as the compression estimator with much less computation. Moreover, the second estimator can even improve the accuracy as well as reduce the computational complexity.
Huijia Lin, Ji Luo
ePrint Report
We present succinct and adaptively secure attribute-based encryption (ABE) schemes for arithmetic branching programs, based on k-Lin in pairing groups. Our key-policy ABE scheme has ciphertexts of constant size, independent of the length of the attributes, and our ciphertext-policy ABE scheme has secret keys of constant size. Our schemes improve upon the recent succinct ABE schemes in [Tomida and Attrapadung, ePrint '20], which only handle Boolean formulae. All other prior succinct ABE schemes either achieve only selective security or rely on q-type assumptions.

Our schemes are obtained through a general and modular approach that combines a public-key inner product functional encryption satisfying a new security notion called gradual simulation security and an information-theoretic randomized encoding scheme called arithmetic key garbling scheme.
Florian Weber, Andreas Hülsing
ePrint Report
We introduce formal definitions for deniability in group chats by extending a pre-existing model that did not have this property. We then introduce "epochal signatures" as an almost drop-in replacement for signatures, which can be used to make certain undeniable group chats deniable by just performing that replacement. Following that, we provide a practical epochal signature scheme and prove its security.
Lennart Braun, Daniel Demmler, Thomas Schneider, Oleksandr Tkachenko
ePrint Report
We present MOTION, an efficient and generic framework for mixed-protocol secure multi-party computation (MPC). Our framework is built from the ground up and incorporates several important engineering decisions such as full communication serialization, which enables MPC over arbitrary messaging interfaces and removes the need to own network sockets. It is available under the liberal MIT license and is independent of external MPC libraries, which often have stricter licenses. MOTION is extensive and thoroughly tested: it currently consists of more than 36000 lines of code, 20% of which are unit and component tests. It is built in a user-friendly, modular, and extensible way, intended to be used as a tool in MPC research and to increase adoption of MPC protocols in practice. MOTION incorporates several novel performance optimizations that improve the communication complexity and latency, e.g., 2x better online round complexity of precomputed correlated Oblivious Transfer (OT).

We instantiate our framework with protocols for $N$ parties and security against up to $N-1$ passive corruptions: the MPC protocols of Goldreich-Micali-Wigderson (GMW) in its arithmetic and Boolean version and oblivious transfer (OT)-based BMR (Ben-Efraim et al., CCS'16), as well as novel and highly efficient conversions between them, including a non-interactive conversion from BMR to arithmetic GMW. Moreover, we design a novel garbling technique that saves 20% of communication in the BMR protocol.

MOTION is highly efficient, which we demonstrate in our experiments by measuring its run-times in various network settings with different numbers of parties. For secure evaluation of AES-128 with $N=3$ parties in the high-latency network setting from the OT-based BMR paper, we achieve a 16x better throughput of 16 AES/s using BMR. This shows that the BMR protocol is much more competitive than previously assumed. For $N=3$ parties and full-threshold protocols in the LAN setting, MOTION is 10x-18x faster than the previous best passively secure implementation from the MP-SPDZ framework, and 190x-586x faster than the actively secure SCALE-MAMBA framework. Finally, we show that our framework is highly efficient for privacy-preserving neural network inference.
Han Wu, Guangwu Xu
ePrint Report
This paper is devoted to a more precise classification of the family of curves $E_b:y^2=x^3+b/\mathbb{F}_p$. For prime $p\equiv 1 \pmod 3$, an explicit formula for the number of $\mathbb{F}_p$-rational points on $E_b$ is given based on the coefficients of a (primary) decomposition of $p=(c+d\omega)\overline{(c+d\omega)}$ in the ring $\mathbb{Z}[\omega]$ of Eisenstein integers. More specifically, \[ \#E_b(\mathbb{F}_p)\in p+1-\big\{\pm(d-2c),\pm(c+d), \pm(c-2d)\big\}. \] The correspondence between these $6$ numbers of points and the $6$ isomorphism classes of the groups $E_b(\mathbb{F}_p)$ can be efficiently determined.

For prime $p\equiv 2 \pmod 3$, it is shown that $E_b(\mathbb{F}_p)\cong \mathbb{Z}_{p+1}$. Two efficiently computable isomorphisms are described within the single isomorphism class of groups for the representatives $E_1(\mathbb{F}_p)$ and $E_{-3}(\mathbb{F}_p)$.

The explicit formulas for $\#E_b(\mathbb{F}_p)$ for $p\equiv 1 \pmod 3$ are used in searching for prime (or almost prime) order Koblitz curves over prime fields. An efficient procedure is described and analyzed. The procedure is proved to be deterministic polynomial time, assuming the Generalized Riemann Hypothesis.

Several tools that are useful in computing cubic residues are also developed in this paper.