International Association
for Cryptologic Research

This paper analyzes and optimizes quantum circuits for computing discrete logarithms on binary elliptic curves, including reversible circuits for fixed-base-point scalar multiplication and the full stack of relevant subroutines. The main optimization target is the size of the quantum computer, i.e., the number of logical qubits required, as this appears to be the main obstacle to implementing Shor's polynomial-time discrete-logarithm algorithm. The secondary optimization target is the number of logical Toffoli gates.

For an elliptic curve over a field of 2^n elements, this paper reduces the number of qubits to 7n+[log_2(n)]+9. At the same time this paper reduces the number of Toffoli gates to 48n^3+8n^(log_2(3)+1)+352n^2 log_2(n)+512n^2+O(n^(log_2(3))) with double-and-add scalar multiplication, and a logarithmic factor smaller with fixed-window scalar multiplication. The number of CNOT gates is also O(n^3). Exact gate counts are given for various sizes of elliptic curves currently used for cryptography.

In this work we develop optimized software implementationsfor ForkAE, a second round candidate in the ongoing NIST lightweight cryptography standardization process. Moreover, we analyze the perfor-mance and efficiency of different ForkAE implementations on two em-bedded platforms: ARM Cortex-A9 and ARM Cortex-M0.First, we study portable ForkAE implementations. We apply a decryption optimization technique which allows us to accelerate decryption by up to 35%. Second, we go on to explore platform-specific software op-timizations. In platforms where cache-timing attacks are not a risk, we present a novel table-based approach to compute the SKINNY round function. Compared to the existing portable implementations, this technique speeds up encryption and decryption by 20% and 25%, respectively. Additionally, we propose a set of platform-specific optimizations for processors with parallel hardware extensions such as ARM NEON. Without relying on parallelism provided by long messages (cf. bit-sliced implementations), we focus on the primitive-level ForkSkinny parallelism provided by ForkAE to reduce encryption and decryption latency by up to 30%. We benchmark the performance of our implementations on the ARM Cortex-M0 and ARM Cortex-A9 processors and give a comparison withthe other SKINNY-based schemes in the NIST lightweight competition– SKINNY-AEAD and Romulus

The protection of cryptographic implementations against power analysis attacks is of critical importance for many applications in embedded systems. The typical approach of protecting against these attacks is to implement algorithmic countermeasures, like masking. However, implementing these countermeasures in a secure and correct manner is challenging. Masking schemes require the independent processing of secret shares, which is a property that is often violated by CPU microarchitectures in practice. In order to write leakage-free code, the typical approach in practice is to iteratively explore instruction sequences and to empirically verify whether there is leakage caused by the hardware for this instruction sequence or not. Clearly, this approach is neither efficient, nor does it lead to rigorous security statements.

In this paper, we overcome the current situation and present the first approach for co-design and co-verification of masked software implementations on CPUs. First, we present Coco, a tool that allows us to provide security proofs at the gate-level for the execution of a masked software implementation on a concrete CPU. Using Coco , we analyze the popular 32-bit RISC-V Ibex core, identify all design aspects that violate the security of our tested masked software implementations and perform corrections, mostly in hardware. The resulting secured Ibex core has an area overhead around 10%, the runtime of software on this core is largely unaffected, and the formal verification with Coco of an, e.g., first-order masked Keccak S-box running on the secured Ibex core takes around 156 seconds. To demonstrate the effectiveness of our suggested design modifications, we perform practical leakage assessments using an FPGA evaluation board.

Deep learning-based SCA represents a powerful option for profiling side-channel analysis. Numerous results in the last few years indicate neural networks can break targets protected with countermeasures even with a relatively small number of attack traces. Intuitively, the more powerful neural network architecture we require, the more effort we need to spend in its hyperparameter tuning. Current results commonly use random search and reach good performance. Yet, we remain with the question of how good are such architectures if compared with the architectures that are carefully designed by following a specific methodology. Unfortunately, the works considering methodologies are sparse and difficult to ease without prior knowledge about the target.

This work proposes an automated way for deep learning hyperparameter tuning that is based on Bayesian Optimization. We build a custom framework denoted as AutoSCA that supports both machine learning and side-channel metrics. Our experimental analysis shows that Bayesian optimization performs well regardless of the dataset, leakage model, or neural network type. What is more, we find a number of neural network architectures outperforming state-of-the-art attacks. Finally, we note that random search, despite being considered not particularly powerful, manages to reach top performance for a number of considered settings. We postulate this happens since the datasets are relatively easy to break, and there are many neural network architectures reaching top performance.

An oblivious RAM (ORAM), introduced by Goldreich and Ostrovsky (STOC '87 and J. ACM '96), is a technique for hiding RAM's access pattern. That is, for every input the distribution of the observed locations accessed by the machine is essentially independent of the machine's secret inputs. Recent progress culminated in a work of Asharov et al. (EUROCRYPT '20), obtaining an ORAM with (amortized) logarithmic overhead in total work, which is known to be optimal.

Oblivious Parallel RAM (OPRAM) is a natural extension of ORAM to the (more realistic) parallel setting where several processors make concurrent accesses to a shared memory. It is known that any OPRAM must incur logarithmic work overhead and for highly parallel RAMs a logarithmic depth blowup (in the balls and bins model). Despite the significant recent advances, there is still a large gap: all existing OPRAM schemes incur a poly-logarithmic overhead either in total work or in depth.

Our main result closes the aforementioned gap and provides an essentially optimal OPRAM scheme. Specifically, assuming one-way functions, we show that any Parallel RAM with memory capacity~$N$ can be obliviously simulated in space $O(N)$, incurring only $O(\log N)$ blowup in (amortized) total work as well as in depth. Our transformation supports all PRAMs in the CRCW mode and the resulting simulation is in the CRCW mode as well.

Job Description As a Principal Engineer/Cryptographer at Intel, you will lead complex, multi-disciplinary projects to advance cutting-edge applied cryptography within Intel's chips. The ideal candidate is comfortable implementing multiple types of cryptographic algorithms and able to research new constructions and guide hardware, firmware and software teams. The candidate should be experienced in cryptographic solution formulation and problem solving.

Responsibilities include the following:

• Drive a specific strategic cryptographic initiative across Intel
• Collaborate with internal stakeholders to contribute to other strategic objectives of Intel's Cryptography team
• Influence internal security policies and standards regarding cryptography and security
• Collaborate with other team members on internal research activities
• Perform cryptanalytical reviews of algorithms, protocols and implementations
• Track relevant state-of-the-art academic cryptographic research
• Guide and mentor the develop of junior engineers in the technical leadership pipeline

Qualifications
Minimum work experience requirements:
10+ years experience in cryptography/cryptographic implementation and an advanced degree in cryptography or related discipline; or 15+ years experience in cryptography/cryptographic implementation
Preferred qualifications:

• Experience with industrial security engineering, preferably significant contributions to large projects
• Knowledge of computer architecture, CPU, SoC, chipsets, BIOS, Firmware, Drivers, and other compute paradigms
• Very good understanding of side-channel attacks, including architectural and physical attacks
• Familiarity with hardware design toolsets, including RTL
• Familiarity and experience with software languages (C, C++, Java, Python, Go, etc.)
• Strong track record of contributions to the crypto community (papers in well-established conferences, patents, standards)
• Familiarity with latest developments in the area of post-quantum algorithms

For more details please see the full job posting link.Closing date for applications:

Contact: David Wheeler (david.m.wheeler@intel.com)

More information: https://jobs.intel.com/ShowJob/Id/2616826/Principal-Engineer-Senior-Cryptographer

We are looking for a PhD student and a Postdoc to work on Security of Beyond 5G networks under INSPIRE-5Gplus and 6G Flagship projects. The PhD student position is open for students with a Masters Degree in EE or CS fields. More info about Projects: INSPIRE-5Gplus: https://www.inspire-5gplus.eu/ 6G Flagship: https://www.oulu.fi/6gflagship/ If you are interested, Please Contact: madhusanka.liyanage@oulu.fi or Pawani.porambage@oulu.fi

Closing date for applications:

Contact: Madhusanka Liyanage (madhusanka.liyanage@oulu.fi)

More information: https://sites.google.com/view/madhusanka/home

Dr. Yang Zhang (https://yangzhangalmo.github.io/) at CISPA Helmholtz Center for Information Security (Germany) is looking for several fully-funded Ph.D. students working on the following topics:

• Machine learning security and privacy
• Biomedical privacy
• Misinformation detection

Requirements for Ph.D. students:

• A bachelor/master degree in Computer Science, Information Security, or Mathematics
• Excellent English (knowledge of German is not required)
• Good knowledge about machine learning/data mining
• Excellent programming skills

What we offer:

• Full-time working contract (12-month E13-level salary, ~2,400 euros per month)
• Excellent research environment
• Strong supervision

To apply, please send your:

• CV
• Transcript

to zhang@cispa.de

We also have positions for postdocs, if you are interested, please send an email with your CV to zhang@cispa.de as well.

Closing date for applications:

Contact: Yang Zhang

As part of the SecInt Doctoral College (SecInt-DK), TU Wien is offering ten positions as university assistant (Pre-Doc) for 4 years. Expected start: 01.01.2021.

Tasks:

• Collaboration on current research projects
• Deepening scientific knowledge
• Collaboration in academic teaching
• Writing a dissertation and publications
• Participation in regular events organized by the SecInt Doctoral College
• Completion of an internship with one of our international research partners
• Presentation of research results and participation in scientific event

The Research Projects: The SecInt Doctoral college offers 10 interdisciplinary research projects from the areas of Formal Methods, Security and Privacy, and Machine Learning, that are each supervised by at least two professors from the corresponding research areas. Additional details on the individual projects can be found at https://secint.visp.wien/projects.

We offer:

• Diverse and exciting tasks, with lots of interdisciplinary collaboration
• Continuing personal and professional education and flexible working hours
• Central location with very good accessibility in a city regularly ranked first worldwide for life quality
• Possibility of an internship with one of our international research partners
• Very competitive salary

Your profile:

• Completion of a master or diploma curriculum in computer science or another related field
• Experience in Mathematical Modeling, Computational Logic, Formal Methods, Security and Privacy, Robotics and/or Machine Learning
• Very good skills in English communication and writing.
• Readiness for interdisciplinary collaboration
• Team competences, problem-solving skills and innovative ability

A predoctoral researcher at TU Wien currently receives a minimum of EUR 2.196,75/month gross, 14 times/year for 30 hours/week and EUR 2.929,00/month for 40 hours/week (about EUR 28.675/year net). Relevant working experiences may increase the monthly income.

We look forward to receiving yo

Closing date for applications:

Contact: secint@visp.wien

More information: https://jobs.tuwien.ac.at/Job/136572

Several PhD positions in the domains of cryptography, computer security, privacy, and blockchain-based systems are available at the University of Connecticut (UConn), Computer Science and Engineering department, led by Prof. Ghada Almashaqbeh.

The positions provide a great opportunity for students with interest in interdisciplinary projects that combine knowledge from various fields towards the design of secure systems and protocols. We target real-world timely problems and aim to provide secure and practical solutions backed by rigorous foundations and efficient implementations/thorough performance testing. We are also interested in conceptual projects that contribute in bridging the gap between theory and practice of Cryptography. For more information about our current and previous projects please check https://ghadaalmashaqbeh.github.io/research/.

For interested students, please send your CV to ghada.almashaqbeh@uconn.edu and provide any relevant information about the topics you want to work on and the skills/related background you have.

Closing date for applications:

Contact: Ghada Almashaqbeh (ghada.almashaqbeh@uconn.edu)

More information: https://ghadaalmashaqbeh.github.io/

There are two Ph.D. positions opening at Dr. Berk Gulmezoglu's research group at the Department of Electrical and Computer Engineering of Iowa State University, Ames, IA. The research topics are side-channel attacks, ML-based analysis techniques and countermeasures. Interested students are welcomed to send their resume and unofficial transcript to bgulmez@iastate.edu Requirements: Preferred to be at the majors of Computer Science or Computer Engineering. Interested in software-based microarchitectural attacks or deep learning algorithms. Proficiency in programming languages such as C/C++, Python and Javascript. Great enthusiasm of conducting research oriented tasks. Degree: B.S. and M.S. graduates Deadline: preferably starting at Spring 2021. Fall 2021 is also okay. Positions are open until they are filled.

Closing date for applications:

Contact: Berk Gulmezoglu bgulmez@iastate.edu

More information: https://www.ece.iastate.edu/bgulmez/

Lund University was founded in 1666 and is repeatedly ranked among the world’s top 100 universities. The University has 40 000 students and more than 8 000 staff based in Lund, Helsingborg and Malmö.

The topic of the project is the study of the security of software implementations of cryptographic primitives and protocols. You will investigate attacks using side-channel leakage in software implementations, in particular libraries implementing current or future standard security protocols and cryptographic primitives such as OpenSSL. The focus can be on cache-timing attacks of different forms and will include both developing attacks as well as different protection methods, such as guaranteeing a constant-time implementation. It can also be on power analysis attacks on devices executing software and its protected implementations.

Work duties: The main duties involved in a post-doctoral position is to conduct research. Teaching may also be included, but up to no more than 20% of working hours. The position include the opportunity for three weeks of training in higher education teaching and learning.

Qualification requirements: Appointment to a post-doctoral position requires that the applicant has a PhD, or an international degree deemed equivalent to a PhD, within the subject of the position, completed no more than three years before the last date for applications. Under special circumstances, the doctoral degree can have been completed earlier.

Additional requirements: Very good oral and written proficiency in English. Publications in top conferences in the crypto and security community.

Terms of employment: This is a full-time, fixed-term employment of a maximum of 2 years with competitive salary (about 42kSEK per month before tax).

Last application date: 09.Nov.2020

Closing date for applications:

Contact: Thomas johansson (thomas@eit.lth.se)

More information: https://lu.varbi.com/en/what:job/jobID:357480/type:job/where:4/apply:1

Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct the first universally composable (UC) protocol for oblivious transfer secure against active static adversaries based on the Computational Diffie-Hellman (CDH) assumption. Our protocol is proven secure in the observable Global Random Oracle model. We start by constructing a protocol that realizes an OT functionality with a selective failure issue, but shown to be sufficient to instantiate efficient OT extension protocols. In terms of complexity, this protocol only requires the computation of 6 modular exponentiations and the communication of 5 group elements, five binary strings of security parameter length, and two binary strings of message length. Finally, we lift this weak construction to obtain a protocol that realizes the standard OT functionality (without any selective failures) at an additional cost of computing 9 modular exponentiations and communicating 4 group elements, four binary strings of security parameter length and two binary strings of message length. As an intermediate step before constructing our CDH based protocols, we design generic OT protocols from any OW-CPA secure public-key encryption scheme with certain properties, which could potentially be instantiated from more assumptions other than CDH.

Selfish mining (SM) attack (Eyal and Sirer, CACM ’13) endangered Proof-of-Work blockchains by allowing a rational mining pool with a hash power (&#945;) much less than 50% of the whole network to deviate from the honest mining algorithm and to steal from the fair shares of honest miners. Since then, the attack has been studied extensively in various settings, for understanding its interesting dynamics, optimizing it, and mitigating it. In this context, first, we propose generalized formulas for the calculation of revenue and profitability from SM-type attacks. Second, we propose two different SM-type attacks on the state-of-the-art mitigation algorithm “Freshness Preferred” (Heilman, FC ’14). Our Oracle mining attack works on the setting with forgeable timestamps (i.e., if timestamps are not generated by an authority) and our Bold mining attack works on the setting with both forgeable or unforgeable timestamps (i.e., even if an authority issues timestamps). Although the use of timestamps would be promising for selfish mining mitigation, the analyses of our attacks show that Freshness Preferred is quite vulnerable in the presence of rational miners, as any rational miner with &#945; >0 can directly benefit from our attacks. Third, we propose an SM mitigation algorithm Fortis with forgeable timestamps, which protects the honest miners’ shares against any attacker with &#945;<27.0% against all the known SM-type attacks.

I describe a blockchain design that hides the transaction graph from Blockchain Analyzers. The design is based on the realization that today the miner creating a block needs enough information to verify the validity of transactions, which makes details about the transactions public and thus allows blockchain analysis. Some protocols, such as Mimblewimble, obscure the transaction amounts but not the source of the funds which is enough to allow for analysis. The insight in this technical note is that the block creator can be restricted to the task of ensuring no double spends. The task of actually verifying transaction balances really belongs to the receiver. The receiver is the one motivated to verify that she is receiving a valid transaction output since she has to convince the next receiver that the balances are valid, otherwise no one will accept her spending transaction. The bulk of the transaction can thus be encrypted in such a manner that only the receiver can decrypt and examine it. Opening this transaction allows the receiver to also open previous transactions to allow her to work her way backward in a chain until she arrives at the coin generation blocks and completely verify the validity of the transaction. Since transactions are encrypted on the blockchain a blockchain analyzer cannot create a transaction graph until he is the receiver of a transaction that allows backward tracing through to some target transaction.

Basic key exchange protocols built from the learning with errors (LWE) assumption are insecure if secret keys are reused in the face of active attackers. One example of this is Fluhrer's attack on the Ding, Xie, and Lin (DXL) LWE key exchange protocol, which exploits leakage from the signal function for error correction. Protocols aiming to achieve security against active attackers generally use one of two techniques: demonstrating well-formed keyshares using re-encryption like in the Fujisaki--Okamoto transform; or directly combining multiple LWE values, similar to MQV-style Diffie--Hellman-based protocols.

In this work, we demonstrate improved and new attacks exploiting key reuse in several LWE-based key exchange protocols. First, we show how to greatly reduce the number of samples required to carry out Fluhrer's attack and reconstruct the secret period of a noisy square waveform, speeding up the attack on DXL key exchange by a factor of over 200. We show how to adapt this to attack a protocol of Ding, Branco, and Schmitt (DBS) designed to be secure with key reuse, breaking the claimed 128-bit security level in under a minute. We also apply our technique to a second authenticated key exchange protocol of DBS that uses an additive MQV design, although in this case our attack makes use of ephemeral key compromise powers of the eCK security model, which was not in scope of the claimed BR-model security proof. Our results show that building secure authenticated key exchange protocols directly from LWE remains a challenging and mostly open problem.

Cryptographic Primitives in Multivariate Public Key Cryptography are of relevant interest, specially in the quadratic case. These primitives classify the families of schemes that we encounter in this field. In this paper, the reader can find a new primitive based on the product of the roots of a polynomial over a field, where the coefficients of this polynomials are the elementary symmetric polynomials on $n$ variables, which guarantees a solution when inverting the scheme. Moreover, a cryptosystem and a digital signature scheme are built on top of this primitive, where distinct parametrizations and criteria that define the schemes are commented, along with applications of attacks available in literature.

Secure two-party computation considers the problem of two parties computing a joint function of their private inputs without revealing anything beyond the output of the computation. In this work, we take the first steps towards understanding the setting in which the two parties want to evaluate a joint quantum functionality while using only a classical communication channel between them. Our first result indicates that it is in general impossible to realize a two-party quantum functionality against malicious quantum adversaries with black-box simulation, relying only on classical channels. The negative result stems from reducing the existence of a black-box simulator to the existence of an extractor for classical proof of quantum knowledge, which in turn leads to violation of the quantum no-cloning.

Towards the positive results, we first introduce the notion of Oblivious Quantum Function Evaluation (OQFE). An OQFE is a two-party quantum cryptographic primitive with one fully classical party (Alice) whose input is (a classical description of a) quantum unitary, $U$, and a quantum party (Bob) whose input is a quantum state, $\psi$. In particular, Alice receives the classical output corresponding to the measurement of $U (\psi)$ while Bob receives no output. At the same time, the functionality guarantees that Bob remains oblivious to Alice's input $U$, while Alice learns nothing about $\psi$ more than what can be learned from the output of the computation. We present two concrete constructions, one secure against semi-honest parties and the other secure against malicious parties. Due to the no-go result mentioned above, we consider what is arguably the best possible notion obtainable in our model with respect to malicious adversaries: one-sided simulation security. This notion protects the input of one party (the quantum Bob) in the standard simulation-based sense, and protects the privacy of the other party's input (the classical Alice). We realize our protocol relying on the assumption of quantum secure injective homomorphic trapdoor one-way functions, which in turn rely on the learning with errors problem. As a result, we put forward a first, simple and modular construction of secure one-sided quantum two-party computation and quantum oblivious transfer over classical networks.

Multi-input functional encryption (MIFE) is a generalization of functional encryption and allows decryptor to learn only function values $f(x_{1},\ldots,x_{n})$ from ciphertexts of $x_{1},\ldots,x_{n}$. We present the first MIFE schemes for quadratic functions (MQFE) from pairings. We first observe that public-key MQFE can be obtained from inner product functional encryption in a relatively simple manner whereas obtaining secret-key MQFE from standard assumptions is completely nontrivial. The main contribution of this paper is to construct the first secret-key MQFE scheme that achieves indistinguishability-based selective security against unbounded collusion under the standard bilateral matrix Diffie-Hellman assumption. All previous MIFE schemes either support only inner products (linear functions) or rely on non-standard cryptographic assumptions such as indistinguishability obfuscation or multi-linear maps. Thus, our schemes are the first MIFE for functionality beyond linear functions from polynomial hardness of standard assumptions.

Physically unclonable functions (PUFs) are gaining attention as a promising cryptographic technique; the main applications using PUFs include challenge-response authentication and key generation (key storage). When a PUF is applied to these applications, min-entropy estimation is essential. Min-entropy is a measure of the lower bound of the unpredictability of PUF responses. A prominent scheme for estimating min-entropy is the National Institute of Standards and Technology (NIST) specification (SP) 800-90B. It includes several statistical tests and ten kinds of estimators aimed at estimating the min-entropy of random number generators (RNGs). Several studies have estimated the min-entropy of PUFs as well as those of RNGs by using SP 800-90B. In this paper, we point out two problems in this scheme to estimate the min-entropy of PUFs. One is that the estimation results vary widely by the ordering of the PUF responses. The other is that the entropy estimation suite of SP 800-90B can overestimate PUF min-entropy. Both problems are related to the cause of lower entropy due to variations in the manufacturing of circuits and transistors (except for the PUF sources, which are circuits and transistors used to extract intrinsic physical properties and to generate device unique responses), named ``multiple sources.'' We call these circuits and transistors ``entropy-loss sources'' in contrast to the PUF sources. We applied three orderings to the PUF responses of our static random-access memory (SRAM) PUF and our complementary metal-oxide-semiconductor (CMOS) image sensor with a PUF (CIS PUF): row-direction ordering, column-direction ordering, and random-shuffle ordering. We demonstrated that the estimated min-entropy varies with the ordering. In particular, we found that arranging the PUF responses in readout order results in the overestimation of the min-entropy. We used numerical simulation to create numerical PUFs with the entropy-loss source. We demonstrated that the entropy estimation suite overestimates their entropy.