International Association
for Cryptologic Research

Contact tracing is an important mitigation tool for national health services to fight epidemics such as COVID-19. While many of the existing approaches for automated contact tracing focus on privacy-preserving decentralized solutions, the use of blockchain in these applications is often suggested for the transparency and immutability of the data being collected.

We present CovidBloc, a contact tracing system that implements the COVID 19 exposure database on Hyperledger Fabric Blockchain Network. Like most decentralized contact tracing application, the participants of the CovidBloc are: (1) a mobile application running on a bluetooth-equipped smartphone, (2) a web dashboard for health officials, and (3) a backend server acting as a repository for data being collected. We have implemented all components of CovidBloc to make it a fully functional contact tracing application. It is hosted at https://anonymous.4open.science/r/c6caad6d-62a4-463c-8301-472e421b931f/.

The mobile application for CovidBloc is developed for Android. The exposure notification system in our mobile application is implemented as per the recently released draft documentation by Google and Apple. The exposure notification API from Google and Apple is only available to a limited number of teams per country.

The backend server is an important component of any automated contact tracing system which acts as a repository for exposure data to be pushed by smartphones upon authorization by the health staff. Since adding or removing information on the server has privacy consequences, it is required that the server should not be trusted. The backend server for CovidBloc is implemented on Hyperledger Fabric Blockchain network.

In the current world of the Internet-of-things and edge computing, computations are increasingly performed locally on small connected systems. As such, those devices are often vulnerable to adversarial physical access, enabling a plethora of physical attacks which is a challenge even if such devices are built for security.

As cryptography is one of the cornerstones of secure communication among devices, the pertinence of fault attacks is becoming increasingly apparent in a setting where a device can be easily accessed in a physical manner. In particular, two recently proposed fault attacks, Statistical Ineffective Fault Attack (SIFA) and the Fault Template Attack (FTA) are shown to be formidable due to their capability to bypass the common duplication based countermeasures. Duplication based countermeasures, deployed to counter the Differential Fault Attack (DFA), work by duplicating the execution of the cipher followed by a comparison to sense the presence of any effective fault, followed by an appropriate recovery procedure. While a handful of countermeasures are proposed against SIFA, no such countermeasure is known to thwart FTA to date.

In this work, we propose a novel countermeasure based on duplication, which can protect against both SIFA and FTA. The proposal is also lightweight with only a marginally additional cost over simple duplication based countermeasures. Our countermeasure further protects against all known variants of DFA, including Selmke, Heyszl, Sigl’s attack from FDTC 2016. It does not inherently leak side-channel information and is easily adaptable for any symmetric key primitive. The validation of our countermeasure has been done through gate-level fault simulation.

Private Set Intersection (PSI) is a specified protocol of secure Multi-Party Computation (MPC). PSI allows two parties to obtain the intersection of their private sets while nothing else is revealed. In contrast to the great demand for PSI in real-world applications, there is still no evaluation results of different general practical PSI framework. Most existing PSI implmentations are based on C/C++, which also makes them hard to compute in parallel. %We focus on OT-based PSI in this work. Oblivious transfer (OT) allows a party to obliviously choose messages from others. Lots of PSI protocols have been proposed in recent years, which achieve good performance and are regarded as one of the most potential PSI species. In this paper, we propose a generic Java-based PSI framework and implement all up-to-date OT-based PSI protocols within the framework until now. We evaluate these OT-based PSI protocols and the dependent cryptographic primitives and provide the best combination of primitives for constructing a best-performed OT-based PSI from the ground up. Additional optimizations are also applied to the protocols in our framework, including both generic and custom-tailored ones. We adopt filters to significantly reduce the communication of OT-based PSI protocols. The implementations in our framework support concurrence by using the natural feature of Java, which avoids to manurally allocate threads when using C/C++. We believe that our framework benefits a lot for future MPC and PSI researches and helps the promotion of PSI-based applications.

Lattice-based algorithms in cryptanalysis often search for a target vector satisfying integer linear constraints as a shortest or closest vector in some lattice. In this work, we observe that these formulations may discard non-linear information from the underlying application that can be used to distinguish the target vector even when it is far from being uniquely close or short.

We formalize lattice problems augmented with a predicate distinguishing a target vector and give algorithms for solving instances of these problems. We apply our techniques to lattice-based approaches for solving the Hidden Number Problem, a popular technique for recovering secret DSA or ECDSA keys in side-channel attacks, and demonstrate that our algorithms succeed in recovering the signing key for instances that were previously believed to be unsolvable using lattice approaches. We carried out extensive experiments using our estimation and solving framework, which we also make available with this work.

We discuss the setting of information-theoretically secure channel protocols where confidentiality of transmitted data should hold against unbounded adversaries. We argue that there are two possible scenarios: One is that the adversary is currently bounded, but stores today's communication and tries to break confidentiality later when obtaining more computational power or time. We call channel protocols protecting against such attacks future-secure. The other scenario is that the adversary already has extremely strong computational powers and may try to use that power to break current executions. We call channels withstanding such stronger attacks unconditionally-secure.

We discuss how to instantiate both future-secure and unconditionally-secure channels. To this end we first establish according confidentiality and integrity notions, then prove the well-known composition theorem to also hold in the information-theoretic setting: Chosen-plaintext security of the channel protocol, together with ciphertext integrity, implies the stronger chosen-ciphertext notion. We discuss how to build future-secure channel protocols by combining computational message authentication schemes like HMAC with one-time pad encryption. Chosen-ciphertext security follows easily from the generalized composition theorem. We also show that using one-time pad encryption with the unconditionally-secure Carter-Wegman MACs we obtain an unconditionally-secure channel protocol.

Semi-regular sequences over $\mathbb{F}_2$ are sequences of homogeneous elements of the algebra $ B^{(n)}=\mathbb{F}_2[X_1,...,X_n]/(X_1^2,...,X_n^2)$, which have as few relations between them as possible. It is believed that most such systems are semi-regular and this property has important consequences for understanding the complexity of Grobner basis algorithms such as F4 and F5 for solving such systems. In fact even in one of the simplest and most important cases, that of quadratic sequences of length $n$ in $n$ variables, the question of the existence of semi-regular sequences for all $n$ remains open. In this paper we present a new framework for the concept of semiregularity which we hope will allow the use of ideas and machinery from homological algebra to be applied to this interesting and important open question. First we introduce an analog of the Koszul complex and show that $\mathbb{F}_2$-semi-regularity can be characterized by the exactness of this complex. We show how the well known formula for the Hilbert series of a semiregular sequence can be deduced from the Koszul complex. Finally we show that the concept of first fall degree also has a natural description in terms of the Koszul complex.

Aggregate signcryption combines the functionalities of aggregate signature and encryption. Very recently, Zia & Ali [1] (Wireless Personal Communications, https://doi.org/10.1007/s11277-020-07637-z) proposed an elliptic curve cryptography (ECC) based multi-recipient aggregate signcryption scheme. The authors claimed that their scheme is correct, efficient, and secure against known attacks. However, by this comment, we show that their scheme is incorrect and the receiver(s) is unable to unsigncrypt the message.

A polynomial commitment scheme (PCS) provides the ability to commit to a polynomial over a finite field and prove its evaluation at points. A succinct PCS has commitment and evaluation proof size sublinear in the degree of the polynomial. An efficient PCS has sublinear proof verification. Recently, it has been shown that any efficient and succinct PCS can be used to construct a SNARK with similar security and efficiency characteristics. We define an additive PCS to capture a ``homomorphic" property of commitments over a computational group $\mathbb{G}$ of bounded size. All existing examples of additive schemes (e.g., Bulletproofs, KZG, DARK, Dory) are also what we call $m$-spanning, meaning that commitments to the monomials of degree less than $m$ generate $\mathbb{G}$. Our first technical result is a black-box transformation of any $m$-spanning additive PCS into a hiding PCS with a zero-knowledge evaluation proof. Our second technical result is that every additive succinct PCS supports efficient proof aggregation.

PCS proof aggregation reduces the task of proving evaluations of multiple commitments at multiple independent points to the task of proving the evaluation of a single ``aggregate" commitment at a single point. We present two flavors of aggregation: private and public. In private aggregation the prover has a private witness consisting of openings of the input commitments. In public aggregation, the prover/verifier share the same inputs, which includes non-interactive evaluation proofs for each input commitment. Our public aggregation protocol applies to any additive succinct PCS. Our private aggregation protocol applies more broadly to any succinct PCS that supports an efficient $\textit{linear combination scheme}$: a protocol for verifiably aggregating commitments into a new commitment to their linear combination. This includes non-additive schemes such as the post-quantum FRI-based PCS.

We apply these results to the Halo proof carrying data (PCD) system. Halo was originally built using the Bulletproofs inner-product argument as the underlying PCS, and was recently generalized to work with the KZG PCS. We show that Halo can be instantiated with any PCS that supports efficient PCS aggregation, private or public. Thus, our results show that efficient (zero-knowledge) SNARKs and PCD can be constructed from any succinct PCS that has an efficient linear combination scheme, even if the PCS itself is inefficient. These results yield new Halo-like PCD systems from PCS constructions beyond Bulletproofs and KZG, including DARK, FRI, and Dory. The post-quantum Halo instantiation from FRI is particularly surprising as FRI is not additive.

Prime integers are the backbone of most public key cryptosystems. Attacks often go after the primes themselves, as in the case of all factoring and index calculus algorithms. Primes are time sensitive cryptographic material and should be periodically changed. Unfortunately many systems use fixed primes for a variety of reasons, including the difficulty of generating trusted, random, cryptographically secure primes. This is particularly concerning in the case of discrete log based cryptosystems. This paper describes a variant of provable prime generation, intended for discrete logarithm based cryptography, based off Pocklington's theorem with improved efficiency, flexibility and security.

Recently, as the number of IoT (Internet of Things) devices has increased, the use of lightweight cryptographic algorithms that are suitable for environments with scarce resources has also increased. Consequently, the safety of such cryptographic algorithms is becoming increasingly important. Among them, side-channel analysis methods are very realistic threats. In this paper, we propose a novel differential fault attack method on the Lightweight Encryption Algorithm (LEA) cipher which became the ISO/IEC international standard lightweight cryptographic algorithm in 2019. Previously proposed differential fault attack methods on the LEA used the Single Bit Flip model, making it difficult to apply to real devices. The proposed attack method uses a more realistic attacker assumption, the Random Word Error model. We demonstrate that the proposed attack method can be implemented on real devices using an electromagnetic fault injection setup. Our attack method has the weakest attacker assumption among attack methods proposed to date. In addition, the number of required fault-injected ciphertexts and the number of key candidates for which exhaustive search is performed are the least among all existing methods. Therefore, when implementing the LEA cipher on IoT deivces, designers must apply appropriate countermeasures against fault injection attacks.

Event date: 10 December to 15 June 2021
Submission deadline: 15 June 2021

Event date: 6 July to 8 July 2021
Submission deadline: 16 February 2021
Notification: 15 April 2021

Event date: 7 July to

Project Title: Social and Societal Foundations of Cryptography: The Case of Large-Scale Protests. The Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway seeks to recruit PhD students who will explore the social and societal foundations of cryptography. Cryptography is a field that actively interrogates its foundations. These foundations are, unsurprisingly and sensibly, understood to be of the complexity-theoretic and mathematical variety. However, cryptographic security notions -- and everything that depends on them -- do not exist in a vacuum, they have reasons to be. While the immediate objects of cryptography are not social relations, it presumes and models them. This fact is readily acknowledged in the introductions of cryptographic papers which illustrate the utility of the work by reference to some social situation where several parties have conflicting ends but a need or desire to interact. Yet, this part of the definitional work has not received the same rigour from the cryptographic community as complexity-theoretic and mathematical questions. This project aims to take first steps towards remedying this situation by grounding cryptographic security notions in findings emerging from ethnographic fieldwork in adversarial situations. In particular, it considers protesters in large-scale protests and aims to understand their security needs, practices and the technologies they rely upon. The project then also analyses these technologies, i.e. attempts to break their security, and proposes new solutions based on the findings from fieldwork. By bringing cryptographic security notions to *the field*, the project provokes a series of security questions about, for example, confidentiality and anonymity in online and offline networks, trust relations and how to establish them, onboarding and authentication practices. We seek applicants with either a background in mathematics and/or computer science or related disciplines or a background in ethnography or experience using related qualitative social science methods

Closing date for applications:

Contact: The studentship includes * Tuition fees: * Maintenance: £21,285 for each academic year. The CDT in Cyber Security for the Everyday can offer up to ten studentships per year, three of which can be awarded to international students (which includes EU and EEA.) contact Prof Martin Albrecht

TU Berlin, Faculty IV (Electrical Engineering and Computer Science), Institute for Software Engineering and Theoretical Computer Science and the Berlin Institute for Foundations of Learning and Data (BIFOLD) invites applications for the position of a University Professorship - salary grade W3 in the field of "Machine Learning and IT Security". Faculty IV Reference number: IV-756/20 (starting at the earliest possible / unlimited / closing date for applications 04/01/21) Working field: We are seeking qualified applicants who based on previous work will conduct independent research and teaching in two or more of the following areas: (i) Machine Learning for IT-Security (ii) for IT-Security for Machine Learning (iii) Scalable IT-Security (iv) Security fo Data Science Systems and Platforms. Requirements: Applicants must fulfill the appointment requirements according to §100 BerlHG. The prerequisites are a completed scientific university degree with a focus on computer science, the special qualification for scientific work (usually proven by a doctorate) in the field of machine learning/IT security, additional scientific achievements (habilitation or equivalent scientific achievements) as well as pedagogical aptitude and experience, to be given proof of by a teaching portfolio (for more information see TUB website, quick access no. 144242). Research experience in the areas outlined in the job description, experience in national and international research cooperations (proven by relevant stays abroad and/or significant participation in projects) are also required. Teaching will be conducted in both German and English. For the complete job posting, please follow the link https://stellenticket.de/86502/TUB/?lang=en.

Closing date for applications:

Contact: Ms. Anita Hummel

More information: https://stellenticket.de/86502/TUB/?lang=en

Axelar is building a decentralized network that connects dApp builders with blockchain ecosystems, applications and users for frictionless cross-chain communication. Our team consists of experienced engineers and researchers in distributed systems, cryptography, and consensus. We’re growing our team and looking for engineers who’re interested in building the new financial stack from the ground up.

• Understanding of public and secret key: encryption, signatures (Ed25519, ECDSA, etc.).
• Knowledge of networking technologies, specifically TCP/IP, RPC and the related protocols.
• Knowledge of operating systems, file systems, and memory on macOS and Linux.
• Experience with engineering security practices.
• Ability to find, exploit and fix bugs, security vulnerabilities in software.
• General knowledge of blockchain technologies.
• Experience with Go and/or Rust.
• Bonus: understanding of elliptic curve cryptography, multi-party computation and threshold schemes.

More info at: https://axelar.network

Closing date for applications:

Contact: Sergey Gorbunov: sergey [at] axelar [dot] network

More information: https://axelar.network

The Ira A. Fulton Schools of Engineering at Arizona State University (ASU) seek applicants for a tenure-track/tenured faculty position in the intersection of Distributed Systems / Blockchain / Security in the School of Computing, Informatics, and Decision Systems Engineering (CIDSE). Areas of interest include, but are not limited to: the robustness, security, and resilience of distributed systems; secure distributed consensus algorithms; internet-scale distributed security; distributed cybersecurity approaches; theory and applications of blockchains and cryptography; secure distributed learning; game-theoretic approaches to cybersecurity; secure multiparty computation, data management, and cryptography; the distributed Internet of Things; and other emerging areas covering various intersections of distributed systems, blockchain, and cybersecurity. Application deadline is January 15, 2021.

More details at https://apply.interfolio.com/81408. For further information or questions about this position please contact Professor Yan Shoshitaishvili at (yans@asu.edu)

Closing date for applications:

Contact: Yan Shoshitaishvili (yans@asu.edu); Ni Trieu (nitrieu@asu.edu)

More information: https://apply.interfolio.com/81408

We present passive attacks against CKKS, the homomorphic encryption scheme for arithmetic on approximate numbers presented at Asiacrypt 2017. The attack is both theoretically efficient (running in expected polynomial time) and very practical, leading to complete key recovery with high probability and very modest running times. We implemented and tested the attack against major open source homomorphic encryption libraries, including \HEAAN, \SEAL, \HElib\ and \PALISADE, and when computing several functions that often arise in applications of the CKKS scheme to machine learning on encrypted data, like mean and variance computations, and approximation of logistic and exponential functions using their Maclaurin series.

The attack shows that the traditional formulation of \INDCPA\ security (or indistinguishability against chosen plaintext attacks) achieved by CKKS does not adequately capture security against passive adversaries when applied to approximate encryption schemes, and that a different, stronger definition is required to evaluate the security of such schemes.

We provide a solid theoretical basis for the security evaluation of homomorphic encryption on approximate numbers (against passive attacks) by proposing new definitions, that naturally extend the traditional notion of \INDCPA\ security to the approximate computation setting. We propose both indistinguishability-based and simulation-based variants, as well as restricted versions of the definitions that limit the order and number of adversarial queries (as may be enforced by some applications). We prove implications and separations among different definitional variants, and discuss possible modifications to CKKS that may serve as a countermeasure to our attacks.

An oblivious PRF, or OPRF, is a protocol between a client and a server, where the server has a key $k$ for a secure pseudorandom function $F$, and the client has an input $x$ for the function. At the end of the protocol the client learns $F(k,x)$, and nothing else, and the server learns nothing. An OPRF is verifiable if the client is convinced that the server has evaluated the PRF correctly with respect to a prior commitment to $k$. OPRFs and verifiable OPRFs have numerous applications, such as private-set-intersection protocols, password-based key-exchange protocols, and defense against denial-of-service attacks. Existing OPRF constructions use RSA-, Diffie-Hellman-, and lattice-type assumptions. The first two are not post-quantum secure.

In this paper we construct OPRFs and verifiable OPRFs from isogenies. Our main construction uses isogenies of supersingular elliptic curves over $\mathbb{F}_{p^{2}}$ and tries to adapt the Diffie-Hellman OPRF to that setting. However, a recent attack on supersingular-isogeny systems due to Galbraith et al. [ASIACRYPT 2016] makes this approach difficult to secure. To overcome this attack, and to validate the server's response, we develop two new zero-knowledge protocols that convince each party that its peer has sent valid messages. With these protocols in place, we obtain an OPRF in the SIDH setting and prove its security in the UC framework.

Our second construction is an adaptation of the Naor-Reingold PRF to commutative group actions. Combining it with recent constructions of oblivious transfer from isogenies, we obtain an OPRF in the CSIDH setting.

Access and search pattern leakage from range queries are detrimental to the security of encrypted databases, as evidenced by a large body of work on efficient attacks that reconstruct one-dimensional databases. Recently, the first attack in two-dimensions showed that higher-dimensional databases are also in danger. This attack requires complete information for reconstruction. In this paper, we develop reconstructions that require less information. We present an order reconstruction attack that only depends on access pattern leakage, and empirically show that the order allows the attacker to infer the geometry of the underlying data. Notably, this attack achieves full database reconstruction when the 1D horizontal and vertical projections of the points are dense. We also give an approximate database reconstruction attack that is distribution-agnostic and works with any subset of the possible responses, given the order of the database. We support our results with experiments on real-world databases with queries drawn from various distributions. Our attack is effective, e.g. we achieve good reconstructions with 15% percent of the queries under a Gaussian distribution.