International Association for Cryptologic Research


IACR News


Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo, and Facebook.

22 January 2021

Amazon Web Services
Job Posting
The AWS Cryptography Group is looking for an Applied Scientist with knowledge of cryptographic computing technologies such as privacy preserving machine learning, fully and partially homomorphic encryption, secure multiparty computation, private information retrieval, and related technologies. You will use this knowledge to conceptualize how this technology can be integrated into internal infrastructure and public AWS services, develop prototypes, and provide customers with world-class security. The ideal candidate will have a strong understanding of cryptography, the ability to prototype solutions, and a passion to realize these technologies in AWS products and services. We encourage research and publication of results that apply to our customers' most complex initiatives.

We are seeking candidates who are innovative, look for new ideas everywhere, and are not limited by “not invented here”. They should think big, and have bold ideas for new ways to serve customers.

BASIC QUALIFICATIONS

  • PhD in Computer Science or a closely related field
  • Expert knowledge of cryptography and, in particular, cryptographic-computing techniques (homomorphic encryption, secure multiparty computation, etc.)
  • Practical knowledge in one or more common development languages (C/C++, Java, Go, Rust, Python, etc.)
  • Good written and verbal communication skills.

PREFERRED QUALIFICATIONS

  • Basic knowledge of machine learning
  • 5+ years of industry experience

Amazon is committed to a diverse and inclusive workplace. Amazon is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status. For individuals with disabilities who would like to request an accommodation, please visit https://www.amazon.jobs/en/disability/us.

Closing date for applications:

Contact: Bill Horne

More information: https://amazon.jobs/en/internal/jobs/1397391/applied-cryptographer

Facebook Inc., Menlo Park, CA | Seattle, WA | San Francisco, CA | Remote, US
Job Posting

Our Statistics and Privacy team focuses on establishing step-change improvements to advance our long-term business growth. The team's expertise spans many domains including statistics, machine learning and cryptography. We develop methodologies, design and prototype solutions, and partner with our engineering colleagues to launch these solutions such that millions of advertisers can benefit. Examples include internal and external experimentation platforms, ads delivery optimization for efficient causal outcomes, and the application of privacy enhancing technologies across our ads product stack.

We are looking for research interns to join our teams to drive forward new prototypes and methodologies. Interns will pursue novel applied research associated with privacy preserving machine learning, cryptography and internet technology, or causal inference and experimentation platforms. This work is critical to our long-term product development, and we expect interns to provide both scientific expertise and creative solutions to accelerate their project area.

Responsibilities
  • Assess potential opportunities and execute world-class research associated with your area of scientific expertise
  • Write high quality academic papers to advocate the research and innovations
  • Establish approaches to rigorously assess relative performance of new technologies or strategies
  • Learn new tools, systems and languages quickly as required by the particular project you are working on
  • Apply communication skills to engage diverse audiences on technical topics and nuanced insights

Minimum Qualifications

  • Currently has, or is in the process of obtaining, a PhD degree in statistics, computer science, electrical engineering, physics, quantitative social science, or a related quantitative field
  • Expertise in one of the following areas: privacy preserving machine learning, cryptography and internet technology, or causal inference and experimentation platforms
  • continued on application webpage, see https://www.facebook.com/careers/v2/jobs/270789727484557/

Closing date for applications:

Contact: Apply Online or reach out to Benjamin Case (bmcase {at} fb DOT com) or Sanjay Saravanan

More information: https://www.facebook.com/careers/v2/jobs/270789727484557/

Graz University of Technology, Graz, Austria
Job Posting
The Institute of Applied Information Processing and Communications (aka IAIK) is the largest university institute in Austria for research and education in security and privacy. It has been active in this field for more than 30 years and currently employs more than 60 researchers. Within the "Secure Systems" area of our institute Sujoy Sinha Roy is establishing the new research group "Cryptographic Engineering".

In order to complement our team, we are looking for a full-time post-doctoral researcher:

Responsibilities:
The post-doctoral researcher will be working on the hardware acceleration of homomorphic encryption within the “Cryptographic Engineering” group within the “Secure Systems” area at IAIK.

Required Qualifications:
  • A PhD (or close to completion) in computer science, information and computer engineering, software development, mathematics, or a related field.
  • Publications in top conferences, or submitted/accepted papers in top journals.
  • Experience with cryptography, programming, and digital circuit (ASIC or FPGA) design

How to apply:
Applications, curriculum vitae and other documents should preferably be uploaded here: https://free.formcloud.de/formcycle/form/provide/7780/. Please select 7050/postdoc_2021 as a reference number.

The position is full time - 40 h per week and the employment duration is set for 18 months. Preferred starting date early 2021. The application deadline is February 15th 2021.

Closing date for applications:

Contact: Sujoy Sinha Roy – sujoy.sinharoy@iaik.tugraz.at

Jan-Pieter D'Anvers, Emmanuela Orsini, Frederik Vercauteren
ePrint Report
Chosen ciphertext security for lattice based encryption schemes is generally achieved through a generic transformation such as the Fujisaki-Okamoto transformation. This method requires full re-encryption of the plaintext during decapsulation, which typically dominates the cost of the latter procedure. In this work we show that it is possible to develop alternative transformations specifically designed for lattice based encryption schemes. We propose two novel chosen ciphertext transformations, $\mathtt{ETC1}$ and $\mathtt{ETC2}$, in which re-encryption is replaced by checking the error term of the input ciphertext. We show that our new ciphertext validity check can be securely applied to lattice based encryption schemes under specific conditions. For the NIST post-quantum standardization candidate Threebears we show a speed-up for decapsulation of up to $37.4\%$. Moreover, as our method only changes the validation check during decapsulation, it is fully backwards compatible with existing implementations of the Fujisaki-Okamoto transformation.
Kalle Ngo, Elena Dubrova, Qian Guo, Thomas Johansson
ePrint Report
In this paper, we present the first side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 16 traces by deep learning-based power analysis without explicitly extracting the random mask at each execution. Since the presented method is not dependent on the mask, we can improve success probability by combining score vectors of multiple traces captured for the same ciphertext. This is an important advantage over previous attacks on LWE/LWR-based KEMs, which must rely on a single trace. Another advantage is that the presented method does not require a profiling device with deactivated countermeasure, or known secret key. Thus, if a device under attack is accessible, it can be used for profiling. This typically maximizes the classification accuracy of deep learning models. In addition, we discovered a leakage point in the primitive for masked logical shifting on arithmetic shares which has not been known before. We also present a new approach for secret key recovery, using maps from error-correcting codes. This approach can compensate for some errors in the recovered message.
Nikolaj I. Schwartzbach
ePrint Report
We propose a smart contract that allows two mutually distrusting parties to transact any non-digital good or service on a blockchain. The contract acts as an escrow and settles disputes by letting parties wager that they can convince an arbiter they were the honest party. We analyze the contract as an extensive-form game and prove that the contract is secure in a strong game-theoretic sense if and only if the arbiter is biased in favor of honest parties. We show this is inherent to any contract that achieves game-theoretic security for interesting trades. We consider a generalization of the contract with different ways of paying back the wagers, and we can instantiate it to make a tradeoff between security and the size of the wager. By relaxing the security notion such that parties have only weak incentive to behave honestly, we can replace the arbiter by a random coin toss protocol. We implement the contract in Ethereum and estimate the amortized cost of running the contract as 2-3 USD for the seller and 4-5 USD for the buyer.
Rémi Géraud-Stewart, David Naccache
ePrint Report
In a recent paper Géraud-Stewart and Naccache \cite{gsn2021} (GSN) described a non-interactive process allowing a prover $\mathcal P$ to convince a verifier $\mathcal V$ that a modulus $n$ is the product of two randomly generated primes ($p,q$) of about the same size. A heuristic argument conjectures that $\mathcal P$ cannot control $p,q$ to make $n$ easy to factor.

GSN's protocol relies upon elementary number-theoretic properties and can be implemented efficiently using very few operations. This contrasts with state-of-the-art zero-knowledge protocols for RSA modulus proper generation assessment.

This paper proposes an alternative process applicable in settings where $\mathcal P$ co-generates a modulus $n=p_1q_1p_2q_2$ with a certification authority $\mathcal V$. If $\mathcal P$ honestly cooperates with $\mathcal V$, then $\mathcal V$ will only learn the sub-products $n_1=p_1q_1$ and $n_2=p_2q_2$.

A heuristic argument conjectures that at least two of the factors of $n$ are beyond $\mathcal P$'s control. This makes $n$ appropriate for cryptographic use provided that \emph{at least one party} (of $\mathcal P$ and $\mathcal V$) is honest. This heuristic argument calls for further cryptanalysis.
Kang Yang, Pratik Sarkar, Chenkai Weng, Xiao Wang
ePrint Report
Zero-knowledge (ZK) proofs with an optimal memory footprint have attracted a lot of attention, because such protocols can easily prove very large computation with a small memory requirement. Such a ZK protocol only needs O(M) memory for both parties, where M is the memory required to verify the statement in the clear. In this paper, we propose several new ZK protocols in this setting, which improve the concrete efficiency and, at the same time, enable sublinear amortized communication for circuits with some notion of relaxed uniformity. 1. In the circuit-based model, where the computation is represented as a circuit over a field, our ZK protocol achieves a communication complexity of 1 field element per non-linear gate for any field size while keeping the computation very cheap. We implemented our protocol, which shows extremely high efficiency and affordability. Compared to the previous best-known implementation, we achieve 6×–7× improvement in computation and 3×–7× improvement in communication. When running on intro-level AWS instances, our protocol only needs one US dollar to prove one trillion AND gates (or 2.5 US dollars for one trillion multiplication gates over a 61-bit field). 2. In the setting where part of the computation can be represented as a set of polynomials, we can achieve communication sublinear to the polynomial size: the communication only depends on the input size and the highest degree of all polynomials, independent of the number of polynomials and the number of multiplications in the polynomials. Using the improved ZK protocol, we can prove matrix multiplication with communication proportional to the input size, rather than the number of multiplications. Proving the multiplication of two 1024 × 1024 matrices, our implementation, with one thread and 1 GB of memory, only needs 10 seconds and communicates 25 MB, 35× faster than the state-of-the-art protocol Virgo that would need more than 140 GB of memory for the same task.
Kamil Otal
ePrint Report
The subfield construction is one of the most promising methods to construct maximum distance separable (MDS) diffusion layers for block ciphers and cryptographic hash functions. In this paper, we give a generalization of this method and investigate the efficiency of our generalization. As a result, we provide several best MDS diffusions with respect to the number of XORs that the diffusion needs. For instance, we give (i) an involutory MDS diffusion $\mathbb{F}_{2^8}^{3} \rightarrow \mathbb{F}_{2^8}^{3}$ by 85 XORs and (ii) an involutory MDS diffusion $\mathbb{F}_{2^8}^{4} \rightarrow \mathbb{F}_{2^8}^{4}$ by 122 XORs, and hence present new records to the literature. Furthermore, we interpret the coding theoretical background of our generalization.
Mahdi Sedaghat, Bart Preneel
ePrint Report
Logic access control enforces who can read and write data; the enforcement is typically performed by a fully trusted entity. At TCC 2016, Damgård et al. proposed Access Control Encryption (ACE) schemes where a predicate function decides whether or not users can read (decrypt) and write (encrypt) data, while the message secrecy and the users' anonymity are preserved against malicious parties. Subsequently several ACE constructions with an arbitrary identity-based access policy have been proposed, but they have huge ciphertext and key sizes and/or rely on indistinguishability obfuscation. At IEEE S&P 2021, Wang and Chow proposed a Cross-Domain ACE scheme with constant-size ciphertext and arbitrary identity-based policy; the key generators are separated into two distinct parties, called Sender Authority and Receiver Authority. In this paper, we improve over their work with a novel construction that provides a more expressive access control policy based on attributes rather than on identities, the security of which relies on standard assumptions. Our construction combines Structure-Preserving Signatures, Non-Interactive Zero-Knowledge proofs, and Re-randomizable Ciphertext-Policy Attribute-Based Encryption schemes. The sizes of ciphertexts and encryption and decryption keys are constant and thus independent of the number of receivers and their attributes. Not only is our system more flexible, it also is more efficient and results in shorter keys.
Michał Wroński
ePrint Report
In 2020 Bernstein, De Feo, Leroux, and Smith presented a new odd-degree $\ell$-isogeny computation method called Velusqrt. This method has complexity $\tilde{O}(\sqrt{\ell})$, compared to the complexity of $\tilde{O}(\ell)$ of the classical Vélu method. In this paper, the application of the Velusqrt method to Huff's and general Huff's curves is presented. It is shown how to compute odd-degree isogenies on Huff's and general Huff's curves using the Velusqrt algorithm and $x$-line arithmetic for different compression functions.
Servio Paguada, Lejla Batina, Igor Armendariz
ePrint Report
This paper introduces a practical evaluation procedure based on autoencoders for profiled side-channel analysis evaluations. An autoencoder is a learning model able to pre-process leakage traces, improving in this way the guessing entropy. Nevertheless, this learning model's design should aim to code the leakage distribution to avoid relevant information being removed. For this reason, we propose an autoencoder built upon dilated convolutions. When using these learning models, the evaluation produces new assets, e.g., new versions of the dataset and new models based on learning algorithms. Our procedure comprises meaningful metrics and visualization techniques, namely signal-to-noise ratio and weight visualization, to evaluate those assets' effectiveness. After applying our procedure and our new autoencoder architecture to the ASCAD random key database, our results outperform the state of the art.
Jorai Rijsdijk, Lichao Wu, Guilherme Perin, Stjepan Picek
ePrint Report
Deep learning represents a powerful set of techniques for profiling side-channel analysis. The results in the last few years show that neural network architectures like multilayer perceptron and convolutional neural networks give strong attack performance where it is possible to break targets protected with various countermeasures. Considering that deep learning techniques commonly have a plethora of hyperparameters to tune, it is clear that such top attack results can come with a high price in preparing the attack. This is especially problematic as the side-channel community commonly uses random search or grid search techniques to look for the best hyperparameters.

In this paper, we propose to use reinforcement learning to tune the convolutional neural network hyperparameters. In our framework, we investigate the Q-Learning paradigm and develop two reward functions that use side-channel metrics. We mount an investigation on three commonly used datasets and two leakage models where the results show that reinforcement learning can find convolutional neural networks exhibiting top performance while having small numbers of trainable parameters. We note that our approach is automated and can be easily adapted to different datasets. Finally, several of our newly developed architectures outperform the current state-of-the-art results.
Aysajan Abidin, Mohieddine El Soussi, Jac Romme, Pepijn Boer, Dave Singelée, Christian Bachmann
ePrint Report
Relay attacks pose a serious security threat to wireless systems, such as, contactless payment systems, keyless entry systems, or smart access control systems. Distance bounding protocols, which allow an entity to not only authenticate another entity but also determine whether it is physically close by, effectively mitigate relay attacks. However, secure implementation of distance bounding protocols, especially of the time critical challenge-response phase, has been a challenging task. In this paper, we design and implement a secure and accurate distance bounding protocol based on Narrow-Band signals, such as Bluetooth Low Energy (BLE), to particularly mitigate relay attacks. Narrow-Band ranging, specifically, phase-based ranging, enables accurate distance measurement, but it is vulnerable to phase rollover attacks. In our solution, we mitigate phase rollover attacks by also measuring time-of-flight (ToF) to detect the delay introduced by such attacks. Therefore, our protocol effectively combines the best of both worlds: phase-based ranging for accuracy and time-of-flight (ToF) measurement for security. To demonstrate the feasibility and practicality of our solution, we prototype it on NXP KW36 BLE chips and evaluate its performance and relay attack resistance. The obtained precision and accuracy of the presented ranging solution are 2.5 cm and 30 cm, respectively, in wireless measurements.
Amanda Resende, Davis Railsback, Rafael Dowsley, Anderson C. A. Nascimento, Diego F. Aranha
ePrint Report
We propose a privacy-preserving Naive Bayes classifier and apply it to the problem of private text classification. In this setting, a party (Alice) holds a text message, while another party (Bob) holds a classifier. At the end of the protocol, Alice will only learn the result of the classifier applied to her text input and Bob learns nothing. Our solution is based on Secure Multiparty Computation (SMC). Our Rust implementation provides a fast and secure solution for the classification of unstructured text. Applying our solution to the case of spam detection (the solution is generic, and can be used in any other scenario in which the Naive Bayes classifier can be employed), we can classify an SMS as spam or ham in less than 340ms in the case where the dictionary size of Bob's model includes all words ($n = 5200$) and Alice's SMS has at most $m = 160$ unigrams. In the case with $n = 369$ and $m = 8$ (the average of a spam SMS in the database), our solution takes only 21ms.
Carsten Baum, Cyprien Delpech de Saint Guilhem, Daniel Kales, Emmanuela Orsini, Peter Scholl, Greg Zaverucha
ePrint Report
In this work we introduce Banquet, a digital signature scheme with post-quantum security, constructed using only symmetric-key primitives. The design is based on the MPC-in-head paradigm also used by Picnic (CCS 2017) and BBQ (SAC 2019). Like BBQ, Banquet uses only standardized primitives, namely AES and SHA-3, but signatures are more than 50% shorter, making them competitive with Picnic (which uses a non-standard block cipher to improve performance). The MPC protocol in Banquet uses a new technique to verify correctness of the AES S-box computations, which is efficient because the cost is amortized with a batch verification strategy. Our implementation and benchmarks also show that both signing and verification can be done in under 10ms on a current x64 CPU. We also explore the parameter space to show the range of trade-offs that are possible with the Banquet design, and show that Banquet can nearly match the signature sizes possible with Picnic (albeit with slower, but still practical run times) or have speed within a factor of two of Picnic (at the cost of larger signatures).
Michiel Van Beirendonck, Jan-Pieter D'Anvers, Ingrid Verbauwhede
ePrint Report
Masking is a popular technique to protect cryptographic implementations against side-channel attacks and comes in several variants including Boolean and arithmetic masking. Some masked implementations require conversion between these two variants, which is increasingly the case for masking of post-quantum encryption and signature schemes. One way to perform Arithmetic to Boolean (A2B) mask conversion is a table-based approach first introduced by Coron and Tchulkine, and later corrected and adapted by Debraize in CHES 2012. In this work, we show both analytically and experimentally that the table-based A2B conversion algorithm proposed by Debraize does not achieve the claimed resistance against differential power analysis due to a non-uniform masking of an intermediate variable. This non-uniformity is hard to find analytically but leads to clear leakage in experimental validation. To address the non-uniform masking issue, we propose two new A2B conversions: one that maintains efficiency at the cost of additional memory and one that trades efficiency for a reduced memory footprint. We give analytical and experimental evidence for their security, and will make their implementations, which are shown to be free from side-channel leakage in 100.000 power traces collected on the ARM Cortex-M4, available online. We conclude that when designing side-channel protection mechanisms, it is of paramount importance to perform both a theoretical analysis and an experimental validation of the method.

20 January 2021

Technology Innovation Institute (TII) - Abu Dhabi, UAE
Job Posting

Technology Innovation Institute - Cryptography Research Centre

In our connected digital world, secure and reliable cryptography is the foundation of digital information security and data integrity. We address the world’s most pressing cryptographic questions. Our work covers post-quantum cryptography, lightweight cryptography, cloud encryption schemes, secure protocols, quantum cryptographic technologies and cryptanalysis.

As a Vulnerability Researcher you will be in charge of:

  • conducting internal security evaluations of our cryptographic libraries and IP cores, writing proof-of-concepts, and supporting the corresponding SW/HW development teams to fix the vulnerabilities
  • continuously improving our tools and methodologies for security analysis/ pentesting/bug hunting/attack modeling
  • reviewing state-of-the-art publications and investigating new potential attack vectors/defenses for SW or HW implementations
  • putting your black hat on, figuring out how to break things, and assessing the design and development of fixes/countermeasures

Must have:

  • BS/MS degree in computer science/computer engineering or 3+ years of relevant experience in the industry
  • Hands-on experience with common SW and HW attacks, measurement techniques, and security technologies
  • Deep understanding of modern cryptography and common SW/HW security issues (e.g., CWE list)
  • Experience with X86/ARM/RISC-V assembly, VHDL/Verilog, and (system-level) C/Rust software development
  • Ability to work collaboratively and remotely with others

Nice to have:

  • PhD in embedded security (or closely related subject)
  • Proven expertise (CVEs, publications, tools) in SW/HW offensive security research

Closing date for applications:

Contact:
Mehdi Messaoudi
Talent Acquisition Manager
mehdi.messaoudi@tii.ae

More information: https://tii.ae/

Technology Innovation Institute (TII) - Abu Dhabi, UAE
Job Posting

Technology Innovation Institute - Cryptography Research Centre

In our connected digital world, secure and reliable cryptography is the foundation of digital information security and data integrity. We address the world’s most pressing cryptographic questions. Our work covers post-quantum cryptography, lightweight cryptography, cloud encryption schemes, secure protocols, quantum cryptographic technologies and cryptanalysis.

As a Lead Hardware Security Researcher you will be in charge of:

  • being responsible for multiple research projects and leading a team of security researchers
  • planning and conducting internal security evaluations of our cryptographic libraries and IP cores
  • keeping up-to-date with the best practices and advances in the industry/academia in order to guide the development of our tools and methodologies for security analysis/pentesting/bug hunting/attack modelling
  • providing a technical interface point and consultation on specific areas of security expertise
  • putting your black hat on, figuring out how to break things, and guiding the design and development of fixes/countermeasures

Must have:

  • BS/MS degree in computer science/computer engineering or 7+ years of relevant experience in the industry
  • Hands-on experience with common SW and HW attacks, measurement techniques, and security technologies
  • Deep understanding of modern cryptography and common SW/HW security issues (e.g., CWE list)
  • Experience with X86/ARM/RISC-V assembly, VHDL/Verilog, and (system-level) C/Rust software development
  • Proven expertise (CVEs, publications, tools) in SW/HW security research
  • Ability to manage teams and to work independently without supervision
  • Have good communication skills and the ability to interact with a diverse range of colleagues and partners

Closing date for applications:

Contact:
Mehdi Messaoudi
Talent Acquisition Manager
mehdi.messaoudi@tii.ae

More information: https://tii.ae/

University of Canterbury, School of Mathematics and Statistics, Christchurch, New Zealand
Job Posting
Funded position for PhD in the Mathematics of Post-Quantum Cryptography, to work on theoretical questions. The research will be on some or all of the following: isogenies, algebraic geometry, codes, lattices. The ideal candidate will have a strong undergraduate mathematics knowledge including abstract algebra, number theory and geometry. An MSc is a plus. Experience with computer programming and cryptography is also desirable. This is part of a collaboration with the group of Prof. Steven Galbraith at the University of Auckland and interaction with this group is expected.

Closing date for applications:

Contact: Prof. Felipe Voloch

More information: http://www.math.canterbury.ac.nz/~f.voloch/prospective.html
