International Association
for Cryptologic Research

In this work we present a new approach to verifiable decryption which converts a 2-party passively secure distributed decryption protocol into a 1-party proof of correct decryption. To introduce our idea, we first present a toy example for an ElGamal distributed decryption protocol before applying our method to a lattice-based scheme. This leads to an efficient lattice-based verifiable decryption with only one server; it has lightweight computations as we reduce the need of zero-knowledge proofs. We believe the flexibility of the general technique is interesting and provides attractive trade-offs between complexity and security, in particular for the interactive variant where the online phase can be very efficient.

Overview of Rabdan Academy: The Academy is a government-owned world class education institution established to coordinate and enhance learning outcomes for organizations and individuals in the safety, security, defense, emergency preparedness and crisis management sectors. Rabdan Academy was officially established under Law No. 7 for 2013, issued by President His Highness Sheikh Khalifa bin Zayed Al Nahyan in his capacity as Ruler of Abu Dhabi and is accredited by the UAE's Commission for Academic Accreditation (CAA) of the Ministry of Higher Education & Scientific Research. The academy is the first in UAE in providing learning in dual approach of combining academic and vocational education in one place whilst recognizing prior learning and experience and providing accredited and transferable credit from course to course and job to job. Key Objectives: To contribute and assist Rabdan Academy in achieving its Research Strategy and build an outstanding record in research related to contemporary issues related to Rabdan Academy’s mandate in developing safety, security, defence, emergency preparedness and crisis management (SSDEC) and ensuring students and activities are to positively contribute to improving the resilience of the nation. Key Responsibilities Reporting directly to the Assistant Dean of Research, the Researcher is responsible for producing peer reviewed research papers to be published in Quartile 1 Scopus Indexed Journals in arears related to safety, security, defence, emergency preparedness and crisis management (SSDEC), including but not limited to: • Carrying out approved scholarly research activities; • Contributing to RA related scholarship, research projects, and initiatives; * Working Closely with other colleagues from the homeland security Program on some projects with our stakeholders ( Ministry of defense, Ministry • Publish research papers in the top 10% most cited publications in its subject, to increase their work visibility, hence, number of citations; • Collaborate with other researchers to conduct joint researc

Closing date for applications:

Contact: Mr. Amir Adel - Recruitment Specialist

More information: https://ra.ac.ae/

The GOC group at MIS, University of Picardie Jules Verne is hiring a two-year postdoctoral researcher to work on the POSTCRYPTUM project, funded by the Agence Nationale de Recherche (ANR) and AID/DGA. This is a three-years project focused on algebraic cryptanalysis of public key cryptosystems, focused mainly on post-quantum schemes. For more details on the project, please check here: https://home.mis.u-picardie.fr/~ionica/postcryptum/Welcome.html The ideal candidate should hold a Phd degree in Computer Science or Mathematics, with a taste for cryptography, experimental mathematics and computation. He or she should have experience in one or several of the following areas: multivariate cryptography, coding theory, elliptic curves, polynomial system solving, Gröbner basis, linearization algorithms, linear algebra, exhaustive search, SAT solvers, hybrid methods for polynomial system solving. The starting date is flexible, but preferably around October 2021. For more information, please contact us (sorina.ionica@u-picardie.fr) before sending in your application.

Closing date for applications:

Contact: Sorina Ionica

More information: https://home.mis.u-picardie.fr/~ionica/postcryptum/Welcome.html

Seconize is an award winning Cyber Risk and Compliance Management Product Startup. We are currently looking to hire a seasoned Security Tester with below skills and requirements. 1. Security Testing of Telecom Products (3G/4G/GSM/5G) or related 2. Security Testing of IOT products, Proprietary Hardware , Networking Products 3. Thorough understanding of Cryptography protocols, techniques 4. Hands on Testing of PKI, Key Management, Cryptography Libraries and Implementations 5. Hands on experience with Standards such FIPS, NIST Security (SP 800-175b) OR ISO19790 or relevant 6. Ability to understand the business context of target applications and doing business logic testing 7. Ability to interact with Customers in a professional way 8. Minimum of 5 - 8 years of experience 8. Certifications like OSCP, CEH or relavant are mandatory The position is currently Remote (India-only), candidate should be ready to move to Bengaluru when needed.

Closing date for applications:

Contact: Sashank Dara

The IBM cryptography research group in Zurich is looking for a Ph.D. student and/or a post-doctoral scholar to work in the area of lattice-based zero-knowledge proofs.

The ideal candidate should have:

Very good implementation skills – preferably in C or C++

A solid mathematical background – e.g. abstract algebra and some basic familiarity with algebraic number theory is a plus

High motivation for creating efficient theoretical cryptographic designs and turning them into prototypes and high-quality optimized implementations

Papers in top cryptography conferences (for the post-doc position)

Prior experience working with ZK proofs (not necessarily lattice-based) is a plus

This position is funded by a European ERC project, and all its output will be open source and patent-free. So a positive attitude towards contributing to the open source community is also a requirement.

The IBM research lab is located in Ruschlikon, a lakeside town that is reachable in 10 minutes by direct public transport from central Zurich. English is the working language at the lab, and it is also widely understood and spoken in Zurich and its surrounding regions.

The group offers very good working conditions, with the majority of our time being spent purely on research activities. It is also currently one of the leading research groups in quantum-safe cryptography, with some of its members (Luca de Feo, Vadim Lyubashevsky, and Gregor Seiler) significantly contributing to the invention, design, and implementation of several finalists in the ongoing NIST post-quantum standardization effort.

To apply, please include a C.V., a brief motivation letter, and the names and email addresses of two references. If you have contributed to open source projects, please include a link to the repository and a brief explanation of your role. The starting date is flexible, but the sooner the better.

Closing date for applications:

Contact: If interested, please send the application to: Vadim Lyubashevsky; vad@zurich.ibm.com; with "ZK APPLICATION" as the subject line

Event date: 31 May to 2 June 2021
Submission deadline: 27 May 2021
Notification: 29 May 2021

Event date: 27 October to
Submission deadline: 21 June 2021
Notification: 19 July 2021

Event date: 15 August 2021
Submission deadline: 1 June 2021
Notification: 1 July 2021

The Cybersecurity research group, headed by Elisabeth Oswald, is a relatively new group established in Austria's sunny south. The group currently features a diverse range of members (from France, Iran, India, and China). Current members work on topics such as leakage profiling, advanced leakage simulators, attacks (utilising deep learning), statistical foundations, and hardware aspects of side channels. The group receives funding from the ERC, as well as local funding, and thus offers a supportive research environment (both financially as well as from a human perspective).

The group is looking to grow by two more members: one post doc and one doctoral student. The group is particularly keen to expand their existing coverage of topics and seeks researchers with an interest in

• compilers/languages to support the secure implementation of cryptographic primitives
• machine/deep learning
• secure implementations w.r.t. the RISC-V instruction set

A good candidate for the Post-doc position will have some existing publications in relevant venues (IACR conferences or workshops, journals, or system security venues), enjoy working with people in an international context, and love water, sun, and mountains.

A good candidate for the PhD position will have a background in either computer science, maths, or statistics (an MSc level degree is required), will ideally have done some project in a crypto/security related topic, enjoy working with people in an international context, and love water, sun, and mountains.

The funding for the Post-Doc Position is available until 31.08.2023. The funding for the PhD position is for 40 months. Rates are set according to a standard collective agreement for such positions (Kollektivvertrag), but the salary for the Post-Doc position can be adjusted depending on previous experience.

Don't hesitate to get in touch with Elisabeth Oswald for informal enquiries, or to apply!

Closing date for applications:

Contact: Please contact Elisabeth . Oswald @ aau . at

More information: http://www.cybersecurityresearch.at

The dual attack has long been considered a relevant attack on lattice-based cryptographic schemes relying on the hardness of learning with errors (LWE) and its structured variants. As solving LWE corresponds to finding a nearest point on a lattice, one may naturally wonder how efficient this dual approach is for solving more general closest vector problems, such as the classical closest vector problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP, and preprocessing versions of these problems. While primal, sieving-based solutions to these problems (with preprocessing) were recently studied in a series of works on approximate Voronoi cells, for the dual attack no such overview exists, especially for problems with preprocessing. With one of the take-away messages of the approximate Voronoi cell line of work being that primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one may wonder if the dual attack suffers the same drawbacks, or if it is a better method for solving BDD(P).

In this work we provide an overview of cost estimates for dual algorithms for solving these ''classical'' closest lattice vector problems. Heuristically we expect to solve the search version of average-case CVPP in time and space $2^{0.293d + o(d)}$. For the distinguishing version of average-case CVPP, where we wish to distinguish between random targets and targets planted at distance approximately the Gaussian heuristic from the lattice, we obtain the same complexity in the single-target model, and we obtain query time and space complexities of $2^{0.195d + o(d)}$ in the multi-target setting, where we are given a large number of targets from either target distribution. This suggests an inequivalence between distinguishing and searching, as we do not expect a similar improvement in the multi-target setting to hold for search-CVPP. We analyze three slightly different decoders, both for distinguishing and searching, and experimentally obtain concrete cost estimates for the dual attack in dimensions $50$ to $80$, which confirm our heuristic assumptions, and show that the hidden order terms in the asymptotic estimates are quite small.

Our main take-away message is that the dual attack appears to mirror the approximate Voronoi cell line of work -- whereas using approximate Voronoi cells works well for approximate CVP(P) but scales poorly for BDD(P), the dual approach scales well for BDD(P) instances but performs poorly on approximate CVP(P).

During the last years, many Physical Zero-knowledge Proof(ZKP) protocols for Nikoli’s puzzles have been designed. In this paper, we propose two ZKP protocols for the two Nikoli’s puzzles called Nurikabe and Hitori. These two puzzles have some similarities, since in their rules at least one condition requires that some cells are connected to each other, horizontally or vertically. The novelty in this paper is to propose two techniques that allow us to prove such connectivity without leaking any information about a solution.

By revisiting recent neural-network based modeling attacks on XOR Arbiter PUFs from the literature, we show that XOR Arbiter PUFs and Interpose PUFs can be attacked faster, up to larger security parameters, and with orders of magnitude fewer challenge-response pairs than previously known. To support our claim, we discuss the differences and similarities of recently proposed modeling attacks and offer a fair comparison of the performance of these attacks by implementing all of them using the popular machine learning framework Keras and comparing their performance against the well-studied Logistic Regression attack. Our findings show that neural-network-based modeling attacks have the potential to outperform traditional modeling attacks on PUFs and must hence become part of the standard toolbox for PUF security analysis; the code and discussion in this paper can serve as a basis for the extension of our results to PUF designs beyond the scope of this work.

Quantum computers can solve or accelerate specific problems that were not possible with classical computers. Grover's search algorithm, a representative quantum algorithm, finds a specific solution from $N$ unsorted data with $O(\sqrt{N})$ queries. This quantum algorithm can be used to recover the key of symmetric cryptography. In this paper, we present a practical quantum attack using Grover's search to recover the key of ciphers (Caesar and Vigenère). The proposed quantum attack is simulated with quantum programming tools (ProjectQ and Qiskit) provided by IBM. Finally, we minimize the use of quantum resources and recover the key with a high probability.

Protocols for password-based authenticated key exchange (PAKE) allow two users sharing only a short, low-entropy password to establish a secure session with a cryptographically strong key. The challenge in designing such protocols is that they must resist offline dictionary attacks in which an attacker exhaustively enumerates the dictionary of likely passwords in an attempt to match the used password. In this paper, we study the resilience of one particular PAKE against these attacks. Indeed, we focus on the Secure Remote Password (SRP) protocol that was designed by T. Wu in 1998. Despite its lack of formal security proof, SRP has become a de-facto standard. For more than 20 years, many projects have turned towards SRP for their authentication solution, thanks to the availability of open-source implementations with no restrictive licenses. Of particular interest, we mention the Stanford reference implementation (in C and Java) and the OpenSSL one (in C).

In this paper, we analyze the security of the SRP implementation inside the OpenSSL library. In particular, we identify that this implementation is vulnerable to offline dictionary attacks. Indeed, we exploit a call for a function computing modular exponentiation of big numbers in OpenSSL. In the SRP protocol, this function leads to the call of a non-constant time function, thereby leaking some information about the used password when leveraging cache-based \textsc{Flush+Reload} timing attack. Then, we show that our attack is practical, since it only requires one single trace, despite the noise of cache measurements. In addition, the attack is quite efficient as the reduction of some common dictionaries is very fast using modern resources at negligible cost. We also prove that the scope of our vulnerability is not only limited to OpenSSL, since many other projects, including Stanford's, ProtonMail and Apple Homekit, rely on OpenSSL, which makes them vulnerable. We find that our flaw might also impact projects written in Python, Erlang, JavaScript and Ruby, as long as they load the OpenSSL dynamic library for their big number operations. We disclosed our attack to OpenSSL who acknowledged the attack and timely fixed the vulnerability.

The security of code-based cryptography usually relies on the hardness of the syndrome decoding (SD) problem for the Hamming weight. The best generic algorithms are all improvements of an old algorithm by Prange, and they are known under the name of Information Set Decoding (ISD) algorithms. This work aims to extend ISD algorithms’ scope by changing the underlying weight function and alphabet size of SD. More precisely, we show how to use Wagner’s algorithm in the ISD framework to solve SD for a wide range of weight functions. We also calculate the asymptotic complexities of ISD algorithms, both for the classical and quantum case. We then apply our results to the Lee metric, which is currently receiving a significant amount of attention. By providing the parameters of SD for the Lee weight for which decoding seems to be the hardest, our study could have several applications for designing code-based cryptosystems and their security analysis, especially against quantum adversaries.

In this study, we propose an efficient sorting method for encrypted data using fully homomorphic encryption (FHE). The proposed method extends the existing 2-way sorting method by applying the $k$-way sorting network for any prime $k$ to reduce the depth in terms of comparison operation from $O(\log_2^2 n)$ to $O(k\log_k^2 n)$, thereby improving performance. We apply this method to approximate FHE which is widely used due to its efficiency of homomorphic arithmetic operations. In order to build up the $k$-way sorting network, the $k$-sorter, which sorts $k$-numbers with a minimal comparison depth, is used as a building block.

The approximate homomorphic comparison, which is the only type of comparison working on approximate FHE, cannot be used for the construction of the $k$-sorter as it is because the result of the comparison is not binary, unlike the comparison in conventional bit-wise FHEs. To overcome this problem, we propose an efficient $k$-sorter construction utilizing the features of approximate homomorphic comparison. Also, we propose an efficient construction of a $k$-way sorting network using cryptographic SIMD operations. To use the proposed method most efficiently, we propose an estimation formula that finds the appropriate $k$ that is expected to reduce the total time cost when the parameters of the approximating comparisons and the performance of the operations provided by the approximate FHE are given. We also show the implementation results of the proposed method, and it shows that sorting $5^6=15625$ data using $5$-way sorting network can be about $23.3\%$ faster than sorting $2^{14}=16384$ data using $2$-way.

Quadratic AB (almost bent) functions are characterized by the property that the duals of their component functions are bent functions. We prove that these duals are also quadratic and illustrate that these bent duals may give rise to vectorial bent functions (in certain cases having a maximal output dimension). It is then natural to investigate when the linear combinations of quadratic bent duals again yield quadratic bent functions. A necessary and sufficient condition for ensuring the bentness of these linear combinations is provided, by introducing a useful transform that acts on the Walsh spectrum of dual functions. Moreover, we provide a rather detailed analysis related to the structure of quadratic AB functions in the spectral domain, more precisely with respect to their Walsh supports, their intersection, and restrictions of these bent duals to suitable subspaces. It turns out that the AB property is quite complicated even in the quadratic case. However, using the established facts in this article, we could for the first time provide the design of quadratic AB functions in the spectral domain by identifying (using computer simulations) suitable sets of bent dual functions which give rise to possibly new quadratic AB functions in a generic manner. Using a simple non-exhaustive search for suitable sets of defining bent duals $f_1, \ldots,f_5$ on $\mathbb{F}_2^4$, we could easily identify 60 quadratic AB functions $F:\mathbb{F}_2^5 \rightarrow \mathbb{F}_2^5$. It turns out that all these functions are CCZ-equivalent to the Gold AB function but none of these functions is a permutation. On the other hand, when $n=7$, the same approach provides several AB functions which are {\bf not} CCZ-equivalent to Gold functions.

Modern cryptography must satisfy a myriad of security properties, ranging from sound hardness assumptions to correct and secure implementations that resist side-channel cryptanalysis. Curve-based cryptography is not different in this regard, and substantial progress in the last few decades has been achieved in both selecting parameters and devising secure implementation strategies. In this context, the security of implementations of field inversion is sometimes overlooked in the research literature, because (i) the approach based on Fermat's Little Theorem (FLT) suffices performance-wise for many parameters used in practice; (ii) it is typically invoked only at the very end of scalar multiplication or pairing computation, with a small impact in performance; (iii) it is challenging to implement securely for general parameters without a significant performance penalty. However, field inversion can process sensitive information and must be protected with side-channel countermeasures like any other cryptographic operation, as illustrated by recent attacks. In this work, we focus on timing attacks against field inversion for primes of cryptographic interest, both in the case when FLT-based inversion can be efficiently implemented or not. We extend the Fiat-Cryptography framework, which synthesizes provably correct-by-construction implementations, to implement the Bernstein-Yang constant-time inversion algorithm as a step toward this goal. This allows a correct implementation of prime field inversion to be conveniently synthesized for any prime. We benchmark the implementations across a range of primes for curve-based cryptography and they outperform traditional FLT-based approaches in most cases, with observed speedups up to 2.5 for the largest parameters.

Typically, unconditionally secure computation using a (k,n) threshold secret sharing scheme is considered impossible when n<2k-1. Therefore, in our previous work, we first took the approach of finding the conditions required for secure computation under the setting of n<2k-1 and showed that secure computation using a secret sharing scheme can be realized with a semi-honest adversary under the following three preconditions: (1) the result of secure computation does not include 0; (2) random numbers reconstructed by each server are fixed; and (3) each server holds random numbers unknown to the adversary and holds shares of random numbers that make up the random numbers unknown to the adversary. In this paper, we show that by leaving condition (3), secure computation with information-theoretic security against a semi-honest adversary is possible with k&#8804;n<2k-1. In addition, we clarify the advantage of using secret information that has been encrypted with a random number as input to secure computation. One of the advantages is the acceleration of the computation time. Namely, we divide the computation process into a preprocessing phase and an online phase and shift the cost of communication to the preprocessing phase. Thus, for computations such as inner product operations, we realize a faster online phase, compared with conventional methods.

Cube attack has recently been proved as the most effective approach of attacking Trivium. So far, the attack against the highest round-reduced Trivium was given in EUROCRYPT 2020, where key-recovery attacks on 840-, 841-, and 842-round Trivium were presented. By revealing the relation between three-subset division property without unknown subset and the monomials of superpolys, Hu et al. obtained more attacks on 840-, 841-, and 842-round Trivium with lower complexities in ASIACRYPT 2020. In this short paper, we will present a key-recovery cube attack against 843-round Trivium.