International Association
for Cryptologic Research

This paper describes a practical side-channel power analysis on CRYSTALS-Kyber key-encapsulation mechanism. In particular, we analyse the polynomial multiplication in the decapsulation phase to recover the secret key in a semi-static setting. The power analysis attack was performed against the KYBER512 implementation from pqm4 running on STM32F3 M4-cortex CPU.

We consider the related-tweak impossible differential cryptanalysis of \texttt{TweAES}. It is one of the underlying primitives of Authenticated Encryption with Associated Data (AEAD) scheme \texttt{ESTATE} which was accepted as one of second-round candidates in the NIST Lightweight Cryptography Standardization project. Firstly, we reveal several properties of \texttt{TweAES}, which show what kinds of distinguishers are more effective in recovering keys. With the help of automatic solver Simple Theorem Prover (STP), we achieve many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that just have one active byte. Then, we implement 8-round key recovery attacks against \texttt{TweAES} based on one of these 5.5-round distinguishes. Moreover, another 5.5-round distinguisher that has four active bytes at the end is utilized to mount a 7-round key recovery attack against \texttt{TweAES}, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack of \texttt{TweAES} in the design document. Our 8-round key recovery attack is the best one against \texttt{TweAES} in terms of the number of rounds and complexities so far.

The final exponentiation affects the efficiency of pairing computations especially on pairing-friendly curves with high embedding degree. We propose an efficient method for computing the hard part of the final exponentiation on the KSS18 curve at 192-bit security level. Implementations indicate that the computation of the final exponentiation can be 8.74% faster than the previously fastest result.

This paper presents the design and evaluation of Wendy, the first Byzantine consensus protocol that achieves optimal latency (two phases), linear authenticator complexity, and optimistic responsiveness. Wendy's core technical contribution is a novel aggregate signature scheme that allows leaders to prove, with constant pairing cost, that an operation did not commit. This No-commit proof addresses prior liveness concerns in protocols with linear authenticator complexity (including view change), allowing Wendy to commit operations in two-phases only.

A variety of post-quantum cryptographic schemes are currently undergoing standardization in the National Institute of Standards and Technology's post-quantum cryptography standardization process. It is well known from classical cryptography that actual implementations of cryptographic schemes can be attacked by exploiting side-channels, e.g. timing behavior, power consumption or emanation in the electromagnetic field. Although several of the reference implementations currently in the third and final standardization round are - to some extent - implemented in a timing-constant fashion, resistance against other side-channels is not taken into account yet. Implementing sufficient countermeasures, however, is challenging.

We therefore exemplarily examine CRYSTALS-Kyber, which is a lattice-based key encapsulation mechanism currently considered as a candidate for standardization. By analyzing the power consumption side-channel during message encoding we develop four more and compare six different implementations with an increasing degree of countermeasures.

We show that introducing randomization countermeasures is crucial as all examined implementations aiming at reducing the leakage by minimizing the Hamming distance of the processed intermediate values only are vulnerable against single-trace attacks when implemented on an ARM Cortex-M4.

Micropayments are one of the challenges in cryptocurrencies.

The problems in realizing micropayments in the blockchain are the low throughput and the high blockchain transaction fee.

As a solution, decentralized probabilistic micropayment has been proposed. The winning amount is registered in the blockchain, and the tickets are issued to be won with probability $p$, which allows us to aggregate approximately $\frac{1}{p}$ transactions into one.

Unfortunately, existing solutions do not allow for ticket transferability, and the smaller $p$, the more difficult it is to use them in the real world.

We propose a novel decentralized probabilistic micropayment Transferable Scheme. It allows tickets to be transferable among users. By allowing tickets to be transferable, we can make $p$ smaller.

We also propose a novel Proportional Fee Scheme. This is a scheme where each time a ticket is transferred, a portion of the blockchain transaction fee will be charged.

With the proportional fee scheme, users will have the advantage of sending money with a smaller fee than they would generally send through the blockchain.

For example, sending one dollar requires only ten cents.

This paper presents the first adaptively simulation secure functional encryption (FE) schemes for attribute-weighted sums. In such an FE scheme, encryption takes as input N pairs of attribute {(x_i, z_i )}_{i \in [N]} for some N \in \mathbb{N} where the attributes {x_i}_{i \in [N]} are public while the attributes {z_i}_{i \in [N]} are private. The indices i \in [N] are referred to as the slots. A secret key corresponds to some weight function f, and decryption recovers the weighted sum \sum_{i \in [N]} f(x_i)z_i. This is an important functionality with a wide range of potential real life applications. In the proposed FE schemes attributes are viewed as vectors and weight functions are arithmetic branching programs (ABP). We present two schemes with varying parameters and levels of adaptive security.

(a) We first present a one-slot scheme that achieves adaptive security in the simulation-based security model against a bounded number of ciphertext queries and an arbitrary polynomial number of secret key queries both before and after the ciphertext queries. This is the best possible level of security one can achieve in the adaptive simulation-based framework. From the relations between the simulation-based and indistinguishability-based security frameworks for FE, it follows that the proposed FE scheme also achieves indistinguishability- based adaptive security against an a-priori unbounded number of ciphertext queries and an arbitrary polynomial number of secret key queries both before and after the ciphertext queries. Moreover, the scheme enjoys compact ciphertexts that do not grow with the number of appearances of the attributes within the weight functions.

(b) Next, bootstrapping from the one-slot scheme, we present an unbounded-slot scheme that achieves simulation-based adaptive security against a bounded number of ciphertext and pre-ciphertext secret key queries while supporting an a-priori unbounded number of post-ciphertext secret key queries. The scheme achieves public parameters and secret key sizes independent of the number of slots N and a secret key can decrypt a ciphertext for any a-priori unbounded N. Further, just like the one-slot scheme, this scheme also has the ciphertext size independent of the number of appearances of the attributes within the weight functions. However, all the parameters of the scheme, namely, the master public key, ciphertexts, and secret keys scale linearly with the bound on the number of pre-ciphertext secret key queries.

Our schemes are built upon asymmetric bilinear groups of prime order and the security is derived under the standard (bilateral) k-Linear (k-Lin) assumption. Our work resolves an open problem posed by Abdalla, Gong, and Wee in CRYPTO 2020, where they presented an unbounded-slot FE scheme for attribute-weighted sum achieving only semi-adaptive simulation security. At a technical level, our work extends the recent adaptive security framework of Lin and Luo [EUROCRYPT 2020], devised to achieve compact ciphertexts in the context of indistinguishability-based payload-hiding security, into the setting of simulation-based adaptive attribute-hiding security.

Let $n=2m$. In the present paper, we study the binomial Boolean functions of the form $$f_{a,b}(x) = \mathrm{Tr}_1^{n}(a x^{2^m-1 }) +\mathrm{Tr}_1^{2}(bx^{\frac{2^n-1}{3} }), $$ where $m$ is an even positive integer, $a\in \mathbb{F}_{2^n}^*$ and $b\in \mathbb{F}_4^*$. We show that $ f_{a,b}$ is a bent function if the Kloosterman sum $$K_{m}\left(a^{2^m+1}\right)=1+ \sum_{x\in \mathbb{F}_{2^m}^*} (-1)^{\mathrm{Tr}_1^{m}(a^{2^m+1} x+ \frac{1}{x})}$$ equals $4$, thus settling an open problem of Mesnager. The proof employs tools including computing Walsh coefficients of Boolean functions via multiplicative characters, divisibility properties of Gauss sums, and graph theory.

Black-box accumulation (BBA) is a cryptographic protocol that allows users to accumulate and redeem points, e.g. in payment systems, and offers provable security and privacy guarantees. Loosely speaking, the transactions of users remain unlinkable, while adversaries cannot claim a false amount of points or use points from other users. Attempts to spend the same points multiple times (double spending) reveal the identity of the misbehaving user and an undeniable proof of guilt. Known instantiations of BBA rely on classical number-theoretic assumptions, which are not post-quantum secure. In this work, we propose the first lattice-based instantiation of BBA, which is plausibly post- quantum secure. It relies on the hardness of the Learning with Errors (LWE) and Short Integer Solution (SIS) assumptions and is secure in the Random Oracle Model (ROM). Our work shows that a lattice-based instantiation of BBA can be realized with a communication cost per transaction of about 199 MB if built on the zero-knowledge protocol by Yang et al. (CRYPTO 2019) and the CL-type signature of Libert et al. (ASIACRYPT 2017). Without any zero-knowledge overhead, our protocol requires 1.8 MB communication.

With the advent of the Internet of Things (IoT), e-health has become one of the main topics of research. Due to the sensitivity of patient information, patient privacy seems challenging. Nowadays, patient data is usually stored in the cloud in healthcare programs, making it difficult for users to have enough control over their data. The recent increment in announced cases of security and surveillance breaches compromising patients' privacy call into question the conventional model, in which third-parties gather and control immense amounts of patients' Healthcare data. In this work, we try to resolve the issues mentioned above by using blockchain technology. We propose a blockchain-based protocol suitable for e-health applications that does not require trust in a third party and provides an efficient privacy-preserving access control mechanism. Transactions in our proposed system, unlike Bitcoin, are not entirely financial, and we do not use conventional methods for consensus operations in blockchain like Proof of Work (PoW). It is not suitable for IoT applications because IoT devices have resources-constraints. Usage of appropriate consensus method helps us to increase network security and efficiency, as well as reducing network cost, i.e., bandwidth and processor usage. Finally, we provide security and privacy analysis of our proposed protocol.

Isogeny-based cryptography is known as one of the promising approaches to the emerging post-quantum public key cryptography. In cryptography, an IDentification (ID) protocol is a primitive that allows someone's identity to be confirmed. We present an efficient variation of the isogeny-based interactive ID scheme used in the base form of the CSI-FiSh signature [BKV19], which was initially proposed by Couveignes-Rostovtsev-Stolbunov [Cou06, RS06}, to support a larger challenge space, and consequently achieve a better soundness error rate in each execution. To this end, we prolong the public key of the basic ID protocol with some $\it{well-formed}$ elements that are generated by particular factors of the secret key. Due to the need for a well-formed (or structured) public key, the (secret and public) keys are generated by a trusted authority. Our analysis shows that, for a particular security parameter, by extending a public key of size 64 B to 2.1 MB, the prover and verifier of our ID protocol can be more than 14$\times$ faster than the basic ID protocol which has a binary challenge space, and moreover, the proof in our case will be about 13.5$\times$ shorter. Using standard techniques, we also turn the presented ID protocol into a signature scheme that is as efficient as the state-of-the-art CSI-FiSh signature, and is existentially unforgeable under chosen message attacks in the (quantum) random oracle model. However, in our signature scheme, a verifier should get the public key of a signer from a trusted authority, which is standard in a wide range of current uses of signatures. Finally, we show how to eliminate the need for a trusted authority in our proposed ID protocol.

We introduce report and trace ring signature schemes, balancing the desire for signer anonymity with the ability to report malicious behaviour and subsequently revoke anonymity. We contribute a formal security model for report and trace ring signatures that incorporates established properties of anonymity, unforgeability and traceability, and captures a new notion of reporter anonymity. We present a construction of a report and trace ring signature scheme, proving its security and analysing its efficiency, comparing with the state of the art in the accountable ring signatures literature. Our analysis demonstrates that our report and trace scheme is efficient, particularly for the choice of cryptographic primitives that we use to instantiate our construction. We contextualise our new primitive with respect to related work, and highlight, in particular, that report and trace ring signature schemes protect the identity of the reporter even after tracing is complete.

Password-based authentication is a central tool for end-user security. As part of this, password hashing is used to ensure the security of passwords at rest. If quantum computers become available at sufficient size, they are able to significantly speed up the computation of preimages of hash functions. Using Grover's algorithm, at most, a square-root speedup can be achieved, and thus it is expected that quantum password guessing also admits a square-root speedup. However, password inputs are not uniformly distributed but highly biased. Moreover, typical password attacks do not only compromise a random user's password but address a large fraction of all users' passwords within a database of millions of users.

In this work, we study those quantum large-scale password guessing attacks for the first time. In comparison to classical attacks, we still gain a square-root speedup in the quantum setting when attacking a constant fraction of all passwords, even considering strongly biased password distributions as they appear in real-world password breaches. We verify the accuracy of our theoretical predictions using the LinkedIn leak and derive specific recommendations for password hashing and password security for a quantum computer era.

We propose to adapt ”low-algebra” digital signature schemes SPHINCS+ and PICNIC, present in the NIST-PQC contest, to the limitations of resource-bounded low-end devices. For this, we replaced the cryptographic primitives (hash functions and symmetric ciphers) of these schemes with lightweight alternatives presented in the NIST-LWC contest. With these specifically conceived primitives, we improve the performance of the signature schemes and still preserve the NIST’s security levels. Regarding SPHINCS+, besides replacing the hash function, we also take into consideration relaxing some parameters and introduce a new notion: security as life expectancy. Furthermore, we also introduce an attack to the SPHINCS+ scheme that takes advantage of the usage of FORS on this scheme and the way its leaves are calculated. Also, we give some solutions on how to avoid this attack. Additionally, a modification of PICNIC is introduced as PICNIC+WOTS where PICNIC is used to generate the secret keys for several WOTS+ signatures significantly reducing the size and signature time of each signature.

Modern implantable cardiologic devices communicate via radio frequency techniques and nearby gateways to a backend server on the internet. Those implanted devices, gateways, and servers form an ecosystem of proprietary hardware and protocols that process sensitive medical data and is often vital for patients’ health.

This paper analyzes the security of this Ecosystem, from technical gateway aspects, via the programmer, to configure the implanted device, up to the processing of personal medical data from large cardiological device producers. Based on a real-world attacker model, we evaluated different devices and found several severe vulnerabilities. Furthermore, we could purchase a fully functional programmer for implantable cardiological devices, allowing us to re-program such devices or even induce electric shocks on untampered implanted devices.

Additionally, we sent several Art. 15 and Art. 20 GDPR inquiries to manufacturers of implantable cardiologic devices, revealing non-conforming processes and a lack of awareness about patients’ rights and companies’ obligations. This, and the fact that many vulnerabilities are still to be found after many vulnerability disclosures in recent years, present a worrying security state of the whole ecosystem.

We are the Blockchain Infrastructure Team, and we are building the foundation used by other projects at the Status Network. We are researching consensus algorithms, Multi-Party Computation techniques, ZKPs and other cutting-edge solutions with the aim to take the blockchain technology to the next level of security, decentralization and scalability for a wide range of use cases. We are currently in a research phase, working with models and simulations. In the near future, we will start implementing the research. You will have the opportunity to participate in developing -and improving- the state of the art of blockchain technologies, as well as turning it into a reality

Key Responsibilities:

This role is dedicated to pure research

Primarily, ensuring that solutions are sound and diving deeper into their formal definition.

Additionally, he/she would be regularly going through papers, bringing new ideas and staying up-to-date.

Designing, specifying and verifying distributed systems by leveraging formal and experimental techniques.

Conducting theoretical and practical analysis of the performance of distributed systems.

Designing and analysing incentive systems.

Researching new techniques for designing, analysing and implementing dependable distributed systems.

Publishing and presenting research results both internally and externally.

Key Responsibilities:

Strong background in Computer Science and Math, or a related area.

Academic background (The ability to analyze, digest and improve the State of the Art in our fields of interest. Specifically, familiarity with formal proofs and/or the scientific method.)

Distributed Systems with a focus on Blockchain

Analysis of algorithms Familiarity with Python and/or complex systems modeling software

Deep knowledge of algorithms (much more academic, such as have dealt with papers, moving from research to pragmatic implementation)

Experience in analysing the correctness and security of distributed systems.

Familiarity with the application of formal method techniques.

Comfortable with “reverse engineering” code

Closing date for applications:

Contact: Angel via discord @ LilChiChi#0021 Or LinkedIn https://www.linkedin.com/in/angelrgutierrez/

More information: https://jobs.status.im/jobs/23946

The Institute of Cybersecurity and Cryptology (iC2) at the University of Wollongong is looking for outstanding PhD students who are interested in digital finance, blockchain, and cryptocurrencies. We offer scholarships, including living expenses for up to $50,000/annum AUD (tax free) plus a tuition waiver. There are 12 positions in total. If you have any questions, please contact Prof. Willy Susilo at (wsusilo@uow.edu.au). Or else, please send your cover letter and CV to Dr. Yannan Li (yannan@uow.edu.au) asap to secure your spot. Applications will be assessed immediately. Join us in this exciting journey! #UOW

Closing date for applications:

Contact: Prof. Willy Susilo and Dr. Yannan Li

Cape Privacy is looking for a Machine Learning Privacy Researcher/Engineer to help build Cape Privacy's innovative SaaS-based encrypted learning platform. This product sits at the intersection of data science, machine learning, privacy, and cryptography; allowing organizations to enhance ML models through privacy-preserving collaboration. Responsibilities include working with our Product team and other researchers & engineers to bring the product vision to reality. Ideal candidates will have an MS or higher in machine learning, data science, privacy or cryptography; and academic or commercial experience in privacy-preserving technologies.

Closing date for applications:

Contact: David Besemer, VP Engineering

More information: https://capeinc.bamboohr.com/jobs/view.php?id=32

The Research group on Cryptology and Information Security (GiCSI) of the Spanish National Research Council is seeking highly motivated professionals in conducting research in the area of cryptographic privacy-enhancing technologies, blockchain-based protocols and security protocols. The selected candidate will part of GiCSI’s team in the context of the H2020 SPIRS (Secure Platform for Ict systems Rooted at the Silicon manufacturing process) project. This project encompasses the complete design of a platform, so-called SPIRS platform, which integrates a hardware dedicated Root of Trust (RoT) and a processor core with the capability of offering a full suite of security services. Furthermore, the SPIRS platform will be able to leverage this capability to support privacy-respectful attestation mechanisms and enable trusted communication channels across 5G infrastructures. RoT is implemented in hardware with a dedicated circuitry to extract a unique digital identifier for the SPIRS platform during its entire lifetime. To build a complete solution, the project also features a Trusted Execution Environment (TEE), secure boot, and runtime integrity. Furthermore, resilience and privacy protection are major concerns in this project, and it endeavors to the design of a decentralized trust management framework targeted to minimize the impact of Single Point of Failure (SPOF) risks and achieve adequate security and privacy tradeoffs. To facilitate the tasks of validation and testing, SPIRS platform is conceived as an open platform that can easily integrate other building blocks and facilities upgrades. The project goes beyond the construction of the SPIRS platform and it provides solutions to integrate it in the deployment of cryptographic protocols and network infrastructures in a trustworthy way, leveraging the RoT provided by the platform. To validate SPIRS results, the project considers two different scenarios: Industry 4.0 and 5G Technologies.

Closing date for applications:

Contact: David Arroyo Guardeño, Ph. D. Research group on Cryptology and Information Security (GiCSI) Institute of Physical and Information Technologies (ITEFI) Spanish National Research Council (CSIC) https://dargcsic.github.io/

More information: https://dargcsic.github.io/posts/2021-09-21-spirs

In this work, we show how weak key forgeries against polynomial hash based Authenticated Encryption (AE) schemes, such as AES-GCM, can be leveraged to launch partitioning oracle attacks. Partitioning oracle attacks were recently introduced by Len et al. (Usenix'21) as a new class of decryption error oracle which, conceptually, takes a ciphertext as input and outputs whether or not the decryption key belongs to some known subset of keys. Partitioning oracle attacks allow an adversary to query multiple keys simultaneously, leading to practical attacks against low entropy keys (e.g. those derived from passwords).

Weak key forgeries were given a systematic treatment in the work of Procter and Cid (FSE'13), who showed how to construct MAC forgeries that effectively test whether the decryption key is in some (arbitrary) set of target keys. Consequently, it would appear that weak key forgeries naturally lend themselves to constructing partition oracles; we show that this is indeed the case, and discuss some practical applications of such an attack. Our attack applies in settings where AE schemes are used with static session keys, and has the particular advantage that an attacker has full control over the underlying plaintexts, allowing any format checks on underlying plaintexts to be met -- including those designed to mitigate against partitioning oracle attacks.

Prior work demonstrated that key commitment is an important security property of AE schemes, in particular settings. Our results suggest that resistance to weak key forgeries should be considered a related design goal. Lastly, our results reinforce the message that weak passwords should never be used to derive encryption keys.