International Association
for Cryptologic Research

Physical attacks, including passive Side-Channel Analysis and active Fault Injection Analysis, are considered among the most powerful threats against physical cryptographic implementations. These attacks are well known and research provides many specialized countermeasures to protect cryptographic implementations against them. Still, only a limited number of combined countermeasures, i.e., countermeasures that protect implementations against multiple attacks simultaneously, were proposed in the past. Due to increasing complexity and reciprocal effects, design of efficient and reliable combined countermeasures requires longstanding expertise in hardware design and security. With the help of formal security specifications and adversary models, automated verification can streamline development cycles, increase quality, and facilitate development of robust cryptographic implementations. In this work, we revise and refine formal security notions for combined protection mechanisms and specifically embed them in the context of hardware implementations. Based on this, we present the first automated verification framework that can verify physical security properties of hardware circuits with respect to combined physical attacks. To this end, we conduct several case studies to demonstrate the capabilities and advantages of our framework, analyzing secure building blocks (gadgets), S-boxes build from Toffoli gates, and the ParTI scheme. For the first time, we reveal security flaws in analyzed structures due to reciprocal effects, highlighting the importance of continuously integrating security verification into modern design and development cycles.

We tackle a challenging problem at the intersection of two emerging technologies: Post-quantum cryptography (PQC) and vehicle-to-vehicle (V2V) communications. Connected vehicles use V2V technology to exchange safety messages that allow them to increase proximity awareness, improving roadway safety. The integrity and authenticity of these messages is critical to prevent an adversary from abusing V2V technology to cause a collision, traffic jam, or other unsafe and/or disruptive situations. The IEEE 1609.2 standard (2016) specifies authentication mechanisms for V2V communications that rely on the elliptic curve digital signature algorithm (ECDSA) and are therefore not secure against quantum attackers. In this paper, we are the first to devise and evaluate PQC for authenticating messages in IEEE 1609.2. By analyzing the properties of the NIST PQC standardization finalists, as well as XMSS (RFC 8391), we propose three practical, ECDSA-PQ hybrid designs for use during the transition from classical to PQ-secure cryptography.

Privacy preservation is a sensitive issue in our modern society. It is becoming increasingly important in many applications in this ever-growing and highly connected digital era. Functional encryption is a computation on encrypted data paradigm that allows users to retrieve the evaluation of a function on encrypted data without revealing the data, thus effectively protecting users' privacy. However, existing functional encryption implementations are still very time-consuming for practical deployment, especially when applied to machine learning applications that involve a huge amount of data. In this paper, we present a high-performance implementation of inner-product functional encryption (IPFE) based on ring-learning with errors on graphics processing units. We propose novel techniques to parallelize the Gaussian sampling, which is one of the most time-consuming operations in the IPFE scheme. We further execute a systematic investigation to select the best strategy for implementing number theoretic transform and inverse number theoretic transform for different security levels. Compared to the existing AVX2 implementation of IPFE, our implementation on a RTX 2060 GPU device can achieve 34.24x, 40.02x, 156.30x, and 18.76x speed-up for Setup, Encrypt, KeyGen, and Decrypt respectively. Finally, we propose a fast privacy-preserving Support Vector Machine (SVM) application to classify data securely using our GPU-accelerated IPFE scheme. Experimental results show that our implementation can classify 100 inputs with 591 support vectors in 688 ms (less than a second), which is 33.12x faster than the AVX2 version which takes 23 seconds.

India's Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India's 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.

Homomorphic encryption enables computation on encrypted data, and hence it has a great potential in privacy-preserving outsourcing of computations to the cloud. Hardware acceleration of homomorphic encryption is crucial as software implementations are very slow. In this paper we present design methodologies for building a programmable hardware accelerator for speeding up the cloud-side homomorphic evaluations on encrypted data. First, we propose a divide-and-conquer technique that enables homomorphic evaluations in the polynomial ring $R_{Q,2N} = \mathbb{Z}_{Q}[x]/(x^{2N} + 1)$ to use a hardware accelerator that has been built for the smaller ring $R_{Q,N} = \mathbb{Z}_{Q}[x]/(x^{N} + 1)$. The technique makes it possible to use a single hardware accelerator flexibly for supporting several homomorphic encryption parameter sets. Next, we present several architectural design methods that we use to realize the flexible and instruction-set accelerator architecture, which we call as `Medha'. At every level of the implementation hierarchy, we explore possibilities for parallel processing. Starting from hardware-friendly parallel algorithms for the basic building blocks, we gradually build heavily parallel RNS polynomial arithmetic units. Next, many of these parallel units are interconnected elegantly so that their interconnections require the minimum number of nets, therefore making the overall architecture placement-friendly on the platform. As homomorphic encryption is computation- as well as data-centric, the speed of homomorphic evaluations depends greatly on the way the data variables are handled. For Medha, we take a memory-conservative design approach and get rid of any off-chip memory access during homomorphic evaluations. Finally, we implement Medha in a Xilinx Alveo U250 FPGA and measure timing performances of the microcoded homomorphic addition, multiplication, key-switching, and rescaling routines for the leveled fully homomorphic encryption scheme RNS-HEAAN at 200 MHz clock frequency. For the large parameter sets $(\log Q, N) = (438, 2^{14})$ and $(546, 2^{15})$, Medha achieves accelerations by up to $68\times$ and $78\times$ times respectively compared to a highly optimized software implementation Microsoft SEAL running at 2.3 GHz.

We propose a short signature scheme under the ring-SIS assumption in the standard model. Specifically, by revisiting an existing construction [Ducas and Micciancio, CRYPTO 2014], we demonstrate lattice-based signatures with improved reduction loss. As far as we know, there are no ways to use multiple tags in the signature simulation of security proof in the lattice tag-based signatures. We address the tag-collision possibility in the lattice setting, which improves reduction loss. Our scheme generates tags from messages by constructing a scheme under a mild security condition that is existentially unforgeable against random message attack with auxiliary information. Thus our scheme can reduce the signature size since it does not need to send tags with the signatures. Our scheme has short signature sizes of ?(1) and achieves tighter reduction loss than that of Ducas et al.’s scheme. Our proposed scheme has two variants. Our scheme with one property has tighter reduction and the same verification key size of ?(log ?) as that of Ducas et al.’s scheme, where ? is the security parameter. Our scheme with the other property achieves much tighter reduction loss of ?(?/?) and verification key size of ?(?), where ? is the number of signing queries.

Property-preserving hash (PPH) function is a class of hash functions that allows an evaluation of the property of inputs from their hash values. Boyle et al. at ITCS 2019 recently introduced it and considered the robustness of PPH against an adversary who accesses the internal randomness of PPH, and proposed two robust PPH constructions for a weak form of Hamming distance predicate. The second construction received attention for its short hash value, although it relies on an ad-hoc security assumption. The first construction, which is entirely hash-based and based on the classical collision-resistance assumption, has been largely overlooked. We study their first construction and discover its close connection to a seemingly different field of hash/MAC-based (adversarial) error detection using the theory of Combinatorial Group Testing (CGT). We show some consequences of this discovery. In particular, we show that some existing proposals in the field of CGT-based error detection can be converted into a PPH for the Hamming distance property, and they immediately improve and generalize Boyle et al.'s hash-based PPH proposal. We also show that the idea of Boyle et al. is useful in the context of a variant of CGT problem.

In this work we study and formalize security notions for algorithm substitution attacks (ASAs) on cryptographic puzzles. Puzzles are difficult problems that require an investment of computation, memory or some other related resource. They are heavily used as a building block for the consensus networks used by cryptocurrencies, where they include primitives such as proof-of-work, proof-of-space, and verifiable delay functions (VDFs). Due to economies of scale, these networks increasingly rely on a small number of companies to construct opaque hardware or software (e.g., GPU or FPGA images): this dependency raises concerns about cryptographic subversion. Unlike the algorithms considered by previous ASAs, cryptographic puzzles do not rely on secret keys and thus enable a very different set of attacks. We first explore the threat model for these systems and then propose concrete attacks that (1) selectively reduce a victim's solving capability (e.g., hashrate) and (2) exfiltrate puzzle solutions to an attacker. We then propose defenses, several of which can be applied to existing cryptocurrency hardware with minimal changes. Given that these attacks are relevant to all proof of work cryptocurrencies that have a combined market capitalization around a $1 trillion USD (March, 2022), we recommend that all vulnerable mining protocols consider making the suggested adaptations today.

{\sf TrCBC} is a variant of CBC-MAC which appeared in {\em Information Processing Letters}, 112(7):302-307, 2012. The authors claimed {\sf TrCBC} to be a secure message authentication code (MAC) with some interesting properties. If ${\sf TrCBC}$ is instantiated with a block cipher with block length $n$, then it requires $\lceil \lambda /n \rceil$ block cipher calls for authenticating a $\lambda$-bit message and requires a single key, which is the block cipher key. We show that with high probability, an adversary can forge {\sf TrCBC} with just three queries. The attack that we show can be applied to forge a large class of messages.

We analyze and implement the SIDH PoK-based construction from De Feo, Dobson, Galbraith, and Zobernigl. We improve the SIDH-PoK built-in functions to allow an efficient constant-time implementation. After that, we combine it with Fiat-Shamir transform to get an SIDH PoK-based signature scheme that we short label as SIDH-sign. We suggest SIDH-sign-p377, SIDH-sign-p546, and SIDH-sign-p697 as instances that provide security compared to NIST L1, L3, and L5. To the best of our knowledge, the three proposed instances provide the best performance among digital signature schemes based on isogenies.

Event date: to
Submission deadline: 1 October 2022

Event date: 25 September to 28 September 2022
Submission deadline: 20 May 2022
Notification: 15 July 2022

Event date: to
Submission deadline: 1 November 2022

Event date: 23 September 2022
Submission deadline: 10 June 2022
Notification: 15 July 2022

Event date: to
Submission deadline: 2 May 2022
Notification: 1 December 2022

Institute for Advancing Intelligence (IAI) of TCG-CREST is offering Ph.D. program in broad areas of Computer Science and Mathematics with a special focus on Cryptography and Security, Quantum Information and Quantum Cryptography, Mathematical Applications, Artificial Intelligence and Machine Learning. All students who passed or are in their final year pursuing M.Tech / M.E / M.Sc / M.Stat / M.Math or equivalent degree in Computer Science, Information Technology, Electronics, Mathematics, Statistics, Data Science, Physics or other areas of Quantitative Sciences may apply. The degree will be awarded in collaboration with either Chennai Mathematical Institute (CMI) or Ramakrishna Mission Vivekananda Educational and Research Institute (RKMVERI) or NIT Durgapur. Candidates will be selected based on their performance in a written test followed by an interview. The written test will be held on 28th May, 2022 and the session will start in August 2022. The online application portal is open until 15th May, 2022. Interested candidates are requested to apply online by filling up the application form provided on the admission page (https://www.tcgcrest.org/iai-admission-2022/ ). All the necessary details regarding our admissions process are available therein.

Closing date for applications:

Contact: Dr. Avijit Dutta +91 70035 59134 /avijit.dutta@tcgcrest.org https://www.tcgcrest.org/people/avijit-dutta/

More information: https://www.tcgcrest.org/iai-admission-2022/

Passionate about cryptography? Want to work on designing, reviewing and implementing cryptography to solve impactful security and privacy problems? Follow the link or contact me directly!

Closing date for applications:

Contact: Yannick Sierra at apple.com

More information: https://jobs.apple.com/en-us/details/200312812/cryptographic-engineer

Polynomial multiplication algorithms such as Toom-Cook and the Number Theoretic Transform are fundamental building blocks for lattice-based post-quantum cryptography. In this work, we present correlation power analysis-based side-channel analysis methodologies targeting every polynomial multiplication strategy for all lattice-based post-quantum key encapsulation mechanisms in the final round of the NIST post-quantum standardization procedure. We perform practical experiments on real side-channel measurements demonstrating that our method allows to extract the secret key from all lattice-based post-quantum key encapsulation mechanisms. Our analysis demonstrates that the used polynomial multiplication strategy can significantly impact the time complexity of the attack.

This paper reviews, from bottom to top, a polynomial-time algorithm to correct t errors in classical binary Goppa codes defined by squarefree degree-t polynomials. The proof is factored through a proof of a simple Reed--Solomon decoder, and the algorithm is simpler than Patterson's algorithm. All algorithm layers are expressed as Sage scripts. The paper also covers the use of decoding inside the Classic McEliece cryptosystem, including reliable recognition of valid inputs.

The Module Learning With Errors problem (M-LWE) is a core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency. The problem is parameterized by a secret distribution as well as an error distribution. There is a gap between the choices of those distributions for theoretical hardness results (standard formulation of M-LWE, i.e., uniform secret modulo $q$ and Gaussian error) and practical schemes (small bounded secret and error). In this work, we make progress towards narrowing this gap. More precisely, we prove that M-LWE with $\eta$-bounded secret for any $2 \leq \eta \ll q$ and Gaussian error, in both its search and decision variants, is at least as hard as the standard formulation of M-LWE, provided that the module rank $d$ is at least logarithmic in the ring degree $n$. We also prove that the search version of M-LWE with large uniform secret and uniform $\eta$-bounded error is at least as hard as the standard M-LWE problem, if the number of samples $m$ is close to the module rank $d$ and with further restrictions on $\eta$. The latter result can be extended to provide the hardness of M-LWE with uniform $\eta$-bounded secret and error under specific parameter conditions.