International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage.

26 April 2022

Huawei German Research Center, Munich
Job Posting
Huawei German Research Center in Munich is responsible for advanced technical research, architecture evolution design and strategic technical planning. The Cyber Security and Privacy Lab is developing cutting-edge technologies, which are designed for supporting data protection and accountability in the Cloud, IoT and cloud-based networks.

To support our research activities, we are looking for an enthusiastic and highly motivated PhD student, Security & Trust - Connected, Cooperative, Automated Mobility (m/f/d).

Research Topic
  • Perform research and develop new solutions for Trust Management in the Next-Generation CCAM technologies.
  • Contribute to new mechanisms for assessing dynamic trust relationship based on Zero Trust and Subjective Logic.
  • Define a trust model and trust reasoning framework based on which involved entities can establish trust for cooperatively executing safety-critical functions.
Responsibilities
  • Contribute to the research and development of technologies in the upcoming domain of Connected, Cooperative and Automated Mobility (CCAM).
  • Be involved in international initiatives, including industry groups such as 5GAA, Gaia-X, DIF and Horizon Europe research projects.
Your Profile
  • Completed master studies (or equivalent) in computer science, information technology, electrical engineering, or mathematics;
  • Exposure and understanding of data protection and security development technologies;
  • Good programming skill;
  • Excellent collaboration and communication skills;
  • Fluent in English;

Closing date for applications:

Contact: Dr. Ioannis Krontiris (ioannis.krontiris@huawei.com)

More information: https://apply.workable.com/huawei-16/j/708737847F/

Universitat Pompeu Fabra, Barcelona
Job Posting
Applications are invited for a PhD position in the field of cryptography at the Universitat Pompeu Fabra in Barcelona, Spain. The applicant will be supervised by Carla Ràfols. The topic of research will be theoretical aspects of zero-knowledge proofs. The candidate should have completed his/her master's degree by Oct. 2022 in computer science, mathematics or a related area. The starting date will be around Oct. 2022. Applications should start with a short motivation letter and include a full CV, a copy of grade transcript(s) of completed studies and (when possible) one name of reference. To apply or request further information, please send an email to cryptophdupf (at) upf.edu. The review of applications will start at the end of May and continue until the position is filled.

Closing date for applications:

Contact: Carla Ràfols: cryptophdupf@upf.edu

Université Libre de Bruxelles
Job Posting
1) Research

The topic of this academic chair is the security of embedded systems. By systems we mean: the component level, the low-power/high-performance processor level, and the architecture. The main component and focus is the hardware part but, as an extension, we anticipate joint (collaborative) research with a specific focus on communication aspects and, possibly, embedded software aspects. The desired areas of interest include, but are not limited to:
  • Hardware implementation of cryptographic algorithms/primitives
  • Implementation of physical security countermeasures
  • Technology-aware design of secure systems (emerging IC-manufacturing technologies)
  • Trusted computing (platforms, protocols)
  • Hardware roots of trust (PUF, TRNG)
  • Secure hardware/software codesign
  • System-on-chip security
  • IoT security (protocol implementation, network aspects)
  • Cyberphysical systems security
  • Embedded software security
  • Processor architecture security

The successful applicant will benefit from the existing research and experimental equipment of the laboratories of the Engineering and Sciences Faculty (electronics, network security, wireless communications, cryptography, ...) and from immediate involvement in the supervision of 5+ running PhD theses.

2) Education

The teaching responsibilities of the prospective candidate will cover various types of activities, including lectures, tutorials and project-based learning at the Bachelor's and Master's level in the Brussels School of Engineering (Ecole Polytechnique de Bruxelles). Proven teaching skills with experience in teaching in English and in French will be considered an asset. The appointed academic will take responsibility for the following courses: Architecture and security of processors, Design of secure systems, Hardware security.

Closing date for applications:

Contact: jean-michel.dricot@ulb.be

More information: https://www.ulb.be/greffeintra/files/7734.pdf

TalTech, Centre for HW Security; Tallinn, Estonia
Job Posting
The Centre for Hardware Security at TalTech, led by Prof. Samuel Pagliarini, invites applications for several fully-funded PhD positions. The Centre conducts research in the area of Hardware Security focusing on trustworthy integrated circuit (IC) design, electronic design automation (EDA) for secure systems, hardware trojans, reverse engineering, circuit obfuscation, crypto hardware, and other similar security topics. Successful candidates will have access to silicon fabrication in order to validate research ideas as it is already a practice of the Centre (see portfolio).

Requirements: We are looking for motivated candidates with a strong background in circuit design. PhD candidates must have completed a Master's degree (or be about to complete). Previous expertise on Hardware Security/Cryptography is not required but is highly desirable. The candidates are expected to have the following core skills:

  • Ability to describe digital circuitry (preferably in Verilog)
  • Ability to write C++/python scripts for building small EDA tools
  • Familiarity w/ Cadence tools for IC design (Genus, Innovus, Virtuoso, etc.) or equivalent tools from Siemens/Synopsys
  • Strong writing skills (English) that are compatible with doctoral-level requirements, i.e., writing academic papers and articles.

How to apply: Please submit your CV and transcripts to Prof. Pagliarini by email using the subject ‘PhD in Hardware Security’. Candidates with adequate backgrounds will be invited to interview over Skype. Applications are processed as they arrive. All positions have a tentative start date of September 2022. The nominal duration of a PhD degree is 4 years at TalTech. Salaries are approximately 1600 EUR/month (net), which allows for a comfortable standard of living in Tallinn.

Closing date for applications:

Contact: Samuel Pagliarini via email, name.lastname@taltech.ee

More information: https://ati.ttu.ee/~spagliar/timeline/index.html


23 April 2022

Nico Döttling, Jesko Dujmovic
ePrint Report
Fully homomorphic encryption (FHE) allows arbitrary computations on encrypted data. The standard security requirement, IND-CPA security, ensures that the encrypted data remain private. However, it does not guarantee privacy for the computation performed on the encrypted data. Statistical circuit privacy offers a strong privacy guarantee for the computation process, namely that a homomorphically evaluated ciphertext does not leak any information on how the result of the computation was obtained. Malicious statistical circuit privacy requires this to hold even for maliciously generated keys and ciphertexts. Ostrovsky, Paskin and Paskin (CRYPTO 2014) constructed an FHE scheme achieving malicious statistical circuit privacy. Their construction, however, makes non-black-box use of a specific underlying FHE scheme, resulting in a circuit-private scheme with inherently high overhead. This work presents a conceptually different construction of maliciously circuit-private FHE from simple information-theoretic principles. Furthermore, our construction only makes black-box use of the underlying FHE scheme, opening the possibility of achieving practically efficient schemes. Finally, in contrast to the OPP scheme, in our scheme pre- and post-homomorphic ciphertexts are syntactically the same, enabling new applications in multi-hop settings.
Emre Karabulut, Erdem Alkim, Aydin Aysu
ePrint Report
This paper proposes a new single-trace side-channel attack on lattice-based post-quantum protocols. We target the ω-small polynomial sampling of the NTRU, NTRU Prime, and CRYSTALS-DILITHIUM algorithm implementations (which are NIST Round-3 finalists and alternative candidates), and we demonstrate the vulnerabilities of their sub-routines to a power-based side-channel attack. Specifically, we reveal that the sorting implementation in NTRU/NTRU Prime and the shuffling in CRYSTALS-DILITHIUM's ω-small polynomial sampling process leak information about the '-1', '0', or '+1' assignments made to the coefficients. We further demonstrate that these assignments can be found within a single power measurement and that revealing them allows secret and session key recovery for NTRU/NTRU Prime, while reducing the challenge polynomial's entropy for CRYSTALS-DILITHIUM. We execute our proposed attacks on an ARM Cortex-M4 microcontroller running the reference software submissions from the NIST Round-3 software packages. The results show that our attacks can extract coefficients with a success rate of 99.78% for NTRU and NTRU Prime, reducing the search space to 2^41 or below. For CRYSTALS-DILITHIUM, our attack recovers the coefficients' signs with over 99.99% success, reducing the rejected challenge polynomials' entropy by between 39 and 60 bits. Our work informs the proposers about the single-trace vulnerabilities of their software and urges them to develop single-trace resilient software for low-cost microcontrollers.
Loïc Masure, Valence Cristiani, Maxime Lecomte, François-Xavier Standaert
ePrint Report
Over the past few years, deep-learning-based attacks have emerged as a de facto standard, thanks to their ability to break implementations of cryptographic primitives without pre-processing, even against widely used counter-measures such as hiding and masking. However, the recent works of Bronchain and Standaert at TCHES 2020 questioned the soundness of such tools if used in a black-box setting to evaluate implementations protected with higher-order masking. Conversely, white-box evaluations may be seen as possibly far from what a real-world adversary could do, thereby leading to too conservative security bounds. In this paper, we propose a new threat model that we name grey-box, benefiting from a trade-off between the black- and white-box models. Our grey-box model is closer to a real-world adversary, in the sense that it does not need to have access to the random nonces used by masking during the profiling phase as in a white-box model, while it does not need to learn the masking scheme as implicitly done in a black-box model. We show how to combine the power of deep learning with the prior knowledge of grey-box modeling. As a result, we show on simulations and experiments on public datasets how it allows reducing by an order of magnitude the profiling complexity, i.e., the number of profiling traces needed to satisfyingly train a model, compared to a fully black-box model.
Robert Muth, Tarek Galal, Jonathan Heiss, Florian Tschorsch
ePrint Report
Smart contracts often need to verify identity-related information of their users. However, such information is typically confidential, and its verification requires access to off-chain resources. Given the isolation and privacy limitations of blockchain technologies, this presents a problem for on-chain verification. In this paper, we show how CL-signature-based anonymous credentials can be verified in smart contracts using the example of Hyperledger Indy, a decentralized credential management platform, and Ethereum, a smart contract-enabled blockchain. Therefore, we first outline how smart contract-based verification can be integrated in the Hyperledger Indy credential management routine and, then, provide a technical evaluation based on a proof-of-concept implementation of CL-signature verification on Ethereum. While our results demonstrate technical feasibility of smart contract-based verification of anonymous credentials, they also reveal technical barriers for its real-world usage.
Lukas Helminger, Christian Rechberger
ePrint Report
The EU GDPR has two main goals: protecting individuals from personal data abuse and simplifying the free movement of personal data. Privacy-enhancing technologies promise to fulfill both goals simultaneously. A particularly effective and versatile technology solution is multi-party computation (MPC). It allows protecting data during a computation involving multiple parties.

This paper aims for a better understanding of the role of MPC in the GDPR. Although MPC is relatively mature, little research has been dedicated to its GDPR compliance. First, we try to give an understanding of MPC for legal scholars and policymakers. Then, we examine the GDPR-relevant provisions regarding MPC with a technical audience in mind. Finally, we devise a test that can assess the impact of a given MPC solution with regard to the GDPR.

The test consists of several questions, which a controller can answer without the help of a technical or legal expert. Going through the questions will classify the MPC solution as (1) a means of avoiding the GDPR, (2) Data Protection by Design, or (3) having no legal benefits. Two concrete case studies should provide a blueprint on how to apply the test. We hope that this work also contributes to an interdisciplinary discussion of MPC certification and standardization.
Loïc Masure, Gaëtan Cassiers, Julien Hendrickx, François-Xavier Standaert
ePrint Report
Current side-channel evaluation methodologies exhibit a gap between inefficient tools offering strong theoretical guarantees and efficient tools only offering heuristic (sometimes case-specific) guarantees. Profiled attacks based on the empirical leakage distribution correspond to the first category. Bronchain et al. showed at Crypto 2019 that they allow bounding the worst-case security level of an implementation, but the bounds become loose as the leakage dimensionality increases. Template attacks and machine learning models are examples of the second category. In view of the increasing popularity of such parametric tools in the literature, a natural question is whether the information they can extract (with a given choice of set of models) can be bounded. In this paper, we first show that a metric conjectured to be useful for this purpose, the hypothetical information, does not offer such a general bound. It only does when the assumptions exploited by a parametric model match the true leakage distribution. We therefore introduce a new metric, the training information, that provides the guarantees that were conjectured for the hypothetical information for practically-relevant models. We next initiate a study of the convergence rates of profiled side-channel distinguishers which clarifies, to the best of our knowledge for the first time, the parameters that influence the complexity of profiling. On the one hand, the latter has practical consequences for evaluators as it can guide them in choosing the appropriate modeling tool depending on the implementation (e.g., protected or not) and contexts (e.g., granting them access to the countermeasures' randomness or not). It also allows anticipating the number of measurements needed to guarantee a sufficient model quality. On the other hand, our results connect and exhibit differences between side-channel analysis and statistical learning theory.
Tarun Yadav, Manoj Kumar, Amit Kumar, S K Pal
ePrint Report
The differential attack is a basic cryptanalysis method for block ciphers that exploits high-probability relations between the input and output differences. The existing work in quantum differential cryptanalysis of block ciphers focuses on resource estimation to recover the last round subkeys on the basis of existing relations constructed on classical computers. To find such relations using a quantum computer, we propose a method to search for high-probability differential and impossible differential characteristics using a quantum computer. The method explores all possible input and output difference pairs simultaneously using superposition of qubits. The proposed method is used to design the quantum circuit to search for the differential characteristics of a toy cipher, smallGIFT. The branch-and-bound based method is used to validate the differential and impossible differential characteristics obtained using the proposed method.
Debajyoti Das, Easwar Vivek Mangipudi, Aniket Kate
ePrint Report
There is a growing demand for network-level anonymity for delegates at global organizations such as the UN and Red Cross. Numerous anonymous communication (AC) systems have been proposed over the last few decades to provide anonymity over the internet; however, they either introduce high latency overhead, provide weaker anonymity guarantees, or are difficult to deploy in organizational networks. Recently, the PriFi system introduced a client/relay/server model that suitably utilizes the organizational network topology and proposes a low-latency, strong-anonymity AC protocol. Using an efficient lattice-based (almost) key-homomorphic pseudorandom function and Newton's power sums, we present a novel AC protocol, OrgAn, in this client/relay/server model that provides strong anonymity against a global adversary controlling the majority of the network. OrgAn's cryptographic design allows it to overcome several major problems with any realistic PriFi instantiation: (a) unlike PriFi, OrgAn avoids a frequent, interactive slot-agreement protocol among the servers; (b) a PriFi relay has to receive frequent communication from the servers, which can not only become a latency bottleneck but also reveal the access pattern to the servers and increase the chance of server collusion/coercion, while OrgAn servers are absent from any real-time process. We demonstrate how to make this public-key cryptographic solution scale as well as the symmetric-cryptographic PriFi with practical pre-computation and storage requirements. Through a prototype implementation, we show that OrgAn provides similar throughput and end-to-end latency guarantees as PriFi, while still discounting the setup challenges in PriFi.
Navid Ghaedi Bardeh, Vincent Rijmen
ePrint Report
A new fundamental 4-round property against AES, called the zero-difference property, was introduced by Rønjom, Bardeh and Helleseth at Asiacrypt 2017. Our work characterizes it in a simple way by exploiting the notion of related differences, which was introduced and well analyzed by the AES designers. We are then interested in extending the 4-round property by considering some further properties of related differences over the AES linear layer, generalizing the zero-difference property. This results in a new key recovery attack on 7-round AES, which is the first attack on 7-round AES exploiting the zero-difference property.
Olivier Blazy, Pierre-Alain Fouque, Thibaut Jacques, Pascal Lafourcade, Cristina Onete, Léo Robert
ePrint Report
Secure messaging applications are deployed on devices that can be compromised, lost, stolen, or corrupted in many ways. Thus, recovering from attacks to get back to a clean state is essential and known as healing. Signal is a widely-known, privacy-friendly messaging application that uses a key-ratcheting mechanism that updates keys at each stage to provide end-to-end channel security, forward secrecy, and post-compromise security. We strengthen this last property by providing faster healing. While Signal needs up to two full chains of messages before recovering, our protocol enables recovery after the equivalent of a chain of only one message. We also provide extra protection against session-hijacking attacks. We do so while building on the pre-existing Signal backbone, without weakening its other security assumptions, and while remaining compatible with Signal's out-of-order message handling feature. Our implementation results show that, while slower than Signal (as expected), MARSHAL's spectacular gain in healing speed comes at a surprisingly low cost, with individual stages (including key-derivation, encryption, and decryption) taking less than 6 ms.
Xi Xie, Nian Li, Linjie Xu, Xiangyong Zeng, Xiaohu Tang
ePrint Report
Let $q$ be an odd prime power and ${\mathbb F}_{q^3}$ be the finite field with $q^3$ elements. In this paper, we propose two classes of permutation trinomials of ${\mathbb F}_{q^3}$ for an arbitrary odd characteristic based on the multivariate method and some subtle manipulation of solving equations with low degrees over finite fields. Moreover, we demonstrate that these two classes of permutation trinomials are QM inequivalent to all known permutation polynomials over ${\mathbb F}_{q^3}$. To the best of our knowledge, this paper is the first to study the construction of nonlinearized permutation trinomials of ${\mathbb F}_{q^3}$ with at least one coefficient lying in ${\mathbb F}_{q^3}\backslash{\mathbb F}_{q}$.
Jan Richter-Brockmann, Jakob Feldtkeller, Pascal Sasdrich, Tim Güneysu
ePrint Report
Physical attacks, including passive Side-Channel Analysis and active Fault Injection Analysis, are considered among the most powerful threats against physical cryptographic implementations. These attacks are well known, and research provides many specialized countermeasures to protect cryptographic implementations against them. Still, only a limited number of combined countermeasures, i.e., countermeasures that protect implementations against multiple attacks simultaneously, were proposed in the past. Due to increasing complexity and reciprocal effects, the design of efficient and reliable combined countermeasures requires longstanding expertise in hardware design and security. With the help of formal security specifications and adversary models, automated verification can streamline development cycles, increase quality, and facilitate the development of robust cryptographic implementations. In this work, we revise and refine formal security notions for combined protection mechanisms and specifically embed them in the context of hardware implementations. Based on this, we present the first automated verification framework that can verify physical security properties of hardware circuits with respect to combined physical attacks. To this end, we conduct several case studies to demonstrate the capabilities and advantages of our framework, analyzing secure building blocks (gadgets), S-boxes built from Toffoli gates, and the ParTI scheme. For the first time, we reveal security flaws in the analyzed structures due to reciprocal effects, highlighting the importance of continuously integrating security verification into modern design and development cycles.
Nina Bindel, Sarah McCarthy, Geoff Twardokus, Hanif Rahbari
ePrint Report
We tackle a challenging problem at the intersection of two emerging technologies: post-quantum cryptography (PQC) and vehicle-to-vehicle (V2V) communications. Connected vehicles use V2V technology to exchange safety messages that allow them to increase proximity awareness, improving roadway safety. The integrity and authenticity of these messages are critical to prevent an adversary from abusing V2V technology to cause a collision, traffic jam, or other unsafe and/or disruptive situations. The IEEE 1609.2 standard (2016) specifies authentication mechanisms for V2V communications that rely on the elliptic curve digital signature algorithm (ECDSA) and are therefore not secure against quantum attackers. In this paper, we are the first to devise and evaluate PQC for authenticating messages in IEEE 1609.2. By analyzing the properties of the NIST PQC standardization finalists, as well as XMSS (RFC 8391), we propose three practical, ECDSA-PQ hybrid designs for use during the transition from classical to PQ-secure cryptography.
KyungHyun Han, Wai-Kong Lee, Angshuman Karmakar, Jose Maria Bermudo Mera, Seong Oun Hwang
ePrint Report
Privacy preservation is a sensitive issue in our modern society. It is becoming increasingly important in many applications in this ever-growing and highly connected digital era. Functional encryption is a computation-on-encrypted-data paradigm that allows users to retrieve the evaluation of a function on encrypted data without revealing the data, thus effectively protecting users' privacy. However, existing functional encryption implementations are still very time-consuming for practical deployment, especially when applied to machine learning applications that involve a huge amount of data. In this paper, we present a high-performance implementation of inner-product functional encryption (IPFE) based on ring learning with errors on graphics processing units. We propose novel techniques to parallelize the Gaussian sampling, which is one of the most time-consuming operations in the IPFE scheme. We further execute a systematic investigation to select the best strategy for implementing the number theoretic transform and inverse number theoretic transform for different security levels. Compared to the existing AVX2 implementation of IPFE, our implementation on an RTX 2060 GPU device can achieve 34.24x, 40.02x, 156.30x, and 18.76x speed-ups for Setup, Encrypt, KeyGen, and Decrypt respectively. Finally, we propose a fast privacy-preserving Support Vector Machine (SVM) application to classify data securely using our GPU-accelerated IPFE scheme. Experimental results show that our implementation can classify 100 inputs with 591 support vectors in 688 ms (less than a second), which is 33.12x faster than the AVX2 version, which takes 23 seconds.
Pratyush Ranjan Tiwari, Dhruv Agarwal, Prakhar Jain, Swagam Dasgupta, Preetha Datta, Vineet Reddy, Debayan Gupta
ePrint Report
India's Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India's 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies.
Ahmet Can Mert, Aikata, Sunmin Kwon, Youngsam Shin, Donghoon Yoo, Yongwoo Lee, Sujoy Sinha Roy
ePrint Report
Homomorphic encryption enables computation on encrypted data, and hence it has great potential in privacy-preserving outsourcing of computations to the cloud. Hardware acceleration of homomorphic encryption is crucial as software implementations are very slow. In this paper we present design methodologies for building a programmable hardware accelerator for speeding up the cloud-side homomorphic evaluations on encrypted data. First, we propose a divide-and-conquer technique that enables homomorphic evaluations in the polynomial ring $R_{Q,2N} = \mathbb{Z}_{Q}[x]/(x^{2N} + 1)$ to use a hardware accelerator that has been built for the smaller ring $R_{Q,N} = \mathbb{Z}_{Q}[x]/(x^{N} + 1)$. The technique makes it possible to use a single hardware accelerator flexibly for supporting several homomorphic encryption parameter sets. Next, we present several architectural design methods that we use to realize the flexible and instruction-set accelerator architecture, which we call `Medha'. At every level of the implementation hierarchy, we explore possibilities for parallel processing. Starting from hardware-friendly parallel algorithms for the basic building blocks, we gradually build heavily parallel RNS polynomial arithmetic units. Next, many of these parallel units are interconnected elegantly so that their interconnections require the minimum number of nets, therefore making the overall architecture placement-friendly on the platform. As homomorphic encryption is computation- as well as data-centric, the speed of homomorphic evaluations depends greatly on the way the data variables are handled. For Medha, we take a memory-conservative design approach and get rid of any off-chip memory access during homomorphic evaluations.

Finally, we implement Medha on a Xilinx Alveo U250 FPGA and measure the timing performance of the microcoded homomorphic addition, multiplication, key-switching, and rescaling routines for the leveled fully homomorphic encryption scheme RNS-HEAAN at a 200 MHz clock frequency. For the large parameter sets $(\log Q, N) = (438, 2^{14})$ and $(546, 2^{15})$, Medha achieves accelerations of up to $68\times$ and $78\times$ respectively compared to the highly optimized software implementation Microsoft SEAL running at 2.3 GHz.