International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

18 December 2018

Michael Meyer, Fabio Campos, Steffen Reith
ePrint Report
The recently proposed CSIDH primitive is a promising candidate for post quantum static-static key exchanges with very small keys. However, until now there is only a variable-time proof-of-concept implementation by Castryck, Lange, Martindale, Panny, and Renes, recently optimized by Meyer and Reith, that can leak various information about the private key. Therefore, we present a constant-time implementation that samples key elements only from intervals of nonnegative numbers and uses dummy isogenies, which prevents certain kinds of side-channel attacks. We apply several optimizations, e.g. SIMBA and Elligator, in order to get a more efficient implementation.
NICOLAS BELLEVILLE, DAMIEN COUROUSSÉ, KARINE HEYDEMANN, HENRI-PIERRE CHARLES
ePrint Report
We present an approach and a tool to answer the need for effective, generic and easily applicable protections against side-channel attacks. The protection mechanism is based on code polymorphism, so that the observable behaviour of the protected component is variable and unpredictable to the attacker. Our approach combines lightweight specialized runtime code generation with the optimization capabilities of static compilation. It is extensively configurable. Experimental results show that programs secured by our approach present strong security levels and meet the performance requirements of constrained systems.
Loïc Masure, Cécile Dumas, Emmanuel Prouff
ePrint Report
The past few years have seen the emergence of Machine Learning and Deep Learning algorithms as promising tools for profiling attacks, especially Convolutional Neural Networks (CNN). The latter have indeed been shown to overcome countermeasures such as de-synchronization or masking. However, CNNs are not widely used yet and Gaussian Templates are usually preferred. Though their efficiency is highly impacted by the countermeasures previously mentioned, their relevance relies on theoretical and physical justifications fairly recognized among the Side Channel community. Instead, the efficiency of CNNs still raises a certain scepticism as they act as a black-box tool. This scepticism is not specific to the Side Channel Analysis context: understanding to what extent CNNs would be so powerful and how they learn to recognize discriminative features for classification problems is still an open problem. Some methods have been proposed by the computer vision community, without satisfying performance in this field. However, methods based on Sensitivity Analysis particularly fit our problem. We propose to apply one of them called Gradient Visualization that uses the derivatives of a CNN model with respect to an input trace in order to accurately identify temporal moments where sensitive information leaks. In this paper, we theoretically show that this method may be used to efficiently localize Points of Interest in the SCA context. The efficiency of the proposed method does not depend on the particular countermeasure that may be applied to the measured traces as long as the profiled CNN can still learn in presence of such difficulties. In addition, the characterization can be made for each trace individually. We verified the soundness of our proposed method on simulated data and on experimental traces from a public Side Channel database. Eventually we empirically show that Sensitivity Analysis performs at least as well as state-of-the-art characterization methods, in presence (or not) of countermeasures.
Lauren De Meyer, Victor Arribas, Svetla Nikova, Ventzislav Nikov, Vincent Rijmen
ePrint Report
Cryptographic implementations on embedded systems need to be protected against physical attacks. Today, this means that apart from incorporating countermeasures against side-channel analysis, implementations must also withstand fault attacks and combined attacks. Recent proposals in this area have shown that there is a big tradeoff between the implementation cost and the strength of the adversary model. In this work, we introduce a new combined countermeasure M&M that combines Masking with information-theoretic MAC tags and infective computation. It works in a stronger adversary model than the existing scheme ParTI, yet is a lot less costly to implement than the provably secure MPC-based scheme CAPA. We demonstrate M&M with a SCA- and DFA-secure implementation of the AES block cipher. We evaluate the side-channel leakage of the second-order secure design with a non-specific t-test and use simulation to validate the fault resistance.
Christof Beierle, Alex Biryukov, Aleksei Udovenko
ePrint Report
A set $S \subseteq \mathbb{F}_2^n$ is called degree-$d$ zero-sum if the sum $\sum_{s \in S} f(s)$ vanishes for all $n$-bit Boolean functions of algebraic degree at most $d$. Those sets correspond to the supports of the $n$-bit Boolean functions of degree at most $n-d-1$. We prove some results on the existence of degree-$d$ zero-sum sets of full rank, i.e., those that contain $n$ linearly independent elements, and show relations to degree-1 annihilator spaces of Boolean functions and semi-orthogonal matrices. We are particularly interested in the smallest of such sets and prove bounds on the minimum number of elements in a degree-$d$ zero-sum set of rank $n$.

The motivation for studying those objects comes from the fact that degree-$d$ zero-sum sets of full rank can be used to build linear mappings that preserve special kinds of \emph{nonlinear invariants}, similar to those obtained from orthogonal matrices and exploited by Todo, Leander and Sasaki for breaking the block ciphers Midori, Scream and iScream.
Gembu Ito, Akinori Hosoyamada, Ryutaroh Matsumoto, Yu Sasaki, Tetsu Iwata
ePrint Report
Seminal results by Luby and Rackoff show that the 3-round Feistel cipher is secure against chosen-plaintext attacks (CPAs), and the 4-round version is secure against chosen-ciphertext attacks (CCAs). However, the security significantly changes when we consider attacks in the quantum setting, where the adversary can make superposition queries. By using Simon's algorithm that detects a secret cycle-period in polynomial-time, Kuwakado and Morii showed that the 3-round version is insecure against quantum CPA by presenting a polynomial-time distinguisher. Since then, Simon's algorithm has been heavily used against various symmetric-key constructions. However, its applications are still not fully explored.

In this paper, based on Simon's algorithm, we first formalize a sufficient condition of a quantum distinguisher against block ciphers so that it works even if there are multiple collisions other than the real period. This distinguisher is similar to the one proposed by Santoli and Schaffner, and it does not recover the period. Instead, we focus on the dimension of the space obtained from Simon's quantum circuit. This eliminates the need to evaluate the probability of collisions, which was needed in the work by Kaplan et al. at CRYPTO 2016. Based on this, we continue the investigation of the security of Feistel ciphers in the quantum setting. We show a quantum CCA distinguisher against the 4-round Feistel cipher. This extends the result of Kuwakado and Morii by one round, and follows the intuition of the result by Luby and Rackoff where the CCA setting can extend the number of rounds by one. We also consider more practical cases where the round functions are composed of a public function and XORing the subkeys. We show the results of both distinguishing and key recovery attacks against these constructions.
Nicolas Aragon, Olivier Blazy, Philippe Gaborit, Adrien Hauteville, Gilles Zémor
ePrint Report
We describe a variation of the Schnorr-Lyubashevsky approach to devising signature schemes that is adapted to rank based cryptography. This new approach enables us to obtain a randomization of the signature, which previously seemed difficult to derive for code-based cryptography. We provide a detailed analysis of attacks and an EUF-CMA proof for our scheme. Our scheme relies on the security of the Ideal Rank Support Learning and the Ideal Rank Syndrome problems and a newly introduced problem: Product Spaces Subspaces Indistinguishability, for which we give a detailed analysis. Overall the parameters we propose are efficient and comparable in terms of signature size to the Dilithium lattice-based scheme, with a signature size of less than 4kB for a public key of size less than 20kB.

17 December 2018

Submissions due Feb 13
CRYPTO
The website for Crypto 2019 is now live at crypto.iacr.org/2019. The call for papers can be found at crypto.iacr.org/2019/callforpapers.html.

The conference will take place in Santa Barbara, USA on August 18-22, 2019.

12 December 2018

Gaithersburg, Maryland, USA, 4 November - 6 November 2019
Event Calendar
Event date: 4 November to 6 November 2019
University of Warwick, UK
Job Posting
The Department of Computer Science at the University of Warwick is seeking to recruit an assistant professor in the broad areas of systems and security. Preferably the candidate should have expertise in at least one of the following: system security, applied cryptography, computational science and engineering, real-time and embedded systems. Candidates with interest and a track record in solving real-world problems and/or experience of working with industry are particularly encouraged to apply.

The Department is one of the UK’s most prominent and research-active Computer Science departments, and is an international leader in research and teaching. Ranked 2nd in the most recent Research Excellence Framework out of all UK departments in the CS subject, and ranked top in the 2018 National Student Survey within the Russell Group of research intensive UK universities, the Department is 3rd in the Times and Sunday Times Good University Guide 2019 league table for Computer Science.

Closing date for applications: 10 January 2019

Contact: Informal enquiries can be addressed to Professor Ranko Lazic (R.S.Lazic (at) warwick.ac.uk), Professor Stephen Jarvis (Stephen.Jarvis (at) warwick.ac.uk), or Professor Feng Hao (Feng.Hao (at) warwick.ac.uk).

More information: https://atsv7.wcn.co.uk/search_engine/jobs.cgi?owner=5062452&ownertype=fair&jcode=1786691&vt_template=1457&adminview=1

University of Connecticut
Job Posting
The Computer Science & Engineering (CSE) Department at the University of Connecticut invites applications for the Synchrony-Financial Endowed Chair in Cybersecurity, a tenure-track faculty position at the associate or full professor level. The position has an expected start date of August 23, 2019. This position seeks to advance education and research in Computer Science with a particular emphasis in Cybersecurity or related specialties.

The successful candidate will be expected to develop and sustain an internationally-recognized and externally-funded research program in at least one established or emerging cybersecurity field. The position offers the successful candidate the Synchrony Financial Chair for Cybersecurity, an endowed chair in cybersecurity. The individual appointed to the Chair will be a nationally or internationally recognized researcher, scholar, and teacher, and will have made significant contributions to security fields.

The successful candidate must also share a deep commitment to effective instruction at the undergraduate and graduate levels, development of innovative courses and mentoring of students in research, outreach, and professional development. It is the expectation that the candidate will broaden participation among members of under-represented groups; demonstrate through their teaching, research, and/or public engagement the richness of diversity in the learning experience; integrate multicultural experiences into instructional methods and research tools; and provide leadership in developing pedagogical techniques designed to meet the needs of diverse learning styles and intellectual interests.

This is a full-time, 9-month, tenure track position. Employment is conditional upon the timely completion of an approved I-9 (Employment Eligibility Verification Form). Salary and rank will be commensurate with qualifications.

Closing date for applications: 21 March 2019

More information: https://academicjobsonline.org/ajo/jobs/12084

University of York, UK
Job Posting
Applications are open for a PhD studentship looking at Post-Quantum Cryptography.

Research supervision

If successful, you will conduct your research under the supervision of the Chair of Cyber Security Professor Delaram Kahrobaei: https://sites.google.com/a/nyu.edu/delaram-kahrobaei/ at University of York.

Award funding

If successful, you will be supported for three years. Funding includes:

• £14,777 (2018/19 rate) per year stipend

• UK/EU tuition fees

• RTSG (training/consumables/travel) provision

Funding requirements

To be considered for this funding you must:

• meet the entrance requirements for a PhD in Computer Science

• be eligible to pay UK/EU fees

We will look favourably on applicants that can demonstrate knowledge of cryptography, algebra, quantum computation, and who have strong programming and mathematical skills.

Apply for this studentship

1. Apply to study

• You must apply online for a full-time PhD in Computer Science.

• You must quote the project title (Post-Quantum Cryptography Studentship) in your application.

• There is no need to write a full formal research proposal (2,000-3,000 words) in your application to study as this studentship is for a specific project.

2. Provide a personal statement. As part of your application please provide a personal statement of 500-1,000 words with your initial thoughts on the research topic.

Interviews are expected to take place within approximately 14 days of the closing date.

The studentship must begin as soon as possible.

Closing date for applications: 7 January 2019

Contact: Project enquiries

Professor Delaram Kahrobaei, Chair of Cyber Security (delaram.kahrobaei (at) york.ac.uk):

https://sites.google.com/a/nyu.edu/delaram-kahrobaei/

Application enquiries

cs-pg-admissions (at) york.ac.uk

More information: https://www.cs.york.ac.uk/postgraduate/research-degrees/phdstudentships/

University of Bristol, UK
Job Posting
The University of Bristol’s Department of Computer Science is seeking to recruit up to two faculty members at the Lecturer, Senior Lecturer, or Reader level in the field of Cryptography. These positions are similar to (tenured) Assistant/ Associate Professor positions in North America and are on full-time, open-ended contracts.

The University of Bristol is a UK Academic Centre of Excellence in Cyber Security Research. The successful candidates will be expected to play a major role in strengthening and growing cryptography research and teaching at Bristol.

Our current expertise spans much of cryptography with emphasis on protocol-level security and secure implementations of cryptography (in particular, side-channel resistance, compiler techniques and microarchitectural support). Academics with expertise in any area of cryptography are encouraged to apply, and we are particularly interested in those specialising in

• Symmetric-key cryptography

• Post-quantum cryptography

• High-assurance cryptography

Applicants with expertise that covers more than one of these areas and/or intersects with our existing strengths are also strongly encouraged.

The application should include:

• a cover letter

• your CV (including contact information for two references)

• a one-page Research Statement detailing your research plans and their impact on the research profile of the Department; and

• a one-page Teaching Statement detailing how you intend to contribute to teaching in the Department

The closing date to apply is 31st January 2019. Interviews are expected to take place in the first half of March 2019.

Closing date for applications: 31 January 2019

Contact: Bogdan Warinschi (Professor of Computer Science, Department of Computer Science, csxbw (at) bristol.ac.uk) or

Seth Bullock (Head of Department, Department of Computer Science, bullock (at) bristol.ac.uk)

More information: https://bit.do/eCPzo


11 December 2018

Auckland, New Zealand, 7 July - 12 July 2019
Event Calendar
Event date: 7 July to 12 July 2019
Submission deadline: 15 January 2019
Notification: 3 April 2019
Bogotá, Colombia, 5 June - 7 June 2019
Event Calendar
Event date: 5 June to 7 June 2019
Submission deadline: 30 March 2019
Notification: 30 April 2019
Darmstadt, Germany, 18 May - 19 May 2019
Event Calendar
Event date: 18 May to 19 May 2019
Submission deadline: 2 February 2019
Notification: 1 April 2019

10 December 2018

Rajendra Kumar, Nikhil Mittal, Shashank Singh
ePrint Report
In this paper, we present a cryptanalysis of round reduced Keccak-384 for 2 rounds. The best known preimage attack for this variant of Keccak has the time complexity $2^{129}$. In our analysis, we find a preimage in the time complexity of $2^{89}$ and almost the same memory is required.
Sanjit Chatterjee, Sayantan Mukherjee
ePrint Report
In a recent work, Katz et al. (CANS'17) generalized the notion of Broadcast Encryption to define Subset Predicate Encryption (SPE) that emulates \emph{subset containment} predicate in the encrypted domain. They proposed two selective secure constructions of SPE in the small universe settings. Their first construction is based on $q$-type assumption while the second one is based on DBDH. Both achieve constant size secret key while the ciphertext size depends on the size of the privileged set. They also showed some black-box transformation of SPE to well-known primitives like WIBE and ABE to establish the richness of the SPE structure.

This work investigates the question of large universe realization of SPE scheme based on static assumption without random oracle. We propose two constructions both of which achieve constant size secret key. First construction $\mathsf{SPE}_1$, instantiated in composite order bilinear groups, achieves constant size ciphertext and is proven secure in a restricted version of selective security model under the subgroup decision assumption (SDP). Our main construction $\mathsf{SPE}_2$ is adaptive secure in the prime order bilinear group under the symmetric external Diffie-Hellman assumption (SXDH). Thus $\mathsf{SPE}_2$ is the first large universe instantiation of SPE to achieve adaptive security without random oracle. Both our constructions have efficient decryption function suggesting their practical applicability. Thus the primitives like WIBE and ABE resulting through black-box transformation of our constructions become more practical.
Quang Do, Ben Martini, Kim-Kwang Raymond Choo
ePrint Report
Adversary models have been integral to the design of provably-secure cryptographic schemes or protocols. However, their use in other computer science research disciplines is relatively limited, particularly in the case of applied security research (e.g., mobile app and vulnerability studies). In this study, we conduct a survey of prominent adversary models used in the seminal field of cryptography, and more recent mobile and Internet of Things (IoT) research. Motivated by the findings from the cryptography survey, we propose a classification scheme for common app-based adversaries used in mobile security research, and classify key papers using the proposed scheme. Finally, we discuss recent work involving adversary models in the contemporary research field of IoT. We contribute recommendations to aid researchers working in applied (IoT) security based upon our findings from the mobile and cryptography literature. The key recommendation is for authors to clearly define adversary goals, assumptions and capabilities.
Dan Boneh, Benedikt Bünz, Ben Fisch
ePrint Report
We present batching techniques for cryptographic accumulators and vector commitments in groups of unknown order. Our techniques are tailored for decentralized settings where no trusted accumulator manager exists and updates to the accumulator are processed in batches. We develop techniques for non-interactively aggregating membership proofs that can be verified with a constant number of group operations. We also provide a constant sized batch non-membership proof for a large number of elements. These proofs can be used to build a positional vector commitment with constant sized openings and constant sized public parameters. As a core building block for our batching techniques we develop several succinct proofs for groups of unknown order. These include a proof that an exponentiation was done correctly and a zero-knowledge proof of knowledge of an integer discrete logarithm between two group elements. We use these new constructions to design a stateless blockchain, where nodes only need a constant storage. Further we show that our vector commitment can be used to significantly reduce the size of IOP instantiations, such as STARKs.