International Association
for Cryptologic Research

Printed Electronics (PE) has a rapidly growing market, thus, the counterfeiting/overbuilding of PE components is anticipated to grow. The common solution for the counterfeiting is Physical Unclonable Functions (PUFs). In PUFs, a unique fingerprint is extracted from (irreproducible) process variations in the production and used in the authentication of valid components. Many commonly used PUFs are electrical PUFs by leveraging the impact of process variations on electrical properties of devices, circuits and chips. Hence, they add overhead to the production which results in additional costs. While such costs may be negligible for many application domains targeted by silicon-based VLSI technologies, they are detrimental to the ultra-low-cost PE applications. In this paper, we propose an optical PUF (iPUF) extracting a fingerprint from the optically visible variation of printed inks in the PE components. Since iPUF does not require any additional circuitry, the PUF production cost consists of merely acquisition, processing and saving an image of the circuit components, matching the requirements of ultra-low-cost margin applications of PE. To further decrease the storage costs for iPUF, we utilize image downscaling resulting in a compression rate of 484x, while still preserving the reliability and uniqueness of the fingerprints. The proposed fingerprint extraction methodology is applied to four datasets for evaluation. The results show that the process variation of the optical shapes of printed inks is suitable as an optical PUF to prevent counterfeiting in PE.

Public key encryption with keyword search (PEKS) was proposed by Boneh et al. in 2004; it allows users to search encrypted keywords without losing data privacy. Although extensive studies have been conducted on this topic, only a few focus on the insider keyword guessing attack that will cause users to leak sensitive information. More specifically, after receiving the trapdoor from the user, the malicious insider (e.g. server) can randomly encrypt possible keywords using the user's public key. Then, the insider can test whether the trapdoor corresponds to the selected keyword. To solve the above issue, we introduce the notion of designated-ciphertext searchable encryption (DCSE) in this work. Then, we propose a generic construction that employs an anonymous identity-based encryption and key encapsulation mechanism. Additionally, we demonstrated that our work satisfies the indistinguishability under chosen-keyword attack (IND-CKA) and indistinguishability under insider keyword guessing attack (IND-IKGA) in the standard model. Moreover, we provide an instantiation from the NTRU lattices. Compared with other state-of-the-art schemes, our scheme is not only more efficient and practical, it also provides more robust security.

Isogenies on elliptic curves are of great interest in post-quantum cryptography and appeal to more and more researchers. Many protocols have been proposed such as OIDH, SIDH and CSIDH with their own advantages. We now focus on the CSIDH which based on the Montgomery curves in finite fields Fp with p=3 mod 8 whose endomorphism ring is O. We try to change the form of elliptic curves into y^2=x^3+Ax^2-x and the characteristic of the prime field into p=7 mod 8 , which induce the endomorphism ring becomes O_K. Moreover, many propositions，including the formula of isogenies between elliptic curves of the special form and the unique of the representation of Fp-isomorphism class, are given to illustrate the rationality of our idea. An important point to notice that the efficiency can't be reduced because the only difference between our formula of isogenies and that of CSIDH is the sign of some items. Furthermore, we also give a proposition that the protocol based on our case can avoid the collision proposed in [17].

In this paper we present a system for maintaining a membership list of users in a group, designed for use in the Signal Messenger secure messaging app. The goal is to support private groups where membership information is readily available to all group members but hidden from the service provider or anyone outside the group. In the proposed solution, a central server stores the group membership in the form of encrypted entries. Members of the group authenticate to the server in a way that reveals only that they correspond to some encrypted entry, then read and write the encrypted entries.

Authentication in our design uses a primitive called a keyed-verification anonymous credential (KVAC), and we construct a new KVAC scheme based on an algebraic MAC, instantiated in a group $\G$ of prime order. The benefit of the new KVAC is that attributes may be elements in $\G$, whereas previous schemes could only support attributes that were integers modulo the order of $\G$. This enables us to encrypt group data using an efficient Elgamal-like encryption scheme, and to prove in zero-knowledge that the encrypted data is certified by a credential. Because encryption, authentication, and the associated proofs of knowledge are all instantiated in $\G$ the system is efficient, even for large groups.

Event date: 29 June to 1 July 2020
Submission deadline: 18 February 2020
Notification: 23 March 2020

Competition funded PhD studentship at the University of York.

Working with Prof. Kahrobaei (the Director of York Interdisciplinary Centre for Cyber Security) and Prof. Wade (the Director of the Centre for Future Health).

Topic: Fully Homomorphic Encryption for Secure Processing of Sensitive Video Game Data by Artificial Intelligence Systems". Application deadline: January 31, 2020.

Fully Homomorphic Encryption (FHE) promises to revolutionise the way we deal with data. It enables researchers to analyze encrypted datasets and obtain useful outputs - safeguarding the privacy of the data providers and broadening the scope of available datasets at the same time. One of the most promising targets for FHE is video game telemetry - a form of data that has vast commercial and health-related potential but which is often hard to share because of issues relating to privacy, security and consent.

This competitively funded PhD studentship is advertised under the IGGI programme (http://www.iggi.org.uk/) - the largest doctoral training programme in advanced video game technology in the world. The student would focus on the theoretical and practical issues involved in implementing a fast and secure next-generation FHE analysis framework based on recent work from PI Delaram Kahrobaei (https://www.cs.york.ac.uk/research/cyber-security/people/). We will iterate development using test datasets from video games in close collaboration with our partners in the video game industry and focus on the secure, private extraction of data relating to worldwide cognitive health.

The student would engage with a full set of the training opportunities presented under the IGGI programme and would gain a broad understanding of the entire video game ecosystem - including design, analytics and applications. In addition, the work would require a deep understanding of the maths and computer science underlying FHE and the student would be supervised by world experts in the fields of both cryptography (PI Kahrobaei) and cognitive neuroscience and game analytics (PI Wade).

We expect candidate to have excellent mathematical skills and some experience in programming.

Closing date for applications:

Contact: Project enquiries: Professor Delaram Kahrobaei (delaram.kahrobaei@york.ac.uk) Professor Alex Wade (alex.wade@york.ac.uk) Application enquiries: apply@iggi.org.uk

More information: http://iggi.org.uk/apply

Project/Job description

Cryptology forms the backbone of modern digital security. While in theory it is known how to make secure cryptosystems that are asymptotically secure, a considerable gap with practice is demonstrated time and again by breaks of practical, implemented cryptosystems, deployed as part of a larger security ecosystem. The project “concrete cryptology” aims to provide concrete and meaningful security guarantees from low-level implementation to high-level deployment.

The postdoc will have considerable freedom in selecting specific problems to work on within the larger scope of the project. One focus is the effect that side-channel attacks that do not result in full key recovery have on security, including provable security, higher up the chain. Another focus is the effect that large-scale deployment deviating from some abstract ideal has.

Candidate Profile

We are looking for interested candidates who have completed, or are about to complete, a PhD degree in cryptology or a suitably related relevant field. We expect an excellent academic track record and will be looking for publications in the relevant venues. Previous experience with the analysis of practical implementations or deployed cryptosystems is an advantage, but a lack of such experience may be compensated for by a demonstrated ability to learn advanced topics in related areas. We are looking for a curious and creative mind.

Closing date for applications:

Contact: Martijn Stam

More information: https://www.simula.no/about/job/call-post-doctoral-fellow-concrete-cryptography

Closing Date: Sunday 5 January 2020 The Department of Computer Science at the University of Surrey, is looking for new faculty members at all academic career levels. I would appreciate your assistance in directing the information to truly outstanding candidates who might be interested in moving to Surrey. We are looking for people in the following areas: machine learning, distributed systems, cloud computing, programming-languages principles, robotics, and the intersection of security and AI, as well as the established areas of cyber security and AI research within the Department. The posts also provide an opportunity to expand our research in new directions including Dev Ops and human factors. The Department has an ambitious growth strategy and very strong student numbers. We are looking to attract talented individuals who will inspire, lead, and make a significant impact in their research and to student experience. The Department is part of a School with the Department of Electrical and Electronic Engineering. The post also provides opportunities to create links with the research centres across the School and the wider University. With respect to the senior positions there is an opportunity for some of the lecturer/senior lecturer posts to support those appointments. We encourage candidates seeking senior positions to engage in discussions with the Department on their vision for leading research. The senior posts will also provide leadership in the Department.

Closing date for applications:

Contact: Professor Helen Treharne Head of Computer Science Department h.treharne@surrey.ac.uk

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=091419

Event date: 3 August to 7 August 2020
Submission deadline: 17 February 2020
Notification: 4 May 2020

In this paper, we propose a new method to launch a more efficient algebraic cryptanalysis. Algebraic cryptanalysis aims at finding the secret key of a cipher by solving a collection of polynomial equations that describe the internal structure of the cipher, while chosen correlated plaintexts, as what appear in higher order differential cryptanalysis and its derivatives such as cube attack or integral cryptanalysis, forces many linear relation between intermediate state bits in the cipher. In this paper, we take these polynomial relations into account, so it become possible to simplify the equation system arising from algebraic cryptanalysis, and consequently solve the polynomial system more efficiently. We take advantage of Universal Proning technique to provide an efficient method to recover such linear polynomials. Another important parameter in algebraic cryptanalysis of ciphers is to effectively describe the cipher. We employ FWBW representation of S-boxes together with Universal Proning to help provide a more powerful algebraic cryptanalysis based on Gröbner-basis computation. We show our method is more efficient than doing algebraic cryptanalysis with MQ representation, and also than employing MQ together with Universal Proning. To show the effectiveness of our approach, we applied it for the cryptanalysis of several light weight block ciphers. A by-product of employing this approach is that we have achieved such an efficiency to algebraic cryptanalyse 12-round LBlock, 6-round MIBS, 7-round PRESENT and 9-round SKINNY light-weight block ciphers, so far.

In this article we put forward an encryption mechanism that dwells on the problem of identifying the correct subset of primes from a known set. By utilizing our specially constructed public key when computing the ciphertext equation, the decryption mechanism can correctly output the shared secret parameter. The scheme has short key length, no decryption failure issues, plaintext-to-ciphertext expansion of one-to-two as well as uses \simple" mathematics in order to achieve maximum simplicity in design, such that even practitioners with limited mathematical background will be able to understand the arithmetic. Due to in-existence of efficient algorithms running upon a quantum computer to obtain the roots of our ciphertext equation and also to retrieve the private key from the public key, our encryption mechanism can be a probable candidate for seamless post quantum drop-in replacement for current traditional asymmetric schemes.

Authenticity can be compromised by information leaked via side-channels (e.g., power consumption). Examples of attacks include direct key recoveries and attacks against the tag verification which may lead to forgeries. At FSE 2018, Berti et al. described two authenticated encryption schemes which provide authenticity assuming a “leak-free implementation” of a Tweakable Block Cipher (TBC). Precisely, security is guaranteed even if all the intermediate computations of the target implementation are leaked in full but the TBC long-term key. Yet, while a leak-free implementation reasonably models strongly protected implementations of a TBC, it remains an idealized physical assumption that may be too demanding in many cases, in particular, if hardware engineers mitigate the leakage to a good extent but (due to performance constraints) do not reach leak-freeness. In this paper, we get rid of this important limitation by introducing the notion of “Strong Unpredictability with Leakage” for BC's and TBC's. It captures the hardness for an adversary to provide a fresh and valid input/output pair for a (T)BC, even having oracle access to the (T)BC, its inverse and their leakages. This definition is game-based and may be verified/falsified by laboratories. Based on it, we then provide two Message Authentication Codes (MAC) which are secure if the (T)BC on which they rely are implemented in a way that maintains a sufficient unpredictability. Thus, we improve the theoretical foundations of leakage-resilient MAC and extend them towards engineering constraints that are easier to achieve in practice.

At ESORICS 2017, Buldas et al. proposed an efficient (software only) server supported signature scheme, geared to mobile devices, termed Smart-ID. A major component of their design is a clone detection mechanism, which allows a server to detect the existence of clones of a client's private key share. We point out a flaw in this mechanism. We show that, under a realistic race condition, an attacker which holds a password camouflaged private share can lunch an online dictionary attack such that (i)if all its password guesses are wrong, it is very likely that the attack will not be detected, and (ii) if one of its guesses is correct, it can generate signatures on messages of its choice, and the attack will \emph{not} be detected. We propose an improvement of Smart-ID to thwart the attack we present.

Gaussian sampling over the integers is a crucial tool in lattice-based cryptography, but has proven over the recent years to be surprisingly challenging to perform in a generic, efficient and provable secure manner. In this work, we present a modular framework for generating discrete Gaussians with arbitrary center and standard deviation. Our framework is extremely simple, and it is precisely this simplicity that allowed us to make it easy to implement, provably secure, portable, efficient, and provably resistant against timing attacks. Our sampler is a good candidate for any trapdoor sampling and it is actually the one that has been recently implemented in the Falcon signature scheme. Our second contribution aims at systematizing the detection of implementation errors in Gaussian samplers. We provide a statistical testing suite for discrete Gaussians called SAGA (Statistically Acceptable GAussian). In a nutshell, our two contributions take a step towards trustable and robust Gaussian sampling real-world implementations.

The Montgomery ladder has a conditional statement. Existing constant time implementations of the Montgomery ladder are based on constant time conditional swaps or conditional selection of field elements. Implementations of the underlying field arithmetic require a multi-limb representation of the field elements. So, a swap or a selection of two field elements require a number of data movement operations which is proportional to the number of limbs. In this work, we introduce a new method for constant time implementation of the conditional statement. Our method does not require any swap or selection of field elements. Further, the number of involved data movement operations in our method is independent of the size of the underlying field. This leads to substantial savings in the number of data movement operations required for Montgomery ladder computation. We have implemented the new idea using 64-bit arithmetic for Curve25519 and Curve448, two elliptic curves which have been proposed in the Transport Layer Security, Version 1.3. Timing measurements on the Skylake and the Kaby Lake processors of Intel show that for Curve25519 about $11\%$ and for Curve448 about $13\%$ speed-ups are achieved.

In cloud-based outsourced storage systems, many users wish to securely store their files for later retrieval, and additionally to share them with other users. These retrieving users may not be online at the point of the file upload, and in fact they may never come online at all. In this asynchoronous environment, key transport appears to be at odds with any demands for forward secrecy. Recently, Boyd et al. (ISC 2018) presented a protocol that allows an initiator to use a modified key encapsulation primitive, denoted a blinded KEM (BKEM), to transport a file encryption key to potentially many recipients via the (untrusted) storage server, in a way that gives some guarantees of forward secrecy. Until now all known constructions of BKEMs are built using RSA and DDH, and thus are only secure in the classical setting. We further the understanding of secure key transport protocols in two aspects. First, we show how to generically build blinded KEMs from homomorphic encryption schemes with certain prop- erties. Second, we construct the first post-quantum secure blinded KEMs, and the security of our constructions are based on hard lattice problems.

A bent function is a Boolean function in even number of variables which is on the maximal Hamming distance from the set of affine Boolean functions. It is called self-dual if it coincides with its dual. It is called anti-self-dual if it is equal to the negation of its dual. A mapping of the set of all Boolean functions in n variables to itself is said to be isometric if it preserves the Hamming distance. In this paper we study isometric mappings which preserve self-duality and anti-self-duality of a Boolean bent function. The complete characterization of these mappings is obtained for n>2. Based on this result, the set of isometric mappings which preserve the Rayleigh quotient of the Sylvester Hadamard matrix, is characterized. The Rayleigh quotient measures the Hamming distnace between bent function and its dual, so as a corollary, all isometric mappings which preserve bentness and the Hamming distance between bent function and its dual are described.

If I commission a long computation, how can I check that the result is correct without re-doing the computation myself? This is the question that efficient verifiable computation deals with. In this work, we address the issue of verifying the computation as it unfolds. That is, at any intermediate point in the computation, I would like to see a proof that the current state is correct. Ideally, these proofs should be short, non-interactive, and easy to verify. In addition, the proof at each step should be generated efficiently by updating the previous proof, without recomputing the entire proof from scratch. This notion, known as incrementally verifiable computation, was introduced by Valiant [TCC 08] about a decade ago. Existing solutions follow the approach of recursive proof composition and can be based on strong and non-falsifiable cryptographic assumptions (so-called ``knowledge assumptions'').

In this work, we present a new framework for constructing incrementally verifiable computation schemes in both the publicly verifiable and designated-verifier settings. Our designated-verifier scheme is based on somewhat homomorphic encryption (which can be based on Learning with Errors) and our publicly verifiable scheme is based on the notion of zero-testable homomorphic encryption, which can be constructed from ideal multi-linear maps [Paneth and Rothblum, TCC 17].

Our framework is anchored around the new notion of a probabilistically checkable proof (PCP) with incremental local updates. An incrementally updatable PCP proves the correctness of an ongoing computation, where after each computation step, the value of every symbol can be updated locally without reading any other symbol. This update results in a new PCP for the correctness of the next step in the computation. Our primary technical contribution is constructing such an incrementally updatable PCP. We show how to combine updatable PCPs with recently suggested (ordinary) verifiable computation to obtain our results.

Most electronic voting systems today satisfy the basic requirements of privacy, unreusability, eligibility and fairness in a natural and rather straightforward way. However, receipt-freeness, incoercibility and universal verifiability are much harder to implement and in many cases they require a large amount of computation and communication overhead. In this work, we propose a blockchain-based voting system which achieves all the properties expected from secure elections without requiring too much from the voter. Coercion resistance and receipt-freeness are ensured by means of a randomizer token -- a tamper-resistance source of randomness which acts as a black box in constructing the ballot for the user. Universal verifiability is ensured by the append-only structure of the blockchain, thus minimizing the trust placed in election authorities. Additionally, the system has linear overhead when tallying the votes, hence it is scalable and practical for large scale elections.

White-box cryptography was first introduced by Chow et al. in $2002$ as a software technique for implementing cryptographic algorithms in a secure way that protects secret keys in an untrusted environment. Ever since, Chow et al.'s design has been subject to the well-known Differential Computation Analysis (DCA). To resist DCA, a natural approach that white-box designers investigated is to apply the common side-channel countermeasures such as masking. In this paper, we suggest applying the well-studied leakage detection methods to assess the security of masked white-box implementations. Then, we extend some well-known side-channel attacks (i.e. the bucketing computational analysis, the mutual information analysis, and the collision attack) to the higher-order case to defeat higher-order masked white-box implementations. To illustrate the effectiveness of these attacks, we perform a practical evaluation against a first-order masked white-box implementation. The obtained results have demonstrated the practicability of these attacks in a real-world scenario.