International Association
for Cryptologic Research

In this paper,we investigate the security of binary secret LearningWithError (LWE). To do so, we improve the classical dual lattice attack. More precisely, we use the dual attack on a projected sublattice, which allows to generate instances of the LWE problem with a slightly bigger noise that correspond to a fraction of the secret key. Then, we search for the fraction of the secret key by computing the corresponding noise for each candidate using the constructed LWE samples. As secrets are binary vectors, we can perform the search step very efficiently by exploiting the re- cursive structure of the search space. This approach offers a trade-off between the cost of lattice reduction and the complexity of the search part which allows to speed up the attack. As an ap- plication we revisit the security estimates of the Fast Fully Homomorphic Encryption scheme over the Torus (TFHE) which is one of the fastest homomorphic encryption schemes based on the LWE problem. We provide an estimate of the complexity of our method for various parameters under three different cost models for lattice reduction and show that security level of the TFHE scheme should be re-evaluated according to the proposed improvement. Our estimates show that the cur- rent security level of the TFHE scheme should be reduced by 10 bits for the parameters proposed in the latest version of the scheme and by 7 bits for the recent update of the parameters that are used in the implementation, available online.

The typical battery supported IoT computing node has progressed in recent years from an 8-bit processor with limited memory resources, to a 32-bit processor with ample amounts of ROM and RAM. This is a game-changer for developers who no longer need to struggle with assembly language programming, but rather can bring to bear all of the tools of modern software engineering, including high level language compilers. At the same time curve based cryptography has matured to the extent that efficient curves and algorithms are now well known. However the dynamics of academic research are such that execution speed, mandating continued use of assembly language, trumps all other considerations. In this paper we report on the performance that can be expected from simple portable high-level language implementations across a wide range of contemporary architectures.

The concept of a self-tallying election (STE) scheme was first introduced by Kiayias et al and captures electronic voting schemes in which the tallying authorities are the voters of the election themselves. This type of electronic voting is particularly compatible with and suitable for (but not only) Blockchain governance, where governance is expected to be maintained in a fully distributed manner. In this work, we formalize the requirements for secure STE schemes in the Universal Composability (UC) framework. Our model captures the standard voting properties of eligibility, fairness, vote-privacy, and one voter-one vote. We present E-cclesia, a new family of STE schemes, and prove that it securely UC-realizes the STE functionality. We propose a first concrete instantiation of E-cclesia using RSA accumulators in combination with a Bitcoin-based time-lock encryption scheme. To this end, we provide en passant the first UC treatment of dynamic accumulators in the public setting as well as time lock encryption (TLE) schemes, and prove the equivalence of our UC definitions to the standard property-based accumulator definitions.

RC4 stream cipher uses two simple operations, swap for state evolution and double indirection for producing the key-stream output byte. The non-randomness produced by these RC4 operations are well known now. However, still there are many important cryptanalytic issues that remain open in RC4. In this paper we first prove the biases presented by Fluhrer and McGrew (FSE 2000) two decades ago. It is surprising that though the biases have been published long back, and there are many applications of them in cryptanalysis till recent days, the proof of the results have not been considered in a disciplined manner. In this paper, we complete that task and also show that any such bias immediately provides a glimpse of hidden variables in RC4. Further, we take up the biases of two non-consecutive key-stream bytes skipping one byte in between. We show the incompleteness of such a result presented by SenGupta et al (JoC, 2013) and produce novel results in this direction related to key-stream bytes and glimpses. Similarly, we show certain missed observation in the famous Glimpse theorem presented by Jenkins in 1996. Our results point out how biases of RC4 key-stream and the Glimpses of the RC4 hidden variables are related. It is evident from our results that the biases and glimpses are everywhere in RC4 and it needs further investigation. The new glimpses and biases that we identify in this paper can be exploited in improving practical attacks in the protocols that use RC4.

Today’s world is organized based on merit and value. A single global currency that’s decentralized is needed for a global economy. Bitcoin is a partial solution to this need, however it suffers from scalability problems which prevent it from being mass-adopted. Also, the deflationary nature of bitcoin motivates people to hoard and speculate on them instead of using them for day to day transactions. We propose a scalable, decentralized cryptocurrency that is based on Proof of Work. The solution involves having parallel chains in a closed network using a mechanism which rewards miners proportional to their effort in maintaining the network. The proposed design introduces a novel approach for solving scalability problem in blockchain network based on merged mining.

The QC-MDPC code-based KEM BIKE is one of the Round-2 candidates of the NIST PQC standardization project. Its specification document describes a version that is claimed to have IND-CCA security. The security proof uses the Fujisaki-Okamoto transformation and a de-coder that targeted a Decoding Failure Rate (DFR) of 2^{-128} (for Level-1 security). However, there are several aspects that need to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of 2^{-128} does not necessarily imply that the underlying PKE is \delta correct with \delta=2^{-128}, as required.

In this paper, we handle the necessary aspects in the definitions of the KEM to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of a message-agnostic PKE for which decryption failures are independent of the encrypted message. We show that all the PKE underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.

In the recent trend of CAESAR competition and NIST light-weight competition, cryptographic community have witnessed the submissions of several cryptographic schemes that are build on public random permutations. Recently, in CRYPTO 2019, Chen et al. have initiated an interesting research direction in designing beyond birthday bound PRFs from public random permutations and they proposed two instances of such PRFs. In this work, we extend this research direction by proposing a nonce-based MAC build from public random permutations. We show that our proposed MAC achieves $2n/3$ bit security (with respect to the state size of the permutation) and the bound is essentially tight. Moreover, the security of the MAC degrades gracefully with the repetition of the nonce.

Side-channel leakage detection methods based on statistical tests, such as t-test or chi^2-test, provide high confidence in the presence of leakage with a large number of traces. However, practical limitations on testing time and equipment may set an upper-bound on the number of traces available, turning the number of traces into a limiting factor in side-channel leakage detection. We describe a statistical technique, based on statistical bootstrapping, that significantly improves the effectiveness of leakage detection using a limited set of traces. Bootstrapping generates additional sample sets from an initial set by assuming that it is representative of the entire population. The additional sample sets are then used to conduct additional leakage detection tests, and we show how to combine the results of these tests. The proposed technique, applied to side-channel leakage detection, can significantly reduce the number of traces required to detect leakage by one, or more orders of magnitude. Furthermore, for an existing measured sample set, the method can significantly increase the confidence of existing leakage hypotheses over a traditional (non-bootstrap) leakage detection test. This paper introduces the bootstrapping technique for leakage detection, applies it to three practical cases, and describes techniques for its efficient computation.

The existence of some structure in a code can lead to the decrease of security of the whole system built on it. Often subcodes are used to ``disguise'' the code as a ``general-looking'' one. However, the security of subcodes, whose Hadamard square is equal to the square of the base code, is reduced to the security of this code, i.e. this condition is undesirable. The paper finds the limiting conditions on the number of vectors of degree $ r $ removing of which retains this weakness for Reed--Muller subcodes and, accordingly, conditions for it to vanish. For $ r = 2 $ the exact structure of all resistant subcodes was found. For an arbitrary code $ RM(r, m) $, the desired number was estimated from both sides. Finally, the ratio of subcodes, whose Hadamard square is not equal to the square of the original code, was proven to tend to zero if additional conditions on the codimension of the subcode and the parameter $ r $ are imposed and $ m \rightarrow \infty $. Thus, the implementation of checks proposed in the paper helps to immediately filter out some insecure subcodes.

Cryptographic implementations deployed in real world devices often aim at (provable) security against the powerful class of side-channel attacks while keeping reasonable performances. Last year at Asiacrypt, a new formal verification tool named tightPROVE was put forward to exactly determine whether a masked implementation is secure in the well-deployed probing security model for any given security order t. Also recently, a compiler named Usuba was proposed to automatically generate bitsliced implementations of cryptographic primitives. This paper goes one step further in the security and performances achievements with a new automatic tool named Tornado. In a nutshell, from the high-level description of a cryptographic primitive, Tornado produces a functionally equivalent bitsliced masked implementation at any desired order proven secure in the probing model, but additionally in the so-called register probing model which much better fits the reality of software implementations. This framework is obtained by the integration of Usuba with tightPROVE+, which extends tightPROVE with the ability to verify the security of implementations in the register probing model and to fix them with inserting refresh gadgets at carefully chosen locations accordingly. We demonstrate Tornado on the lightweight cryptographic primitives selected to the second round of the NIST competition and which somehow claimed to be masking friendly. It advantageously displays performances of the resulting masked implementations for several masking orders and proves their security in the register probing model.

EUROCRYPT 2020 is the 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques and one of the three general conferences of the International Association for Cryptologic Research (IACR).

Due to the current novel coronavirus outbreak, EUROCRYPT 2020 has been converted into an all-digital event, which will be taking place online during 11-15 May 2020.

Registration. The registration site (https://eurocrypt.iacr.org/2020/registration.php) for EUROCRYPT 2020 virtual attendance is now open. There will be no cost for virtual attendance itself but you have to register. If you have not already paid your IACR membership fee (USD 50 for regular members or USD 25 for student members) by attending a previous IACR event in 2020, you will need to pay that fee as part of registering for EUROCRYPT 2020.

Program. The program for EUROCRYPT 2020 is already available online (https://eurocrypt.iacr.org/2020/program.php). Sessions will be conducted as panel discussions in which authors give a very brief overview (5 minutes) of their papers, and then take live questions from the panel moderators and audience. There will also be links to papers and videos of longer talks by authors on their papers.

More details about virtual participation can be found here: https://eurocrypt.iacr.org/2020/participation.php

Event date: 20 June to 21 June 2020
Submission deadline: 28 May 2020

Event date: 5 May 2020

Status is building a communications tool with extreme security, coercion resistance and privacy in mind. As a protocol engineer in the Vac team, you will help us research and develop new and existing technologies in secure messaging.

Closing date for applications:

Contact: Ceri Power CA29 FB53 97E3 0232 106A  2DE6 9F07 1B10 A0D1 12EB

More information: https://grnh.se/c967211f1us

One funded PhD position (International/EU/UK) in hardware security with attractive travel grant for attending conferences.

Closing date: 8th May

We expect the PhD candidate to have a strong background in programming, digital circuit design, hardware/software implementation of algorithms, etc.

For more information on 'Why PhD with us?' see my website. https://www.cs.bham.ac.uk/~sinharos/

The PhD will be working with Dr. Sujoy Sinha Roy and will be based at the Security and Privacy group of the University of Birmingham's School of Computer Science. The National Cyber Security Centre (NCSC) and the Engineering and Physical Sciences Research Council (EPSRC) jointly recognise the research group as an Academic Centre of Excellence in Cyber Security Research (ACE-CSR).

If you are interested in the PhD position, please contact Dr. Sujoy Sinha Roy with a CV. For more information, please visit https://www.cs.bham.ac.uk/~sinharos/

Closing date for applications:

Contact: Dr. Sujoy Sinha Roy

BED: BOTNET ECONOMIC DISRUPTION VIA DARK WEB MARKETPLACE INFILTRATION Every year, cyber-attacks result in costs of hundreds of billions of dollars worldwide. One of the core facilitators of attacks are botnets, which are networks of infected computing devices. This PhD project will investigate a novel interdisciplinary approach for defending against botnets. BED will utilize research from the fields of network security, business economics and law, along with specialized research in botnet monitoring. The goal of BED is to: -identify and infiltrate botnet marketplaces with an emphasis on the dark web, -model the business economy of botnets, -Analyze the influence of botnet-specific parameters to the economy model -propose a botnet economy disruption plan. The PhD candidate will join the growing AAU cyber-security network in Copenhagen and work together with an interdisciplinary group of experts. The candidate will be able to collaborate with leading security experts worldwide and present their findings in top conferences all over the world. Supervisors: Jens Myrup Pedersen, Emmanouil Vasilomanolakis and Morten Falch Workplace: Campus Copenhagen

Closing date for applications:

Contact: Emmanouil Vasilomanolakis

More information: https://www.stillinger.aau.dk/vis-stilling/?vacancy=1098638

The Department of Computer Science at the University of Surrey is looking for a new permanent faculty member at lecturer level. I would appreciate your assistance in bringing this to the attention of outstanding candidates who may be interested in moving to Surrey.

We seek to appoint a lecturer in one or more of the following areas: machine learning, cloud computing, programming-languages principles, and the intersection of security and AI, which are already areas of research within the Department. We are also interested in candidates who have experience in data science, edge networks, social computing and DevOps security, in order to expand our research in new directions.

The Department is renowned for its security and artificial intelligence research, with publications in leading venues in artificial intelligence (TNNLS, TEVC, CBY, TSP, Machine Learning, Neural Computation, Bioinformatics, IJCAI, AAMAS), programming languages (FASE, PODC), security (CCS, S&P, Esorics, Euro S&P, CSF, TDSC, TIFS ), cryptography (Crypto, Eurocrypt), cloud computing and networking (InfoCOM, Trans. Networking), and web & social computing (WWW, ICWSM, and Web Science)

Notably,

we are active within professional organisations, working groups and technical committees of several standardisation bodies, such the IEEE Computational Intelligence Society, ISO, IETF, LoRa Alliance, IEEE Standards WG, ETSI, W3C, and leading the IET WG on e-voting

we host major international conferences such as ESORICS, ACNS, WCCI and GECCO,

we are leading European collaborative research on TPMs

our research on Bio-inspired Swarm Robotics research has been reported by the BBC https://www.bbc.co.uk/programmes/p022brpj and TechXplore https://techxplore.com/news/2020-04-bio-inspired-algorithms-collaborative-behaviors-robot.html

we have worked with the UK Parliament on understanding digital citizen engagement

we have developed methodologies for Enabling Serverless Deployment of Large-Scale AI Workloads

We encourage ambitious post-docs and early career lecturers to apply.

Closing date for applications:

Contact: Professor Helen Treharne, Head of Department, (h.treharne@surrey.ac.uk)

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=020820

Contact tracing is one of the most important interventions to mitigate the spread of COVID-19/SARS-CoV-2. Smartphone-facilitated digital contact tracing may help to increase tracing capabilities as well as extend the coverage to those contacts one does not know in person. The emerging consensus is that a decentralized approach with local Bluetooth Low Energy (BLE) communication to detect contagion-relevant proximity, together with cryptographic protections, is necessary to guarantee the privacy of the users of such a system.

However, current decentralized protocols, including DP3T and the protocol by Canetti, Trachtenberg and Varia, do not sufficiently protect infected users from having their status revealed to their contacts, which may raise fear of stigmatization.

By taking a dual approach, we propose a new and practical solution with stronger privacy guarantees even against active adversaries. In particular, we solve the aforementioned problem with additional pseudorandom warning identities that are associated to the broadcasted public identity, but this association is only known to a non-colluding dedicated server, which does not learn to whom the public identity belongs. Then, only these anonymous warning identities are published.

Moreover, our solution allows warned contacts to prove that they have been in contact with infected users, an important feature in times of restricted testing capacities. Among other additional security measures, we detail how the use of secret sharing can prevent the unnecessary and potentially panic-inducing warning of contacts that have only been around the infected person for a very brief time period.

Multiple protocols implementing exciting cryptographic functionalities using blockchains such as time-lock encryption, one-time programs and fair multi-party computation assume the existence of a cryptographic primitive called extractable witness encryption. Unfortunately, there are no known efficient constructions (or even constructions based on any well studied assumptions) of extractable witness encryption. In this work, we propose a protocol that uses a blockchain itself to provide a functionality that is effectively the same as extractable witness encryption. By making small adjustments to the blockchain code, it is possible to easily implement applications that rely on extractable witness encryption and existed only as theoretical designs until now. There is also potential for new applications. As a key building block, our protocol uses a new and highly efficient batched dynamic proactive secret sharing scheme which may be of independent interest. We provide a proof-of-concept implementation of the extractable witness encryption construction and the underlying dynamic proactive secret sharing protocol.

We propose a new encoding algorithm for the simultaneous differential multidimensional scalar point multiplication algorithm $d$-MUL. Previous encoding algorithms are known to have major drawbacks in their efficient and secure implementation. Some of these drawbacks have been avoided in a recent paper in 2018 at a cost of losing the general functionality of the point multiplication algorithm. In this paper, we address these issues. Our new encoding algorithm takes the binary representations of scalars as input, and constructs a compact binary sequence and a permutation, which explicitly determines a regular sequence of group operations to be performed in $d$-MUL. Our algorithm simply slides windows of size two over the scalars and it is very efficient. As a result, while preserving the full generality of $d$-MUL, we successfully eliminate the recursive integer matrix computations in the originally proposed encoding algorithms. We also expect that our new encoding algorithm will make it easier to implement $d$-MUL in constant time. Our results can be seen as the efficient and full generalization of the one dimensional Montgomery ladder to arbitrary dimension.