International Association
for Cryptologic Research

We are looking for talented and motivated Post-Docs to work on the ERC AdG project PROCONTRA: Smart-Contract Protocols: Theory for Applications. The project is about theoretical and applied aspects of blockchain and smart contracts.

The ideal candidates should have a PhD degree in cryptography (or related field) from a leading university, and a proven record of publications in top cryptography/security/TCS venues.

We offer competitive salary and a budget for conference travel and research visit.

The project is expected to start on Sep 1, 2020. There is no specific deadline for this call, but we will start looking at the applications from Jun 15th, 2020. Please apply using the link provided below.

Closing date for applications:

Contact: Stefan Dziembowski

More information: https://www.crypto.edu.pl/positions

We are looking for talented and motivated PhD students to work on the ERC AdG project PROCONTRA: Smart-Contract Protocols: Theory for Applications. The project is about theoretical and applied aspects of blockchain and smart contracts. It is mostly focused on theory, but it has also some programming tasks.

The ideal candidates should have an MSc degree in computer science or mathematics from a leading university, and be familiar with the probability theory, computational complexity, algebra, and number theory. The knowledge of cryptography, information theory, and game theory is a significant plus, but is not a prerequisite. The candidates must be fluent in written and spoken English

The successful candidates will be enrolled to the PhD program at the University of Warsaw (Poland). The deadline for the application to this program is Jun 28, 2020, but please contact the project’s PI (Stefan Dziembowski) before applying there. Please do it by Jun 15, 2020 via the web-form available at the address provided below.

Starting date: Oct 1, 2020
Expected salary: around 5,000 PLN/month (net)
Duration: 4 years (negotiable)

Closing date for applications:

Contact: Stefan Dziembowski

More information: https://www.crypto.edu.pl/positions

TU Wien (Vienna University of Technology), TU Graz (Graz University of Technology), and JKU Linz (Johannes Kepler University), are recruiting up to 15 doctoral candidates with a negotiable starting date for the joint doctoral program on Logical Methods in Computer Science (LogiCS), funded by the Austrian Science Fund (FWF). Application deadline: June 12, 2020 RESEARCH AREAS At the moment we are particularly looking for candidates interested in the following areas: * Automated Software Verification * Description Logics * Epistemic logic in distributed computing * Explainable AI * Fixed-Parameter Algorithms and Complexity * Formal Verification of hybrid systems * Knowledge Representation and Reasoning * Model Checking * Modeling and analysis of digital integrated circuits * Networking and Communication Technology * Normative Reasoning * Ontology-based Data Access * Security and Privacy * Scheduling and logic programming * Study of the Interaction between rules from a knowledge base and rules arising from machine learning * Topology in distributed computing * Quantified Boolean Formulas POSITIONS AND FUNDING * We are looking for 15 very strong doctoral students. * The doctoral positions are fully funded for at least 3 years according to the funding scheme of the Austrian Science Fund (FWF). (This entails an employment contract for 30h\week, 39.000 EUR gross per year) * The location of the research post is Vienna, or Graz, Austria.

Closing date for applications:

Contact: Mihaela Rozman, Technische Universitat Wien, Favoritenstrasse 9-11, 1040 Wien

More information: https://logic-cs.at/phd/

Noroff University College seeks to appoint new academic staff in the area of Cyber Security. You will join a team of international staff with whom you will be expected to work in very close collaboration, in undertaking research in the area and engaging in the delivery and management of the newly launched Bachelor in Cyber Security. This degree has a shared common first year with the Digital Forensics and Applied Data Science Bachelors degrees within the Faculty. As such, evidence of prior teamwork and excellent communication skills are essential. Candidates should have a postgraduate qualification (preferably Ph.D) in Computer Science, Computer Security or a related field. The ability to teach a variety of subjects is essential, in particular a range of information security related subjects. Relevant skills and experience in the following areas are required for this post: ● Penetration testing practice and procedures - practical and research experience; ● A demonstrable technical skillset and experience relating to tools, techniques, methodologies, standards, and models for Computer Network Attack (CNO), Computer Network Defence (CND) and Computer Network Exploitation (CNE). ● Exposure to and willingness to teach one or more of the following specialist topics:  Penetration Testing  Web Security  Vulnerability Management  Exploit Development/Bug Hunting  Applied Cryptography  Information Security Principles  Incident Response and Management Compensation to commensurate with the candidate’s qualifications and relevant experience. Closing date for this application is 31 May 2020. We interview continuously and suitable candidates will be contacted to take part in the interview process. For full job description and application form, please visit our website on https://www.noroff.no/om/ledige-stillinger

Closing date for applications:

Contact: Ezanne van Niekerk - jobs@noroff.no '

More information: https://www.noroff.no/om/ledige-stillinger

We give a framework for relating the concrete security of a “reference” protocol (say, one appearing in an academic paper) to that of some derived, “real” protocol (say, appearing in a cryptographic standard). It is based on the indifferentiability framework of Maurer, Renner, and Holenstein (MRH), whose application has been exclusively focused upon non-interactive cryptographic primitives, e.g., hash functions and Feistel networks. Our extension of MRH is supported by a clearly defined execution model and two composition lemmata, all formalized in a modern pseudocode language. Together, these allow for precise statements about game-based security properties of cryptographic objects (interactive or not) at various levels of abstraction. As a real-world application, we design and prove tight security bounds for a potential TLS 1.3 extension that integrates the SPAKE2 password-authenticated key-exchange into the handshake.

We present a new methodology for building formally verified cryptographic libraries that are optimized for multiple architectures. In particular, we show how to write and verify generic crypto code in the F* programming language that exploits single-instruction multiple data (SIMD) parallelism. We show how this code can be compiled to platforms that supports vector instructions, including ARM Neon and Intel AVX, AVX2, and AVX512. We apply our methodology to obtain verified vectorized implementations on all these platforms for the Chacha20 encryption algorithm, the Poly1305 one-time MAC, and the SHA-2 and Blake2 families of hash algorithms.

A distinctive feature of our approach is that we aggressively share code and verification effort between scalar and vectorized code, between vectorized code for different platforms, and between implementations of different cryptographic primitives. By doing so, we significantly reduce the manual effort needed to add new implementations to our verified library. In this paper, we describe our methodology and verification results, evaluate the performance of our code, and describe its integration into the larger HACL⋆ crypto library. Our vectorized code has already been incorporated into several software projects, including the Firefox web browser.

At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an `all-in-one' differential cryptanalysis approach, which considers all the output differences effect under the same input difference.

Usually, the all-in-one differential cryptanalysis is more effective than that only uses one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr's work, we try to simulate the all-in-one differentials for such non-Markov ciphers through deep learning. As proof of works, we trained several distinguishing attacks following machine learning simulated all-in-one differential approach. We present 8-round differntial distinguishers for Gimli-Hash and Gimli-Cipher, each with trivial complexity. Finally, we explore more on choosing an efficient machine learning model and show a three layer neural network can be used.

We present a methodology for finding minimal number of output shares in $d + 1$ TI by modeling the sharing as set covering problem and using different discrete optimization techniques to find solutions. We demonstrate the results of our technique by providing optimal or near-optimal sharings of several classes of Boolean functions of any degree up to 8 variables, for first and second order TI. These solutions present new lower bounds for the total number of shares for these types of functions

Zero-knowledge proofs of satisfiability of linear equations over a group are often used as a building block of more complex protocols. In particular, in an asymmetric bilinear group we often have two commitments in different sides of the pairing, and we want to prove that they open to the same value. This problem was tackled by González, Hevia and Ràfols (ASIACRYPT 2015), who presented an aggregated proof, in the QA-NIZK setting, consisting of only four group elements. In this work, we present a more efficient proof, which is based on the same assumptions and consists of three group elements. We argue that our construction is optimal in terms of proof size.

This paper tells the origin story of Rescue, a family of cryptographic algorithms in the Marvellous cryptoverse.

A cryptographic framework, called encryption switching protocol (ESP), has been proposed recently, which enables ciphertexts encrypted under \emph{different} schemes to be converted to the same scheme without revealing the plaintexts. This solves a major issue in privacy-preserving applications, in which users can now encrypt their data under different schemes and still be able to process their encrypted data together. In this paper, we propose an improvement to ESP. In particular, we consider the multi-exponentiation with encrypted bases argument ({\sf MEB}) protocol, which is not only the essential component and efficiency bottleneck of ESP, but also has tremendous potential in many applications and can be used to speed up many intricate cryptographic protocols, such as proof of knowledge of a double logarithm. Based on our analysis and experiments, our proposed {\sf MEB} protocol can reduce the communication cost by $36\%$ when compared to the original protocol and reduce the computation cost of the verifier by $20\% - 47\%$ depending on the settings of experimental parameters. This is particularly useful for verifiers with weak computing power. We also provide a formal security proof to confirm the security of the improved {\sf MEB} protocol.

Security and Scalability are two major challenges that IoT is currently facing. Access control to critical IoT infrastructure is considered as top security challenge that IoT faces. Data generated by IoT devices may be driving many hard real time systems, thus it is of utmost importance to guarantee integrity and authenticity of the data and resources at the first place itself. Due to heterogeneous and constrained nature of IoT devices, traditional IoT security frameworks are not able to deliver scalable, efficient and manageable mechanisms to meet the requirements of IoT devices. On the other hand Blockchain technology has shown great potential to bridge the missing gap towards building a truly decentralized, trustworthy, secure and scalable environment for IoT. Allowing access to IoT resources and data managed through Blockchain will provide an additional security layer backed by the strongest cryptographic algorithms available. In this work we present a reputation driven dynamic access control framework for small scale IoT applications based on Proof of Authority Blockchain, we name it as Rep-ACM. In RepACM framework we build two major services, one for Reputation building (for better IoT device behaviour regulations) and other for Misbehaviour detection (for detecting any Misbehaviour on object resource usage). Both of these services work in coordination with other services of proposed framework to determine who can access what and under what conditions access should be granted. For Proof of Concept (PoC) we created private Ethereum network consisting of two Raspberry Pi single board computers, one desktop computer and a laptop as nodes. We configured Ethereum protocol to use Istanbul Byzantine Fault Tolerance (IBFT) as Proof of Authority (PoA) consensus mechanism for performance optimization in constrained environment. We deployed our model on private network for feasibility and performance analysis.

With the ongoing developments in artificial intelligence (AI), big data, and cloud services, fully homomorphic encryption (FHE) is being considered as a solution for preserving the privacy and security in machine learning systems. Currently, the existing FHE schemes are constructed using lattice-based cryptography. In state-of-the-art algorithms, a huge amount of computational resources are required for homomorphic multiplications and the corresponding bootstrapping that is necessary to refresh the ciphertext for a larger number of operations. Therefore, it is necessary to discover a new innovative approach for FHE that can reduce the computational complexity for practical applications. In this paper, we propose a code-based homomorphic operation scheme. Linear codes are closed under the addition, however, achieving multiplicative homomorphic operations with linear codes has been impossible until now. We strive to solve this problem by proposing a fully homomorphic code scheme that can support both addition and multiplication simultaneously using the Reed-Muller (RM) codes. This can be considered as a preceding step for constructing code-based FHE schemes. As the order of RM codes increases after multiplication, a bootstrapping technique is required to reduce the order of intermediate RM codes to accomplish a large number of operations. We propose a bootstrapping technique to preserve the order of RM codes after the addition or multiplication by proposing three consecutive transformations that create a one-to-one relationship between computations on messages and that on the corresponding codewords in RM codes.

FORS is the underlying hash-based few-time signing scheme in SPHINCS+, one of the nine signature schemes which advanced to round 2 of the NIST Post-Quantum Cryptography standardization competition. In this paper, we analyze the security of FORS with respect to adaptive chosen message attacks. We show that in such a setting, the security of FORS decreases significantly with each signed message when compared to its security against non-adaptive chosen message attacks. We propose a chaining mechanism that with slightly more computation, dynamically binds the Obtain Random Subset (ORS) generation with signing, hence, eliminating the oine advantage of adaptive chosen message adversaries. We apply our chaining mechanism to FORS and present DFORS whose security against adaptive chosen message attacks is equal to the non-adaptive security of FORS. In a nutshell, using SPHINCS+-128s parameters, FORS provides 75-bit security and DFORS achieves 150-bit security with respect to adaptive chosen message attacks after signing one message. We note that our analysis does not affect the claimed security of SPHINCS+. Nevertheless, this work provides a better understanding of FORS and other HORS variants and furnishes a solution if new adaptive cryptanalytic techniques on SPHINCS+ emerge.

Genome-Wide Association Studies (GWAS) seek to identify genetic variants associated with a trait, and have been a powerful approach for understanding complex diseases. A critical challenge for GWAS has been the dependence on individual-level data that typically have strict privacy requirements, creating an urgent need for methods that preserve the individual-level privacy of participants. Here, we present a privacy-preserving framework based on several advances in homomorphic encryption and demonstrate that it can perform an accurate GWAS analysis for a real dataset of more than 25,000 individuals, keeping all individual data encrypted and requiring no user interactions. Our extrapolations show that it can evaluate GWAS of 100,000 individuals and 500,000 SNPs in 5.6 hours on a single server node (or in 11 minutes on 31 server nodes running in parallel). Our performance results are more than one order of magnitude faster than prior state-of-the-art results using secure multi-party computation, which requires continuous user interactions, with the accuracy of both solutions being similar. Our homomorphic encryption advances can also be applied to other domains where large-scale statistical analyses over encrypted data are needed.

Fire alarm and signaling systems are a networked system of fire detectors, fire control units, automated fire extinguishers, and fire notification appliances. Malfunction of these safety-critical cyber-physical systems may lead to chaotic evacuations, property damages, and even loss of human life. Therefore, reliability is one of the most crucial factors for fire detectors. Indeed, even a single report of a fire cannot be ignored considering the importance of early fire detection and suppression. In this paper, we show that wide-area smoke detectors, which are globally installed in critical infrastructures such as airports, sports facilities, and auditoriums, have significant vulnerabilities in terms of reliability; one can remotely and stealthily induce false fire alarms and suppress real fire alarms with a minimal attacker capability using simple equipment. The practicality and generalizability of these vulnerabilities has been assessed based on the demonstration of two types of sensor attacks on two commercial-off-the-shelf optical beam smoke detectors from different manufacturers. Further, the practical considerations of building stealthy attack equipment has been analyzed, and an extensive survey of almost all optical beam smoke detectors on the market has been conducted. In addition, we show that the current standards of the fire alarm network connecting the detector and a control unit exacerbate the problem, making it impossible or very difficult to mitigate the threats we found. Finally, we discuss hardware and software-based possible countermeasures for both wide-area smoke detectors and the fire alarm network; the effectiveness of one of the countermeasures is experimentally evaluated.

The Gimli permutation was proposed in CHES 2017, which is distinguished from other well-known permutation-based primitives for its cross-platform performance. One main strategy to achieve such a goal is to utilize a sparse linear layer (Small-Swap and Big-Swap), which occurs every two rounds. In addition, the round constant addition occurs every four rounds and only one 32-bit word is affected by it. The above two facts have been exploited by \mbox{Liu-Isobe-Meier} to mount a distinguishing attack on 14 rounds of Gimli permutation with time complexity 1 by utilizing the internal difference. Inspired by the \mbox{14-round} distinguisher, we demonstrate that it is feasible to extend it to the full Gimli permutation with time complexity $2^{129}$ by further taking advantage of its weak diffusion. The corresponding technique is named as hybrid zero internal differential since the internal difference and XOR difference are simultaneously traced. Our distinguisher can be interpreted as a variant of the common differential distinguisher and \mbox{zero-sum} distinguisher. Apart from the permutation itself, combined with some new properties of the SP-box, the weak diffusion can also be utilized to accelerate the preimage attacks on reduced \mbox{Gimli-Hash} and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attack on 2-round Gimli-Hash is practical and it can reach up to 5 rounds. For Gimli-XOF-128, our preimage attack can reach up to 9 rounds. To the best of our knowledge, this is the first attack on the full Gimli permutation and our preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 are the best so far. Since Gimli is included in the second round candidates in NIST's Lightweight Cryptography Standardization process, we expect that our analysis can advance the understanding of Gimli. It should be emphasized that this work can not threaten the security of the hash scheme and authenticated encryption scheme built on Gimli.

We present ZeroJoin, a practical privacy-enhancing protocol for blockchain transactions. ZeroJoin can be considered a combination of ZeroCoin and CoinJoin. It borrows ideas from both but attempts to overcome some of their drawbacks. Like ZeroCoin, our protocol uses zero-knowledge proofs and a pool of participants. However, unlike ZeroCoin, our proofs are very efficient, and our pool size is not monotonously increasing. Thus, our protocol overcomes the two major drawbacks of ZeroCoin. Our approach can also be considered a non-interactive variant of CoinJoin, where the interaction is replaced by a public transaction on the blockchain. The security of ZeroJoin is based on the Decision Diffie-Hellman (DDH) assumption. We also present ErgoMix, a practical implementation of ZeroJoin on top of Ergo, a smart contract platform based on Sigma protocols. While ZeroJoin contains the key ideas, it leaves open the practical issue of handling fees. The key contribution of ErgoMix is a novel approach to handle fee in ZeroJoin.

Successful contact tracing effectively facilitates the fight against pandemics of highly contagious diseases such as COVID-19. Existing efforts either rely on effective yet privacy-invasive surveillance infrastructure, or focus on privacy-preserving decentralised solutions which may limit their effectiveness. The former collects vast amounts of sensitive data such as identity, location and social interactions of every user, which allows function creep. The latter relies on users' willingness to share their risk scores with authorities, which limits their ability to quickly identify people at-risk and to run analytics. We propose a practical solution that aims to strike a balance between functionality and privacy: one that does not collect sensitive information, such as, location data, while at the same time allowing effective tracing and notifying the close contacts of infected users. To protect users' privacy, our solution uses local proximity tracing based on broadcasting and recording constantly changing anonymous public keys via short-range communication, for example, Bluetooth. These public keys are used to establish a shared secret key between two people in close contact. These three keys are then used to generate two unique per-user-per-contact hashes: one for infection registration and one for health status query. These hashes are never revealed to the public. To support functionality, risk score computation is performed centrally, which provides the health authorities with minimal, yet insightful and actionable data. Data minimization is achieved by the use of per-user-per-contact hashes and by enforcing role separation. In our design, the health authorities and the GPs act as proxies, while the matching between hashes is outsourced to a third-party, i.e. the matching service. This separation ensures that out-of-scope information, such as social interaction within the population, is hidden from the health authorities and, at the same time, the matching service does not learn sensitive information about the users. Our solution requires a degree of trust in the entities involved that is considerably lower w.r.t. centralised alternatives.

The down-scaling of circuit technology has led to stronger leakage currents in CMOS standard cells. This source of power consumption is data dependent and can be utilized to extract secrets from cryptographic devices. We propose Balanced Static Power Logic (BSPL), the first leakage-balancing approach that achieves optimal data-independence with respect to drain-source leakage. We re-design fundamental standard cells in such a way that their leakage current is essentially constant, irrespective of inputs and outputs, barring process variations. Even in presence of considerable intra-die variations, modeled by Monte Carlo simulations, BSPL gates still maintain a significantly reduced mutual information between the circuit’s input and conducted leakage current.