International Association for Cryptologic Research


IACR News


11 August 2020

Carlos Cid, Akinori Hosoyamada, Yunwen Liu, Siang Meng Sim
ePrint Report
In this paper we show several quantum chosen-plaintext attacks (qCPAs) on contracting Feistel structures. In the classical setting, a $d$-branch $r$-round contracting Feistel structure can be shown to be PRP-secure when $d$ is even and $r \geq 2d-1$, meaning it is secure against polynomial-time chosen-plaintext attacks. We propose a polynomial-time qCPA distinguisher on the $d$-branch $(2d-1)$-round contracting Feistel structure, which solves an open problem by Dong et al. In addition, we show a polynomial-time qCPA that recovers the keys of the $d$-branch $r$-round contracting Feistel structure when each round function $F^{(i)}_{k_i}$ has the form $F^{(i)}_{k_i}(x) = F_i(x \oplus k_i)$ for a public random function $F_i$. This is applicable to the Chinese block cipher standard SM4, which is a special case where $d=4$. Finally, in addition to quantum attacks under single-key setting, we also show related-key quantum attacks on balanced Feistel structures in the model that adversaries can only control part of the key difference in quantum superposition. Our related-key attacks on balanced Feistel structures can easily be extended to ones on contracting Feistel structures.
Martin Hirt, Ard Kastrati, Chen-Da Liu-Zhang
ePrint Report
Classical protocols for reliable broadcast and consensus provide security guarantees as long as the number of corrupted parties $f$ is bounded by a single given threshold $t$. If $f > t$, these protocols are deemed completely insecure. We consider the relaxed notion of multi-threshold reliable broadcast and consensus where validity, consistency and termination are guaranteed as long as $f \le t_v$, $f \le t_c$ and $f \le t_t$ respectively. For consensus, we consider both variants of $(1-\epsilon)$-consensus and \emph{almost-surely terminating} consensus, where termination is guaranteed with probability $(1-\epsilon)$ and $1$, respectively. We give a very complete characterization for these primitives in the asynchronous setting and with no signatures:
- Multi-threshold reliable broadcast is possible if and only if $\max\{t_c,t_v\} + 2t_t < n$.
- Multi-threshold almost-surely consensus is possible if $\max\{t_c, t_v\} + 2t_t < n$, $2t_v + t_t < n$ and $t_t < n/3$. Assuming a global coin, it is possible if and only if $\max\{t_c, t_v\} + 2t_t < n$ and $2t_v + t_t < n$.
- Multi-threshold $(1-\epsilon)$-consensus is possible if and only if $\max\{t_c, t_v\} + 2t_t < n$ and $2t_v + t_t < n$.
Johannes Tobisch, Anita Aghaie, Georg T. Becker
ePrint Report
Strong Physical Unclonable Functions (PUFs), as a promising security primitive, are supposed to be a lightweight alternative to classical cryptography for purposes such as device authentication. Most of the proposed candidates, however, have been plagued by machine-learning attacks breaking their security claims. The Interpose PUF (iPUF), which has been introduced at CHES 2019, was explicitly designed with state-of-the-art machine-learning attacks in mind and is supposed to be impossible to break by classical and reliability attacks. In this paper, we analyze its vulnerability to reliability attacks. Despite the increased difficulty, these attacks are still feasible, against the original authors’ claim. We explain how adding constraints to the machine-learning objective streamlines reliability attacks and allows us to model all individual components of an iPUF successfully. In order to build a practical attack, we give several novel contributions. First, we demonstrate that reliability attacks can be performed not only with CMA-ES but also with gradient-based optimization. Second, we show that the switch to gradient-based reliability attacks makes it possible to combine reliability attacks, weight constraints, and Logistic Regression (LR) into a single optimization objective. This framework makes machine-learning attacks more efficient, as it exploits knowledge of responses and reliability information at the same time. Third, we show that a differentiable model of the iPUF exists and how it can be utilized in a combined reliability attack. We confirm that iPUFs are harder to break than regular XOR Arbiter PUFs. However, we are still able to break (1,10)-iPUF instances, which were originally assumed to be secure, with less than 10^7 PUF response queries.
Kaushik Nath, Palash Sarkar
ePrint Report
In this work various approaches for constant time conditional branching in Montgomery ladder have been studied. A previous method appearing in a code for implementing X25519 has been formalized algorithmically. This algorithm is based on a conditional select operation. We consider a variant of this algorithm which groups together operations in a more convenient manner. Further, we provide a new implementation of the conditional select operation using the cmov operation such that cmov works only on registers. This provides a better guarantee of constant time behavior.
Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo
ePrint Report
The industrial Internet of Things (IIoT) integrates sensors, instruments, equipment, and industrial applications, enabling traditional industries to automate and intelligently process data. To reduce the cost and demand of required service equipment, IIoT relies on cloud computing to further process and store data. However, the means for ensuring the privacy and confidentiality of the outsourced data and the maintenance of flexibility in the use of these data remain unclear. Public-key authenticated encryption with keyword search (PAEKS) is a variant of public-key encryption with keyword search that not only allows users to search encrypted data by specifying keywords but also prevents insider keyword guessing attacks (IKGAs). However, all current PAEKS schemes are based on the discrete logarithm assumption and are therefore vulnerable to quantum attacks. Additionally, the security of these schemes is only proven under random oracle and is considered insufficiently secure. In this study, we first introduce a generic PAEKS construction that enjoys security under IKGAs in the standard model. Based on the framework, we propose a novel instantiation of quantum-resistant PAEKS that is based on the ring learning with errors assumption. Compared with its state-of-the-art counterparts, our instantiation is more efficient and secure.
Mark Zhandry
ePrint Report
The best existing pairing-based traitor tracing schemes have $O(\sqrt{N})$-sized parameters, which has stood since 2006. This intuitively seems to be consistent with the fact that pairings allow for degree-2 computations, yielding a quadratic compression.

In this work, we show that this intuition is false by building a tracing scheme from pairings with $O(\sqrt[3]{N})$-sized parameters. We additionally give schemes with a variety of parameter size trade-offs, including a scheme with constant-size ciphertexts and public keys (but linear-sized secret keys). All of our schemes make black-box use of the pairings. We obtain our schemes by developing a number of new traitor tracing techniques, giving the first significant parameter improvements in pairings-based traitor tracing in over a decade.
Emanuele Bellini, Matteo Rossi
ePrint Report
While many similarities between Machine Learning and cryptanalysis tasks exist, so far no major result in cryptanalysis has been reached with the aid of Machine Learning techniques. One exception is the recent work of Gohr, presented at Crypto 2019, where for the first time conventional cryptanalysis was combined with the use of neural networks to build a more efficient distinguisher and, consequently, a key recovery attack on Speck32/64. Along the same line, in this work we propose two Deep Learning (DL) based distinguishers against the Tiny Encryption Algorithm (TEA) and its evolution RAIDEN. Both ciphers have twice the block and key size of Speck32/64. We show how these two distinguishers outperform a conventional statistical distinguisher, with no prior information on the cipher, and a differential distinguisher based on the differential trails presented by Biryukov and Velichkov at FSE 2014. We also present some variations of the DL-based distinguishers, discuss some of their extra features, and propose some directions for future research.
Christophe Genevey-Metat, Benoît Gérard, Annelie Heuser
ePrint Report
In recent years, many papers have shown that deep learning can be beneficial for profiled side-channel analysis. However, in order to obtain good performances with deep learning, an attacker needs a lot of data for training. The training data should be as similar as possible to the data that will be obtained during the attack, a condition that may not be easily met in real-world scenarios. It is thus of interest to analyse different scenarios where the attack makes use of "imperfect" training data.

The typical situation in side-channel analysis is that the attacker has access to an unlabelled dataset of measurements from the target device (obtained with the key he actually wants to recover) and, depending on the context, he may also make use of a labelled dataset (say profiling data) obtained on the same device (with known or chosen key(s)). In this paper, we extend the attacker models and investigate the situation where an attacker additionally has access to a neural network that has been pre-trained on some other dataset not fully corresponding to the attack one. The attacker can then either directly use the pre-trained network to attack, or, if profiling data is available, train a new network, or adapt a pre-trained one using transfer learning.

We performed many experiments to compare the attack metrics obtained in both cases on various setups (different probe positions, channels, devices, sizes of datasets). Our results show that in many cases, a lack of training data can be counterbalanced by additional "imperfect" data coming from another setup.
Aayush Jain, Alexis Korb, Nathan Manohar, Amit Sahai
ePrint Report
Security amplification is a fundamental problem in cryptography. In this work, we study security amplification for functional encryption (FE). We show two main results:

1) For any constant epsilon in (0,1), we can amplify any FE scheme for P/poly which is epsilon-secure against all polynomial sized adversaries to a fully secure FE scheme for P/poly, unconditionally.
2) For any constant epsilon in (0,1), we can amplify any FE scheme for P/poly which is epsilon-secure against subexponential sized adversaries to a fully subexponentially secure FE scheme for P/poly, unconditionally.

Furthermore, both of our amplification results preserve compactness of the underlying FE scheme. Previously, amplification results for FE were only known assuming subexponentially secure LWE.

Along the way, we introduce a new form of homomorphic secret sharing called set homomorphic secret sharing that may be of independent interest. Additionally, we introduce a new technique, which allows one to argue security amplification of nested primitives, and prove a general theorem that can be used to analyze the security amplification of parallel repetitions.
Nathan Manohar, Abhishek Jain, Amit Sahai
ePrint Report
We introduce garbled encryption, a relaxation of secret-key multi-input functional encryption (MiFE) where a function key can be used to jointly compute upon only a particular subset of all possible tuples of ciphertexts. We construct garbled encryption for general functionalities based on one-way functions.

We show that garbled encryption can be used to build a self-processing private sensor data system where, after a one-time trusted setup phase, sensors deployed in the field can periodically broadcast encrypted readings of private data that can be computed upon by anyone holding function keys to learn processed output, without any interaction. Such a system can be used to periodically check, e.g., whether a cluster of servers is in an "alarm" state.

We implement our garbled encryption scheme and find that it performs quite well, with function evaluations in the microseconds. The performance of our scheme was tested on a standard commodity laptop.

10 August 2020

FACULTY POSITIONS AT DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING, NATIONAL SUN YAT-SEN UNIVERSITY
Job Posting
The Department of Computer Science and Engineering at National Sun Yat-sen University invites applications for tenure-track positions starting February 2021 or August 2021. Applicants in the areas of information security and artificial intelligence are sought. Applicants for assistant professorship must demonstrate strong research potential, in addition to good teaching ability. Applicants for associate professorship and professorship must have an exceptional record of research achievement. All successful candidates are expected to conduct both research and teaching activities. The department offers BS, MS and Ph.D. degrees in Computer Science and Engineering. The official language of teaching is Chinese, and English teaching is encouraged by the university. For more information, please visit our website: https://cse.nsysu.edu.tw/index.php?Lang=en

Applications should include a curriculum vitae, recent publications, and reference letters from at least three people who can comment on the applicant's professional qualification. Other supporting material is welcome. Applications should be sent to:

Faculty Recruiting Committee
Department of Computer Science and Engineering
National Sun Yat-sen University
Kaohsiung, Taiwan 80424
Email: srkuang@cse.nsysu.edu.tw
TEL: +886-7-5252000 ext. 4340
FAX: +886-7-5254301

The deadline for applications is October 31, 2020; documents will continue to be received as appropriate until February 28, 2021.

Contact: Email: srkuang@cse.nsysu.edu.tw TEL:+886-7-5252000 ext. 4340 FAX:+886-7-5254301

More information: https://cse.nsysu.edu.tw/index.php?Lang=en

University of Cologne, Department of Mathematics and Computer Science, Cologne, Germany
Job Posting
The University of Cologne invites applications for a Professorship (f/m/d) for IT Security (W2) in the Department of Mathematics and Computer Science, starting at earliest convenience.
The successful candidate has a proven track record of high-quality scientific publications in one of, but not limited to, the following areas:
- Cryptography and its protocols
- Quantum and post-quantum cryptography
- Software security
- Security of embedded systems
- Security of the Internet of Things and of cyber physical systems
- Security of autonomous systems and related technologies

Please apply with the usual documents (curriculum vitae, list of publications and teaching activities, copies of certificates of academic examinations and appointments) via the University of Cologne’s Academic Job Portal (https://professorships.uni-koeln.de) no later than September 22, 2020. Your application should be addressed to the Dean of the Faculty of Mathematics and Natural Sciences.
For further details, please see the complete job announcement in the Academic Job Portal of the University.

Contact: Dean of the Faculty of Mathematics and Natural Sciences, Prof. Dr. Paul H. M. van Loosdrecht (email: mnf-berufungen@uni-koeln.de)

More information: https://professorships.uni-koeln.de

Real World Crypto
The call for contributed talks for Real World Crypto has now been posted: https://rwc.iacr.org/2021/contributed.php

RWC 2021 will be held Jan 11-13 in Amsterdam.
University of St. Gallen, Switzerland
Job Posting
The University of St. Gallen in Switzerland and the chair of Cyber Security invite applications from PhD holders in the area of cryptography and information security. The researcher will join a group of researchers focusing on applied and theoretical cryptography, network and information security and privacy preservation, led by Prof. Katerina Mitrokotsa. We are affiliated with the Department of Computer Science (DCS) and the Institute of Computer Science.

Research areas include, but are not limited to:
  • Verifiable computation
  • Secure Multi Party Computation
  • Privacy-preserving authentication
  • Cryptographic primitives
  • Differential privacy
Your Profile
  • A Ph.D. degree in Computer Science, Applied Mathematics or a relevant field
  • Competitive research record in cryptography or information security
  • Strong mathematical and algorithmic CS background
  • Good programming skills are beneficial
  • Excellent written and verbal communication skills in English
Deadline for applications: 31 August
Starting date: Fall 2020 or by mutual agreement

Contact: Prof. Katerina Mitrokotsa

More information: http://direktlink.prospective.ch/?view=7716a2ff-927c-4fb5-aa35-90e310e2f4f3

National Cheng Kung University, Taiwan
Job Posting
Qualification:
- Candidates should have a Ph.D. degree (CS or EE) and a strong background in Artificial Intelligence/Machine Learning, Federated Learning, Edge/Fog Computation, Internet-of-Things, Cryptographic Protocols, Applied Cryptography
- Strong publication record (major journals or top conference papers).
- Good written and oral communication skills.
- Work experience in relevant research projects is preferable.

The initial appointment will be for 1 year, but it can be extended depending on the availability of funding and the candidate's performance. These positions come with an attractive salary and benefits. Travel support will also be provided to attend international conferences or to visit overseas universities.

How to apply: Interested candidates should send their CV to Prof. Tony Q.S. Quek (email: tonyquek@sutd.edu.sg). Initial screening of applications will begin immediately and the position will remain open until filled. Only shortlisted candidates will be notified.

Contact: Prof. Tony Q.S. Quek (email: tonyquek@sutd.edu.sg)


04 August 2020

TalTech, Centre for HW Security; Tallinn, Estonia
Job Posting
The Centre for Hardware Security at TalTech (https://www.taltech.ee/en/) invites applications for a postdoctoral research position in post quantum cryptography. We are looking for motivated individuals with a strong background in circuit design, especially with experience in ASICs and/or hardware implementation of crypto cores. The end goal of the project is to validate a PQC algorithm in silicon.

Requirements for the postdoctoral research position: Having a PhD degree is mandatory for this position, but candidates close to the completion of a PhD are also highly encouraged to apply. The ideal candidate should have a track record in the topic or in a closely related field, as well as in-depth knowledge of digital IC design tools (genus, innovus, design compiler, ICC, etc.).
General conditions: Funding for this position is project-based and is already in place. Candidates with adequate backgrounds will be invited to interview over Skype. This position has an immediate start date (but a future start date can be arranged given the current situation with the coronavirus). Salary is commensurate with experience.
How to apply: Please submit your CV to Prof. Pagliarini by email (samuel.pagliarini@taltech.ee) using the subject 'PQC postdoc position'.

Contact: Samuel Pagliarini (samuel.pagliarini@taltech.ee)

More information: https://ati.ttu.ee/~spagliar/

Nathan Manohar, Peter Manohar, Rajit Manohar
ePrint Report
The ongoing COVID-19 pandemic has caused health organizations to consider using digital contact tracing to help monitor and contain the spread of COVID-19. Due to this urgent need, many different groups have developed secure and private contact tracing phone apps. However, these apps have not been widely deployed, in part because they do not meet the needs of healthcare officials.

We present HABIT, a contact tracing system using a wearable hardware device designed specifically with the goals of public health officials in mind. Unlike current approaches, we use a dedicated hardware device instead of a phone app for proximity detection. Our use of a hardware device allows us to substantially improve the accuracy of proximity detection, achieve strong security and privacy guarantees that cannot be compromised by remote attackers, and have a more usable system, while only making our system minimally harder to deploy compared to a phone app in centralized organizations such as hospitals, universities, and companies.

The efficacy of our system is currently being evaluated in a pilot study at Yale University in collaboration with the Yale School of Public Health.
Eli Ben-Sasson, Lior Goldberg, David Gurevich
ePrint Report
A report on the selection process of the STARK friendly hash (SFH) function for standardization by the Ethereum Foundation. The outcome of this process, described here, is our recommendation to use the Rescue function over a prime field of size approximately $2^{61}$ in sponge mode with $12$ field elements per state.

With an Appendix by Jean-Charles Faugere and Ludovic Perret of CryptoNext Security.
Vijaya Ramachandran, Elaine Shi
ePrint Report
As secure processors such as Intel SGX (with hyperthreading) become widely adopted, there is a growing appetite for private analytics on big data. Most prior works on data-oblivious algorithms adopt the classical PRAM model to capture parallelism. However, it is widely understood that PRAM does not best capture realistic multicore processors, nor does it reflect parallel programming models adopted in practice.

In this paper, we initiate the study of parallel data oblivious algorithms on realistic multicores, best captured by the binary fork-join model of computation. We first show that data-oblivious sorting can be accomplished by a binary fork-join algorithm with optimal total work and optimal (cache-oblivious) cache complexity, and in O(log n log log n) span (i.e., parallel time) that matches the best-known insecure algorithm. Using our sorting algorithm as a core primitive, we show how to data-obliviously simulate general PRAM algorithms in the binary fork-join model with non-trivial efficiency. We also present results for several applications including list ranking, Euler tour, tree contraction, connected components, and minimum spanning forest. For a subset of these applications, our data-oblivious algorithms asymptotically outperform the best known insecure algorithms. For other applications, we show data oblivious algorithms whose performance bounds match the best known insecure algorithms.

Complementing these asymptotically efficient results, we present a practical variant of our sorting algorithm that is self-contained and potentially implementable. It has optimal caching cost, and it is only a log log n factor off from optimal work and about a log n factor off in terms of span; moreover, it achieves small constant factors in its bounds.
Johannes Mittmann, Werner Schindler
ePrint Report
Montgomery’s and Barrett’s modular multiplication algorithms are widely used in modular exponentiation algorithms, e.g. to compute RSA or ECC operations. While Montgomery’s multiplication algorithm has been studied extensively in the literature and many side-channel attacks have been detected, to our best knowledge no thorough analysis exists for Barrett’s multiplication algorithm. This article closes this gap. For both Montgomery’s and Barrett’s multiplication algorithm, differences of the execution times are caused by conditional integer subtractions, so-called extra reductions. Barrett’s multiplication algorithm allows even two extra reductions, and this feature increases the mathematical difficulties significantly.

We formulate and analyse a two-dimensional Markov process, from which we deduce relevant stochastic properties of Barrett’s multiplication algorithm within modular exponentiation algorithms. This allows us to transfer the timing attacks and local timing attacks (where a second side-channel attack exhibits the execution times of the particular modular squarings and multiplications) on Montgomery’s multiplication algorithm to attacks on Barrett’s algorithm. However, there are also differences. Barrett’s multiplication algorithm requires additional attack substeps, and the attack efficiency is much more sensitive to variations of the parameters. We treat timing attacks on RSA with CRT, on RSA without CRT, and on Diffie-Hellman, as well as local timing attacks against these algorithms in the presence of basis blinding. Experiments confirm our theoretical results.
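An added illustration of the "extra reductions" the abstract refers to (example code written for this page, not from the Mittmann and Schindler paper): textbook Barrett reduction with radix 2, instrumented to count its conditional subtractions, next to a branch-free variant that always performs two masked subtractions. The modulus n = 19 and the sample inputs are constructed for the demonstration.

```python
# Added example, not from the paper: textbook Barrett reduction (HAC Alg. 14.42
# with radix b = 2), instrumented to count the conditional subtractions ("extra
# reductions") whose data-dependent number shows up in execution time.
# The modulus n = 19 and the sample inputs are constructed for this demo.

def barrett_setup(n):
    """Precompute k = bit length of n and mu = floor(2^(2k) / n)."""
    k = n.bit_length()
    mu = (1 << (2 * k)) // n
    return k, mu


def barrett_reduce(x, n, k, mu):
    """Reduce 0 <= x < 2^(2k) modulo n using a quotient estimate q3.
    Returns (x mod n, number of extra reductions performed).
    q3 satisfies q - 2 <= q3 <= q for q = x // n, so the remainder r lies in
    [0, 3n) and the while loop runs 0, 1 or 2 times; that data-dependent
    trip count is the timing signal discussed in the abstract."""
    assert 0 <= x < (1 << (2 * k))
    q1 = x >> (k - 1)          # drop the low k-1 bits of x
    q2 = q1 * mu
    q3 = q2 >> (k + 1)         # estimate of floor(x / n), at most 2 too small
    r = x - q3 * n             # 0 <= r < 3n
    extra = 0
    while r >= n:              # each pass is one extra reduction
        r -= n
        extra += 1
    return r, extra


def barrett_reduce_fixed(x, n, k, mu):
    """Same arithmetic, but always executes two masked subtractions so the
    sequence of operations no longer depends on x. (Python integers are not
    constant-time themselves; the point is the branch-free structure.)"""
    q3 = ((x >> (k - 1)) * mu) >> (k + 1)
    r = x - q3 * n
    for _ in range(2):
        d = r - n
        # Arithmetic shift gives 0 for d >= 0 and -1 (all ones) for d < 0,
        # since |d| < 2^(2k); invert it so the mask is all ones when r >= n.
        mask = ~(d >> (2 * k))
        r -= n & mask          # subtract n only when r >= n, without branching
    return r


def extra_reduction_tally(n):
    """Check both variants against x % n for every admissible x and tally how
    many inputs need 0, 1 and 2 extra reductions. Returns the tally list."""
    k, mu = barrett_setup(n)
    tally = [0, 0, 0]
    for x in range(1 << (2 * k)):
        r, extra = barrett_reduce(x, n, k, mu)
        assert r == x % n
        assert barrett_reduce_fixed(x, n, k, mu) == r
        tally[extra] += 1
    return tally


if __name__ == "__main__":
    n = 19
    k, mu = barrett_setup(n)           # k = 5, mu = 53
    for x in (320, 1023, 1007):        # constructed: 0, 1 and 2 extra reductions
        print(x, barrett_reduce(x, n, k, mu))
    print("extra reductions over all x < 2^10:", extra_reduction_tally(n))
```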