International Association for Cryptologic Research


IACR News


Here you can see all recent updates to the IACR webpage.

18 August 2020

Koksal Mus, Saad Islam, Berk Sunar
ePrint Report
Post-quantum schemes are expected to replace existing public-key schemes within a decade in billions of devices. To facilitate the transition, the US National Institute for Standards and Technology (NIST) is running a standardization process. Multivariate signatures are one of the main categories in NIST's post-quantum cryptography competition. Among the four candidates in this category, the LUOV and Rainbow schemes are based on the Oil and Vinegar scheme, first introduced in 1997, which has withstood over two decades of cryptanalysis. Beyond mathematical security and efficiency, security against side-channel attacks is a major concern in the competition. The current sentiment is that post-quantum schemes may be more resistant to fault-injection attacks due to their large key sizes and the lack of algebraic structure. We show that this is not true.

We introduce a novel hybrid attack, QuantumHammer, and demonstrate it on the constant-time implementation of LUOV currently in Round 2 of the NIST post-quantum competition. The QuantumHammer attack is a combination of two attacks, a bit-tracing attack enabled via Rowhammer fault injection and a divide and conquer attack that uses bit-tracing as an oracle. Using bit-tracing, an attacker with access to faulty signatures collected using a Rowhammer attack can recover secret key bits, albeit slowly. We employ a divide and conquer attack which exploits the structure in the key generation part of LUOV and solves the system of equations for the secret key more efficiently with few key bits recovered via bit-tracing.

We have demonstrated the first successful in-the-wild attack on LUOV recovering all 11K key bits with less than 4 hours of an active Rowhammer attack. The post-processing part is highly parallel and thus can be trivially sped up using modest resources. QuantumHammer does not make any unrealistic assumptions, only requires software co-location (no physical access), and therefore can be used to target shared cloud servers or in other sandboxed environments.
Carsten Baum, Daniel Escudero, Alberto Pedrouzo-Ulloa, Peter Scholl, Juan Ramón Troncoso-Pastoriza
ePrint Report
An oblivious linear function evaluation protocol, or OLE, is a two-party protocol for the function $f(x) = ax + b$, where a sender inputs the field elements $a,b$, and a receiver inputs $x$ and learns $f(x)$. OLE can be used to build secret-shared multiplication, and is an essential component of many secure computation applications including general-purpose multi-party computation, private set intersection and more.

In this work, we present several efficient OLE protocols from the ring learning with errors (RLWE) assumption. Technically, we build two new passively secure protocols, which build upon recent advances in homomorphic secret sharing from (R)LWE (Boyle et al., Eurocrypt 2019), with optimizations tailored to the setting of OLE. We upgrade these to active security using efficient amortized zero-knowledge techniques for lattice relations (Baum et al., Crypto 2018), and design new variants of zero-knowledge arguments that are necessary for some of our constructions.

Our protocols offer several advantages over existing constructions. Firstly, they have the lowest communication complexity amongst previous, practical protocols from RLWE and other assumptions; secondly, they are conceptually very simple, and have just one round of interaction for the case of OLE where $b$ is randomly chosen. We demonstrate this with an implementation of one of our passively secure protocols, which can perform more than 1 million OLEs per second over the ring $\mathbb{Z}_m$, for a 120-bit modulus $m$, on standard hardware.
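As an added example (written for this page, not the authors' implementation), the following Python shows the secret-shared multiplication the abstract mentions, built from two OLE calls. The OLE itself is modelled as an ideal functionality `ole_ideal` that stands in for the RLWE protocol; the modulus `Q` is a constructed 61-bit prime rather than the paper's 120-bit $m$. Because each OLE's $b$ input is a fresh random mask, both calls are instances of the random-$b$ case that the abstract says needs a single round.

```python
import secrets

# Constructed example modulus: a 61-bit Mersenne prime.  The paper works over
# Z_m with a 120-bit m; nothing below depends on the size of the modulus.
Q = (1 << 61) - 1


def ole_ideal(a, b, x):
    """Ideal OLE functionality: the sender inputs (a, b), the receiver inputs x
    and learns a*x + b.  This stands in for the RLWE-based protocol; the sender
    learns nothing about x and the receiver learns nothing beyond a*x + b."""
    return (a * x + b) % Q


def share(v):
    """Additively share v between P0 and P1: v = v0 + v1 (mod Q)."""
    v0 = secrets.randbelow(Q)
    return v0, (v - v0) % Q


def shared_multiply(x0, y0, x1, y1):
    """P0 holds (x0, y0), P1 holds (x1, y1) with x = x0 + x1 and y = y0 + y1.
    Returns (z0, z1) with z0 + z1 = x*y (mod Q).

    x*y = x0*y0 + x1*y1 + x0*y1 + x1*y0: the first two terms are local to one
    party each, and every cross term costs one OLE whose b input is a fresh
    random mask, i.e. the 'b randomly chosen' case of the abstract."""
    # Cross term x0*y1: P0 is the sender with a = x0, b = -r0; P1 is the receiver with y1.
    r0 = secrets.randbelow(Q)
    c1 = ole_ideal(x0, (-r0) % Q, y1)        # P1 obtains x0*y1 - r0
    # Cross term x1*y0: roles swap; P1 is the sender with a = x1, b = -r1.
    r1 = secrets.randbelow(Q)
    c0 = ole_ideal(x1, (-r1) % Q, y0)        # P0 obtains x1*y0 - r1
    z0 = (x0 * y0 + r0 + c0) % Q             # P0's share of the product
    z1 = (x1 * y1 + r1 + c1) % Q             # P1's share of the product
    return z0, z1


def demo(x, y):
    """Share x and y, multiply under sharing, and reconstruct the product."""
    x0, x1 = share(x)
    y0, y1 = share(y)
    z0, z1 = shared_multiply(x0, y0, x1, y1)
    return (z0 + z1) % Q


if __name__ == "__main__":
    assert demo(123456789, 987654321) == (123456789 * 987654321) % Q
    print("secret-shared multiplication from two OLEs: OK")
```

The masks $r_0, r_1$ are what make the receiver's OLE output uniformly random on its own, so neither party's view reveals the other's share; replacing `ole_ideal` with a real OLE protocol leaves `shared_multiply` unchanged.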
Dmitrii Koshelev
ePrint Report
Let $\mathbb{F}_{\!p}$ be a prime finite field ($p > 5$) and $E_b\!: y_0^2 = x_0^3 + b$ be an elliptic $\mathbb{F}_{\!p}$-curve of $j$-invariant $0$. In this article we produce the simplified SWU hashing to curves $E_b$ having an $\mathbb{F}_{\!p^2}$-isogeny of degree $5$. This condition is fulfilled for some Barreto--Naehrig curves, including BN512 from the standard ISO/IEC 15946-5. Moreover, we show how to implement the simplified SWU hashing in constant time (for any $j$-invariant), namely without quadratic residuosity tests and inversions in $\mathbb{F}_{\!p}$. Thus in addition to the protection against timing attacks, the new hashing $h\!: \mathbb{F}_{\!p} \to E_b(\mathbb{F}_{\!p})$ turns out to be much more efficient than the (universal) SWU hashing, which generally requires performing $2$ quadratic residuosity tests.
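As an added illustration (example code written for this page, not from the paper or any library), the Python below runs the simplified SWU map on a constructed toy curve $y^2 = x^3 + 2x + 1$ over $\mathbb{F}_{1019}$, which has $AB \neq 0$ rather than $j$-invariant $0$, so no isogeny is involved. What it shows from the abstract is the "no quadratic residuosity test" part: with $p \equiv 3 \pmod 4$ and $Z = -1$, a single exponentiation yields the root of $g(x_1)$ when it exists and, through the SWU identity $g(x_2) = Z^3 u^6 g(x_1)$, the root of $g(x_2)$ otherwise. It still performs field inversions, which the abstract's construction removes as well; `cmov` is an arithmetic stand-in for a constant-time select, and the curve parameters are assumptions chosen so the exceptional input $u = 0$ lands on the curve.

```python
# Constructed toy parameters (not a standardized curve).  p ≡ 3 (mod 4) makes a
# square root a single exponentiation and makes Z = -1 a non-square.  A*B != 0
# is required by simplified SWU, and B/(Z*A) must lie on the curve for the
# exceptional inputs; both hold for these values (checked by the test).
P = 1019
A = 2
B = 1
Z = P - 1  # -1 mod P


def inv0(a):
    """Field inverse with inv0(0) = 0, as in RFC 9380."""
    return pow(a % P, P - 2, P)


def g(x):
    """Right-hand side of y^2 = x^3 + A*x + B."""
    return (x * x * x + A * x + B) % P


def cmov(a, b, c):
    """Arithmetic select: b if c == 1 else a, with no branch on c."""
    return (a * (1 - c) + b * c) % P


def map_to_curve_sswu(u):
    """Simplified SWU map F_p -> E(F_p) with the square-root choice made by one
    exponentiation and an equality check instead of a Legendre-symbol test."""
    u %= P
    u2 = u * u % P
    tv1 = inv0((Z * Z * u2 * u2 + Z * u2) % P)    # 1/(Z^2 u^4 + Z u^2), or 0
    x1 = (-B) * inv0(A) * (1 + tv1) % P           # (-B/A) * (1 + tv1)
    e1 = int(tv1 == 0)                            # exceptional u (here u in {0, 1, -1})
    x1 = cmov(x1, B * inv0(Z * A) % P, e1)
    gx1 = g(x1)
    x2 = Z * u2 * x1 % P
    # SWU identity: g(x2) = Z^3 u^6 g(x1).  Z is a non-square, so for u != 0 with
    # tv1 != 0 exactly one of g(x1), g(x2) is a square.
    y1 = pow(gx1, (P + 1) // 4, P)                # the only "test": one exponentiation
    e2 = int(y1 * y1 % P == gx1)                  # gx1 is a square iff the candidate works
    # Otherwise y1^2 = -gx1, and with Z = -1, g(x2) = -u^6 gx1 = (u^3 y1)^2.
    y2 = u * u2 % P * y1 % P
    x = cmov(x2, x1, e2)
    y = cmov(y2, y1, e2)
    # Fix the sign of y from the parity of u, in the spirit of RFC 9380's sgn0.
    e3 = int((u & 1) != (y & 1))
    y = cmov(y, (-y) % P, e3)
    return x, y


def on_curve(pt):
    x, y = pt
    return (y * y - g(x)) % P == 0


if __name__ == "__main__":
    for u in range(0, 20):
        assert on_curve(map_to_curve_sswu(u))
    print("all sample inputs map onto the curve")
```

Python integers are not constant time, so the value of the example is the control flow, not the timing: every step is a fixed sequence of field operations and arithmetic selects, which is the shape a constant-time implementation in a field-arithmetic library needs.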
Gideon Samid
ePrint Report
Presenting a new technology to fit quantum-randomness into a lump of matter where the randomness is held through the molecular bonds of seeded macro-molecules, and reliably measured in two or more sufficiently exact duplicates, serving as a large reservoir for quantum-grade randomness to support cryptographic protocols.

17 August 2020

University of South Florida, The Department of Computer Science and Engineering, Tampa, FL, USA.
Job Posting
We have multiple (fully funded) PhD positions in the areas of applied cryptography beginning in Fall 2021 (August 2021) or Spring 2021 (January 2021) at the University of South Florida (USF). USF is a Rank-1 Research University (rank 31 among CS departments at US public universities according to the Academic Analytics Scholarly Research Index) and offers a competitive salary with an excellent working environment, all within close proximity of high-tech industry and the beautiful beaches of sunny Florida. The Tampa/Orlando area is a key part of the Florida High Technology Corridor and harbors major tech and research companies. The qualified candidate will have opportunities for research internships and joint projects with leading industrial companies. Topics include:

Trustworthy and Scalable Blockchains
  • New cryptographic schemes for consensus and distributed transactions in Blockchains
  • Practical quantum-safe cryptographic deployments for Blockchains
Secure and Reliable Internet of Things and Systems (IoT)
  • Lightweight cryptography for IoT
  • Efficient cryptography for vehicular and unmanned aerial systems
  • Efficient digital signatures
Privacy-Enhancing Technologies
  • Searchable encryption, Oblivious RAM, and multi-party computation
Trustworthy Machine Learning (TML)
  • Privacy-Preserving Machine Learning
  • Adversarial Machine Learning
Requirements:
  • A BS degree in ECE/CS with a high-GPA
  • Very good programming skills (e.g., C, C++), familiarity with Linux
  • MS degree in ECE/CS/Math is a big plus. Publications in security and privacy are highly desirable
Please send applications (by e-mail) to the contact information below:
Technical University of Darmstadt, Germany
Job Posting

The Cryptography and Privacy Engineering Group (ENCRYPTO) @Department of Computer Science @Technical University of Darmstadt offers a full position for a Postdoctoral Researcher in Cryptography & Privacy Engineering, available immediately and for initially up to 2.5 years.

Our mission is to demonstrate that privacy can be efficiently protected in real-world applications via cryptographic protocols.

TU Darmstadt is a top research university for IT security, cryptography and computer science in Europe. The position is based in the City of Science Darmstadt, which is very international, livable and well-connected in the Rhine-Main area around Frankfurt. Initially, no knowledge of German is necessary and TU Darmstadt offers corresponding support.

Job description

As a postdoc @ENCRYPTO, you conduct research, build prototype implementations, and publish and present the results at top venues. You are involved in project management and teaching, co-advise PhD students, and supervise thesis students and student research assistants. The position is co-funded by the ERC Starting Grant “Privacy-preserving Services on the Internet” (PSOTI), where we build privacy-preserving services on the Internet, which includes designing protocols for privately processing data among untrusted service providers using secure multi-party computation and implementing a scalable framework.

Your profile
  • Completed PhD degree (or equivalent) at a top university in IT security, computer science, applied mathematics, electrical engineering, or a similar area
  • Publications at top venues (CORE rank A*/A) for IT security/applied cryptography (e.g., S&P, CCS, NDSS, USENIX SEC, EUROCRYPT), ideally on cryptographic protocols and secure computation
  • Experience in software development, project management and supervising students
  • Self-motivated, reliable, creative, can work in a team, and want to do excellent research on challenging scientific problems with practical relevance
  • The working language at ENCRYPTO is English, so you must be able to discuss/write/present scientific results in English, whereas German is not required.

Closing date for applications:

Contact: Thomas Schneider (schneider@encrypto.cs.tu-darmstadt.de)

More information: https://encrypto.de/POSTDOC

FACULTY POSITIONS AT DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING, NATIONAL SUN YAT-SEN UNIVERSITY
Job Posting
The Department of Computer Science and Engineering at National Sun Yat-sen University invites applications for tenure-track positions from February 2021 or August 2021. Applicants in the areas of information security and artificial intelligence are sought. Applicants for assistant professorship must demonstrate strong research potential, in addition to good teaching ability. Applicants for associate professorship and professorship must have an exceptional record of research achievement. All successful candidates are expected to conduct both research and teaching activities. The department offers BS, MS and Ph.D. degrees in Computer Science and Engineering. The official language of teaching is Chinese, and English teaching is encouraged by the university. For more information, please visit our website: https://cse.nsysu.edu.tw/index.php?Lang=en

Applications should include a curriculum vitae, recent publications, and reference letters from at least three people who can comment on the applicant's professional qualifications. Other supporting material is welcome. Applications should be sent to:

Faculty Recruiting Committee
Department of Computer Science and Engineering
National Sun Yat-sen University
Kaohsiung, Taiwan 80424
Email: srkuang@cse.nsysu.edu.tw
TEL: +886-7-5252000 ext. 4340
FAX: +886-7-5254301

The deadline for applications is October 31, 2020; applications will continue to be accepted as appropriate until February 28, 2021.

Closing date for applications:

Contact: Email: srkuang@cse.nsysu.edu.tw TEL:+886-7-5252000 ext. 4340 FAX:+886-7-5254301

More information: https://cse.nsysu.edu.tw/index.php?Lang=en

Gaithersburg, USA, 4 November - 6 November 2020
Event Calendar
Event date: 4 November to 6 November 2020
Submission deadline: 30 September 2020
Notification: 19 October 2020
Hong Kong, China, 7 June - 11 June 2021
Event Calendar
Event date: 7 June to 11 June 2021
Submission deadline: 21 August 2020
Notification: 24 October 2020

13 August 2020

Jeju, South Korea, 14 December - 16 December 2020
Event Calendar
Event date: 14 December to 16 December 2020
Submission deadline: 20 September 2020
Notification: 30 September 2020
CRYPTO
The program chairs and the program committee of Crypto 2020 are pleased to announce the Best Paper and Best Paper by Early Career Researchers Awards to be presented at Crypto next week:

Best Paper Awards
  • "Chosen Ciphertext Security from Injective Trapdoor Functions", by Susan Hohenberger, Venkata Koppula, and Brent Waters
  • "Breaking the Decisional Diffie-Hellman Problem for Class Group Actions using Genus Theory", by Wouter Castryck, Jana Sotáková, and Frederik Vercauteren
  • "Improved Differential-Linear Attacks with Applications to ARX Ciphers", by Christof Beierle, Gregor Leander, and Yosuke Todo
Best Paper by Early Career Researchers Award
  • "Handling Adaptive Compromise for Practical Encryption Schemes", by Joseph Jaeger and Nirvan Tyagi
Congratulations to all authors!

The Best Paper Awards will be presented during a special session on Tuesday 18 Aug at 16:25 UTC, and the Best Paper by Early Career Researchers Award will be presented on Monday 17 Aug at 15:15 UTC.

To register and for more information about the Crypto 2020 technical program and attendance details, please visit: https://crypto.iacr.org/2020/

11 August 2020

Gwangju, South Korea, 22 March - 26 March 2021
Event Calendar
Event date: 22 March to 26 March 2021
Submission deadline: 15 September 2020
Notification: 10 November 2020
Jintai Ding, Joshua Deaton, Vishakha, Bo-Yin Yang
ePrint Report
In 2017, Ward Beullens et al. submitted Lifted Unbalanced Oil and Vinegar, which is a modification to the Unbalanced Oil and Vinegar Scheme by Patarin. Previously, Ding et al. proposed the Subfield Differential Attack, which prompted a change of parameters by the authors of LUOV for the second round of the NIST post quantum standardization competition. In this paper we propose a modification to the Subfield Differential Attack called the Nested Subset Differential Attack which fully breaks half of the parameter sets put forward. We also show by experimentation that this attack is practically possible to do in under 210 minutes for the level I security parameters and not just a theoretical attack. The Nested Subset Differential attack is a large improvement of the Subfield differential attack which can be used in real world circumstances. Moreover, we will only use what is called the "lifted" structure of LUOV, and our attack can be thought of as a development of solving "lifted" quadratic systems.
Rick Boivie, Charanjit S. Jutla, Daniel Friedman, Ghavam Shahidi
ePrint Report
We provide a novel electro-magnetic (EM) side-channel resistant symmetric-key authentication mechanism for small devices that uses a Benes network to permute the on-board authentication-key before computing a MAC of a challenge with the key. The permutation itself is derived from the challenge using a hash function acting as a random oracle. The solution has interesting applications such as forgery detection of currency bills.
Robert Granger, Thorsten Kleinjung, Arjen K. Lenstra, Benjamin Wesolowski, Jens Zumbrägel
ePrint Report
This paper reports on the computation of a discrete logarithm in the finite field $\mathbb{F}_{2^{30750}}$, breaking by a large margin the previous record, which was set in January 2014 by a computation in $\mathbb{F}_{2^{9234}}$. The present computation made essential use of the elimination step of the quasi-polynomial algorithm due to Granger, Kleinjung and Zumbrägel, and is the first large-scale experiment to truly test and successfully demonstrate its potential when applied recursively, which is when it leads to the stated complexity. It required the equivalent of about $2900$ core years on a single core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is comparable to the approximately $3100$ core years expended for the discrete logarithm record for prime fields, set in a field of bit-length $795$, and demonstrates just how much easier the problem is for this level of computational effort. In order to make the computation feasible we introduced several innovative techniques for the elimination of small degree irreducible elements, which meant that we avoided performing any costly Gröbner basis computations, in contrast to all previous records since early 2013. While such computations are crucial to the $L(\frac{1}{4} + o(1))$ complexity algorithms, they were simply too slow for our purposes. Finally, this computation should serve as a serious deterrent to cryptographers who are still proposing to rely on the discrete logarithm security of such finite fields in applications, despite the existence of two quasi-polynomial algorithms and the prospect of even faster algorithms being developed.
Hamish Hunt, Jack Crawford, Oliver Masters, Enrico Steffinlongo, Flavio Bergamaschi
ePrint Report
The ability to query a database privately is nowadays ubiquitous via an encrypted channel. With the advent of homomorphic encryption, there is a want to expand the notion of privacy in this context to querying privately on the database with the database learning as little to no information of the query data or its result. The ability to compute the intersection from at least two parties’ sets that are kept private only to themselves is known as private set intersection (PSI) and should be considered a fundamental operation in several homomorphic computation scenarios to do useful work; not least for the ability to implement queries on a database. We outline in this paper a novel highly configurable PSI structure to be used in private querying providing the possibility that even the exact query itself can be protected from the database if required. As well as complex database lookups, there is also a more complex partial matching. The outline of the system design is discussed and we report preliminary results on some of the fundamental operations. We demonstrate that this technology is emerging as a viable given response to lookup queries and partially matching on an encrypted database with over a million entries in approximately 9 minutes.
Diana Ghinea, Martin Hirt, Chen-Da Liu-Zhang
ePrint Report
Broadcast is a fundamental primitive in distributed computing. It allows a sender to consistently distribute a message among $n$ recipients. The seminal result of Pease et al. [JACM'80] shows that in a complete network of synchronous bilateral channels, broadcast is achievable if and only if the number of corruptions is bounded by $t < n/3$. To overcome this bound, a fascinating line of works, Fitzi and Maurer [STOC'00], Considine et al. [JC'05] and Raykov [ICALP'15], proposed strengthening the communication network by assuming partial synchronous broadcast channels, which guarantee consistency among a subset of recipients.

We extend this line of research to the asynchronous setting. We consider reliable broadcast protocols assuming a communication network which provides each subset of $b$ parties with reliable broadcast channels. A natural question is to investigate the trade-off between the size $b$ and the corruption threshold $t$. We answer this question by showing feasibility and impossibility results:
  • A reliable broadcast protocol that: for $3 \le b \le 4$, is secure up to $t < n/2$ corruptions; for $b > 4$ even, is secure up to $t < \left(\frac{b-4}{b-2} n + \frac{8}{b-2}\right)$ corruptions; for $b > 4$ odd, is secure up to $t < \left(\frac{b-3}{b-1} n + \frac{6}{b-1}\right)$ corruptions.
  • A nonstop reliable broadcast, where parties are guaranteed to obtain output as in reliable broadcast but may need to run forever, secure up to $t < \frac{b-1}{b+1} n$ corruptions.
  • There is no protocol for (nonstop) reliable broadcast secure up to $t \ge \frac{b-1}{b+1} n$ corruptions, implying that the reliable broadcast protocol is asymptotically optimal, and the nonstop reliable broadcast protocol is optimal.
Dominique Unruh
ePrint Report
We present a computer-verified formalization of the post-quantum security proof of the Fujisaki-Okamoto transform (as analyzed by Hövelmanns, Kiltz, Schäge, and Unruh, PKC 2020). The formalization is done in quantum relational Hoare logic and checked in the qrhl-tool (Unruh, POPL 2019).
Qizheng Wang, Wenping Ma, Jie Li, Ge Liu
ePrint Report
As cloud computing matures, Machine Learning as a Service (MLaaS) has received more attention. In many scenarios, sensitive information also has a demand for MLaaS, but it should not be exposed to others, which brings a dilemma. In order to solve this dilemma, many works have proposed privacy-protected machine learning frameworks. Compared with plain-text tasks, cipher-text inference has higher computation and communication overhead. In addition to the difficulties caused by cipher-text calculations, the nonlinear activation functions in machine learning models are not friendly to Homomorphic Encryption (HE) and Secure Multi-Party Computation (MPC). The nonlinear activation function can effectively improve the performance of the network, and it seems that the high overhead brought by it is inevitable. In order to solve this problem, this paper re-explains the mechanism of the nonlinear activation function in forward propagation from another perspective, and based on this observation proposes a dynamic parameter combination scheme as an alternative, called DPC. DPC allows the decoupling of nonlinear operations and linear operations in neural networks. This work further uses this feature to design an HE-based framework and an MPC-based framework, so that non-linear operations can be completed locally by the user through pre-computation, which greatly improves the efficiency of privacy-protected data prediction. The evaluation results show that linear neural networks with DPC can achieve high accuracy. Without other optimizations, the HE-based framework proposed in this work shows 2x faster execution than CryptoNets, relying only on the advantage of DPC. The MPC-based framework proposed in this work can achieve efficiency similar to plain-text prediction, and has advantages over other work in terms of communication complexity and computational complexity.
Florian Unterstein, Marc Schink, Thomas Schamberger, Lars Tebelmann, Manuel Ilg, Johann Heyszl
ePrint Report
The security of Internet of Things (IoT) devices relies on fundamental concepts such as cryptographically protected firmware updates. In this context attackers usually have physical access to a device and therefore side-channel attacks have to be considered. This makes the protection of required cryptographic keys and implementations challenging, especially for commercial off-the-shelf (COTS) microcontrollers that typically have no hardware countermeasures. In this work, we demonstrate how unprotected hardware AES engines of COTS microcontrollers can be efficiently protected against side-channel attacks by constructing a leakage resilient pseudo random function (LR-PRF). Using this side-channel protected building block, we implement a leakage resilient authenticated encryption with associated data (AEAD) scheme that enables secured firmware updates. We use concepts from leakage resilience to retrofit side-channel protection on unprotected hardware AES engines by means of software-only modifications. The LR-PRF construction leverages frequent key changes and low data complexity together with key dependent noise from parallel hardware to protect against side-channel attacks. Contrary to most other protection mechanisms such as time-based hiding, no additional true randomness is required. Our concept relies on parallel S-boxes in the AES hardware implementation, a feature that is fortunately present in many microcontrollers as a measure to increase performance. In a case study, we implement the protected AEAD scheme for two popular ARM Cortex-M microcontrollers with differing parallelism. We evaluate the protection capabilities in realistic IoT attack scenarios, where non-invasive EM probes or power consumption measurements are employed by the attacker. We show that the concept provides the side-channel hardening that is required for the long-term security of IoT devices.
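As an added example (not the paper's code), the Python below makes the "frequent key changes and low data complexity" point concrete with a GGM-style re-keying tree: the current key encrypts one of two fixed public plaintexts, selected by the next input bit, and the ciphertext becomes the next key, so any single key is ever applied to at most two plaintexts. The block cipher is modelled with SHA-256 as a stand-in for the hardware AES engine (an assumption made so the example runs anywhere), and it records the per-key data complexity so the property can be compared against an unprotected PRF that encrypts every query under the same long-lived key. Whether this exact bit-wise tree is the paper's instantiation is not stated in the abstract; it is the generic LR-PRF shape.

```python
import hashlib

# Two fixed public plaintexts; a derived key is only ever applied to these.
PT0 = bytes(16)
PT1 = bytes([0xFF] * 16)


class LeakyBlockCipher:
    """Stand-in for the microcontroller's hardware AES engine.  E_k(pt) is
    modelled with SHA-256 (constructed for this example, not AES).  It records
    the distinct plaintexts each key is used with, which is the data
    complexity a side-channel attacker can exploit against that key."""

    def __init__(self):
        self.inputs_per_key = {}

    def encrypt(self, key, pt):
        self.inputs_per_key.setdefault(key, set()).add(pt)
        return hashlib.sha256(key + pt).digest()[:16]

    def max_data_complexity(self):
        """Largest number of distinct plaintexts any single key was used with."""
        return max(len(s) for s in self.inputs_per_key.values())


def lr_prf(cipher, master_key, x, bits=128):
    """GGM-style leakage-resilient PRF on a `bits`-bit input x.  Walk the bits
    from the most significant; at each step the current key encrypts PT0 or
    PT1 and the ciphertext replaces the key.  Every key therefore sees at most
    two plaintexts, no matter how many PRF queries the attacker observes."""
    k = master_key
    for i in range(bits - 1, -1, -1):
        k = cipher.encrypt(k, PT1 if (x >> i) & 1 else PT0)
    return k


def unprotected_prf(cipher, master_key, x, bits=128):
    """Baseline: one long-lived key encrypts every query, so its data
    complexity equals the number of distinct queries observed."""
    return cipher.encrypt(master_key, x.to_bytes(bits // 8, "big"))


def compare_data_complexity(n_queries):
    """Run n_queries through both PRFs and return the per-key data complexity
    each construction exposes as (leakage_resilient, unprotected)."""
    mk = bytes(range(16))  # constructed master key for the demonstration
    c_lr, c_plain = LeakyBlockCipher(), LeakyBlockCipher()
    for x in range(n_queries):
        lr_prf(c_lr, mk, x)
        unprotected_prf(c_plain, mk, x)
    return c_lr.max_data_complexity(), c_plain.max_data_complexity()


if __name__ == "__main__":
    print(compare_data_complexity(256))  # (2, 256)
```

The cost of the construction is one block-cipher call per input bit, which is why the abstract's reliance on parallel S-boxes and key-dependent noise matters: with data complexity capped at two, a DPA attacker cannot average away the noise over many inputs, but the re-keying chain must still be cheap enough for a firmware-update AEAD on a Cortex-M.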