International Association for Cryptologic Research


IACR News


16 April 2021

Virtual event, Anywhere on Earth, 16 September 2021
Event Calendar
Event date: 16 September 2021
Submission deadline: 1 June 2021
Notification: 14 July 2021
Peng Xu, Willy Susilo, Wei Wang, Tianyang Chen, Qianhong Wu, Hai Jin
ePrint Report
Dynamic searchable symmetric encryption (DSSE) has been widely recognized as a promising technique to delegate update and search queries over an outsourced database to an untrusted server while guaranteeing the privacy of data. Many efforts on DSSE have been devoted to obtaining a good tradeoff between security and performance. However, it appears that all existing DSSE works miss studying what will happen if the DSSE client carelessly issues irrational update queries, such as duplicate update queries and delete queries to remove non-existent entries (which have been considered by many popular database systems in the plaintext setting). In this scenario, we find that (1) most prior works lose their claimed correctness or security, and (2) no single approach can achieve correctness, forward and backward security, and practical performance at the same time. To address this problem, we study for the first time the notion of robustness of DSSE. Generally, we say that a DSSE scheme is robust if it can keep the same correctness and security even in the case of misoperations. Then, we introduce a new cryptographic primitive named key-updatable pseudo-random function and apply this primitive to constructing ROSE, a robust DSSE scheme with forward and backward security. Finally, we demonstrate the efficiency of ROSE by analyzing its computation and communication complexities and testing its search performance. The experimental results show that ROSE has a very efficient search performance over a large dataset.
Javier Herranz, Ramiro Martínez, Manuel Sánchez
ePrint Report
In an electronic voting procedure, mixing networks are used to ensure anonymity of the cast votes. Each node of the network re-encrypts the input list of ciphertexts and randomly permutes it in a process named shuffle, and must prove (in zero-knowledge) that the process was applied honestly. To maintain security of such a process in a post-quantum scenario, new proofs are based on different mathematical assumptions, such as lattice-based problems. Nonetheless, the best lattice-based protocols to ensure verifiable shuffling have linear communication complexity in $N$, the number of shuffled ciphertexts.

In this paper we propose the first sub-linear (in $N$) post-quantum zero-knowledge argument for the correctness of a shuffle, for which we have mainly used two ideas: arithmetic circuit satisfiability results from Baum \textit{et al.} (CRYPTO'2018) and Bene$\check{\text{s}}$ networks to model a permutation of $N$ elements. The achieved communication complexity of our protocol with respect to $N$ is $\mathcal{O}(\sqrt{N}\log^2(N))$, but we will also highlight its dependency on other important parameters of the underlying lattice ingredients.
"Danny" Niu Jianfang
ePrint Report
Xifrat was a cryptosystem proposed about half a month ago. This paper demonstrates an attack that computes the mixing function without knowing its key.
Takanori Isobe, Ryoma Ito
ePrint Report
In the wake of the global COVID-19 pandemic, video conference systems have become essential for not only business purposes, but also private, academic, and educational uses. Among the various systems, Zoom is the most widely deployed video conference system. In October 2020, Zoom Video Communications rolled out their end-to-end encryption (E2EE) to protect conversations in a meeting from even insiders, namely, the service provider Zoom. In this study, we conduct thorough security evaluations of the E2EE of Zoom (version 2.3.1) by analyzing their cryptographic protocols. We discover several attacks more powerful than those expected by Zoom according to their whitepaper. Specifically, if insiders collude with meeting participants, they can impersonate any Zoom user in target meetings, whereas Zoom indicates that they can impersonate only the current meeting participants. Besides, even without relying on malicious participants, insiders can impersonate any Zoom user in target meetings though they cannot decrypt meeting streams. In addition, we demonstrate several impersonation attacks by meeting participants or insiders colluding with meeting participants. Although these attacks may be beyond the scope of the security claims made by Zoom or may be already mentioned in the whitepaper, we reveal the details of the attack procedures and their feasibility in the real-world setting and propose effective countermeasures in this paper. Our findings are not an immediate threat to the E2EE of Zoom; however, we believe that these security evaluations are of value for deeply understanding the security of E2EE of Zoom.
Ferhat Yaman, Ahmet Can Mert, Erdinç Öztürk, Erkay Savaş
ePrint Report
Polynomial multiplication is one of the most time-consuming operations utilized in lattice-based post-quantum cryptography (PQC) schemes. CRYSTALS-KYBER is a lattice-based key encapsulation mechanism (KEM) and it was recently announced as one of the four finalists at round three in NIST's PQC Standardization. Therefore, efficient implementations of polynomial multiplication operation are crucial for high-performance CRYSTALS-KYBER applications. In this paper, we propose three different hardware architectures (lightweight, balanced, high-performance) that implement the NTT, Inverse NTT (INTT) and polynomial multiplication operations for the CRYSTALS-KYBER scheme. The proposed architectures include a unified butterfly structure for optimizing polynomial multiplication and can be utilized for accelerating the key generation, encryption and decryption operations of CRYSTALS-KYBER. Our high-performance hardware with 16 butterfly units shows up to 112×, 132× and 109× improved performance for NTT, INTT and polynomial multiplication, respectively, compared to the high-speed software implementations on Cortex-M4.
Alireza Kavousi, Javad Mohajeri, Mahmoud Salmasizadeh
ePrint Report
In this paper, we present a concretely efficient protocol for private set intersection (PSI) in the multi-party setting using an oblivious pseudorandom function (OPRF). In fact, we generalize the approach used in the work of Chase and Miao [CRYPTO 2020] towards deploying a lightweight multi-point OPRF construction for two-party PSI. Our protocol only includes oblivious transfer (OT) extension and garbled Bloom filters as its main ingredients and avoids computationally expensive operations. From a communication pattern perspective, our protocol consists of two types of interactions. The first type is performed over a star-like communication graph in which one designated party interacts with all other parties by performing OTs as the sender. Besides, parties communicate through a path-like communication graph that involves sending a garbled Bloom filter from the first party to its neighboring party, and so on until the last one. This design makes our protocol highly scalable, since each party's complexity is independent of the number of participating parties, and thus yields communication and computation complexities of $O(n\lambda k)$ where $n$ is the set size, $k$ is the number of hash functions, and $\lambda$ is the security parameter. Moreover, the asymptotic complexity of the designated party is $O(tn\lambda)$, which scales linearly with the number of parties. We prove the security of our protocol against semi-honest adversaries.

15 April 2021

CHES
Since 2015, a crypto-engineering challenge has been organized every year in cooperation with CHES.

This year the CHES Challenge has two tracks:
  • A hardware security challenge: HACK@CHES 2021
  • A white-box cryptography challenge: The WhibOx Contest 2021
HACK@CHES 2021 challenges participants to discover hardware vulnerabilities in an SoC. Winners will be awarded with fame and a $2000 cash prize. Challenge website: https://hackatevent.org/hackches21/

The WhibOx Contest 2021 challenges participants to design and/or break white-box implementations of ECDSA. Winners will be awarded with fame and a $2000 cash prize. Challenge website: https://whibox-contest.github.io/2021/

Spread the word and have fun!
Subspace Labs | SFBA & Remote
Job Posting
We are seeking a core protocol engineer to help implement the Subspace Network (https://subspace.network), a radically decentralized, next-generation blockchain written in Rust, using the Substrate framework. Subspace employs a novel proof-of-storage consensus algorithm and a decoupled execution framework, which allows it to scale far beyond existing blockchains, without sacrificing security or decentralization. Subspace Labs is an early-stage, venture-backed startup with a globally distributed team. To learn more visit our website and read the technical whitepaper.

Responsibilities

  • Become a leading contributor and core maintainer of the Subspace Network
  • Implement a series of novel consensus, execution, and scalability proposals
  • Maintain the highest standards of distributed open-source software development including modular design, comprehensive testing, proper documentation, and responsive support.
Requirements

  • Experience with current blockchain technologies and landscape
  • Theoretical background in distributed systems, such as consensus algorithms, as well as cryptographic fundamentals
  • Strong knowledge of a modern systems programming language, such as Rust, C++, or Go, and willingness to learn Rust.
  • Experience working with large open-source codebases
Nice to Have

  • Familiarity with the Rust language and its ecosystem
  • Familiarity with Substrate and the Polkadot ecosystem
  • Experience implementing blockchain consensus protocols
  • A passion for decentralized, peer-to-peer systems and Web3 technologies
Benefits

  • A remote work environment with a high degree of autonomy and agency
  • You will play a critical role in implementing a new layer one blockchain
  • Salary and options befitting an early hire at a venture-backed startup

Closing date for applications:

Contact: Jeremiah Wagstaff

More information: https://jobs.lever.co/subspacelabs/7f6a654b-60a8-4740-aa19-36b9f7a9e624?lever-origin=applied&lever-source%5B%5D=IACR%20Jobs

LTCI, Télécom Paris, Institut polytechnique de Paris, France
Job Posting

Guaranteeing the confidentiality of sensitive information held or communicated by an object involves the use of various security mechanisms, such as authentication or encryption. These mechanisms rely on cryptographic algorithms that are secure from a mathematical point of view, but whose physical implementation may contain vulnerabilities that can be exploited by a malicious person. For instance, reducing the supply voltage or increasing the clock frequency of an integrated circuit beyond the limits for which it has been designed is a means to introduce faults into its operations. It is then possible, at low cost, to recover all or part of the data memory, or to bypass checks of passwords or access rights.

These attacks, called fault injection attacks (FIA), are carried out in practice using a laser beam or a near-field probe radiating a pulsed electromagnetic field. Numerous FIA countermeasures have been proposed, mainly based on redundancy, and considering that one injection faults only one single sensitive variable. However, we have recently shown that a single injection can fault several successive assembler instructions, and consequently several variables, and it is also known that several injections, also faulting several variables, can be carried out.

This calls into question redundancy as a protection strategy, whether implemented as software countermeasures or as hardware countermeasures such as memory with error-correcting codes or dual-core processors in lockstep mode. The first objective of the thesis is to evaluate the resistance of this kind of protection, first in a practical way, then using simulations, preferably static but possibly dynamic. The second objective is to evaluate, and if necessary improve, resilience-based countermeasures, in particular infective countermeasures.

Closing date for applications:

Contact: Laurent Sauvage

More information: https://www.adum.fr/as/ed/voirproposition.pl?langue=&site=TelecomPT&matricule_prop=36459

IMDEA Software Institute
Job Posting

Applications are invited for one PhD student position at the IMDEA Software Institute (Madrid, Spain). Selected candidates will work with Marco Guarnieri (https://mguarnieri.github.io, marco dot guarnieri at imdea dot org) on the testing (specifically fuzzing) and verification of hardware-level defenses against microarchitectural attacks. The specific topic of the research will be determined based on the common interests of the candidate and the supervisor.

Who should apply?

Ideal candidates have earned (or are in their last year of) a Master's degree in Computer Science, Computer Engineering, or Mathematics, with experience and interest in at least one of the following areas:

  • Computer security
  • Testing (and fuzzing in particular)
  • Computer architectures
  • Program analysis and verification
  • Formal methods
  • Logics
Solid programming skills will be highly valued. The position requires good teamwork and communication skills, including excellent spoken and written English.

Working at IMDEA Software

The IMDEA Software Institute is ranked among the best European research institutes in the areas of Programming Languages and Computer Security. Located in the Montegancedo Science and Technology Park, it perfectly combines the sunny and vibrant city of Madrid with cutting-edge research and an inspiring working environment. The institute provides an internationally competitive stipend, access to an excellent public health care system, unemployment benefits, retirement benefits, and support for research-related travel. The working language at the institute is English. Knowledge of Spanish is not required.

Dates

The duration of the position is intended to be for the duration of the doctoral studies. The ideal starting period is summer/fall 2021. Deadline for applications is April 30th, 2021. Review of applications will begin immediately, and continue until the positions are filled.

How to apply?

See http://software.imdea.org/open_positions/2021-04-phd-uarchsec-testing.html

Closing date for applications:

Contact: Marco Guarnieri (marco dot guarnieri at imdea dot org)

More information: http://software.imdea.org/open_positions/2021-04-phd-uarchsec-testing.html

IMDEA Software Institute
Job Posting

Applications are invited for one PhD student position at the IMDEA Software Institute (Madrid, Spain). Selected candidates will work with Marco Guarnieri (https://mguarnieri.github.io) on the design, verification, and implementation of compiler-level countermeasures against microarchitectural and side-channel attacks. The specific topic of the research will be determined based on the common interests of the candidate and the supervisor.

Who should apply?

Ideal candidates have earned (or are in their last year of) a Master's degree in Computer Science, Computer Engineering, or Mathematics, with experience and interest in at least one of the following areas:

  • Computer security
  • Programming languages and compilers
  • Program analysis and verification
  • Formal methods
  • Logics
Solid programming skills will be highly valued. The position requires good teamwork and communication skills, including excellent spoken and written English.

Working at IMDEA Software

The IMDEA Software Institute is ranked among the best European research institutes in the areas of Programming Languages and Computer Security. Located in the Montegancedo Science and Technology Park, it perfectly combines the sunny and vibrant city of Madrid with cutting-edge research and an inspiring working environment. The institute provides an internationally competitive stipend, access to an excellent public health care system, unemployment benefits, retirement benefits, and support for research-related travel. The working language at the institute is English. Knowledge of Spanish is not required.

Dates

The duration of the position is intended to be for the duration of the doctoral studies. The ideal starting period is summer/fall 2021. Deadline for applications is April 30th, 2021. Review of applications will begin immediately, and continue until the positions are filled.

How to apply?

See https://software.imdea.org/open_positions/2021-04-phd-uarchsec-compilers.html

Closing date for applications:

Contact: Marco Guarnieri (marco dot guarnieri at imdea dot org)

Joppe W. Bos, Marc Gourjon, Joost Renes, Tobias Schneider, Christine van Vredendaal
ePrint Report
In the final phase of the post-quantum cryptography standardization effort, the focus has been extended to include the side-channel resistance of the candidates. While some of the schemes have been already extensively analyzed in this regard, there is no such study yet of the finalist Kyber.

In this work, we demonstrate the first completely masked implementation of Kyber which is protected against first- and higher-order attacks. To the best of our knowledge, this results in the first higher-order masked implementation of any post-quantum secure key encapsulation mechanism algorithm. This is realized by introducing two new techniques. First, we propose a higher-order algorithm for the one-bit compression operation. This is based on a masked bit-sliced binary-search that can be applied to prime moduli. Second, we propose a technique which enables one to compare uncompressed masked polynomials with compressed public polynomials. This avoids the costly masking of the ciphertext compression while being able to be instantiated at arbitrary orders.

We show performance results for first-, second- and third-order protected implementations on the Arm Cortex-M0+. Notably, our implementation of first-order masked Kyber decapsulation requires 12.2 million cycles. This is a factor 2.2 overhead compared to an unprotected implementation. We experimentally show that the first-order implementation of our new modules is hardened against attacks using 100,000 traces and mechanically verify the security in a fine-grained leakage model using the verification tool scVerif.
Anita Aghaie, Amir Moradi
ePrint Report
The developments in the areas of strong Physical Unclonable Functions (PUFs) predicate an ongoing struggle between designers and attackers. Such a combat motivated the atmosphere of open research, hence enhancing PUF designs in the presence of Machine Learning (ML) attacks. As an example of this controversy, at CHES 2019, a novel delay-based PUF (iPUF) has been introduced and claimed to be resistant against various ML and reliability attacks. At CHES 2020, a new divide-and-conquer modeling attack (splitting iPUF) has been presented showing the vulnerability of even large iPUF variants. Such attacks and analyses are naturally examined purely in the simulation domain, where some metrics like uniformity are assumed to be ideal. This assumption is motivated by a common belief that implementation defects (such as bias) may ease the attacks. In this paper, we highlight the critical role of uniformity in the success of ML attacks, and for the first time present a case where the bias originating from implementation defects hardens certain learning problems in complex PUF architectures. We present the result of our investigations conducted on a cluster of 100 Xilinx Artix 7 FPGAs, showing the incapability of the splitting iPUF attack to model even small iPUF instances when facing a slight non-uniformity. In fact, our findings imply that non-ideal conditions due to implementation defects should also be considered when developing an attack vector on complex PUF architectures like iPUF. On the other hand, we observe a relatively low uniqueness even when following the suggestions made by the iPUF’s original authors with respect to the FPGA implementations, which indeed questions the promised physical unclonability.
Alexander Heinrich, Matthias Hollick, Thomas Schneider, Milan Stute, Christian Weinert
ePrint Report
Apple's offline file-sharing service AirDrop is integrated into more than 1.5 billion end-user devices worldwide. We discovered two design flaws in the underlying protocol that allow attackers to learn the phone numbers and email addresses of both sender and receiver devices. As a remediation, we study the applicability of private set intersection (PSI) to mutual authentication, which is similar to contact discovery in mobile messengers. We propose a novel optimized PSI-based protocol called PrivateDrop that addresses the specific challenges of offline resource-constrained operation and integrates seamlessly into the current AirDrop protocol stack. Using our native PrivateDrop implementation for iOS and macOS, we experimentally demonstrate that PrivateDrop preserves AirDrop's exemplary user experience with an authentication delay well below one second. We responsibly disclosed our findings to Apple and open-sourced our PrivateDrop implementation.
Jakub Klemsa
ePrint Report
With the rise of lattice cryptography, (negacyclic) convolution has received increased attention. E.g., the NTRU scheme internally employs cyclic polynomial multiplication, which is equivalent to the standard convolution; on the other hand, many Ring-LWE-based cryptosystems perform negacyclic polynomial multiplication. A method by Crandall implements an efficient negacyclic convolution over a finite field of prime order using an extended Discrete Galois Transform (DGT), a finite field analogue of the Discrete Fourier Transform (DFT). Compared to DGT, the classical DFT runs faster by an order of magnitude; however, it suffers from inevitable rounding errors due to finite floating-point number representation. In a recent Fully Homomorphic Encryption (FHE) scheme by Chillotti et al. named TFHE, small errors are acceptable (although not welcome), therefore we decided to investigate the application of DFT for negacyclic convolution.

The primary goal of this paper is to suggest a method for fast negacyclic convolution over integer coefficients using an extended DFT. The key contribution is a thorough analysis of error propagation, as a result of which we derive parameter bounds that can guarantee even error-free results. We also suggest a setup that admits rare errors, which allows one to increase the degree of the polynomials and/or their maximum norm at a fixed floating-point precision. Finally, we run benchmarks with parameters derived from a practical TFHE setup. We achieve around 24× better times than the generic NTL library (comparable to Crandall's method) and around 4× better times than a naïve approach with DFT, with no errors.
Tim Fritzmann, Michiel Van Beirendonck, Debapriya Basu Roy, Patrick Karl, Thomas Schamberger, Ingrid Verbauwhede, Georg Sigl
ePrint Report
Side-channel attacks can break mathematically secure cryptographic systems leading to a major concern in applied cryptography. While the cryptanalysis and security evaluation of Post-Quantum Cryptography (PQC) have already received an increasing research effort, a cost analysis of efficient side-channel countermeasures is still lacking. In this work, we propose a masked HW/SW codesign of the NIST PQC finalists Kyber and Saber, suitable for their different characteristics. Among others, we present a novel masked ciphertext compression algorithm for non-power-of-two moduli. To accelerate linear performance bottlenecks, we developed a generic Number Theoretic Transform (NTT) multiplier, which, in contrast to previously published accelerators, is also efficient and suitable for schemes not based on NTT. For the critical non-linear operations, masked HW accelerators were developed, allowing a secure execution using RISC-V instruction set extensions. Our experimental results show a cycle count reduction factor of 3.18 for Kyber (K:245k/E:319k/D:339k) and 2.66 for Saber (K:229k/E:308k/D:347k) compared to the latest optimized ARM Cortex-M4 implementations. While Saber performs slightly better for the key generation and encapsulation, Kyber has slight performance advantages for the decapsulation. The masking overhead for the first-order secure decapsulation operation including randomness generation is around 4.14 for Kyber (D:1403k) and 2.63 for Saber (D:915k).
Yaron Gvili, Julie Ha, Sarah Scheffler, Mayank Varia, Ziling Yang, Xinyuan Zhang
ePrint Report
In this work, we present a zero knowledge argument for general arithmetic circuits that is public-coin and constant rounds, so it can be made non-interactive and publicly verifiable with the Fiat-Shamir heuristic. The construction is based on the MPC-in-the-head paradigm, in which the prover jointly emulates all MPC protocol participants and can provide advice in the form of Beaver triples whose accuracy must be checked by the verifier. Our construction follows the Beaver triple sacrificing approach used by Baum and Nof [PKC 2020]. Our improvements reduce the communication per multiplication gate from 4 to 2 field elements, matching the performance of the cut-and-choose approach taken by Katz, Kolesnikov, and Wang [CCS 2018] and with lower additive overhead for some parameter settings. We implement our protocol and analyze its cost on Picnic-style post-quantum digital signatures based on the AES family of circuits.
Agathe Cheriere, Lina Mortajine, Tania Richmond, Nadia El Mrabet
ePrint Report
ROLLO is a candidate in the second round of the NIST Post-Quantum Cryptography standardization process. In the last update in April 2020, it comprised a key encapsulation mechanism (ROLLO-I) and a public-key encryption scheme (ROLLO-II). In this paper, we propose an attack to recover the syndrome during the decapsulation process of ROLLO-I. From this syndrome, we explain how to perform a private key recovery. We target two constant-time implementations: the C reference implementation and a C implementation available on GitHub. By obtaining power measurements during the execution of the Gaussian elimination function, we are able to extract each element of the syndrome from a single trace. This attack can also be applied to the decryption process of ROLLO-II.
Aaqib Bashir Dar, Mashhood Jeelani Lone, Nuzhat Hussain
ePrint Report
Block ciphers have been extremely predominant in the area of cryptography, and due to the paradigm shift towards devices of a resource-constrained nature, lightweight block ciphers have strongly influenced the field and have been a go-to option ever since. The growth of resource-constrained devices has put forth a dire need for security solutions that are feasible in terms of resources without taking a toll on the security that they offer. As the world is starting to move towards the Internet of Things (IoT), data security and privacy in this environment is a major concern. This is because a huge number of devices that operate in this environment are resource constrained. Because of their resource-constrained nature, advanced mainstream cryptographic ciphers and techniques do not perform as efficiently on such devices. This has led to the boom in the field of 'lightweight cryptography', which aims at developing cryptographic techniques that perform efficiently in a resource-constrained environment. Over the past two decades or so, a bulk of lightweight block ciphers have been proposed due to the growing need and demand in lightweight cryptography. In this paper, we review the state-of-the-art lightweight block ciphers, present a comprehensive design niche, give a detailed taxonomy with multiple classifications and present future research directions.