Information and Communications Security

The complexity and outsourcing trend of modern System-on-Chips (SoC) has made Hardware Trojan (HT) a real threat for the SoC security. In the state-of-the-art, many techniques have been proposed in order to detect the HT insertion. Side-channel based methods emerge as a good approach used for the HT detection. They can extract any difference in the power consumption, electromagnetic (EM) emanation, delay propagation, etc. caused by the HT insertion/modification in the genuine design. Therefore, they can be applied to detect the HT even when it is not activated. However, these methods are evaluated on overly simple design prototypes such as AES coprocessors. Moreover, the analytical approach used for these methods is limited by some statistical metrics such as the direct comparison of EM traces or the T-test coefficients. In this paper, we propose two new detection methodologies based on Machine Learning algorithms. The first method consists in applying the supervised Machine Learning (ML) algorithms on raw EM traces for the classification and detection of HT. It offers a detection rate close to 90% and false negative smaller than 5%. For the second method, we propose a method based on the Outlier/Novelty algorithms. This method combined with the T-test based signal processing technique, when compared with state-of-the-art, offers a better performance with a detection rate close to 100% and a false positive smaller than 1%. We have evaluated the performance of our method on a complex target design: RISC-V generic processors. The three HTs with the corresponding sizes of 0.53%, 0.27% and 0.1% of the RISC-V processors are inserted for the experimentation. The experimental results show that the inserted HTs, though minimalist, can be detected using our new methodology.

A primary concern in creating compartments (i.e., protection domains) for bare-metal systems is to adopt the applicable compartmentalization policy. Existing studies have proposed several typical policies in literature. However, neither of the policies consider the influence of unsafe functions on the compartment security that a vulnerable function would expose unpredictable attack surfaces, which could be exploited to manipulate any contents that are stored in the same compartment. In this paper, we design a machine learning-assisted compartmentalization scheme, which adopts a new policy that takes every function’s security into full account, to create compartments for bare-metal systems. First, the scheme takes advantage of the machine learning method to predict how likely a function holds an exploitable security bug. Second, the prediction results are used to create a new instrumented firmware that isolates vulnerable and normal functions into different compartments. Further, the scheme provides some optional optimization plans to the developer to improve the performance. The PoC of the scheme is incorporated into an LLVM-based compiler and evaluated on a Cortex-M based IoT device. Compared with the firmware adopting other typical policies, the firmware with the new policy not only shows better security but also assures the overhead basically unchanged.

Malware authors do their best to conceal their malicious software to increase its probability of spreading and to slow down analysis. One method used to conceal malware is packing, in which the original malware is completely hidden through compression or encryption, only to be reconstructed at run-time. In addition, packers can be metamorphic, meaning that the output of the packer will never be exactly the same, even if the same file is packed again. As the use of known off-the-shelf malware packers is declining, it is becoming increasingly more important to implement methods of detecting packed executables without having any known samples of a given packer. In this study, we evaluate the use of recurrent neural networks as a means to classify whether or not a file is packed by a metamorphic packer. We show that even with quite simple networks, it is possible to correctly distinguish packed executables from non-packed executables with an accuracy of up to $$89.36\%$$ 89.36 % when trained on a single packer, even for samples packed by previously unseen packers. Training the network on more packer raises this number to up to $$99.69\%$$ 99.69 % .

In this work, we study the privacy risk due to profile matching across online social networks (OSNs), in which anonymous profiles of OSN users are matched to their real identities using auxiliary information about them. We consider different attributes that are publicly shared by users. Such attributes include both strong identifiers such as user name and weak identifiers such as interest or sentiment variation between different posts of a user in different platforms. We study the effect of using different combinations of these attributes to profile matching in order to show the privacy threat in an extensive way. The proposed framework mainly relies on machine learning techniques and optimization algorithms. We evaluate the proposed framework on three datasets (Twitter - Foursquare, Google+ - Twitter, and Flickr) and show how profiles of the users in different OSNs can be matched with high probability by using the publicly shared attributes and/or the underlying graphical structure of the OSNs. We also show that the proposed framework notably provides higher precision values compared to state-of-the-art that relies on machine learning techniques. We believe that this work will be a valuable step to build a tool for the OSN users to understand their privacy risks due to their public sharings.

We propose a new lattice-based digital signature scheme $$\textsf {MLWRSign} $$ MLWRSign by modifying $$\textsf {Dilithium} $$ Dilithium , which is one of the second-round candidates of NIST’s call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.

We present the first constant-round, multicast, tree-based Ring-LWE group key exchange protocol with logarithmic communication and memory complexity. Our protocol achieves post-quantum security through a reduction to a Diffie-Hellman-like decisional analogue to the decisional Ring-LWE problem. We also present a sequential, multicast, tree-based Ring-LWE group key exchange protocol with constant communication and memory complexity but a logarithmic number of rounds.

Cryptocurrencies are a new form of digital asset and are being widely used throughout the world. A variety of cryptocurrency-based botnets have been proposed and developed to utilize cryptocurrencies as new command and control (C&C) platforms. Most existing cryptocurrency-based botnets are bonded with the cryptocurrency client, which generates abnormal P2P traffic that can be easily detected and blocked. In addition, the commands embedded in transaction records can be easily traced, since the transaction records in a cryptocurrency network are usually publicly available. In this paper, we propose CoinBot, a novel botnet that based on the cryptocurrency networks. CoinBot is characterized by low cost, high resilience, stealthiness, and anti-traceability. Different from other cryptocurrency-based botnet, CoinBot utilizes Web2.0 services to achieve a dynamic addressing service for obtaining commands. As such, there is no need to run a cryptocurrency wallet application and hardcode a botmaster’s sensitive information in CoinBot, and the communications between the botmaster and the bots are hidden under legitimate HTTP/S traffic. Furthermore, we propose a cleaning scheme to prevent commands from being permanently recorded in the blockchain, thereby decreasing the risk of channel exposure. CoinBot is a generic model that can be applied to different kinds of cryptocurrency networks. We believe this model will be highly attractive to botmasters and could pose a considerable threat to cybersecurity. Therefore, we provide defensive suggestions to mitigate similar threats in the future.

Trusted Execution Environment (TEE) has been widely used as an approach to provide an isolated storage and computation environment for various protocols, and thus security features of TEE determine how to design these protocols. In practice, however, new TEE-based protocols are often designed empirically, and a lack of comprehensive analysis against real threat models easily results in vulnerabilities and attacks. Unlike most past work focusing on communication channels or secure enclaves, we present a formal model for TEE-based protocols, which includes a detailed threat model taking into account attacks from both network and TEE-based platforms together with a scalable multiset-rewriting modelling framework instantiated by Tamarin. Based on the proposed threat model and formalism, we use Tamarin to systematically and automatically analyze related offline and web-based protocols considering all combination of threats. The results and comparison highlight the protocols’ advantages and weaknesses inherited from TEE-based platforms. Moreover, we also capture some vulnerabilities that are difficult to be found under the traditional threat model and propose corresponding fixes.

The primitive of deniable encryption aims to protect the privacy of communicated data in the scenario of coercion by allowing the sender (or receiver or both of them) to open the ciphertext transmitted into a different message. There are two types of deniability, namely, multi-distributional deniability and full deniability, and the later provides better security guarantees than the former one. However, all existing schemes under the framework of full deniability are less efficient. In this paper, we first propose a new public key encryption scheme in which the ciphertexts could be decrypted by the receiver depending on the decision of the sender. Additionally, building on this encryption, we construct a new public-key sender-deniable encryption scheme under the framework of full deniability. Compared with Canetti et al.’s party scheme, the proposed scheme is superior in both efficiency andeniability.

Many blockchain researches focus on the privacy protection. However, criminals can leverage strong privacy protection of the blockchain to do illegal crimes (such as ransomware) without being punished. These crimes have caused huge losses to society and users. Implementing identity tracing is an important step in dealing with issues arising from privacy protection. In this paper, we propose a blockchain traceable scheme with oversight function (BTSOF). The design of BTSOF builds on SkyEye (Tianjun Ma et al., Cryptology ePrint Archive 2020). In BTSOF, the regulator must obtain the consent of the committee to enable tracing. Moreover, we construct a non-interactive verifiable multi-secret sharing scheme (VMSS scheme) and leverage the VMSS scheme to design a distributed multi-key generation (DMKG) protocol for the Cramer-Shoup public key encryption scheme. The DMKG protocol is used in the design of BTSOF. We provide the security definition and security proof of the VMSS scheme and DMKG protocol.

Functional encryption (FE) gives the power to retain control of sensitive information and is particularly suitable in several practical real-world use cases. Using this primitive, anyone having a specific functional decryption key (derived from some master secret key) could only obtain the evaluation of an authorized function f over a message m, given its encryption. For many scenarios, the data owner is always different from the functionality owner, such that a classical implementation of functional encryption naturally implies an interactive key generation protocol between an entity owning the function f and another one managing the master secret key. We focus on this particular phase and consider the case where the function needs to be secret.In this paper, we introduce the new notion of blind functional encryption in which, during an interactive key generation protocol, the master secret key owner does not learn anything about the function f. Our new notion can be seen as a generalisation of the existing concepts of blind IBE/ABE. After a deep study of this new property and its relation with other security notions, we show how to obtain a generic blind FE from any non-blind FE, using homomorphic encryption and zero-knowledge proofs of knowledge. We finally illustrate such construction by giving an efficient instantiation in the case of the inner product functionality.

In this paper, we propose a lattice-based HIBE scheme in the standard model with faster trapdoor delegation. It is proven secure under the Learning With Errors assumption. Inspired by Canetti et al.’s transformation (Eurocrypt’03), an HIBE can be converted into a forward-secure public-key encryption (FS-PKE) scheme, and the efficiency of key update relies on the efficiency of trapdoor delegation. For applications, our HIBE with faster delegation can be used to generate a lattice-based FS-PKE with faster key update. Furthermore, we also obtain a lattice-based forward-secure signature (FSS) scheme combining HIBE-like key-update technique with Zhang et al.’s short signature construction in the standard model (Crypto’16).

A Virtual Private Network (VPN) helps to mitigate security and privacy risks of data transmitting on unsecured network such as public Wi-Fi. However, despite awareness of public Wi-Fi risks becoming increasingly common, the use of VPN when using public Wi-Fi is low. To increase adoption, understanding factors driving user decision to adopt a VPN app is an important first step. This study is the first to achieve this objective using discrete choice experiments (DCEs) to elicit individual preferences of specific attributes of a VPN app. The experiments were run in the United Kingdom (UK) and Japan (JP). We first interviewed participants (15 UK, 17 JP) to identify common attributes of a VPN app which they considered important. The results were used to design and run a DCE in each country. Participants (149 UK, 94 JP) were shown a series of two hypothetical VPN apps, varying in features, and were asked to choose one which they preferred. Customer review rating, followed by price of a VPN app, significantly affected the decision to choose which VPN app to download and install. A change from a rating of 3 to 4–5 stars increased the probability of choosing an app by 33% in the UK and 14% in Japan. Unsurprisingly, price was a deterrent. Recommendations by friends, source of product reviews, and the presence of in-app ads also played a role but to a lesser extent. To actually use a VPN app, participants considered Internet speed, connection stability, battery level on mobile devices, and the presence of in-app ads as key drivers. Participants in the UK and in Japan prioritized these attributes differently, suggesting possible influences from cultural differences.

The Transport Layer Security (TLS) 1.3 protocol supports a fast zero round-trip time (0-RTT) session resumption mechanism, enabling clients to send data in their first flight of messages. This protocol has been designed with Web infrastructure in mind, and requires these first messages to not change any state on the server side, as it is susceptible to replay attacks. This is disastrous for common IoT scenarios, where sensors often transmit state-changing data to servers. As bandwidth is a huge concern in the IoT, the field stands to benefit significantly from an efficient session resumption protocol that does not suffer from these limitations. Building on the observation that in IoT scenarios the set of clients is often bounded and fairly static, we propose rTLS (ratchet TLS), an efficient 0-RTT session resumption protocol that dramatically decreases bandwidth overhead, while adding forward secrecy and break-in resilience, and is not susceptible against replay attacks.

Most malwares use evasion technologies to prevent themselves from being analyzed by sandbox systems. For example, they would hide their maliciousness if the presence of Virtual Machine (VM) is detected. A popular idea of detecting VM is to utilize the difference in instruction semantics between virtual environment and physical environment. Semantic detection has been widely studied, but existing works either have limited detection range (e.g. detect VMs on specific hypervisor) or cost too much time. And most methods are not available for various kinds of VMs while introducing acceptable performance overhead.In this paper, we proposed FindPiDicators, a new approach to select a few indicators (e.g. registers) and cases (instruction execution) through complete experiments and statistical analysis. Using FindPiDicators, we obtain PiDicators, a lightweight artifact that consists of some test cases and indicators. We use PiDicators to detect the presence of VM and it offers several benefits. 1) It could accurately detect VM without the influence of operating system, hardware environment and hypervisor. 2) PiDicators does not rely on API calls, thus it is transparent and hard to resist. 3) The detection based on PiDicators is time-efficient, for only 31 cases are considered and four registers’ values are required for each case.

This paper describes a Heterogeneous Confidential Computing (HCC) system composed of a CPU Trusted Computing Environment and a hardware accelerator. We implement two AES-GCM hardware engines with high-bandwidth and low-latency that are designed for end-to-end encryption of DMA transfers. Our solution minimizes changes to the hardware platform and to the application and SW stack. We prototyped and report the performance of protected image classification with proposed encrypted-DMA on an Intel Arria-10 FPGA.

We discuss the setting of information-theoretically secure channel protocols where confidentiality of transmitted data should hold against unbounded adversaries. We argue that there are two possible scenarios: One is that the adversary is currently bounded, but stores today’s communication and tries to break confidentiality later when obtaining more computational power or time. We call channel protocols protecting against such attacks future-secure. The other scenario is that the adversary already has extremely strong computational powers and may try to use that power to break current executions. We call channels withstanding such stronger attacks unconditionally-secure.We discuss how to instantiate both future-secure and unconditionally-secure channels. To this end we first establish according confidentiality and integrity notions, then prove the well-known composition theorem to also hold in the information-theoretic setting: Chosen-plaintext security of the channel protocol, together with ciphertext integrity, implies the stronger chosen-ciphertext notion. We discuss how to build future-secure channel protocols by combining computational message authentication schemes like HMAC with one-time pad encryption. Chosen-ciphertext security follows easily from the generalized composition theorem. We also show that using one-time pad encryption with the unconditionally-secure Carter-Wegman MACs we obtain an unconditionally-secure channel protocol.

Oblivious Parallel RAM (OPRAM) enables multiple clients to synchronously make read and write accesses to shared memory (more generally, any data-store) whilst hiding the access patterns from the owner/provider of that shared memory. Prior work is best suited to the setting of multiple processors (or cores) within a single client device, and consequently there are shortcomings when applying that work to the multi-client setting where distinct client devices may not trust each other, or may simply wish to minimise – for legal reasons or otherwise – the volume of data that is leaked to other client devices. In prior constructions, obliviousness from the storage provider is achieved by passing accesses between the clients in one or more sorting networks, both before and after the logical access is made to the shared memory: this process inherently leaks the contents of the accesses to those other clients.In this paper we address this issue by introducing the notion of client obliviousness for OPRAM, which asks that clients should only learn as much as is necessary for the scheme to function correctly. We provide an instantiation using established tools, with careful analysis to show that our new notion and regular OPRAM security are met. In the process, we give new insight into the use of the OPRAM model in the context of outsourced storage.

Learning with Errors (LWE) and Ring-LWE (RLWE) problems allow the construction of efficient key exchange and public-key encryption schemes. However, while improving the security through the use of error distributions with large standard deviations, the decryption failure rate increases as well. Currently, the independence of individual coefficient failures is assumed to estimate the overall decryption failure rate of many LWE/RLWE schemes. However, previous work has shown that this assumption is not correct. This assumption leads to wrong estimates of the decryption failure probability and consequently of the security level of the LWE/RLWE cryptosystem. An exploration of the influence of the LWE/RLWE parameters on the stochastic dependence among the coefficients is still missing. In this paper, we propose a method to analyze the stochastic dependence between decryption failures in LWE/RLWE cryptosystems. We present two main contributions. First, we use statistical methods to analyze the influence of fixing the norm of the error distribution on the stochastic dependence among decryption failures. The results have shown that fixing the norm of the error distribution indeed reduces the stochastic dependence of decryption failures. Therefore, the independence assumption gives a very close approximation to the true behavior of the cryptosystem. Second, we analyze and explore the influence of the LWE/RLWE parameters on the stochastic dependence. This exploration gives designers of LWE/RLWE based schemes the opportunity to compare different schemes with respect to the inaccuracy made by using the independence assumption. This work shows that the stochastic dependence depends on three LWE/RLWE parameters in different ways: i) it increases with higher lattice dimensions (n) and higher standard deviations of the error distribution ( $$\sqrt{k/2}$$ k / 2 ); and ii) it decreases with higher modulus (q).

Location-based services (LBSs) are widely deployed in commercial services. These services always depend on a service provider, e.g., a cloud server, to store the enormous amounts of geospatial data and to process various queries. For example, a Yelp user can retrieve a list of recommended cafés by submitting her/his current location to the service provider. While LBSs offer tremendous benefits, it is vital to safeguard users’ privacy against untrusted service providers. However, no prior secure k nearest neighbor query processing schemes satisfy the three security requirements of one-time, oblivious, and unlinkable. In particular, we are concerned with the problem of item exclusion: how to match one data query with each item on the cloud no more than once in an oblivious and unlinkable manner. In this paper, we propose the first secure k nearest neighbor query processing scheme, Obaq, that satisfies the above requirements. Obaq first introduces an item identifier into an existing secure k nearest neighbor query processing scheme. Each data owner inserts an item identifier and her/his location information into a secure index, and each data user transfers the identifier of a previously received data item and location information into a specific range. Then, Obaq excludes corresponding items via privacy-preserving range querying. We define strong index privacy and strong token privacy and formally prove the security of Obaq in the random oracle model. We further evaluate the performance of Obaq using a prototype and a real-world dataset. The experimental results show that Obaq is highly efficient and practical in terms of computational cost, communication overhead, and response delay.

Cube attack, proposed by Dinur and Shamir at EUROCRYPT 2009, is one of general and powerful cryptanalytic techniques against symmetric-key cryptosystems. However, it is quite time consuming to search for large cubes using the existing techniques, e.g., random walk, and practically infeasible to execute the cube attack when the size of cube exceeds an experimental range, e.g., 50. Thus, how to find favorite cubes is still an intractable problem. In this paper, a new general method of searching for cubes in cube attacks, called iterative walk, is proposed. Iterative walk takes the technique numeric mapping proposed at CRYPTO 2017 as a tool, which is used to test cubes and find out the best cubes among them. This new method consists of two concrete techniques, called incremental iterative walk and decremental iterative walk, respectively. Both of them split the process of searching for cubes with large size into several iterative processes, each of which aims at searching for a ‘best’ set of input variables with small size. After each iterative process, the input variables in the obtained ‘best’ set are added to (or dropped from) the cube in incremental (or decremental) iterative walk. As illustrations, we apply it to the authenticated encryption cipher ACORN v3, which was selected as one of seven finalists of CAESAR competition. Some new distinguishing attacks on round reduced variants of ACORN v3 are obtained.

In this paper, we extend the concept of bias amplifiers and show how they can be used to detect badly broken noise sources both in the production and service phases of a true random number generator. We also develop a theoretical framework that supports the experimental results obtained in this paper.

Securing Neural Network (NN) computations through the use of Fully Homomorphic Encryption (FHE) is the subject of a growing interest in both communities. Among different possible approaches to that topic, our work focuses on applying FHE to hide the model of a neural network-based system in the case of a plain input. In this paper, using the TFHE homomorphic encryption scheme, we propose an efficient method for an $$\mathsf {argmin}$$ argmin computation on an arbitrary number of encrypted inputs and an asymptotically faster - though levelled - equivalent scheme. Using these schemes and a unifying framework for LWE-based homomorphic encryption schemes (Chimera), we implement a practically efficient, homomorphic speaker recognition system using the embedding-based neural net system VGGVox. This work can be applied to all other similar Euclidean embedding-based recognition systems (e.g. Google’s FaceNet). While maintaining the best-in-class classification rate of the VGGVox system, we demonstrate a speaker-recognition system that can classify a speech sample as coming from one out of 50 hidden speaker models in less than one minute.

In 2017 Kyung-Ah Shim et al. proposed a multivariate signature scheme called Himq-3 which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems. The Himq-3 signature scheme can be classified into the oil vinegar signature scheme family. Similar to the rainbow signature scheme, the Himq-3 signature scheme uses a multilayer structure to shorten the signature size. Moreover the signing process is very fast due to a special system called L-inveritble cycle system that is used to invert the central map. In this paper, we provide a complete cryptanalysis to the Himq-3 signature scheme. We describe a new attack method called the singularity attack. This attack is based on the observation that the variables in the L-invertible cycle system are not allowed to be zero in a valid signature. For the completeness, we show step by step how variables and layers can be separated so that signature forgery can be performed. We claim that the complexity of our attack is much lower than the proposed security level.

Software vulnerabilities in emerging systems, such as the Internet of Things (IoT), allow for multiple attack vectors that are exploited by adversaries for malicious intents. One of such vectors is malware, where limited efforts have been dedicated to IoT malware analysis, characterization, and understanding. In this paper, we analyze recent IoT malware through the lenses of static analysis. Towards this, we reverse-engineer and perform a detailed analysis of almost 2,900 IoT malware samples of eight different architectures across multiple analysis directions. We conduct string analysis, unveiling operation, unique textual characteristics, and network dependencies. Through the control flow graph analysis, we unveil unique graph-theoretic features. Through the function analysis, we address obfuscation by function approximation. We then pursue two applications based on our analysis: 1) Combining various analysis aspects, we reconstruct the infection lifecycle of various prominent malware families, and 2) using multiple classes of features obtained from our static analysis, we design a machine learning-based detection model with features that are robust and an average detection rate of 99.8%.

More and more industrial devices are connected to IP-based networks, as this is essential for the success of Industry 4.0. However, this interconnection also results in an increased attack surface for various network-based attacks. One of the easiest attacks to carry out are DoS attacks, in which the attacked target is overloaded due to high network traffic and corresponding CPU load. Therefore, the attacked device can no longer provide its regular services. This is especially critical for devices, which perform Real-Time (RT) operations in industrial processes. To protect against DoS attacks, there is the possibility of throttling network traffic at the perimeter, e.g. by a firewall, to develop robust device architectures. In this paper, we analyze various concepts for secure device architectures and compare them with regard to their robustness against DoS attacks. Here, special attention is paid to how the control process of an industrial controller behaves during the attack. For this purpose, we compare different schedulers on single-core and dual-core Linux-based systems, as well as a heterogeneous multi-core architecture under various network loads and additional system stress.

In recent years, with the problem of network security is getting worse, the network threat situation assessment becomes an important approach to solve these problems. Aiming at the traditional methods based on data category tag that has high modeling cost, low efficiency, and a long period in the network threat situation assessment, this paper proposes a Variational-Generative (V-G) network assessment method. Firstly, we design the V-G network which is composed of VAE’s encoder and GAN’s discriminator and obtain the reconstruction error of each layer network by training the network collection layer of the V-G network with normal network traffic. Then, conduct the reconstruction error learning by the 3-layer variational autoencoder of the output layer and calculate the abnormal threshold of the training. Moreover, carry out the group threat testing with the test dataset contains abnormal network traffic and calculate the threat probability of each test group. Finally, obtain the Threat Situation Value (TSV) according to the threat probability and the threat impact. The simulation results show that compared with the other methods, this proposed method can evaluate the overall situation of network security threat more intuitively and has a stronger characterization ability for network threats.

The National Institute of Standards and Technology (NIST) started the standardization process for lightweight cryptography algorithms in 2018. By the end of the first round, 32 submissions have been selected as 2nd round candidates. NIST allowed designers of 2nd round submissions to provide small updates on both their specifications and implementation packages. In this work, we introduce a benchmarking framework for evaluating the performance of NIST Lightweight Cryptography (LWC) candidates on embedded platforms. We show the features and application of the framework and explain its design rationale. Moreover, we provide information on how we aim to present up-to-date performance figures throughout the NIST LWC competition. In this paper, we present an excerpt of our software benchmarking results regarding speed and memory requirements of selected ciphers. All up-to-date results, including benchmarking different test cases for multiple variants of each 2nd round algorithm on five different microcontrollers, are periodically published to a public website. While initially only the reference implementations were available, the ability of automatically testing the performance of the candidate algorithms on multiple platforms becomes especially relevant as more optimized implementations are developed. Finally, we show how the framework can be extended in different directions: support for more target platforms can be easily added, different kinds of algorithms can be tested, and other test metrics can be acquired. The focus of this paper should rather lay on the framework design and testing methodology than on the current results, especially for reference code.

Verifiable delay function (VDF) has been a hot topic in recent cryptography research since the Ethereum researchers announced that they intended to use it in Ethereum 2.0. VDF has many applications in decentralized systems. This paper tries to organize the development path of VDF and related applications. We compare the performance of the four state-of-art VDFs by theoretical analysis and experimental verification. And through experiments, the influence of different type of groups and different hardware conditions on VDF performance are compared. In the end, we concluded that Wesolowski VDF is more suitable for decentralized clock applications that require higher time accuracy. Meanwhile, modular N multiplicative cyclic group is more suitable for constructing VDF that requires higher time accuracy while the class group is more suitable for applications with limited space. Besides, the effect of hardware on various VDFs is basically the same if the four VDFs use the same group and in the case of the same number of evaluation steps. Generally speaking, it might have a constant multiple improvement on the performance of VDF.

In 2019, Gu Chunsheng introduced Integer-RLWE, a variant of RLWE devoid of some of its efficiency flaws. Most notably, he proposes a setting where n can be an arbitrary positive integer, contrarily to the typical construction $$n = 2^k$$ n = 2 k . In this paper, we analyze the new problem and implement the classical meet-in-the-middle and lattice-based attacks. We then use the peculiarity of the construction of n to build an improved lattice-based attack in cases where n is composite with an odd divisor. For example, for parameters $$n = 2000$$ n = 2000 and $$q = 2^{33}$$ q = 2 33 , we reduce the estimated complexity of the attack from $$2^{288}$$ 2 288 to $$2^{164}$$ 2 164 . We also present reproducible experiments confirming our theoretical results.

This paper proposes a family of hyperelliptic curves of genus two for public-key cryptographic primitives. Being subfield curves, the members of this family are easy to generate. Although slightly slower than elliptic curves at the same security level, hyperelliptic curves of our family exhibit performance comparable to widely used hyperelliptic curves over prime fields.

We propose a leakage-resilient inner-product functional encryption scheme (IPFE) in the bounded-retrieval model (BRM). This is the first leakage-resilient functional encryption scheme in the BRM. In our leakage model, an adversary is allowed to obtain at most l-bit knowledge from each secret key. And our scheme can flexibly tolerate arbitrarily leakage bound l, by only increasing the size of secret keys, while keeping all other parts small and independent of l.Technically, we develop a new notion: Inner-product hash proof system (IP-HPS). IP-HPS is a variant of traditional hash proof systems. Its output of decapsulation is an inner-product value, instead of the encapsulated key. We propose an IP-HPS scheme under DDH-assumption. Then we show how to make an IP-HPS scheme to tolerate $$l'$$ l ′ -bit leakage, and we can achieve arbitrary large $$l'$$ l ′ by only increasing the size of secret keys. Finally, we show how to build a leakage-resilient IPFE in the BRM with leakage bound $$l=\frac{l'}{n}$$ l = l ′ n from our IP-HPS scheme.

Double ratchet protocol was first proposed and used in Signal’s end to end encryption and later widely applied by WhatsApp, Facebook and other popular applications. Asynchronous Ratchet Tree (ART) is the new group messaging protocol based on ratchet and is the first protocol that applied forward secrecy (FS) and post-compromised-security (PCS) in group key exchange. However, anonymity is not considered which is crucial for privacy preserving solutions. Thus, it is meaningful to provide anonymous features while applying FS and PCS. In this paper we propose “Anonymous Asynchronous Ratchet Tree (AART)” to improve the structure of ART to achieve anonymity in group messaging while retaining FS and PCS. Also, we formalize the definitions of anonymity as Internal Group Anonymity (IGA) and External Group Anonymity (EGA). We prove that our AART satisfies IGA and EGA as well as FS and PCS.