International Association
for Cryptologic Research

We search for a talented Ph.D. student who is interested in the topic of privacy-preserving machine learning. Our ideal candidate has a M.Sc. degree with excellent grades from a well-renowned university and a background in machine learning and privacy-enhancing technologies. Knowledge in FPGA programming is a plus.

Ulm University is a young research university with a focus on natural sciences, medicine and technology. Located in an economically strong region, the University with its more than 10,000 students offers a dynamic work environment with attractive networking and development prospects. The Institute of Distributed Systems is a leading research group in areas like automotive security and privacy engineering.

Closing date for applications: 30 June 2019

Contact: Interested candidates should send their application to vs-jobs (at) uni-ulm.de.

More information: https://www.uni-ulm.de/in/vs/

*As a Cryptanalyst, you will:

- Analyze, evaluate and target any weaknesses security systems which range from single crypto-primitives to entire protocols, from classical ciphers to the newest lightweight or post-quantum schemes.

- Develop mathematical and statistical models to analyze and solve security data problems.

- Be involved in the analysis of developed cryptosystems within DarkMatter products.

- Collaborate with skillful software, hardware, and telecommunication engineers.

- Work closely with the secure communications team and other teams in the organization.

- Work with latest software and test your code on state-of-the-art High-Performance Devices.

- Conduct research in theoretical and practical cryptanalysis.

- Attend personalized in-house trainings with top cryptographers and international conferences and workshops.

*To bring your dream to life, you’ll need:

- PhD degree in Cryptography, Applied Cryptography, Information Theory and Mathematics, Computer Science or any relevant Engineering degree.

- Extensive experience in theoretical and practical cryptanalysis

Valuable publications in the field of cryptanalysis

- Extensive experience in performing side-channel attacks.

- Deep understanding of various hardware security vulnerabilities and threats.

Closing date for applications: 29 July 2019

Contact: Mehdi Messaoudi

Talent Acquisition Specialist

mehdi.messaoudi (at) darkmatter.ae

More information: https://boards.greenhouse.io/darkmatter/jobs/1090184

As a Post-Quantum Crypto Researcher, you will:

- Design, implement and deploy quantum-safe cryptographic algorithms covering both but not limited to: key exchange algorithms and digital signature schemes.

- Conduct research and development in lattice-based, code-based or hash-based cryptosystems.

- Perform security assessments of either crypto-primitives or cryptosystems at the theoretical and implementation level.

- Work closely with the secure communications team and other teams in the organization to design end-to-end secure communication protocols using state-of-the art and customized cryptographic algorithms and primitives.

- Be involved in the integration of developed cryptosystems within DarkMatter products.

To bring your dream to life, you’ll need:

- PhD degree in Cryptography, Applied Cryptography, Information Theory and Mathematics or Computer Science.

- Extensive experience developing in various programming languages.

Closing date for applications: 29 August 2019

Contact: Mehdi Messaoudi

Talent Acquisition Specialist

mehdi.messaoudi (at) darkmatter.ae

More information: https://boards.greenhouse.io/darkmatter/jobs/1030431

Cosmian is a young and ambitious software publisher started by three seasoned entrepreneurs, backed by a leading Venture Capital Fund and which has established strong ties with academic research (Paris-based Ecole Normale Superieure, in particular).

Our ambition is to solve the Private Data paradox: how to provide data intelligence to a rapidly rising data economy without compromising privacy.

Job Description

Your main responsibility will be to lead our cryptographic research and development. Cosmian implements the latest research in fully-homomorphic encryption, functional encryption and secure MPC, to provide better protection of privacy.

Your daily mission will include

- managing the collaborations with the academic and research worlds, working with some of the best world cryptographers including the crypto team from École Normale Supérieure Paris,

- understand how their latest research can be leveraged,

- design new implementation algorithms with Cosmian Rust/C++ developers,

- lead certification and/or patenting where appropriate,

- and more generally get our work known and recognized by a larger cryptography community.

The job is full-time and located in Paris, France. Remote work may be envisaged with specific requirements. The package includes stock options.

Required skills/qualifications

You must have a strong background in maths and in cryptography (Master and/or PhD) and must demonstrate

the ability to communicate complex ideas to a less maths-savvy audience.

A working command of French is not mandatory.

Closing date for applications: 1 October 2019

Contact: Bruno GRIEDER, bruno.grieder (at) cosmian.com, +33 6 33 27 46 85

or

Raphaël AUPHAN, raphael.auphan (at) cosmian.com

More information: https://cosmian.com/chief_scientist/

Pompeu Fabra University and Nokia Bell Labs announce 4 Marie Sk?odowska­-Curie European PhD Positions for the ITN BAnDIT H2020 project. PhD students will be supervised by researchers from UPF and Bell Labs (effectively spending 50% of the time at each institution), and collaborating with both Rovira i Virgili University and Caelum Labs for secondments.

We are looking for highly motivated young researchers with a Master degree (or equivalent) in Computer Science, Engineering, Mathematics, Economics or related disciplines, willing to study and do research at the leading edge of blockchain technologies.

PhD students will be appointed for 36 months. All the fellowships provide a highly competitive remuneration package, complemented by mobility and family allowances (for eligible candidates).

The evaluation committee will assess candidates on a continuous basis until the positions are filled. First evaluation will be at the end of May , and afterwards regularly at the end of every month until all candidates are selected. Once evaluated will be contacted, and if pre-selected interviews will be arranged either via telco or by inviting you to one of the partners. Selected ESRs will be published on the website.

Closing date for applications:

Contact: bandit (at) upf.edu

More information: https://www.upf.edu/web/bandit

Event date: 15 July to 19 July 2019

Event date: 21 August to 24 August 2019
Submission deadline: 31 May 2019
Notification: 30 June 2019

Event date: 3 December to 7 December 2019
Submission deadline: 30 June 2019
Notification: 1 August 2019

In CT-RSA 2019, Bauer et al. have analyzed the case when the public key is reused for the NewHope key encapsulation mechanism (KEM), a second-round candidate in the NIST Post-quantum Standard process. They proposed an elegant method to recover coefficients ranging from -6 to 4 in the secret key. We repeat their experiment but there are two fundamental problems. First, even for coefficients in [-6,4] we cannot recover at least 262 of them in each secret key with 1024 coefficients. Second, for the coefficient outside [-6,4], they suggested an exhaustive search. But for each secret key on average there are 10 coefficients that need to be exhaustively searched, and each of them has 6 possibilities. This makes Bauer et al.'s method highly inefficient. We propose an improved method, which with 99.22% probability can recover all the elements ranging from -6 to 4 in the secret key. Then, inspired by Ding et al.'s key mismatch attack, we propose an efficient strategy which with a probability of 96.88% succeeds in recovering all the coefficients in the secret key. Experiments show that our proposed method is very efficient, which completes the attack in about 137.56 ms using the NewHope parameters.

We introduce and study the notion of keyless fuzzy search (KlFS) which allows to mask a publicly available database in such a way that any third party can retrieve content if and only if it possesses some data that is “close to” the encrypted data – no cryptographic keys are involved. We devise a formal security model that asks a scheme not to leak any information about the data and the queries except for some well-defined leakage function if attackers cannot guess the right query to make. In particular, our definition implies that recovering high entropy data protected with a KlFS scheme is costly. We propose two KlFS schemes: both use locality-sensitive hashes (LSH), cryptographic hashes and symmetric encryption as building blocks. The first scheme is generic and works for abstract plaintext domains. The second scheme is specifically suited for databases of images. To demonstrate the feasibility of our KlFS for images, we implemented and evaluated a prototype system that supports image search by object similarity on a masked database.

Secure channel establishment protocols such as TLS are some of the most important cryptographic protocols, enabling the encryption of Internet traffic. Reducing the latency (the number of interactions between parties) in such protocols has become an important design goal to improve user experience. The most important protocols addressing this goal are TLS 1.3 over TCP Fast Open (TFO), Google’s QUIC over UDP, and QUIC[TLS] (a new design for QUIC that uses TLS 1.3 key exchange) over UDP. There have been a number of formal security analyses for TLS 1.3 and QUIC, but their security, when layered with their underlying transport protocols, cannot be easily compared. Our work is the first to thoroughly compare the security and availability properties of these protocols. Towards this goal, we develop novel security models that permit “layered” security analysis. In addition to the standard goals of server authentication and data privacy and integrity, we consider the goals of IP spoofing prevention, key exchange packet integrity, secure channel header integrity, and reset authentication, which capture a range of practical threats not usually taken into account by existing security models that focus mainly on the crypto cores of the protocols. Equipped with our new models we provide a detailed comparison of the above three protocols. We hope that our results will help protocol designers in their future protocol analyses and practitioners to better understand the advantages and limitations of novel secure channel establishment protocols.

It was recently proved that twisted Reed--Solomon codes represent a family of codes which contain a large amount of MDS codes, non-equivalent to Reed--Solomon codes. As a consequence, they were proposed as an alternative to Goppa codes for the McEliece cryptosystem, resulting to a potential reduction of key sizes. In this paper, an efficient key-recovery attack is given on this variant of the McEliece cryptosystem. The algorithm is based on the recovery of the structure of subfield subcodes of twisted Reed--Solomon codes, and it always succeeds. Its correctness is proved, and it is shown that the attack breaks the system for all practical parameters in $O(n^4)$ field operations. A practical implementation is also provided and retrieves a valid private key from the public key within just a few minutes, for parameters claiming a security level of $128$ bits. We also discuss a potential repair of the scheme and an application of the attack to GPT cryptosystems using twisted Gabidulin codes.

Recent algorithmic improvements of discrete logarithm computation in special extension fields threaten the security of pairing-friendly curves used in practice. A possible answer to this delicate situation is to propose alternative curves that are immune to these attacks, without compromising the efficiency of the pairing computation too much. We follow this direction, and focus on embedding degrees 5 to 8; we extend the Cocks-Pinch algorithm to obtain pairing-friendly curves with an efficient ate pairing. We carefully select our curve parameters so as to thwart possible attacks by “special” or “tower” Number Field Sieve algorithms. We target a 128-bit security level, and back this security claim by time estimates for the DLP computation. We also compare the efficiency of the optimal ate pairing computation on these curves to k = 12 curves (Barreto–Naehrig,Barreto–Lynn–Scott), k = 16 curves (Kachisa–Schaefer–Scott) and k = 1 curves (Chatterjee–Menezes–Rodríguez-Henríquez).

Bent functions are optimal combinatorial objects and have been attracted their research for four decades. Secondary constructions play a central role in constructing bent functions since a complete classification of this class of functions is elusive. This paper is devoted to establish a relationship between the secondary constructions and the composition of Boolean functions. We firstly prove that some well-known secondary constructions of bent functions, can be described by the composition of a plateaued Boolean function and some bent functions. Then their dual functions can be calculated by the Lagrange interpolation formula. By following this observation, two secondary constructions of bent functions are presented. We show that they are inequivalent to the known ones, and may generate bent functions outside the primary classes $\mathcal{M}$ and $% \mathcal{PS}$. These results show that the method we present in this paper is genetic and unified and therefore can be applied to the constructions of Boolean functions with other cryptographical criteria.

The concrete efficiency of secure computation has been the focus of many recent works. In this work, we present protocols for secure $3$-party computation (3PC) tolerating one corruption in the offline-online paradigm, with the most efficient online phase in concrete terms, considering semi-honest and malicious adversaries.

In the semi-honest setting, our protocol requires communication of $2$ ring elements for a ring of integers modulo $2^l$ per multiplication gate during the online phase, attaining a per-party cost of less than one element. This is achieved for the first time in the regime of 3PC. In the malicious setting, our protocol requires communication of $4$ elements per multiplication gate during the online phase, beating the state-of-the-art protocol by $5$ elements. We boost the security of our protocols in the malicious setting to achieve fairness without affecting the stated online complexity.

We apply our techniques from $3$PC in the regime of secure server-aided machine-learning (ML) inference for a range of prediction functions-- linear regression, linear SVM regression, logistic regression, and linear SVM classification. Our setting considers a model-owner with trained model parameters and a client with a query, with the latter willing to learn the prediction of her query based on the model parameters of the former. The inputs and computation are outsourced to a set of three non-colluding servers. Our constructions catering to both semi-honest and the malicious world, invariably perform better than the existing constructions.

Game-playing proofs constitute a powerful framework for classical cryptographic security arguments, most notably applied in the context of indifferentiability. An essential ingredient in such proofs is lazy sampling of random primitives. We develop a quantum game-playing proof framework by generalizing two recently developed proof techniques. First, we describe how Zhandry's compressed quantum oracles [Zha18] can be used to do quantum lazy sampling from non-uniform function distributions. Second, we observe how Unruh's one-way-to-hiding lemma [Unr14] can also be applied to compressed oracles, providing a quantum counterpart to the fundamental lemma of game-playing.

Subsequently, we use our game-playing framework to prove quantum indifferentiability of the sponge construction, assuming a random internal function or a random permutation. Our results upgrade post-quantum security of SHA-3 to the same level that is proven against classical adversaries.

Secure integer comparison has been one of the first problems introduced in cryptography, both for its simplicity to describe and for its applications. The first formulation of the problem was to enable two parties to compare their inputs without revealing the exact value of those inputs, also called the Millionaires' problem. The recent rise of fully homomorphic encryption has given a new formulation to this problem. In this new setting, one party blindly computes an encryption of the boolean $(a<b)$ given only ciphertexts encrypting $a$ and $b$.

In this paper, we present new solutions for the problem of secure integer comparison in both of these settings. The underlying idea for both schemes is to avoid decomposing the integers in binary in order to improve the performances. Our fully homomorphic based solution is inspired by Bourse et al, and makes use of the fast bootstrapping techniques recently developpedto obtain scalability for large integers while preserving high efficiency. On the other hand, our solution to the original Millionaires' problem is inspired by the protocol of Carlton et al, based on partially homomorphic encryption. We tweak their protocol in order to minimize the number of interactions required, while preserving the advantage of comparing non-binary integers.

Both our techniques provide efficient solutions to the problem of secure integer comparison for large (even a-priori unbounded in our first scenario) integers with minimum interaction.

While common symmetric primitives like the AES and SHA3 are optimized for efficient hardware and software implementations, a range of emerging applications using advanced cryptographic protocols such as multi-party computation and zero-knowledge proofs require optimization with respect to a different metric: arithmetic complexity. We propose two families of symmetric primitives --- Vision and Rescue --- designed specifically to have a compact algebraic description optimizing the advanced cryptographic protocols that employ them. Vision operates on a small number of binary field elements and adopts the overall design strategy, and thus the security rationale, of the AES: it is a substitution permutation network whose nonlinear layer composes finite field inversion with an affine transform. To make the same security rationale work for prime fields, the nonlinear layer of Rescue consists of a low-degree power map in even steps and its high-degree inverse in odd ones. The algebraic simplicity of the proposed ciphers raises the need for careful cryptanalysis, with a particular focus on algebraic attacks. After providing an elaborate security analysis, we proceed to evaluate the performance of our ciphers with respect to three use cases: the ZK-STARK proof system, proof systems based on Rank-One Constraint Satisfaction (R1CS) systems; and Multi-Party Computation (MPC) with masked operations.

In this work, we demonstrate the use the CKKS homomorphic encryption scheme to train a large number of logistic regression models simultaneously, as needed to run a genome-wide association study (GWAS) on encrypted data. Our implementation can train more than 30,000 models (each with four features) in about 20 minutes. To that end, we rely on a similar iterative Nesterov procedure to what was used by Kim, Song, Kim, Lee, and Cheon to train a single model [KSKLC18].

We adapt this method to train many models simultaneously using the SIMD capabilities of the CKKS scheme. We also performed a thorough validation of this iterative method and evaluated its suitability both as a generic method for computing logistic regression models, and specifically for GWAS.

KNOT is a Round 1 submission of the ongoing NIST lightweight cryptography project. In this short note, we show that the preimage security of KNOT-Hash instances with squeezing rate half the state size is lower than the claimed security. Our attack exploits the non-randomness properties of the KNOT Sbox which reduce the preimage complexities.

In particular, if $2n$ is the squeezing rate then the preimage security is approximately $(\text{log\textsubscript{2}}(\frac{3}{4}))^{-n} \times 2^{\frac{3n}{4}} \times (\text{log\textsubscript{2}}(3))^{\frac{n}{2}}$. For $n = 64$, 96 and 128, the former bound translates to $2^{125.28}$, $2^{187.92}$ and $2^{250.57}$, respectively.