International Association
for Cryptologic Research

Discrete Gaussian distributions over lattices are central to lattice-based cryptography, and to the computational and mathematical aspects of lattices more broadly. The literature contains a wealth of useful theorems about the behavior of discrete Gaussians under convolutions and related operations. Yet despite their structural similarities, most of these theorems are formally incomparable, and their proofs tend to be monolithic and written nearly "from scratch,'' making them unnecessarily hard to verify, understand, and extend.

In this work we present a modular framework for analyzing linear operations on discrete Gaussian distributions. The framework abstracts away the particulars of Gaussians, and usually reduces proofs to the choice of appropriate linear transformations and elementary linear algebra. To showcase the approach, we establish several general properties of discrete Gaussians, and show how to obtain all prior convolution theorems (along with some new ones) as straightforward corollaries. As another application, we describe a self-reduction for Learning With Errors~(LWE) that uses a fixed number of samples to generate an unlimited number of additional ones (having somewhat larger error). The distinguishing features of our reduction are its simple analysis in our framework, and its exclusive use of discrete Gaussians without any loss in parameters relative to a prior mixed discrete-and-continuous approach.

As a contribution of independent interest, for subgaussian random matrices we prove a singular value concentration bound with explicitly stated constants, and we give tighter heuristics for specific distributions that are commonly used for generating lattice trapdoors. These bounds yield improvements in the concrete bit-security estimates for trapdoor lattice cryptosystems.

We study the encryption latency of the Gimli cipher, which has recently been submitted to NIST’s Lightweight Cryptography competition. We develop two optimized hardware engines for the 24 round Gimli permutation, characterized by a total latency or 3 and 4 cycles, respectively, in a range of frequencies up to 4.5 GHz. Specifically, we utilize Intel’s 10 nm FinFET process to synthesize a critical path of 15 logic levels, supporting a depth-3 Gimli pipeline capable of computing the result of the Gimli permutation in frequencies up to 3.9 GHz. On the same process technology, a depth-4 pipeline employs a critical path of 12 logic levels and can compute the Gimli permutation in frequencies up to 4.5 GHz. Gimli demonstrates a total unrolled data path latency of 715.9 psec. Compared to our AES implementation, our fastest pipelined Gimli engine demonstrates 3.39 times smaller latency. When compared to the latency of the PRINCE lightweight block cipher, the pipelined Gimli latency is 1.7 times smaller. The paper suggests that the Gimli cipher, and our proposed optimized implementations have the potential to provide breakthrough performance for latency critical applications, in domains such as data storage, networking, IoT and gaming.

The Institut for Geoinformatics (ifgi) at the Westfälischen Wilhelms-Universität Münster is seeking candidates for this post subject to the release of the project funds by the funding agency. The three-year position is part of a joint project on the “sovereign and intuitive management of personal location information (SIMPORT)”. The project aims to develop approaches, guidelines and software components that enable users to reclaim sovereignty over their personal location information.

Detailed information about the position is available at the included link.

Closing date for applications:

Contact: Prof. Dr. Christian Kray

More information: https://www.uni-muenster.de/Rektorat/Stellen/ausschreibungen/st_20201303_sk6.html

Responsibilities include but are not limited to conducting research in the areas of homomorphic encryption, post-quantum cryptography, privacy-preserving mechanisms applied to machine learning, and security proofs, and building software prototypes to demonstrate the feasibility of technical solutions. The ideal candidate will initiate and organize the design, development, execution, implementation, documentation and feasibility studies of scientific research projects to fuel SHIELD’s growth in secure computing and cloud product concepts and new business opportunities. They will also pioneer substantial new knowledge of state-of-the-art principles and theories, contribute to scientific literature and conferences, and participate in the development of intellectual property. Required Abilities: 1) Highly competent in interpersonal communication. 2) A self-starter with initiative and a strong drive to identify and resolve technical issues. 3) Able to clearly explain complex concepts and take the lead in team decision-making. Qualifications: 1) PhD in cryptography. 2) One or more publications on cryptography in a top-tier, peer-reviewed conference/journal. 3) Deep expertise in the state-of-the-art of partially-, somewhat-, and fully homomorphic encryption; experience implementing prototypes is a strong asset. 4) Thorough understanding of lattice-based cryptography, including the underlying security problems, parameter selection, implementation, and side-channel resistance. 5) Skill in developing software prototypes in any of the following programming languages: C++, C, Python, Go or Rust. Preferred Qualifications: 1) Familiarity with other post-quantum cryptography families (e.g. hash-based signatures, code-based, isogeny or multivariate quadratic cryptography). 2) Familiarity with the application of privacy-preserving cryptographic techniques to machine learning. 3) Familiarity with highly regulated industries, such as banking, government, and/or health care. For immediate consideration, please submit your CV/resume and transcripts to careers(at)shieldcrypto.com and include “Cryptographer” in the subject line.

Closing date for applications:

Contact: Alhassan Khedr (CTO)

The chair of Security Engineering at Horst Görtz Institute for IT-Security (HGI) at Ruhr University Bochum (Germany) has openings for a post-doc position. We are looking for outstanding candidate with strong background in Electrical/Computer Engineering, and/or Cryptography. The available position is fully funded for two years with possible extensions depending on the candidate's performance. In addition to the usual computer and electrical engineering background, the candidate is expected to be familiar with side-channel analysis attacks, and be able to deal with FPGAs & hardware designs, e.g., VHDL/verilog, which is essential for the project. The candidate should show strong publication records, at least a publication in venues like CHES, EUROCRYPT, ASIACRYPT, CRYPTO, DATE & DAC.
Please send your application via e-mail as a single pdf containing a CV, list of publications, and copies of transcripts and certificates.

Closing date for applications:

Contact: amir (dot) moradi (at) rub (dot) de

The PCI Standards Council (PCI SCSC) was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. who share equally in governance and execution of the organisation’s work. Its stated aim is to bring payments industry stakeholders together to develop and drive adoption of data security standards and resources for safe payments worldwide. PCI SSC mandates in the PIN Security Requirements and Testing Procedures: V3 2018 that to achieve “Control Objective 5: Keys are used in a manner that prevents or detects their unauthorised usage”, that “Encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods.” This is PIN Security Requirement 18-3, which further details three acceptable methods of implementing this requirement but also states that these methods are not an exhaustive list. The Australian payments industry does not use key blocks to manage the symmetric keys used as PIN Encrypting Keys (PEK). The question of which other methods are acceptable has been raised, which has resulted in a PCI FAQ. The latest version of which is in the publicly available document PCI PTS PIN Security Requirements, Technical FQAs V3, February 2020, FAQ 27, and requires an independent expert to assess the equivalency of other methods. PCI has also produced several blogs on the case for key blocks and two Informational Supplements, PCI PTS PIN: Cryptographic Key Blocks June 2017 and PCI PIN Security Requirement: PIN Security Requirement 18-3 Key Blocks: June 2019. AusPayNet is seeking to engage an independent expert, who meets the requirements set out by PCI in the PIN Security FAQ 27. This expert must assess the Australian PEK key management methodologies and determine if they provide equivalent levels of protection that prevent or detect their unauthorised usage, as compared to key blocks. AusPayNet is seeking to have the work completed in Q2 2020. For more information or to provide a copy of your CV and some indicative costs.

Closing date for applications:

Contact: Arthur Van Der Merwe - avande22@myune.edu.au

1. Overall introduction. There are three Ph.D. position openings (full scholarship, tuition & very competitive stipend) at Dr. Jiafeng Harvest Xie's Security & Cryptography (SAC) Lab for the Fall of 2020, located at the Department of Electrical and Computer Engineering of Villanova University (PA, USA).

2. Research area. Post quantum cryptography hardware, fault detection/attack, and cryptanalysis.

3. Qualification. Preferred to have research experience in the areas of cryptographic engineering, fault detection, cryptanalysis, and VLSI design. Students from electrical/computer engineering, computer science, and cryptography (applied mathematics) or other related majors are WARMLY welcome! Programming skills such as HDL, C++, Python will be more favorable.

4. Application process. Interested students can directly send the CV/resume to Dr. Jiafeng Harvest Xie's email: jiafeng.xie@villanova.edu.

5. Application information. The detailed application requirement is available at https://www1.villanova.edu/villanova/engineering/grad/admission/departmentalRequirements.html

6. Additional information. Villanova University is a private research university located in Radnor Township, a suburb northwest of Philadelphia, Pennsylvania. U.S. News & World Report ranks Villanova as tied for the 46th best National University in the U.S. for 2020.

7. PI introduction. Dr. Jiafeng Harvest Xie is currently an Assistant Professor at the Department of Electrical and Computer Engineering of Villanova University. His research interests include cryptographic engineering, hardware security, and VLSI digital design. He is the Best Paper Awardee of IEEE HOST 2019. He is also the Associate Editor for Microelectronics Journal, IEEE Access, and IEEE Trans. Circuits and Systems II.

Closing date for applications:

Contact: Dr. Jiafeng Harvest Xie, email: jiafeng.xie@villanova.edu

The Network and Information Security Group is currently looking for up to 2 motivated and talented researchers (Postdoctoral Researchers) to contribute to research projects related to applied cryptography, security and privacy. The successful candidates will be working on the following topics (but not limited to):

• Searchable Encryption and data structures enabling efficient search operations on encrypted data;
• Restricting the type of access given when granting access to search over one's data;
• Processing of encrypted data in outsourced and untrusted environments;
• Applying encrypted search techniques to SGX environments;
• Revocable Attribute-Based Encryption schemes and their application to cloud services;
• Functional Encryption;
• Privacy-Preserving Analytics;
• IoT Security.

Programming skills is a must.

The positions are strongly research-focused. Activities include conducting both theoretical and applied research, design of secure and/or privacy-preserving protocols, software development and validation, reading and writing scientific articles, presentation of the research results at seminars and conferences in Finland and abroad, acquiring (or assisting in acquiring) further funding.

Closing date for applications:

Contact: Antonis Michalas

Traditional Blockchain Sharding approaches can only tolerate up to n/3 of nodes being adversary because they rely on the hypergeometric distribution to make a failure (an adversary does not have n/3 of nodes globally but can manipulate the consensus of a Shard) hard to happen. The system must maintain a large Shard size (the number of nodes inside a Shard) to sustain the low failure probability so that only a small number of Shards may exist. In this paper, we present a new approach of Blockchain Sharding that can withstand up to n/2 of nodes being bad. We categorise the nodes into different classes, and every Shard has a fixed number of nodes from different classes. We prove that this design is much more secure than the traditional models (only have one class) and the Shard size can be reduced significantly. In this way, many more Shards can exist, and the transaction throughput can be largely increased. The improved Blockchain Sharding approach is promising to serve as the foundation for decentralised autonomous organisations and decentralised database.

We consider $n$-bit permutations with differential uniformity of 4 and null nonlinearity. We first show that the inverses of Gold functions have the interesting property that one component can be replaced by a linear function such that it still remains a permutation. This directly yields a construction of 4-uniform permutations with trivial nonlinearity in odd dimension. We further show their existence for all $n = 3$ and $n \geq 5$ based on a construction in [1]. In this context, we also show that 4-uniform 2-1 functions obtained from admissible sequences, as defined by Idrisova in [8], exist in every dimension $n = 3$ and $n \geq 5$. Such functions fulfill some necessary properties for being subfunctions of APN permutations. Finally, we use the 4-uniform permutations with null nonlinearity to construct some 4-uniform 2-1 functions from $\mathbb{F}_2^n$ to $\mathbb{F}_2^{n-1}$ which are not obtained from admissible sequences. This disproves a conjecture raised by Idrisova.

Linkable ring signature (LRS) plays a major role in the Monero-type cryptocurrencies, as it provides the anonymity of initiator and the prevention of double spending in transactions. In this paper, we propose SLRS: a simpler and modular construction of linkable ring signature scheme, which only use standard ring signature as component, without any additional one-time signatures or zero-knowledge proofs. SLRS is more efficient than existing schemes in both generation and verification. Moreover, we use SLRS to construct an efficient and compact position-preserving linkable multi-ring signature to support application in Monero-type cryptocurrencies. We also give the security proofs, implementation as well as the performance comparisons between SLRS, Ring-CT and Ring-CT 3.0 in size and efficiency.

Proof of Work is a prevalent mechanism to prove investmentof time in blockchain projects. However the use of massive parallelismand specialized hardware gives an unfair advantage to a small portion ofnodes and raises environmental and economical concerns. In this paperwe provide an implementation study of two Verifiable Delay Functions, anew cryptographic primitive achieving Proof of Work goals in an unpar-allelizable way. We provide simulation results and an optimization basedon a multiexponentiation algorithm.

In the modified CTR (CounTeR) mode known as CTR2, nonces are encrypted before constructing sequences of counters from them. This way we have only probabilistic guarantees for non-overlapping of the sequences. We show that these guarantees, and therefore the security guarantees of CTR2, are strong enough in two standard scenarios: random nonces and non-repeating nonces. We also show how to extend CTR2 to an authenticated encryption mode which we call CHE (Counter-Hash-Encrypt). To extend, we use one invocation of polynomial hashing and one additional block encryption.

The hardness of highly-structured computational problems gives rise to a variety of public-key primitives. On one hand, the structure exhibited by such problems underlies the basic functionality of public-key primitives, but on the other hand it may endanger public-key cryptography in its entirety via potential algorithmic advances. This subtle interplay initiated a fundamental line of research on whether structure is inherently necessary for cryptography, starting with Rudich's early work (PhD Thesis '88) and recently leading to that of Bitansky, Degwekar and Vaikuntanathan (CRYPTO '17).

Identifying the structure of computational problems with their corresponding complexity classes, Bitansky et al. proved that a variety of public-key primitives (e.g., public-key encryption, oblivious transfer and even functional encryption) cannot be used in a black-box manner to construct either any hard language that has $\mathsf{NP}$-verifiers both for the language itself and for its complement, or any hard language (and even promise problem) that has a statistical zero-knowledge proof system -- corresponding to hardness in the structured classes $\mathsf{NP} \cap \mathsf{coNP}$ or $\mathsf{SZK}$, respectively, from a black-box perspective.

In this work we prove that the same variety of public-key primitives do not inherently require even very little structure in a black-box manner: We prove that they do not imply any hard language that has multi-prover interactive proof systems both for the language and for its complement -- corresponding to hardness in the class $\mathsf{MIP} \cap \mathsf{coMIP}$ from a black-box perspective. Conceptually, given that $\mathsf{MIP} = \mathsf{NEXP}$, our result rules out languages with very little structure.

Already the cases of languages that have $\mathsf{IP}$ or $\mathsf{AM}$ proof systems both for the language itself and for its complement, which we rule out as immediate corollaries, lead to intriguing insights. For the case of $\mathsf{IP}$, where our result can be circumvented using non-black-box techniques, we reveal a gap between black-box and non-black-box techniques. For the case of $\mathsf{AM}$, where circumventing our result via non-black-box techniques would be a major development, we both strengthen and unify the proofs of Bitansky et al. for languages that have $\mathsf{NP}$-verifiers both for the language itself and for its complement and for languages that have a statistical zero-knowledge proof system.

We study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case: the Quasi-Polynomial algorithms, the Number Field Sieve and its many variants, and the Function Field Sieve. We adapt the latter to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones.

Existing Nakamoto-style blockchains (NSBs) rely on some sort of synchrony assumption to offer any type of safety guarantees. A basic requirement is that when a party produces a new block, then all previously produced blocks should be known to that party, as otherwise the new block might not append the current head of the chain, creating a fork. In practice, however, the network delay for parties to receive messages is not a known constant, but rather varies over time. The consequence is that the parameters of the blockchain need to be set such that the time between the generation of two blocks is typically larger than the network delay (e.g., $10$ minutes in Bitcoin) to guarantee security even under bad network conditions. This results in lost efficiency for two reasons: (1) Since blocks are produced less often, there is low throughput. Furthermore, (2) blocks can only be considered final, and thus the transactions inside confirmed, once they are extended by sufficiently many other blocks, which incurs a waiting time that is a multiple of 10 minutes. This is true even if the actual network delay is only $1$ second, meaning that NSBs are slow even under good network conditions.

We show how the Bitcoin protocol can be adjusted such that we preserve Bitcoin's security guarantees in the worst case, and in addition, our protocol can produce blocks arbitrarily fast and achieve optimistic responsiveness. The latter means that in periods without corruption, the confirmation time only depends on the (unknown) actual network delay instead of the known upper bound. Technically, we propose an approach where blocks are treated differently in the ``longest chain rule''. The crucial parameter of our protocol is a weight function assigning different weight to blocks according to their hash value. We present a framework for analyzing different weight functions, in which we prove all statements at the appropriate level of abstraction. This allows us to quickly derive protocol guarantees for different weight functions. We exemplify the usefulness of our framework by capturing the classical Bitcoin protocol as well as exponentially growing functions as special cases, where the latter provide the above mentioned guarantees, including optimistic responsiveness.

Cellular Automata (CA) have recently evolved as a good cryptographic primitive. It plays an important role in the construction of new fast, efficient and secure stream ciphers. Several studies have been made on CA based stream ciphers and we observe that the cryptographic strength of a CA based stream cipher increases with the increase in the neighbourhood radii if appropriate CA rules are employed. The current work explores the cryptographic feasibility of 5-neighbourhood CA rules also referred to as pentavalent rules. A new CA based stream cipher, CARPenter, which uses pentavalent rules have been proposed. The cipher incorporates maximum length null-boundary linear CA and a non-linear CA along with a good non-linear mixing function. This is implemented in hardware as well as software and exhibits good cryptographic properties which makes the cipher resistant to almost all attacks on stream ciphers, but with the cost of additional computing requirements. This cipher uses 16 cycles for initialization, which is the least number of cycles when compared to other existing stream ciphers.

We give a new proof that the decryption failure rate of NewHope512 is at most $2^{-398.8}$. As in previous work, this failure rate is with respect to random, honestly generated, secret key and ciphertext pairs. However, our technique can also be applied to a fixed secret key. We demonstrate our technique on some subsets of the NewHope1024 key space, and we identify a large subset of NewHope1024 keys with failure rates of no more than $2^{-439.5}$.

Blockchain technologies enable decentralized applications (DApps) that run on distributed infrastructures without any central authority. All transactions for communication and data storage are public and can be verified by all participants. DApps interacting with a smart contract typically require client-side code, which is not part of the smart contract, and therefore do not hold the same verifiability properties. Following the vision of a verifiable DApp, we propose SmartDHX, a Diffie-Hellman key exchange (DHKE) scheme, fully implemented as a smart contract. That is, SmartDHX communicates only via the Ethereum blockchain and provides both backend and client-side code with the smart contract. The application code can therefore be verified and deployed without external trust requirements. By executing DHKE on-chain, we gain a number of properties, including asynchronicity as well as message integrity and authenticity. We generalize the two-party SmartDHX to emphasize that our approach is able to handle complex cryptographic protocols. In our analysis, we expose an efficiency tradeoff when executed on chain. In particular, we provide a proof-of-concept implementation and analyze the runtime and transaction fees. Since DHKE is used by many cryptographic algorithms, SmartDHX contributes a fundamental building block in the domain of DApps.

Recently, a logic locking approach termed `CAS-Lock' was proposed to simultaneously counter Boolean satisfiability (SAT) and bypass attacks. The technique modifies the AND/OR tree structure in Anti-SAT to achieve non-trivial output corruptibility while maintaining resistance to both SAT and bypass attacks. An attack against CAS-Lock (dubbed `CAS-Unlock') was also recently proposed on a naive implementation of CAS-Lock. It relies on setting key values to all 1's or 0's to break CAS-Lock. In this short paper, we evaluate this attack's ineffectiveness and describe a misinterpretation of CAS-Lock's implementation.