International Association
for Cryptologic Research

Multiple positions are available. Candidates should have the expertise on applied crypto, ML, IoT/CPS security and programming skill.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou. Only short-listed candidates will be contacted for interview.

Closing date for applications:

Contact: Prof. Jianying Zhou (jianying_zhou@sutd.edu.sg)

More information: http://jianying.space/

(COVID-19 may slow down the process, but our hiring is not disrupted) The Cryptanalysis Taskforce at Nanyang Technological University in Singapore led by Prof. Jian Guo is seeking for candidates to fill 3 post-doctoral research fellow positions on symmetric-key cryptography, including but not limited to the following sub-areas:

• tool aided cryptanalysis, such as MILP, CP, STP, and SAT
• machine learning aided cryptanalysis and designs
• privacy-preserving friendly symmetric-key designs
• quantum cryptanalysis
• theory and Proof
• cryptanalysis against SHA-3 and AES

Established in 2014, the Cryptanalysis Taskforce is a group dedicated for research in symmetric-key cryptography. Since then, the team has been active in both publications in and services for IACR. It has done quite some cryptanalysis work on various important targets such as SHA-3, and is expanding its interests to the areas mentioned above, with strong funding support from the university and government agencies in Singapore. We offer competitive salary package with extremely low tax, as well as excellent environment dedicating for research in Singapore. The contract will be initially for 2 years, and has the possibility to be extended. Candidates are expected to have proven record of publications in IACR conferences. Interested candidates are to send their CV and 2 reference letters to Jian Guo. Review of applicants will start immediately until the positions are filled. More information about the Cryptanalysis Taskforce research group can be found via http://team.crypto.sg

Closing date for applications:

Contact: Asst Prof. Jian Guo, guojian@ntu.edu.sg

More information: http://team.crypto.sg

This paper presents a constant time hardware implementation of the NIST round 2 post-quantum cryptographic algorithm Streamlined NTRU Prime. We implement the entire KEM algorithm, including all steps for key generation, encapsulation and decapsulation, and all en- and decoding. We focus on optimizing the resources used, as well as applying optimization and parallelism available due to the hardware design. We show the core en- and decapsulation requires only a fraction of the total FPGA fabric resource cost, which is dominated by that of the hash function, and the en- and decoding algorithm. For the NIST Security Level 3, our implementation uses a total of 1841 slices on a Xilinx Zynq Ultrascale+ FPGA, together with 14 BRAMs and 19 DSPs. The maximum achieved frequency is 271 MHz, at which the key generation, encapsulation and decapsulation take 4808 μs, 524 μs and 958 μs respectively. To our knowledge, this work is the first full hardware implementation where the entire algorithm is implemented.

In this work, we propose different techniques that can be used to implement the ROLLO, and partially RQC, family of algorithms in a standalone, efficient and constant time library. For simplicity, we focus our attention on one specific instance of this family, ROLLO-I-128. For each of these techniques, we present explicit code (with intrinsics when required), or pseudo-code and performance measures to show their impact. More precisely, we use a combination of original and known results and describe procedures for Gaussian reduction of binary matrices, generation of vectors of given rank, multiplication with lazy reduction and inversion of polynomials in a composite Galois field. We also carry out a global performance analysis to show the impact of these improvements on ROLLO-I-128. Through the SUPERCOP framework, we compare it to other 128-bit secure KEMs in the NIST competition. To our knowledge, this is the first optimized full constant time implementation of ROLLO-I-128.

Side-channel attacks based on machine learning have recently been introduced to recover the secret information from software and hardware implementations of mathematically secure algorithms. Convolutional Neural Networks (CNNs) have proven to outperform the template attacks due to their ability of handling misalignment in the symmetric algorithms leakage data traces. However, one of the limitations of deep learning algorithms is the requirement of huge datasets for model training. For evaluation scenarios, where limited leakage trace instances are available, simple machine learning with the selection of proper feature engineering, data splitting, and validation techniques, can be more effective. Moreover, limited analysis exists for public-key algorithms, especially on non-traditional implementations like those using Residue Number System (RNS). Template attacks are successful on RNS-based Elliptic Curve Cryptography (ECC), only if the aligned portion is used in templates. In this study, we present a systematic methodology for the evaluation of ECC cryptosystems with and without countermeasures against machine learning side-channel attacks using two attack models. RNS-based ECC datasets have been evaluated using four machine learning classifiers and comparison is provided with existing state-of-the-art template attacks. Moreover, we analyze the impact of raw features and advanced hybrid feature engineering techniques, along with the effect of splitting ratio. We discuss the metrics and procedures that can be used for accurate classification on the imbalance datasets. The experimental results demonstrate that, for ECC RNS datasets, the efficiency of simple machine learning algorithms is better than the complex deep learning techniques when such datasets are not so huge.

I describe a non-interactive transaction scheme for Mimblewimble protocol, so as to overcome the usability issue of the Mimblewimble wallet. With the Diffie–Hellman, we can use an Ephemeral Key shared between the sender and the receiver, a public nonce R is added to the output for that, removing the interactive cooperation procedure. And an additional one-time public key P' is used to lock the output to make it only spendable for the receiver, i.e. the owner of P'. The new data R and P' can be committed into the bulletproof to avoid the miner’s modification. Furtherly, to keep Mimblewimble privacy character, the Stealth Address is used in this new transaction scheme. All the cost of these new features is 66-bytes additional data (the public nonce R and the one-time public key P') in each output, and 64-bytes additional signature data in each input. That is about 12% payload size increasing in a typical single input double outputs Mimblewimble transaction.

This paper constructs unbounded simulation sound proofs for boolean circuit satisfiability under standard assumptions with proof size O(n+d) bilinear group elements, where d is the depth and n is the input size of the circuit. Our technical contribution is to add unbounded simulation soundness to a recent NIZK of González and Ràfols (ASIACRYPT'19) with very small overhead. We give two different constructions: the first one is more efficient but not tight, and the second one is tight. Our new scheme can be used to construct Signatures of Knowledge based on standard assumptions that also can be composed universally with other cryptographic protocols/primitives.

As an independent contribution we also detail a simple formula to encode Boolean circuits as Quadratic Arithmetic Programs.

We present the implementation of Grover's algorithm in a quantum simulator to perform a quantum search for preimages of two scaled hash functions, whose design only uses modular addition, word rotation, and bitwise exclusive or. Our implementation provides the means to assess with precision the scaling of the number of gates and depth of a full-fledged quantum circuit designed to find the preimages of a given hash digest. The detailed construction of the quantum oracle shows that the presence of AND gates, OR gates, shifts of bits and the reuse of the initial state along the computation, require extra quantum resources as compared with other hash functions based on modular additions, XOR gates and rotations. We also track the entanglement entropy present in the quantum register at every step along the computation, showing that it becomes maximal at the inner core of the first action of the quantum oracle, which implies that no classical simulation based on Tensor Networks would be of relevance. Finally, we show that strategies that suggest a shortcut based on sampling the quantum register after a few steps of Grover's algorithm can only provide some marginal practical advantage in terms of error mitigation.

In the conference “Fast Software Encryption 2015”, a new line of research was proposed by introducing the first small-state stream cipher (SSC). The goal was to design lightweight stream ciphers for hardware application by going beyond the rule that the internal state size must be at least twice the intended security level. Time-memory-data trade-off (TMDTO) attacks and fast correlation attacks (FCA) were successfully applied to all proposed SSCs which can be implemented by less than 1000 gate equivalents in hardware. It is possible to increase the security of stream ciphers against FCA by exploiting more complicated functions for the nonlinear feedback shift register and the output function, but we use lightweight functions to design the lightest SSC in the world while providing more security against FCA. Our proposed cipher provides 80-bit security against TMDTO distinguishing attacks, while Lizard and Plantlet provide only 60-bit and 58-bit security against distinguishing attacks, respectively. Our main contribution is to propose a lightweight round key function with a very long period that increases the security of SSCs against FCA.

Circular security is the most elementary form of key-dependent message (KDM) security, which allows us to securely encrypt only a copy of secret key bits. In this work, we show that circular security is ¥emph{complete} for KDM security in the sense that an encryption scheme satisfying this security notion can be transformed into one satisfying KDM security with respect to all functions computable by a-priori bounded-size circuits (bounded-KDM security). This result holds in the presence of any number of keys and in any of secret-key/public-key and CPA/CCA settings. Such a completeness result was previously shown by Applebaum (EUROCRYPT 2011) for KDM security with respect to projection functions (projection-KDM security) that allows us to securely encrypt both a copy and a negation of secret key bits.

Besides amplifying the strength of KDM security, our transformation in fact can start from an encryption scheme satisfying circular security against ¥emph{CPA} attacks and results in one satisfying bounded-KDM security against ¥emph{CCA} attacks. This result improves the recent result by Kitagawa and Matsuda (TCC 2019) showing a CPA-to-CCA transformation for KDM secure public-key encryption schemes.

We are seeking multiple Ph.D. students and Post-Doc scholars on architectural and hardware security for a joint funded project of Prof. Amro Awad and Prof. Aydin Aysu at NC State University. The positions are in the broad area of computer architecture and hardware security. The candidates will be part of a project that is collaborative between two research groups (led by Prof. Awad and Prof. Aysu) at NC State and are expected to work on the intersection between hardware security and emerging computing architectures.

The project will explore the security aspects of hardware accelerators. The goal of this project is to identify efficient solutions for defending against a wide set of attacks (e.g., side-channel attacks) targeting hardware accelerators. We will also investigate different challenges and security concerns related to the programming models and run-time environments of particular interest to our funding agency. More information will be shared with the applicants.

PhD Applicants: Following are the minimum requirements for PhD applicants:

GPA >= 3.8 -- among top 10% of your graduating class.

Strong background in computer architecture (experience in GPUs/FPGAs is preferred)

Familiarity with Linux environment, and background in OS (experience in device drivers is preferred)

Self-motivated and independent

US citizenship is preferred due to the nature of the project, but exceptions will be made on a case-by-case basis.

Post-Doc Applicants:

We are also hiring post-doctoral scholars to lead some of the efforts in this project. Post-Doc candidates should have PhD with focus on computer architecture or systems with familiarity with hardware accelerators (e.g., FPGA and GPUs). The positions are available immediately and thus candidates who are already in the US are preferred.

Links to research groups:

Prof. Awad: https://sacagroup.github.io/

Prof. Aysu: https://research.ece.ncsu.edu/aaysu/

Closing date for applications:

Contact: Amro Awad (ajawad@ncsu.edu) and Aydin Aysu (aaysu@ncsu.edu)

The IMDEA Software Institute offers a postdoc position in the area of cryptography, in the context of the project "Cryptographic Primitives for Randomness Generation and Privacy". The postdoc will work under the supervision of Dario Fiore and Ignacio Cascudo, in the following topics and their application to blockchain systems: Zero knowledge proofs, and Random beacon generation.

Who should apply? Applicants should have a PhD in cryptography or a related topic. Experience in the research topics of the projects is highly valued.

Working at IMDEA Software The position is based in Madrid, Spain, where the IMDEA Software Institute is situated. The institute provides for travel expenses and an internationally competitive salary. The working language at the institute is English.

Dates The position has guaranteed funding for at least 2 years. The preferred starting date is around the end of 2020, but starting dates in early 2021 are also possible.

How to apply? Applicants interested in the position should submit their application at https://careers.software.imdea.org/ using reference code 2020-09-postdoc-cryptoprimitives. Deadline for applications is October 23rd, 2020. Review of applications will begin immediately.

Closing date for applications:

Contact: For enquiries about the position, please contact: dario.fiore (at) imdea.org and/or ignacio.cascudo (at) imdea.org

More information: https://software.imdea.org/open_positions/2020-09-postdoc-cryptoprimitives.html

Cryptography, Security & Privacy Research Group at Koç University has one opening at the post-doctoral researcher level. Accepted applicants may receive competitive salary, housing (accommodation) support, health insurance, computer, travel support, and lunch meal card.

Your duties include performing research on cryptography, security, and privacy in line with our research group's focus, and direct graduate and undergraduate students in their research and teaching. The project funding is related to cryptography, game theory and mechanism design, and blockchain technologies.

Applicants are expected to have already obtained their Ph.D. degrees in Computer Science or related discipline with a thesis topic related to the duties above.

For more information about joining our group and projects, visit

https://crypto.ku.edu.tr/work-with-us/

Submit your application via email including

• full CV,
• sample publications,
• a detailed research proposal,
• and 2-3 reference letters sent directly by the referees.

Application and start dates are flexible.

Closing date for applications:

Contact: Assoc. Prof. Alptekin Küpçü
https://mysite.ku.edu.tr/akupcu/

More information: https://crypto.ku.edu.tr/work-with-us/

The Network and Information Security Group is currently looking for several motivated and talented PostDoctoral researchers to contribute to research projects related to applied cryptography, hardware security, security and privacy. The successful candidates will primarily be working on the following topics (but not limited to):

• Differential Privacy;
• Functional Encryption;
• Privacy-Preserving Analytics;
• Privacy-Preserving Machine Learning;
• Searchable Encryption and data structures enabling efficient search operations on encrypted data;
• Processing of encrypted data in outsourced and untrusted environments;
• IoT Security and Applications to Smart Cities.

Programming skills is a must.

The positions are principa research-focused. Activities include:

• Conducting both theoretical and applied research;
• Design of secure and/or privacy-preserving protocols;
• Software development and validation;
• Reading and writing scientific articles;
• Presentation of the research results at seminars and conferences in Finland and abroad;
• Acquiring (or assisting in acquiring) further funding.

Successful candidates will be working in EU and industrial research projects. Topics will be spanning from the theoretical foundations of cryptography to the design and implementation of provable secure communication protocols with direct applications to smart cities, cloud computing and eHealth.

To apply please send the following:

• Your latest CV;
• A research statement (max 2 pages long);
• The three best papers you have co-authored.

Closing date for applications:

Contact:

• Antonis Michalas (Provable Security and Privacy): antonios.michalas@tuni.fi

When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that they should be checked to see that $p-1$ and $q-1$ are relatively prime to the public exponent $e$, and regenerated if this is not the case. If this is not done, then the calculation of the decrypt exponent will fail. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in the RSA key generation implementation in the CNG API of a preview release of the Windows 10 operating system makes this question of more than purely hypothetical value. Without a well defined decrypt exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decrypt exponent is no longer well defined, it is in fact possible to recover the plaintext, or a small number of potential plaintexts if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and use this to give a plaintext recovery algorithm. The runtime of the algorithm scales linearly in the magnitude of the public exponent, in practice this is manageable as there are only a few small public exponents that are used. This algorithm has been implemented in a publicly available python script. We further discuss the software bug that lead to this and derive lessons that can be used while testing randomized functions in cryptographic software. Specifically, we derive an explicit formula that describes the trade off between number of iterations of tests of a randomized cryptographic functions and the potential number of users affected by a bug dependent on the random values.

The Joux-Vitse Crossbred algorithm's aim is to efficiently solve a system of semi-regular multivariate polynomials. For random polynomials, this is thought to be at least hard for a classical computer to solve. In this work, the algorithm is described in detail, a bivariate generating series to test the admissibility of parameters in F_2 is investigated and from this, a new series for F_q, q > 2 is presented. In addition, a complexity estimate is given for both F_2 and F_q, q > 2, which is compared to an estimate presented by Samardijska et al. Their estimate is shown to be an upper bound for the Crossbred algorithm. By obtaining optimal parameters using the previous results, the cost of theoretically applying Crossbred, FES and Hybrid-F5 to polynomial systems of various sizes of various numbers of variables and q was plotted. Overall, it was determined that for larger fields, the Crossbred algorithm provides an improved asymptotic complexity over FES. However, it does not provide any improvement over Hybrid-F5.

MuSig is a multi-signature scheme for Schnorr signatures, which supports key aggregation and is secure in the plain public key model. Standard derandomization techniques for discrete logarithm-based signatures such as RFC 6979, which make the signing procedure immune to catastrophic failures in the randomness generation, are not applicable to multi-signatures as an attacker could trick an honest user into producing two different partial signatures with the same randomness, which would reveal the user's secret key.

In this paper, we propose a variant of MuSig in which signers generate their nonce deterministically as a pseudorandom function of the message and all signers' public keys and prove that they did so by providing a non-interactive zero-knowledge proof to their cosigners. The resulting scheme, which we call MuSig-DN, is the first Schnorr multi-signature scheme with deterministic signing. Therefore its signing protocol is robust against failures in the randomness generation as well as attacks trying to exploit the statefulness of the signing procedure, e.g., virtual machine rewinding attacks. As an additional benefit, a signing session in MuSig-DN requires only two rounds instead of three as required by all previous Schnorr multi-signatures including MuSig. To instantiate our construction, we identify a suitable algebraic pseudorandom function and provide an efficient implementation of this function as an arithmetic circuit. This makes it possible to realize MuSig-DN efficiently using zero-knowledge proof frameworks for arithmetic circuits which support inputs given in Pedersen commitments, e.g., Bulletproofs. We demonstrate the practicality of our technique by implementing it for the secp256k1 elliptic curve used in Bitcoin.

Differential cryptanalysis of block ciphers require the identification of differential characteristics (trails) that occur with high probabilities. The effort required to search for these characteristics increases exponentially as the number of rounds and block size increases. Differentials, which are clusters of differential characteristics sharing the same input and output differences, can be constructed to improve the overall distinguishing probability, thus improving the efficiency of a key recovery attack. Matsui's branch-and-bound algorithm that automates the search for differential characteristics is commonly used to construct these differentials. However, the algorithm is still inefficient when enumerating a large number of characteristics, especially for block ciphers with large block sizes or number of rounds. In this paper, we improve upon the differential search by proposing a GPU-accelerated branch-and-bound framework that is more efficient and cost-effective as compared to its CPU counterpart. Efficiency is optimized by parallelizing all operations involved in a typical branch-and-bound algorithm by completing the entire search without transferring intermediate results back to the CPU. The meet-in-the-middle (MITM) approach is also adopted for further performance gains. We analyze the proposed framework in terms of both financial and computational costs based on simulations on the Google Cloud VM environment. When optimizing for performance, the proposed framework can achieve up to 90x speedup while saving up to 47% of the running cost as compared to a single CPU core. If cost-saving is the goal, the proposed framework can save up to 83% of the running cost while retaining a speedup of up to 40x as compared to single CPU core. The proposed framework is then applied to 128-bit TRIFLE-BC, 64-bit PRESENT and 64-bit GIFT, leading to the discovery of improved differentials. Notably, we identified the best differentials for PRESENT and 64-bit GIFT to date, with probabilities of $2^{-61.7964}$ and $2^{-60.66}$ for 16 and 13 rounds respectively. Although the differential probability for 43 rounds of TRIFLE-BC was not significantly improved, we were able to construct larger differentials with approximately 5.8x more characteristics than existing ones. Thus, the proposed GPU framework is currently the most efficient approach for enumerating 128-bit block cipher differentials, especially for a large number of rounds.

A new post-quantum, hash-based signature (HBS) scheme is introduced. In known HBS, the size and cost of each signature increase as the total number of messages one wishes to authenticate increase. In real-world applications, requiring large volumes of signatures, they can become impractical. This paper studies HBS in a blockchain: a public, decentralized database. The proposed HBS scheme shows that, when all signatures are known, quite the opposite is possible: the signatures can become more efficient as the number of signatures grows. Authenticating large volumes of messages results less costly on average than authenticating only a few.

We show that verifiable voting systems require a security notion beyond individual- and universal-verifiability plus cast-as-intended.