International Association
for Cryptologic Research

We present TinyGarble2 – a C++ framework for privacy-preserving computation through the Yao’s Garbled Circuit (GC) protocol in both the honest-but-curious and the malicious security models. TinyGarble2 provides a rich library with arithmetic and logic building blocks for developing GC-based secure applications. The framework offers abstractions among three layers: the C++ program, the GC back-end and the Boolean logic representation of the function being computed. TinyGarble2 thus allowing the most optimized versions of all pertinent components. These abstractions, coupled with secure share transfer among the functions make TinyGarble2 the fastest and most memory-efficient GC framework. In addition, the framework provides a library for Convolutional Neural Networks (CNN). Our evaluations show that TinyGarble2 is the fastest among the current end-to-end GC frameworks while also being scalable in terms of memory footprint. Moreover, it performs 18× faster on the CNN LeNet-5 compared to the existing scalable frameworks.

TLS ensures confidentiality, integrity, and authenticity of communications. However, design, implementation, and cryptographic vulnerabilities can make TLS communication channels insecure. We need mechanisms that allow the channels to be kept secure even when a new vulnerability is discovered. We present MultiTLS, a middleware based on diversity and tunneling mechanisms that allows keeping communication channels secure even when new vulnerabilities are discovered. MultiTLS creates a secure communication channel through the encapsulation of k TLS channels, where each one uses a different cipher suite. We evaluated the performance of MultiTLS and concluded that it has the advantage of being easy to use and maintain since it does not modify any of its dependencies.

Broadcast Encryption with optimal parameters was a long-standing problem, whose first solution was provided in an elegant work by Boneh, Waters and Zhandry [BWZ14]. However, this work relied on multilinear maps of logarithmic degree, which is not considered a standard assumption. Recently, Agrawal and Yamada [AY20] improved this state of affairs by providing the first construction of optimal broadcast encryption from Bilinear Maps and Learning With Errors (LWE). However, their proof of security was in the generic bilinear group model. In this work, we improve upon their result by providing a new construction and proof in the standard model. In more detail, we rely on the Learning With Errors (LWE) assumption and the Knowledge of OrthogonALity Assumption (KOALA) [BW19] on bilinear groups.

Our construction combines three building blocks: a (computational) nearly linear secret sharing scheme with compact shares which we construct from LWE, an inner-product functional encryption scheme with special properties which is constructed from the bilinear Matrix Decision Diffie Hellman (MDDH) assumption, and a certain form of hyperplane obfuscation, which is constructed using the KOALA assumption. While similar to that of Agrawal and Yamada, our construction provides a new understanding of how to decompose the construction into simpler, modular building blocks with concrete and easy-to-understand security requirements for each one. We believe this sheds new light on the requirements for optimal broadcast encryption, which may lead to new constructions in the future.

SIDH and CSIDH are key exchange protocols based on isogenies and conjectured to be quantum-resistant. Since their protocols are similar to the classical Diffie–Hellman, they are vulnerable to the man-in-the-middle attack. A key exchange which is resistant to such an attack is called an authenticated key exchange (AKE), and many isogeny-based AKEs have been proposed. However, none of them are efficient in that they all have relatively large security losses. This is partially because the random self-reducibility of isogeny-based decisional problems has not been proved yet. In this paper, we show that the computational problem and the gap problem of CSIDH are random self-reducible. A gap problem is a computational problem given access to the corresponding decision oracle. Moreover, we propose a CSIDH-based AKE with small security loss, following the construction of Cohn-Gordon et al. at CRYPTO 2019, as an application of the random self-reducibility of the gap problem of CSIDH. Our AKE is proved to be the fastest CSIDH-based AKE when we aim at 110-bit security level.

CRAFT is a lightweight tweakable block cipher proposed at FSE 2019, which allows countermeasures against Differential Fault Attacks to be integrated into the cipher at the algorithmic level with ease. CRAFT employs a lightweight and involutory S-box and linear layer, such that the encryption function can be turned into decryption at a low cost. Besides, the tweakey schedule algorithm of CRAFT is extremely simple, where four 64-bit round tweakeys are generated and repeatedly used. Due to a combination of these features which makes CRAFT exceedingly lightweight, we find that some input difference at a particular position can be preserved through any number of rounds if the input pair follows certain truncated differential trails. Interestingly, in contrast to traditional differential analysis, the validity of this invariant property is affected by the positions where the constant additions take place. We use this property to construct ``weak-tweakey'' truncated differential distinguishes of CRAFT in the single-key model. Subsequently, we show how the tweak additions allow us to convert these weak-tweakey distinguishers into ordinary secret-key distinguishers based on which key-recovery attacks can be performed. Moreover, we show how to construct MILP models to search for truncated differential distinguishers exploiting this invariant property. As a result, we find a 15-round truncated differential distinguisher of CRAFT and extend it to a 19-round key-recovery attack with $2^{60.99}$ data, $2^{68}$ memory, $2^{94.59}$ time complexity, and success probability 80.66%. Also, we find a 14-round distinguisher with probability $2^{-43}$ (experimentally verified), a 16-round distinguisher with probability $2^{-55}$, and a 20-round weak-key distinguisher ($2^{118}$ weak keys) with probability $2^{-63}$. Experiments on round-reduced versions of the distinguishers show that the experimental probabilities are sometimes higher than predicted. Finally, we note that our result is far from threatening the security of the full CRAFT.

The University of St. Gallen in Switzerland and the chair of Cyber Security invites applications from PhD holders in the area of cryptography and information security. The researcher will join a group of researchers focusing in applied and theoretical cryptography, network and information security and privacy-preservation led by Prof. Katerina Mitrokotsa. We are affiliated to the Department of Computer Science (DCS) and the Institute of Computer Science. More precisely, the student shall be working on investigating efficient authentication and verifiable delegation of computation mechanisms that provide: i) provable security guarantees, and ii) rigorous privacy guarantees. The overall aim of the PhD position will be to design and evaluate provably secure cryptographic protocols for privacy-preserving authentication and verifiable delegation of computation protocols. The research shall also consider the case where multiple clients outsource jointly computations to untrusted cloud servers.
Research area: Research areas include but are not limited to:

• Verifiable computation
• Secure Multi Party Computation
• Privacy-preserving authentication
• Cryptographic primitives

Your Profile

• A MsC degree in Computer Science, Applied Mathematics or a relevant field;
• Strong mathematical and algorithmic CS background;
• Good skills in programming is beneficial;
• Excellent written and verbal communication skills in English

Deadline for applications: 30 September
Starting date: Fall 2020 or by mutual agreement

Closing date for applications:

Contact: Katerina Mitrokotsa

More information: https://jobs.unisg.ch/offene-stellen/phd-position-in-information-security-and-cryptography-m-w-d/6366821b-4848-4217-90d2-78e6b1096162

The IMDEA Software Institute invites applications for tenure-track (Assistant Professor) positions. We are primarily interested in excellent candidates in Systems, including Distributed Systems, Embedded Systems, etc.; Data Science, including machine learning; Security and Privacy; Software Engineering>; and Cyber-Physical Systems. Exceptional candidates in other topics within the research areas of the Institute will also be considered. Tenured-level (Associate and Full Professor) applications are also welcome.

The primary mission of the IMDEA Software Institute is to perform research of excellence at the highest international level in the area of software development technologies. It is one of the highest ranked institutions worldwide in its main topic areas.

All positions require a doctoral degree in CS or closely related area, earned by the expected start date. Candidates for tenure-track positions will have shown exceptional promise in research and ability to work independently as well as collaboratively. Candidates for tenured positions must have an outstanding research record, recognized international stature, and demonstrated leadership. Experience in graduate student supervision is also valued at this level.

For full consideration, complete applications must be received by December 1, 2020 but will continue to be accepted until the positions are filled.

The institute is located in the vibrant area of Madrid, Spain. It offers an ideal working environment, combining the best aspects of a research center and a university department. The institute offers institutional funding and also encourages participation in national and international research projects. The working language at the institute is English.

Salaries at the Institute are internationally competitive, established on an individual basis, and include social security provisions, and in particular access to an excellent public health care system.

COVID Note: The Institute continues working and hiring, while strictly adopting all recommended hea

Closing date for applications:

Contact: hiring@software.imdea.org

More information: https://software.imdea.org/open_positions/call_for_faculty.html

We are seeking to recruit a post-doctoral research assistant to work in the area of cryptography. The position is available now until 1 June 2022.

The PDRA will work alongside Dr. Martin Albrecht, Dr. Rachel Player and other cryptographic researchers at Royal Holloway on topics in lattice-based cryptography. This post is part of the EU H2020 PROMETHEUS project (http://prometheuscrypt.gforge.inria.fr) for building privacy preserving systems from advanced lattice primitives. Our research focus within this project is on cryptanalysis and implementations, but applicants with a strong background in other areas such as protocol/primitive design are also encouraged to apply.

Closing date for applications:

Contact: Martin Albrecht

More information: https://martinralbrecht.wordpress.com/2020/06/26/postdoc-at-royal-holloway-on-lattice-based-cryptography-3/

We are looking for talented and motivated Post-docs to work on the ERC AdG project PROCONTRA: Smart-Contract Protocols: Theory for Applications. The project is about theoretical and applied aspects of blockchain and smart contracts.

The ideal candidates should have a PhD degree in cryptography (or related field) from a leading university, and a proven record of publications in top cryptography/security/TCS venues.

We offer competitive salary, a budget for conference travel and research visit, and membership in a young and vibrant team with several international contacts (for more see: www.crypto.edu.pl).

A successful candidate will be given a substantial academic freedom and can work on a variety of research problems related to the main theme of the project.

There is no specific deadline for this call, but we will start looking at the applications from Oct 15th, 2020.

Closing date for applications:

Contact: Stefan Dziembowski

More information: https://www.crypto.edu.pl/positions

What we are always looking for?
CISPA constantly seeks applications from outstanding students regardless of their national origin or citizenship. Currently we are looking for students interested in applied cryptography and topics like:

• privacy-preserving signatures,
• anonymous credentials,
• eID and ePassport security.

Admission to the Computer Science graduate program is highly competitive. A successful Master’s degree from a top-tier, research-oriented institution of higher education in a subject relevant to our research is required. Applicants should have an outstanding academic record, proficiency in spoken and written English, and strong letters of recommendation from their academic advisors.

What we offer?
CISPA maintains an open, international and diverse work environment. Every Ph.D. student is a member of a research group lead by his or her supervisor. Admitted students are as a rule paid employees of CISPA with a full time contract (TV-L E 13). The working language is English.

How to apply?
https://jobs.cispa.saarland/jobs/detail/phd-students-in-all-areas-related-to-cybersecurity-privacy-cryptography-and-machine-learning-1

Closing date for applications:

Contact: Lucjan Hanzlik (hanzlik@cispa.saarland)

More information: https://jobs.cispa.saarland/jobs/detail/phd-students-in-all-areas-related-to-cybersecurity-privacy-cryptography-and-machine-learning-1

The University of St. Gallen in Switzerland and the chair of Cyber Security invites applications from PhD holders in the area of cryptography and information security. The researcher will join a group of researchers focusing in applied and theoretical cryptography, network and information security and privacy-preservation led by Prof. Katerina Mitrokotsa. We are affiliated to the Department of Computer Science (DCS) and the Institute of Computer Science.
The position has an attractive salary and located in beautiful St. Gallen and Switzerland.
Research area: Research areas include but are not limited to:

• Verifiable computation
• Secure Multi Party Computation
• Privacy-preserving authentication
• Cryptographic primitives

Your Profile

• A PhD degree in Cryptography, information security;
• Strong mathematical and algorithmic CS background;
• Strong publication record;
• Good skills in programming is beneficial;
• Excellent written and verbal communication skills in English

Deadline for applications: 30 September
Starting date: Fall 2020 or by mutual agreement
How to apply Submit your application through the online application system

Closing date for applications:

Contact: Katerina Mitrokotsa

More information: https://jobs.unisg.ch/offene-stellen/postdoc-fellow-in-cryptography-information-security/707c8a38-0c75-436e-b1b2-4ee6629d1323

We are looking for Research Fellow (Post-Doc), to join our group. The applicants should have background and be interested in working on different aspects of lattice based cryptography, in particular on:

• security proofs for lattice-based schemes,
• building and implementing lattice-based constructions,
• cryptanalysis and side channels attacks.

The research will take place in the Embedded Security and Cryptography (EMSEC) team, within the IRISA computer science institute located in Rennes, France.
To apply please send us by email your detailed CV (with publication list). The positions has flexible starting date. Review of applications will start immediately until the positions are filled.

Closing date for applications:

Contact: Adeline Roux-Langlois / adeline.roux-langlois@irisa.fr

We seek a Research Project Manager to support and coordinate our research on problems within the field of consensus while assembling a team of world-class researchers. Research at Protocol Labs We’re not an ordinary Research Lab. We’re working hard to build the core protocols of the decentralized web pursuant to our vision for the future of the Internet. As part of our research team, you’ll be enabling outcomes at the forefront of our mission. Our research team is granted both the freedom to develop knowledge by working on novel applications and a responsibility to contribute those skills toward advancing the flagship projects of Protocol Labs and the research endeavors of leading institutions in the field. You’ll feel at home working with us if your knowledge and optimism enable you to craft creative solutions working around evolving needs. What will the ConsensusLab do The goal of ConsensusLab will be to focus on long-term research problems facing Filecoin and other Protocol Labs projects related to secure, scalable consensus mechanisms. As ConsensusLab Lead you will… Coordinate with teammates across the research and project teams to drive progress against the goals we want ConsensusLab to accomplish, driving consensus research to support multiple autonomous projects within the company Track and coordinate the known problems that must be solved to hit those goals, the proposed solutions to those problems, the interactions and constraints that proposed solutions have on each other, and the effects design requirements have on proposed solutions. Assemble a team of researchers to drive progress against these problems. You may be a fit for this role if you have... Strong organizational and project management skills A familiarity with consensus research, in which you explored security or scalability of a system with byzantine or rational actors A love of supporting others in their efforts to learn and push the boundaries of human knowledge Bonus points... You’ve applied game theory, mechanism design, or agent-based modeling to fault tolerant system You’ve previously managed a team of researchers working on novel consensus algorithms

Closing date for applications:

Contact: Ed Burns

More information: https://jobs.lever.co/protocol/45adb8e8-4f5b-4da5-9c25-d1b84f3792e9

Several postdoctoral positions are available in the following areas:

• Post-quantum (including lattice-based) zero-knowledge proofs.
• Fast implementation of fully homomorphic encryption and lattice-based cryptography.
• Adversarial machine learning, broadly defined

Closing date for applications:

Contact: Jonathan Katz

This paper introduces the PoSH Consensus protocol, a novel work-in-progress construction for achieving Sybil-resistant Nakamoto-style probabilistic consensus on the contents of a cryptocurrency ledger in a permissionless decentralized network where parties stake their hardware’s computational power towards participation in leader election. PoSH aims to establish an openly mintable cryptocurrency that eliminates the requirement for block rewards and disincentivizes mining pools.

MPC functionalities are increasingly specified in high-level languages, where control-flow constructions such as conditional statements are extensively used. Today, concretely efficient MPC protocols are circuit-based and must evaluate all conditional branches at high cost to hide the taken branch.

The Goldreich-Micali-Wigderson, or GMW, protocol is a foundational circuit-based technique that realizes MPC for p players and is secure against up to p - 1 semi-honest corruptions. While GMW requires communication rounds proportional to the computed circuit’s depth, it is effective in many natural settings.

Our main contribution is MOTIF (Minimizing OTs for IFs), a novel GMW extension that evaluates conditional branches almost for free by amortizing Oblivious Transfers (OTs) across branches. That is, we simultaneously evaluate multiple independent AND gates, one gate from each mutually exclusive branch, by representing them as a single cheap vector-scalar multiplication (VS) gate.

For 2PC with b branches, we simultaneously evaluate up to b AND gates using only two 1-out-of-2 OTs of b-bit secrets. This is a factor ~b improvement over the state-of-the-art 2b 1-out-of-2 OTs of 1-bit secrets. Our factor b improvement generalizes to the multiparty setting as well: b AND gates consume only p(p - 1) 1-out-of-2 OTs of b-bit secrets.

We implemented our approach and report its performance. For 2PC and a circuit with 16 branches, each comparing two length-65000 bitstrings, MOTIF outperforms standard GMW in terms of communication by ~9.4x. Total wall-clock time is improved by 4.1 - 9.2x depending on network settings.

Our work is in the semi-honest model, tolerating all-but-one corruptions.

Biometric databases collect entire countries worth of citizens' sensitive information with few cryptographic protections. The critical required functionality is proximity search, the ability to search for all records close to a queried value, that is within a bounded distance. Biometrics usually operate in high dimensional space where an exponential number (in the dimension) of values are close.

This work builds searchable encryption that supports proximity queries for the Hamming metric. The Hamming metric is frequently used for the iris biometric. Searchable encryption schemes have leakage, which is information revealed to the database server such as identifiers of records returned which is known as access pattern leakage.

Prior work on proximity searchable encryption falls into two classes: 1) Li et al. (INFOCOM 2010) and Boldyreva and Chenette (FSE 2014) support only a polynomial number of close values, 2) Kim et al. (SCN 2018) leak the distance between the query and all stored records. The first class is not feasible due to the exponential number of close values. The second class allows the server to compute geometry of the space, enabling attacks akin to those on nearest neighbor schemes (Kornaropoulos et al. IEEE S&P 2019, 2020).

We build proximity search out of a new variant of inner product encryption called multi-point inner product encryption (MPIPE). MPIPE is built from function-hiding, secret-key, inner product predicate encryption (Shen, Shi, and Waters, TCC 2009). Our construction leaks access pattern and when two database records are the same distance from the queried point.

In most applications of searchable encryption the data distribution is not known a priori, making it prudent to consider leakage in a variety of settings. However, biometrics' statistics are well studied and static. Frequently in biometric search at most one record is returned. In this setting, access pattern leakage and the additional leakage of distance equality is unlikely to be harmful.

We also introduce a technique for reducing key size of a class of inner product encryption schemes based on dual pairing vector spaces. Our technique splits these vector spaces into multiple, smaller components, yielding keys that are a linear number of group elements instead of quadratic. We instantiate this technique on the scheme of Okamoto and Takashima (Eurocrypt, 2012) and show security under the same assumption (decisional linear).

Program watermarking enables users to embed an arbitrary string called a mark into a program while preserving the functionality of the program. Adversaries cannot remove the mark without destroying the functionality. Although there exist generic constructions of watermarking schemes for public-key cryptographic (PKC) primitives, those schemes are constructed from scratch and not efficient.

In this work, we present a general framework to equip a broad class of PKC primitives with an efficient watermarking scheme. The class consists of PKC primitives that have a canonical all-but-one (ABO) reduction. Canonical ABO reductions are standard techniques to prove selective security of PKC primitives, where adversaries must commit a target attribute at the beginning of the security game. Thus, we can obtain watermarking schemes for many existing efficient PKC schemes from standard cryptographic assumptions via our framework. Most well-known selectively secure PKC schemes have canonical ABO reductions. Notably, we can achieve watermarking for public-key encryption whose ciphertexts and secret-keys are constant-size, and that is chosen-ciphertext secure.

Our approach accommodates the canonical ABO reduction technique to the puncturable pseudorandom function (PRF) technique, which is used to achieve watermarkable PRFs. We find that canonical ABO reductions are compatible with such puncturable PRF-based watermarking schemes.

Kansal and Dutta recently proposed a multisignature scheme at AFRICACRYPT 2020. This is the first lattice-based multisignature scheme that generates a multisignature in only a single round of interaction and supports public key aggregation. In this letter, we provide a cryptanalysis of this multisignature scheme and demonstrate that the scheme does not satisfy unforgeability requirements. We present an attack strategy to demonstrate that if an adversary obtains a sufficient number of signatures from a signer, he/she can recover the private key of the signer in polynomial time. We also uncover the root cause of the attack and provide a possible solution for this attack to aid future designs of secure multisignature schemes.

Post-Compromise Security, or PCS, refers to the ability of a given protocol to recover—by means of normal protocol operations—from the exposure of local states of its (otherwise honest) participants. While PCS in the two-party setting has attracted a lot of attention recently, the problem of achieving PCS in the group setting—called group ratcheting here—is much less understood. On the one hand, one can achieve excellent security by simply executing, in parallel, a two-party ratcheting protocol (e.g., Signal) for each pair of members in a group. However, this incurs $\mathcal{O}(n)$ communication overhead for every message sent, where $n$ is the group size. On the other hand, several related protocols were recently developed in the context of the IETF Messaging Layer Security (MLS) effort that improve the communication overhead per message to $\mathcal{O}(\log n)$. However, this reduction of communication overhead involves a great restriction: group members are not allowed to send and recover from exposures concurrently such that reaching PCS is delayed up to $n$ communication time slots (potentially even more).

In this work we formally study the trade-off between PCS, concurrency, and communication overhead in the context of group ratcheting. Since our main result is a lower bound, we define the cleanest and most restrictive setting where the tension already occurs: static groups equipped with a synchronous (and authenticated) broadcast channel, where up to $t$ arbitrary parties can concurrently send messages in any given round. Already in this setting, we show in a symbolic execution model that PCS requires $\Omega(t)$ communication overhead per message. Our symbolic model permits as building blocks black-box use of (even "dual") PRFs, (even key-updatable) PKE (with functionality and security of HIBE), and broadcast encryption, capturing all tools used in previous constructions, but prohibiting the use of exotic primitives.

To complement our result, we also prove an almost matching upper bound of $\mathcal{O}(t\cdot(1+\log(n/t)))$, which smoothly increases from $\mathcal{O}(\log n)$ with no concurrency, to $\mathcal{O}(n)$ with unbounded concurrency, matching the previously known protocols.