International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via email and via RSS feed.

29 October 2020

Ashrujit Ghoshal, Stefano Tessaro
ePrint Report
Most efficient zero-knowledge arguments lack a concrete security analysis, making parameter choices and efficiency comparisons challenging. This is even more true for non-interactive versions of these systems obtained via the Fiat-Shamir transform, for which the security guarantees generically derived from the interactive protocol are often too weak, even when assuming a random oracle.

This paper initiates the study of {\em state-restoration soundness} in the algebraic group model (AGM) of Fuchsbauer, Kiltz, and Loss (CRYPTO '18). This is a stronger notion of soundness for an interactive proof or argument which allows the prover to rewind the verifier, and which is tightly connected with the concrete soundness of the non-interactive argument obtained via the Fiat-Shamir transform.

We propose a general methodology to prove tight bounds on state-restoration soundness, and apply it to variants of Bulletproofs (Bootle et al., S\&P '18) and Sonic (Maller et al., CCS '19). To the best of our knowledge, our analysis of Bulletproofs gives the {\em first} non-trivial concrete security analysis for a non-constant round argument combined with the Fiat-Shamir transform.
Rishabh Poddar, Sukrit Kalra, Avishay Yanai, Ryan Deng, Raluca Ada Popa, Joseph M. Hellerstein
ePrint Report
Many organizations stand to benefit from pooling their data together in order to draw mutually beneficial insights -- e.g., for fraud detection across banks, better medical studies across hospitals, etc. However, such organizations are often prevented from sharing their data with each other by privacy concerns, regulatory hurdles, or business competition.

We present Senate, a system that allows multiple parties to collaboratively run analytical SQL queries without revealing their individual data to each other. Unlike prior works on secure multi-party computation (MPC) that assume that all parties are semi-honest, Senate protects the data even in the presence of malicious adversaries. At the heart of Senate lies a new MPC decomposition protocol that decomposes the cryptographic MPC computation into smaller units, some of which can be executed by subsets of parties and in parallel, while preserving its security guarantees. Senate then provides a new query planning algorithm that decomposes and plans the cryptographic computation effectively, achieving a performance of up to 145$\times$ faster than the state-of-the-art.
Howard M. Heys
ePrint Report
In this paper, we investigate the key dependency of differentials in block ciphers by examining the results of numerous experiments applied to the substitution-permutation network (SPN) structure using 4-bit S-boxes. In particular, we consider two cipher structures: a toy 16-bit SPN and a realistic 64-bit SPN. For both ciphers, we generate many different experimental results by inserting the S-boxes used in many lightweight cipher proposals and applying different forms of round key generation. It is demonstrated that, in most circumstances, with enough rounds in the cipher, the probability distribution (across all keys) of the differential probability follows the distribution expected in the theoretically ideal scenario. However, this does not occur consistently for all S-boxes and all approaches to round key generation. Consequently, it is possible that a cipher may have more susceptibility to differential cryptanalysis for some subset of the cipher keys than is implied when employing the standard assumptions used in analyzing a cipher’s security.
Martha Norberg Hovd, Martijn Stam
ePrint Report
We introduce Vetted Encryption (VE), a novel cryptographic primitive, which addresses the following scenario: a receiver controls, or vets, who can send them encrypted messages. We model this as a filter publicly checking ciphertext validity, where the overhead does not grow with the number of senders. The filter receives one public key for verification, and every user receives one personal encryption key.

We present three versions: Anonymous, Identifiable, and Opaque VE (AVE, IVE and OVE), and concentrate on formal definitions, security notions and examples of instantiations based on preexisting primitives of the latter two. For IVE, the sender is identifiable both to the filter and the receiver, and we make the comparison with identity-based signcryption. For OVE, a sender is anonymous to the filter, but is identified to the receiver. OVE is comparable to group signatures with message recovery, with the important additional property of confidentiality of messages.
Melissa Azouaoui, Davide Bellizia, Ileana Buhan, Nicolas Debande, Sebastien Duval, Christophe Giraud, Eliane Jaulmes, Francois Koeune, Elisabeth Oswald, Francois-Xavier Standaert, Carolyn Whitnall
ePrint Report
In this paper we examine the central question of how well side-channel evaluation regimes capture the true security level of a product. Concretely, answering this question requires considering the optimality of the attack/evaluation strategy selected by the evaluator, and the various steps to instantiate it. We draw on a number of published works and discuss whether state-of-the-art solutions for the different steps of a side-channel security evaluation offer bounds or guarantees of optimality, or if they are inherently heuristic. We use this discussion to provide an informal rating of the steps' optimality and to put forward where risks of overstated security levels remain.
Shlomi Dolev, Ziyu Wang
ePrint Report
SodsMPC is a quantum-safe smart contract system. SodsMPC permissioned servers (verification nodes) execute contracts by secure multi-party computation (MPC) protocols. MPC ensures the contract execution correctness while trivially keeping the \textit{data privacy}. Moreover, SodsMPC accomplishes the contract \textit{business logic privacy} while protecting the contract user \textit{anonymous identity} simultaneously. We express the logic of a contract by a finite state machine (FSM). A state transition of the FSM is represented by a \textit{blind polynomial} with secret-shared coefficients. When using MPC to compute this blind polynomial, the contract business logic privacy is obtained. These coefficients which control the logic are binary secret shares. We also propose a base conversion method among binary and integer secret shares by MPC. Our contract anonymity comes from the ``mixing-then-contract'' paradigm. The online phase of the SodsMPC mixing is a multiplication between a preprocessed permutation matrix and an input vector in the form of secret sharing, which accomplishes a fully randomized shuffle of the inputs and keeps the secret share form for the following contract execution. All SodsMPC components, including a verifiable secret sharing scheme, are quantum-safe, asynchronous, coping with $t<n/3$ compromised servers, and robust (tolerates Byzantine servers) in both preprocessing and online phases.
Erkan Tairi, Pedro Moreno-Sanchez, Matteo Maffei
ePrint Report
Adaptor signatures (AS) are an extension of digital signatures that enable the encoding of a cryptographic hard problem (e.g., discrete logarithm) within the signature itself. An AS scheme ensures that (i) the signature can be created only by the user knowing the solution to the cryptographic problem; (ii) the signature reveals the solution itself; (iii) the signature can be verified with the standard verification algorithm. These properties have made AS a salient building block for many blockchain applications, in particular, off-chain payment systems such as payment-channel networks, payment-channel hubs, atomic swaps or discrete log contracts. Current AS constructions, however, are not secure against adversaries with access to a quantum computer.

In this work, we present IAS, a construction for adaptor signatures that relies on standard cryptographic assumptions for isogenies, and builds upon the isogeny-based signature scheme CSI-FiSh. We formally prove the security of IAS against a quantum adversary. We have implemented IAS and our evaluation shows that IAS can be incorporated into current blockchains while requiring $\sim1500$ bytes of storage size on-chain and $\sim140$ milliseconds for digital signature verification. We also show how IAS can be seamlessly leveraged to build post-quantum off-chain payment applications such as payment-channel networks without harming their security and privacy.
University of Birmingham
Job Posting
This is an exciting opportunity to join the University of Birmingham’s Centre for Cyber Security and Privacy on the EPSRC-funded project ‘CAP-TEE: Capability Architectures in Trusted Execution’. Trusted Execution Environments (TEEs) shield computations using security-sensitive data (e.g. personal data, banking information, or encryption keys) inside a secure "enclave" from the rest of the untrusted operating system. A TEE protects its data and code even if an attacker has gained full root access to the untrusted parts of the system. Today, TEEs like ARM TrustZone and Intel SGX are therefore widely used in general-purpose devices, including most laptops and smartphones. But with increasingly widespread use, TEEs have proven vulnerable to a number of hardware and software-based attacks, often leading to the complete compromise of the protected data. In this project, we will use capability architectures (as e.g. developed by the CHERI project) to protect TEEs against such state-of-the-art attacks. We address a wide range of threats, from software vulnerabilities such as buffer overflows to sophisticated hardware attacks like fault injection. CAP-TEE will provide a strong, open-source basis for the future generation of more secure TEEs. When developing such disruptive technologies, it is key to minimise the effort of porting existing codebases to the new system to facilitate adoption in practice. In CAP-TEE, we therefore focus on techniques to ease the transition to our capability-enabled TEE. In industrial case studies for the automotive and rail sector, we will demonstrate how complex code written in a memory-unsafe language like C(++) can be seamlessly moved to our platform to benefit from increased security without a full redesign. The successful candidate will be based at the School of Computer Science as part of the Centre for Cyber Security and Privacy and will be working closely with Dr David Oswald.
The centre is recognised by NCSC and EPSRC as an Academic Centre of Excellence in Cyber Security Research.

Closing date for applications:

Contact: Dr David Oswald

More information: https://www.jobs.ac.uk/job/CCF964/research-felllow-in-cyber-security

CISPA Helmholtz Center for Information Security
Job Posting
CISPA is looking for candidates that hold a doctoral degree in computer science or related areas and have an outstanding research track record in all areas related to efficient algorithms and the foundations of theoretical computer science, including theory of cryptography, differential privacy, algorithmic fairness, computational complexity, data structures and the design of efficient algorithms.

CISPA offers two main types of faculty positions.

Tenure track: these positions are intended for candidates with excellent research credentials and the potential to pursue a program of innovative research. The positions are comparable to tenure-track positions at a leading university, and come with two full time research staff positions and generous support for other expenses.

Tenured: these positions are intended for established leading researchers with an outstanding scientific track record, and can be compared to an endowed chair at a leading university. All applicants are expected to build up a research team that pursues an internationally visible research agenda. Candidates for senior positions must be internationally renowned scientists.

All applicants are strongly encouraged to submit their complete application by November 30, 2020 for full consideration. However, applications will continue to be accepted until December 10, 2020.

CISPA values diversity and is committed to equality. We provide special support for dual-career couples. We highly encourage female researchers to apply. For more information about CISPA, see https://cispa.saarland

Closing date for applications:

Contact: scientific-recruiting@cispa.saarland

More information: https://jobs.cispa.saarland/jobs/department/faculty-14

CISPA Helmholtz Center for Information Security
Job Posting
CISPA is looking for candidates that hold a doctoral degree in computer science or related areas and have an outstanding research track record in all areas related to information security and privacy, especially in the fields of software security, security of critical infrastructure and embedded systems.

CISPA offers two main types of faculty positions.

Tenure track: these positions are intended for candidates with excellent research credentials and the potential to pursue a program of innovative research. The positions are comparable to tenure-track positions at a leading university, and come with two full time research staff positions and generous support for other expenses.

Tenured: these positions are intended for established leading researchers with an outstanding scientific track record, and can be compared to an endowed chair at a leading university. All applicants are expected to build up a research team that pursues an internationally visible research agenda. Candidates for senior positions must be internationally renowned scientists.

All applicants are strongly encouraged to submit their complete application by November 30, 2020 for full consideration. However, applications will continue to be accepted until December 10, 2020.

CISPA values diversity and is committed to equality. We provide special support for dual-career couples. We highly encourage female researchers to apply. For more information about CISPA, see https://cispa.saarland

Closing date for applications:

Contact: scientific-recruiting@cispa.saarland

More information: https://jobs.cispa.saarland/de_DE/jobs/department/faculty-14

Duke University, Durham, NC, USA
Job Posting
Prof. Fan Zhang at the Dept. of Computer Science at Duke University, Durham, NC is looking for multiple PhD students to work on related topics in security, privacy, and applied cryptography, including:
  • Blockchain and smart contract security
  • Trusted hardware security
  • Scalable and fair consensus protocols
  • Privacy enhancing technology (e.g., anonymous communication)
The positions start in 2021 Fall. Visit http://fanzhang.me to learn more about Prof. Zhang and his research.

Closing date for applications:

Contact: Fan Zhang

More information: https://www.fanzhang.me/opening/ads.html

Nanyang Technological University (Singapore)
Job Posting
Symmetric Key and Lightweight Cryptography Lab (SyLLab) at Nanyang Technological University (Singapore) is looking for candidates for 2 Research Fellow / Post-Doc positions (from fresh Post-Docs to Senior Research Fellow, flexible contract duration) on various topics, such as symmetric-key design/cryptanalysis, lightweight cryptography, cryptography for automotive industry, side-channel analysis, machine learning aided cryptanalysis. Candidates are expected to have a proven record of publications in top cryptography/security venues. Salaries are competitive and are determined according to the successful applicants' accomplishments, experience and qualifications. Interested applicants should send their detailed CVs, cover letter and references to Prof. Thomas Peyrin (thomas.peyrin@ntu.edu.sg). Review of applications starts immediately and will continue until positions are filled.

Closing date for applications:

Contact: Thomas Peyrin: thomas.peyrin@ntu.edu.sg

Imperial College London
Job Posting
Our Computational Privacy Group at Imperial College London is offering fully funded PhD positions for 2021 to study privacy, data protection, and the impact of algorithms on society.

Topics of current interests include, for instance, individual privacy in large-scale behavioral datasets; re-identification attacks against privacy-preserving data systems or aggregates, privacy of machine learning models, privacy engineering solutions such as differential privacy and query-based systems, ethics and fairness in AI, and computational social science.

For full details, please consult https://cpg.doc.ic.ac.uk/openings/

Deadline: Nov 1st 2020 (first deadline)

Recommended prerequisites. MSc or MEng (4y BEng will be considered) in computer science, statistics, mathematics, physics, electrical engineering, or a related field. Experience in data science, statistics and/or machine learning is a plus.

We encourage all qualified candidates to apply, in particular women, disabled, BAME, and LGBTQIA+ candidates.

About Imperial. Imperial College London, ranked 9th globally, is one of the top universities in the world. A full-time PhD at the South Kensington Campus takes 3-4 years, is fully funded and usually starts in October or January.

Closing date for applications:

Contact:
demontjoye@imperial.ac.uk
- Using as subject: “PhD Application 2020: YOUR NAME”
- Including a link (e.g. Imperial’s Filedrop system or Dropbox) to your CV and transcripts for each degree

More information: https://cpg.doc.ic.ac.uk/openings/

Akinori Hosoyamada, Tetsu Iwata
ePrint Report
We provide a formal proof for the indifferentiability of SKINNY-HASH internal function from a random oracle. SKINNY-HASH is a family of function-based sponge hash functions, and it was selected as one of the second round candidates of the NIST lightweight cryptography competition. Its internal function is constructed from the tweakable block cipher SKINNY. The construction of the internal function is very simple and the designers claim $n$-bit security, where $n$ is the block length of SKINNY. However, a formal security proof of this claim is not given in the original specification of SKINNY-HASH. In this paper, we formally prove that the internal function of SKINNY-HASH has $n$-bit security, i.e., it is indifferentiable from a random oracle up to $O(2^n)$ queries, substantiating the security claim of the designers.

27 October 2020

Award
The deadline for nominating IACR members for the 2021 IACR Fellows class is extended to December 1st for this year.

The IACR Fellows Program recognizes outstanding IACR members for technical and professional contributions to the field of cryptology.

Information about nominating a Fellow is available here.

26 October 2020

Ward Beullens
ePrint Report
The contributions of this paper are twofold. First, we simplify the description of the Unbalanced Oil and Vinegar scheme (UOV) and its Rainbow variant, which makes it easier to understand the scheme and the existing attacks. We hope that this will make UOV and Rainbow more approachable for cryptanalysts. Secondly, we give two new attacks against the UOV and Rainbow signature schemes; the intersection attack that applies to both UOV and Rainbow and the rectangular MinRank attack that applies only to Rainbow. Our attacks are more powerful than existing attacks. In particular, we estimate that compared to previously known attacks, our new attacks reduce the cost of a key recovery by a factor of $2^{17}$, $2^{53}$, and $2^{73}$ for the parameter sets submitted to the second round of the NIST PQC standardization project targeting the security levels I, III, and V respectively. For the third round parameters, the cost is reduced by a factor of $2^{20}$, $2^{40}$, and $2^{55}$ respectively. This means all these parameter sets fall short of the security requirements set out by NIST.
Sikhar Patranabis, Debdeep Mukhopadhyay
ePrint Report
Dynamic searchable symmetric encryption (SSE) supports updates and keyword searches in tandem on outsourced symmetrically encrypted data, while aiming to minimize the information revealed to the (untrusted) host server. The literature on dynamic SSE has identified two crucial security properties in this regard - forward and backward privacy. Forward privacy makes it hard for the server to correlate an update operation with previously executed search operations. Backward privacy limits the amount of information learnt by the server about documents that have already been deleted from the database.

To date, work on forward and backward private SSE has focused mainly on single keyword search. However, for any SSE scheme to be truly practical, it should at least support conjunctive keyword search. In this setting, most prior SSE constructions with sub-linear search complexity do not support dynamic databases. The only exception is the scheme of Kamara and Moataz (EUROCRYPT'17); however it only achieves forward privacy. Achieving both forward and backward privacy, which is the most desirable security notion for any dynamic SSE scheme, has remained open in the setting of conjunctive keyword search.

In this work, we develop the first forward and backward private SSE scheme for conjunctive keyword searches. Our proposed scheme, called Oblivious Dynamic Cross Tags (or ODXT in short) scales to very large arbitrarily-structured databases (including both attribute-value and free-text databases). ODXT provides a realistic trade-off between performance and security by efficiently supporting fast updates and conjunctive keyword searches over very large databases, while incurring only moderate access pattern leakages to the server that conform to existing notions of forward and backward privacy. We precisely define the leakage profile of ODXT, and present a detailed formal analysis of its security. We then demonstrate the practicality of ODXT by developing a prototype implementation and evaluating its performance on real world databases containing millions of documents.
Varun Narayanan, Manoj Prabhakaran, Vinod M. Prabhakaran
ePrint Report
We introduce a new primitive in information-theoretic cryptography, namely zero-communication reductions (ZCR), with different levels of security. We relate ZCR to several other important primitives, and obtain new results on upper and lower bounds. In particular, we obtain new upper bounds for the PSM, CDS and OT complexity of functions, which are exponential in the information complexity of the functions. These upper bounds complement the results of Beimel et al. (2014), which broke the circuit-complexity barrier for ``high complexity'' functions; our results break the barrier of input size for ``low complexity'' functions. We also show that lower bounds on secure ZCR can be used to establish lower bounds for OT-complexity. We recover the known (linear) lower bounds on OT-complexity by Beimel and Malkin (2004) via this new route. We also formulate the lower bound problem for secure ZCR in purely linear-algebraic terms, by defining the invertible rank of a matrix. We present an Invertible Rank Conjecture, proving which will establish super-linear lower bounds for OT-complexity (and, if accompanied by an explicit construction, will provide explicit functions with super-linear circuit lower bounds).
Yu Xue
ePrint Report
We report the homomorphic evaluation of the SM4 symmetric block cipher based on the BGV homomorphic encryption scheme. We implement bootstrapping and non-bootstrapping homomorphic evaluation of the 32-round SM4 based on HElib with about a 128-bit security level. Our approach follows and is similar to the AES homomorphic evaluation. The implementation uses packed ciphertexts with bytes in slots. The S-box evaluation is similar to the AES evaluation method, and the linear transform layer uses permutation of the bytes in the state. Since SM4 has more rounds than AES and its Feistel structure differs from that of AES, the depth and number of levels of the homomorphic evaluation of SM4 are much greater than for AES, so larger parameters (non-bootstrapping) and more bootstrapping are needed. Our bootstrapping implementation (3 ciphertexts, 360 blocks) runs in about 1.5 hours on a MacBook Pro (MacOS Catalina 10.15, 16G), and the non-bootstrapping implementation (1 ciphertext, 480 blocks) runs in about 6 hours on the same MacBook Pro (MacOS Catalina 10.15, 16G).
Scott Aaronson, Jiahui Liu, Qipeng Liu, Mark Zhandry, Ruizhe Zhang
ePrint Report
Quantum copy protection uses the unclonability of quantum states to construct quantum software that provably cannot be pirated. Copy protection would be immensely useful, but unfortunately little is known about how to achieve it in general. In this work, we make progress on this goal, by giving the following results:
  • We show how to copy protect any program that cannot be learned from its input/output behavior, relative to a classical oracle. This improves on Aaronson [CCC’09], which achieves the same relative to a quantum oracle. By instantiating the oracle with post-quantum candidate obfuscation schemes, we obtain a heuristic construction of copy protection.
  • We show, roughly, that any program which can be watermarked can be copy detected, a weaker version of copy protection that does not prevent copying, but guarantees that any copying can be detected. Our scheme relies on the security of the assumed watermarking, plus the assumed existence of public key quantum money. Our construction is general, applicable to many recent watermarking schemes.