International Association
for Cryptologic Research

There are two Ph.D. positions opening at Dr. Jiafeng Harvest Xie's research group at the Department of Electrical and Computer Engineering of Villanova University, Villanova, PA (west of Philadelphia), USA. The research topics of this position primarily focused on hardware implementation and security issues related to the post-quantum cryptosystems and AI systems. Interested ones are warmly welcomed to send their resume/CV to Dr. Xie through email: jiafeng.xie@villanova.edu

Requirements: preferred to be at the majors of Computer Science, Computer Engineering, Electrical Engineering and related others. Familiar with fault attack and analysis will be desirable. Proficiency in programming languages such as C/C++ and HDLs (FPGA development skills and experience are big plus). Good at English communication and writing. Great enthusiasm of doing research oriented tasks. Excellent team work member. Degree: both B.S. and M.S. graduates or similar are warmly welcomed to apply. Start date: Summer 2021 and Fall 2021 are both ok. It is always better to apply as early as possible. Positions are open until they are filled. The 2021 U.S. News & World Report ranks Villanova as tied for the 53th best National University in the U.S (Famous Alumni includes the First Lady of the United States, etc.). Brief introduction of Dr. Xie: Dr. Jiafeng Harvest Xie is currently an Assistant Professor at the Department of Electrical and Computer Engineering of Villanova University. His research interests include cryptographic engineering, hardware security, and VLSI digital design. He is the Best Paper Awardee of IEEE HOST 2019. He has served the Associate Editor for Microelectronics Journal, IEEE Access, and IEEE Trans. Circuits and Systems II. He has also been awarded the 2019 IEEE Access Outstanding Associate Editor. Contact: Jiafeng Harvest Xie (jiafeng.xie@villanova.edu) Contact: Jiafeng Harvest Xie

Closing date for applications:

Contact: Dr. Jiafeng Xie (jiafeng.xie@villanova.edu)

More information: https://www1.villanova.edu/villanova/engineering/departments/ece/facultyStaff/biodetail.html?mail=jiafeng.xie@villanova.edu&xsl=bio_long

I am looking for highly motivated and qualified candidates to fill Ph.D. positions for research in applied cryptography. Topics include:

• Design of extended features for lattice based post-quantum schemes.
• Attacks / countermeasures for post-quantum schemes.
• Efficient software and hardware implementation of post-quantum schemes.

Candidates should have a degree in computer science, electronics, or applied mathematics with a strong interest in systems security, algorithms. Prior experience in software or hardware development, code analysis, and/or signal processing is an asset. We offer a competitive salary and an international cutting-edge research program in an attractive working environment. WPI is a highly-ranked research university in the Boston area and offers the opportunity to collaborate with world-class faculty and students in a collegial environment. We maintain close connections with surrounding universities and private companies.

Closing date for applications:

Contact: Berk Sunar, sunar@wpi.edu
Professor, Department of Electrical and Computer Engineering
Vernam Applied Crypto and Cybersecurity Lab
Worcester Polytechnic Institute USA

More information: http://vernam.wpi.edu/positions/

Bitcoin Cash, created in 2017, is a “hard fork” from Bitcoin responding to the need for allowing a higher transaction volume. This is achieved by a larger block size, as well as a new difficulty adjustment (target recalculation) function(s) that acts more frequently (as opposed to Bitcoin’s difficulty adjustment happening about every two weeks), resulting in a potentially different target for each block. While seemingly achieving its goal in practice, to our knowledge there is no formal analysis to back this proposal up.

In this paper we provide the first formal cryptographic analysis of Bitcoin Cash’s target recalculation functions against all possible adversaries. We follow the analytical approach developed in the Bitcoin backbone protocol [Eurocrypt 2015 and follow-ups], of first establishing basic properties of the blockchain data structure, from which the properties of a robust transaction ledger (namely, Consistency and Liveness) can be derived. However, the more active target recalculation mechanism as well as the more pronounced fluctuation of the mining population (due in part to miners’ behavior of switching chains towards achieving higher expected rewards) require new analytical tools.

We perform our analysis in the bounded-delay network model with dynamic participation of miners, of both ASERT and SMA (Bitcoin Cash’s current and former recalculation functions, respectively) and conclude that in order to satisfy security (namely, properties satisfied except with negligible probability in the security parameter) considerably larger parameter values should be used with respect to the ones used in practice.

Federated learning (FL) allows to train a massive amount of data privately due to its decentralized structure. Stochastic gradient descent (SGD) is commonly used for FL due to its good empirical performance, but sensitive user information can still be inferred from weight updates shared during FL iterations. We consider Gaussian mechanisms to preserve local differential privacy (LDP) of user data in the FL model with SGD. The trade-offs between user privacy, global utility, and transmission rate are proved by defining appropriate metrics for FL with LDP. Compared to existing results, the query sensitivity used in LDP is defined as a variable and a tighter privacy accounting method is applied. The proposed utility bound allows heterogeneous parameters over all users. Our bounds characterize how much utility decreases and transmission rate increases if a stronger privacy regime is targeted. Furthermore, given a target privacy level, our results guarantee a significantly larger utility and a smaller transmission rate as compared to existing privacy accounting methods.

In this work, we study GPU implementations of various state-of-the-art sieving algorithms for lattices (Becker-Gama-Joux 2015, Becker-Ducas-Gama-Laarhoven 2016, Herold-Kirshanova 2017) inside the General Sieve Kernel (G6K, Albrecht et al. 2019). In particular, we extensively exploit the recently introduced *Tensor Cores* -- originally designed for raytracing and machine learning -- and demonstrate their fitness for the cryptanalytic task at hand. We also propose a new *dual-hash* technique for efficient detection of `lift-worthy' pairs to accelerate a key ingredient of G6K: finding short lifted vectors.

We obtain new computational records, reaching dimension $180$ for the SVP Darmstadt Challenge improving upon the previous record for dimension $155$. This computation ran for $51.6$ days on a server with $4$ NVIDIA Turing GPUs and $1.5$TB of RAM. This corresponds to a gain of about two orders of magnitude over previous records both in terms of wall-clock time and of energy efficiency.

Internet of Things (IoT) promises a strong world connecting digital and physical enviromments. Nevertheless, such a framework comes with huge security and privacy vulnerabilities, due to the heterogeneous nature of devices and of the diversity of their provenance. Other noticeable, technical challenges in IoT are brought with the constrained resources of devices, forcing to design protocol as lightweight as possible.

In this paper, we present a new system with access control key updates and direct user revocation, that are beneficial features in IoT. Access control is done using Ciphertext-Policy Attribute-Based Encryption where attributes represent roles of devices within their networks. Moreover, we devise a novel approach, based on a binary tree, to append time credentials. This allows us to find an interesting trade-off between key update frequency and user revocation list length, as well as stressing time-sensitive data exchanged in IoT environments. The security of our scheme is proved under the Decisional Bilinear Diffie-Hellman Exponent assumption.

Future work will focus on the implementation and analysis of our solution, in order to confirm that the latter is fully deployable in IoT networks.

Over the past five years, a significant line of research has investigated the blockchain consensus problem in the general permissionless setting, where protocol nodes can leave and join dynamically. The work of Garay et al. (Eurocrypt 2015) and Pass et al. (Eurocrypt 2017) showed the security properties of consistency and liveness for Nakamoto's seminal proof-of-work protocol. However, consistency and liveness do not provide any guarantees on the relationship between the order in which transactions arrive into the network and the finalized order in the ledger, making protocols prone to transaction order-manipulation attacks. As a solution, a recent paper by Kelkar et al. (Crypto 2020) introduced a third useful property for consensus protocols: transaction-order-fairness. Their model was limited to the classical (permissioned) setting, where the set of protocol nodes is fixed a priori, and does not fit well for permissionless environments where order-manipulation attacks have been most prominent.

In this work, we initiate the investigation of order-fairness in the permissionless setting and provide two protocols that realize it. Our protocols work in a synchronous network and use an underlying longest-chain blockchain. As an added contribution, we show that any fair ordering protocol achieves a powerful zero-block confirmation property, through which honest transactions can be securely confirmed even before they are included in any block.

The Classic McEliece cryptosystem is one of the most trusted quantum-resistant cryptographic schemes. Deploying it in practical applications, however, is challenging due to the size of its public key. In this work, we bridge this gap. We present an implementation of Classic McEliece on an ARM Cortex-M4 processor, optimized to overcome memory constraints. To this end, we present an algorithm to retrieve the public key ad-hoc. This reduces memory and storage requirements and enables the generation of larger key pairs on the device. To further improve the implementation, we perform the public key operation by streaming the key to avoid storing it as a whole. This additionally reduces the risk of denial of service attacks. Finally, we use these results to implement and run TLS on the embedded device.

Abstract—Cryptographic communication protocols provide confidentiality, integrity and authentication properties for end-to- end communication under strong corruption attacks, including, notably, post-compromise security (PCS). Most protocols are designed for one-to-one communication. Protocols for group communication are less common, less efficient, and tend to provide weaker security guarantees. This is because group communication poses unique challenges, such as coordinated key updates, changes to group membership and complex post- compromise recovery procedures.

We need to tackle this complex challenge as a community. Thus, the Internet Engineering Task Force (IETF) has created a working group with the goal of developing a sound standard for a continuous asynchronous key-exchange protocol for dynamic groups that is secure and remains efficient for large group sizes. The current version of the Messaging Layer Security (MLS) security protocol is in a feature freeze, i.e., no changes are made in order to provide a stable basis for cryptographic analysis. The key schedule and TreeKEM design are of particular concern since they are crucial to distribute and combine several keys to achieve PCS.

In this work, we provide a computational analysis of the MLS key schedule, TreeKEM and their composition, as specified in Draft 11 of the MLS RFC. The analysis is carried out using the State Separating Proofs methodology [9], and showcases the flexibility of the approach, enabling us to provide a full computational analysis shortly after Draft 11 was published.

We present an approach for designing fast public key encryption cryptosystems using random primitives and error permutation. An encryption speed of such systems allows to use them for “on-the-fly” public key encryption and makes them useful for real-time communications. A small error size allows to use this approach for designing digital signature schemes

Cramer, Damgård, and Schoenmakers (CDS) built a proof system to demonstrate the possession of subsets of witnesses for a given collection of statements that belong to a prescribed access structure P by composing so-called sigma-protocols for each atomic statement. Their verifier complexity is linear in the size of the monotone span program representation of P. We propose an alternative method for combining sigma-protocols into a single non-interactive system for a compound statement in the random oracle model. In contrast to CDS, our verifier complexity is linear in the size of the acyclicity program representation of P, a complete model of monotone computation introduced in this work. We show that the acyclicity program size of a predicate is never larger than its de Morgan formula size and it is polynomially incomparable to its monotone span program size. We additionally present an extension of our proof system, with verifier complexity linear in the monotone circuit size of P, in the common reference string model. Finally, considering the types of statement that naturally reduce to acyclicity programming, we discuss several applications of our new methods to protecting privacy in cryptocurrency and social networks.

In this work, we consider a recent application of coding theory in the context of post-quantum digital signature schemes, and their cryptanalysis. We indeed implement an attack on the recent attempt by Li, Xing and Yeo to produce a code-based signature scheme using the Schnorr-Lyubashevsky approach in the Hamming metric. Differently from other (unsuccessful) proposals, this new scheme exploits rejection sampling along with dense noise vectors to hide the secret key structure in produced signatures. We show that these measures, besides yielding very slow signing times and rather long signatures, do not succeed in protecting the secret key. We are indeed able to prove the existence of a strong correlation between produced signatures, which ultimately leaks information about the secret key. To support this claim, we use both theoretical arguments and numerical evidences. Finally, we employ such a weakness to mount a full key recovery attack, which is able to recover the secret key after the observation of a bunch of signatures.

Smart contract-enabled blockchains represent a powerful tool in supporting a large variety of applications. Despite their salient features of transparency, decentralization, and expressiveness, building privacy-preserving applications using these platforms remains an open question. Existing solutions fall short in achieving this goal since they support a limited operation set, only support private computation on inputs belonging to one user, or even ask the users themselves to perform the computations off-chain. In this paper, we propose smartFHE, a modular framework to support private smart contracts that utilizes fully homomorphic encryption (FHE). The smartFHE framework allows users to build arbitrary decentralized applications that preserve input/output privacy for inputs belonging to the same user or even different users. This is achieved by employing single and multi-key FHE to compute over private (encrypted) data and account balances, along with efficient zero-knowledge proof systems to prove well-formedness of private transactions. Crucially, our framework is "modular" since any FHE and ZKP scheme can be used so long as they satisfy certain minimal requirements with respect to correctness and security. Furthermore, smartFHE reduces the burden on the user, since miners translate smart contract code into public or private operations based on whether the accounts involved are public or private. In proposing smartFHE, we define notions for a privacy-preserving smart contract (PPSC) scheme along with its correctness and security. We provide a concrete instantiation of a PPSC using the smartFHE framework. Finally, we consider further extensions/optimizations.

Event date: to
Submission deadline: 23 November 2021

Event date: to
Submission deadline: 1 September 2021

Event date: to
Submission deadline: 1 June 2021

Event date: to
Submission deadline: 1 March 2021