International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

  • via email
  • via RSS feed

16 February 2021

Selmer Center, University of Bergen, Norway
Job Posting

The Selmer Center in Secure Communication is looking for a PhD student to join us in our new research project Cryptographic Boolean Functions for Threshold Implementations, funded by the Norwegian Research Council. This study will be supervised by Prof. Budaghyan, Prof. Carlet and Prof. Rijmen.

Applicants interested in helping us over the next 3 years to study Boolean functions used as building blocks in cryptographic primitives and their Threshold Implementations in order to find efficient ways of preventing Side Channel Attacks, must have:

  • obtained a master's degree in Mathematics or Computer Science by 01.11.2021 (the position's starting date),
  • strong background in Discrete Mathematics or symmetric cryptography, and
  • good programming skills

For further information and the online application form please follow the link in the title above.

Closing date for applications:

Contact: Prof. Lilya Budaghyan

More information: https://www.jobbnorge.no/en/available-jobs/job/200521/phd-position-in-informatics-cryptography

Nagasaki, Japan, 30 May - 3 June 2022
Event Calendar
Event date: 30 May to 3 June 2022

12 February 2021

Bern, Switzerland, 19 May - 7 July 2021
Event Calendar
Event date: 19 May to 7 July 2021
Submission deadline: 15 March 2021
Notification: 15 April 2021
Tamar Lichter Blanks, Stephen D. Miller
ePrint Report
Lattice-based cryptography relies on generating random bases which are difficult to fully reduce. Given a lattice basis (such as the private basis for a cryptosystem), all other bases are related by multiplication by matrices in $GL(n,\mathbb{Z})$. How can one sample random elements from $GL(n,\mathbb{Z})$? We consider various methods, finding some are stronger than others with respect to the problem of recognizing rotations of the $\mathbb{Z}^n$ lattice. In particular, the standard algorithm of multiplying unipotent generators together (as implemented in Magma's RandomSLnZ command) generates instances of this last problem which can be efficiently broken, even in dimensions nearing 1,500. Similar weaknesses for this problem are found with the random basis generation method in one of the NIST Post-Quantum Cryptography competition submissions (DRS). Other algorithms are described which appear to be much stronger.
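A worked illustration of the basis-sampling step this abstract discusses, added here as an example (it is not code from the paper or from Magma): it multiplies random elementary unipotent matrices I + e*E_ij, checks with an exact integer determinant that the product lies in SL(n, Z), and forms the Gram matrix U*U^T that a "rotation of Z^n" instance exposes to the attacker. The dimension, the number of factors and the RNG seed are illustrative choices of this example, not parameters from the paper.

```python
"""Sampling a "random" basis of Z^n by multiplying unipotent generators.

Added example, not code from the paper or from Magma.  Left-multiplying
by I + e*E_ij (i != j, e = +-1) adds e*row_j to row_i; such matrices
generate SL(n, Z), so any product U is a unimodular basis of Z^n.  The
Gram matrix G = U*U^T is the public description of a lattice isometric
to Z^n; recovering U from G (up to a signed permutation of rows) is the
"recognising rotations of Z^n" problem the abstract refers to.
n, num_factors and seed below are illustrative parameters.
"""
import random


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def apply_unipotent(M, i, j, e):
    """In place: M <- (I + e*E_ij) * M, i.e. row_i += e * row_j."""
    for k in range(len(M)):
        M[i][k] += e * M[j][k]


def sample_sl_n_z(n, num_factors, rng):
    """Product of num_factors random elementary unipotent matrices (det = 1)."""
    U = identity(n)
    for _ in range(num_factors):
        i, j = rng.sample(range(n), 2)
        apply_unipotent(U, i, j, rng.choice((-1, 1)))
    return U


def det_bareiss(M):
    """Exact integer determinant by fraction-free (Bareiss) elimination."""
    A = [row[:] for row in M]
    n = len(A)
    sign, prev = 1, 1
    for k in range(n - 1):
        if A[k][k] == 0:
            swap = next((r for r in range(k + 1, n) if A[r][k] != 0), None)
            if swap is None:
                return 0
            A[k], A[swap] = A[swap], A[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                # Every division here is exact: entries are minors of M.
                A[i][j] = (A[i][j] * A[k][k] - A[i][k] * A[k][j]) // prev
        prev = A[k][k]
    return sign * A[n - 1][n - 1]


def is_unimodular(M):
    return det_bareiss(M) in (1, -1)


def gram(U):
    """G = U * U^T: pairwise inner products of the basis vectors (rows of U)."""
    n = len(U)
    return [[sum(U[i][k] * U[j][k] for k in range(n)) for j in range(n)]
            for i in range(n)]


def max_abs_entry(M):
    return max(abs(x) for row in M for x in row)


def sample_instance(n=8, num_factors=100, seed=1):
    """Secret basis U and the public Gram matrix G of the rotated Z^n."""
    U = sample_sl_n_z(n, num_factors, random.Random(seed))
    return U, gram(U)


if __name__ == "__main__":
    U, G = sample_instance()
    print("det(U) =", det_bareiss(U), " unimodular:", is_unimodular(U))
    print("largest |entry| of U:", max_abs_entry(U), " of G:", max_abs_entry(G))
```

The determinant is computed exactly rather than with floating point because entries of a long product of unipotent generators can grow well beyond 2^53; how many factors are needed before the resulting Gram matrices stop being easy to reduce is exactly the question the abstract studies, and this example only sets up the instance.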
Boris Fouotsa Tako, Péter Kutas, Simon-Philipp Merz
ePrint Report
It is well known that the general supersingular isogeny problem reduces to the supersingular endomorphism ring computation problem. However, in order to attack SIDH-type schemes one requires a particular isogeny which is usually not returned by the general reduction. At Asiacrypt 2016, Galbraith et al. presented a polynomial-time reduction of the problem of finding the secret isogeny in SIDH to the problem of computing the endomorphism ring of a supersingular elliptic curve. Their method exploits that secret isogenies in SIDH are short, and thus it does not extend to other SIDH-type schemes where this condition is not fulfilled. We present a more general reduction algorithm that generalises to all SIDH-type schemes. The main idea of our algorithm is to exploit available torsion point images together with the KLPT algorithm to obtain a linear system of equations over a certain residue class ring. Lifting the solution of this linear system yields the secret isogeny. As a consequence, we show that the choice of the prime $p$ in B-SIDH is tight.
Lei Bi, Xianhui Lu, Junjie Luo, Kunpeng Wang, Zhenfei Zhang
ePrint Report
In this paper, we study the hybrid dual attack over Learning with Errors (LWE) problems for any secret distribution. Prior to our work, hybrid attacks were only considered for sparse and/or small secrets. A new and interesting result from our analysis shows that a hybrid dual attack can outperform a standalone dual attack, regardless of the secret distribution. We formulate our results into a framework for predicting the performance of the hybrid dual attacks. We also present a few tricks that further improve our attack. To illustrate the effectiveness of our result, we re-evaluate the security of all LWE-related proposals in round 3 of NIST's post-quantum cryptography process, and improve the state-of-the-art cryptanalysis results by 1-9 bits, under the BKZ-core-SVP model.
Mark Simkin, Luisa Siniscalchi, and Sophia Yakoubov
ePrint Report
Identifiable abort (IA) is the strongest security guarantee that is achievable for secure multi-party computation in the dishonest majority setting. Protocols that achieve IA ensure that, in case of an abort, all honest parties agree on the identity of at least one corrupt party who can be held accountable for the abort. It is important to understand what computational primitives must be used to obtain secure computation with identifiable abort. This can be approached by asking which oracles can be used to build perfectly secure computation with identifiable abort. Ishai, Ostrovsky, and Zikas (Crypto 2014) show that an oracle that returns correlated randomness to all $n$ parties is sufficient; however, they leave open the question of whether oracles that return output to fewer than $n$ parties can be used.

In this work, we show that for $t \leq n - 2$ corruptions, oracles that return output to $n - 1$ parties are sufficient to obtain perfectly secure computation with identifiable abort. Using our construction recursively, we see that for $t \leq n - \ell - 2$ and $\ell \in \mathcal{O}(1)$, oracles that return output to $n - \ell - 1$ parties are sufficient.

For our construction, we introduce a new kind of secret sharing scheme which we call unanimously identifiable secret sharing with public and private shares (UISSwPPS). In a UISSwPPS scheme, each share holder is given a public and a private share. Only the public shares are necessary for reconstruction, and the knowledge of a private share additionally enables the identification of at least one party who provided an incorrect share in case reconstruction fails. The important new property of UISSwPPS is that, even given all the public shares, an adversary should not be able to come up with a different public share that causes reconstruction of an incorrect message, or that avoids the identification of a cheater if reconstruction fails.
Andreas Erwig, Sebastian Faust, Kristina Hostáková, Monosij Maitra, Siavash Riahi
ePrint Report
Adaptor signatures are a novel cryptographic primitive with important applications for cryptocurrencies. They have been used to construct second-layer solutions such as payment channels or cross-currency swaps. The basic idea of an adaptor signature scheme is to tie the signing process to the revelation of a secret value in the sense that, much like a regular signature scheme, an adaptor signature scheme can authenticate messages, but simultaneously leaks a secret to certain parties. Recently, Aumayr et al. provided the first formalization of adaptor signature schemes, and presented provably secure constructions from ECDSA and Schnorr signatures. Unfortunately, the formalization and constructions given in this work have two limitations: (1) current schemes are limited to ECDSA and Schnorr signatures, and no generic transformation for constructing adaptor signatures is known; (2) they do not offer support for aggregated two-party signing, which can significantly reduce the blockchain footprint in applications of adaptor signatures.

In this work, we address these two shortcomings. First, we show that signature schemes that are constructed from identification (ID) schemes, which additionally satisfy certain homomorphic properties, can generically be transformed into adaptor signature schemes. We further provide an impossibility result which proves that unique signature schemes (e.g., the BLS scheme) cannot be transformed into an adaptor signature scheme. In addition, we define two-party adaptor signature schemes with aggregatable public keys and show how to instantiate them via a generic transformation from ID-based signature schemes. Finally, we give instantiations of our generic transformations for the Schnorr, Katz-Wang and Guillou-Quisquater signature schemes.
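To make concrete what "tying signing to the revelation of a secret" means, here is an added example (not code from the paper or from Aumayr et al.) of the Schnorr-based adaptor signature the abstract cites: the pre-signature computes its challenge on R*Y instead of R, so it verifies only relative to the statement Y = g^y; adding the witness y to the response yields an ordinary Schnorr signature; and whoever sees both the pre-signature and the final signature recovers y as their difference. The group (a safe prime of about 64 bits found at import time), the hash-to-scalar encoding, the use of Python's non-cryptographic random module and the party names are this example's own choices and are far too weak for real use.

```python
"""Schnorr adaptor signature over a toy Schnorr group.

Added example, not code from the paper or from Aumayr et al.  A
pre-signature (R, s_hat) on msg w.r.t. Y = g^y satisfies
g^s_hat = R * X^c with c = H(X, R*Y, msg); adapting with y gives the
plain Schnorr signature (R*Y, s_hat + y), and y = s - s_hat can be read
off by anyone holding both.  The ~64-bit group and hash encoding are
toy choices for this example only.
"""
import hashlib
import random

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin; with these fixed bases the answer is exact for n < 3.3e24."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start):
    """Smallest odd q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 63)  # toy-sized group parameters
G = 4  # quadratic residue mod P, hence a generator of the order-Q subgroup


def hash_to_scalar(*parts):
    """Fiat-Shamir challenge H(parts) mod Q; each part is length-prefixed."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(16, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def pre_sign(x, X, msg, Y, rng):
    """Pre-signature on msg w.r.t. statement Y: the challenge is bound to R*Y."""
    r = rng.randrange(1, Q)
    R = pow(G, r, P)
    c = hash_to_scalar(X, R * Y % P, msg)
    return R, (r + c * x) % Q


def pre_verify(X, msg, Y, presig):
    R, s_hat = presig
    c = hash_to_scalar(X, R * Y % P, msg)
    return pow(G, s_hat, P) == R * pow(X, c, P) % P


def adapt(presig, y):
    """Complete the pre-signature with the witness y into a plain Schnorr signature."""
    R, s_hat = presig
    return R * pow(G, y, P) % P, (s_hat + y) % Q


def verify(X, msg, sig):
    """Ordinary Schnorr verification: g^s == R * X^H(X, R, msg)."""
    R, s = sig
    c = hash_to_scalar(X, R, msg)
    return pow(G, s, P) == R * pow(X, c, P) % P


def extract(presig, sig):
    """Witness extraction y = s - s_hat: the property atomic swaps rely on."""
    return (sig[1] - presig[1]) % Q


def run_demo(seed=7, msg=b"pay 1 coin to Bob if he reveals y"):
    """Alice pre-signs for Bob's statement Y; Bob adapts; Alice extracts y."""
    rng = random.Random(seed)
    x, X = keygen(rng)
    y = rng.randrange(1, Q)  # Bob's secret witness (e.g. a hash-lock preimage)
    Y = pow(G, y, P)
    presig = pre_sign(x, X, msg, Y, rng)
    sig = adapt(presig, y)
    return {"X": X, "y": y, "presig": presig, "sig": sig,
            "pre_ok": pre_verify(X, msg, Y, presig),
            "sig_ok": verify(X, msg, sig),
            "y_extracted": extract(presig, sig)}
```

Note that the pre-signature on its own does not pass ordinary verification (its challenge was computed on R*Y, not R), which is what lets Alice hand it over before Bob has revealed anything; the abstract's impossibility result for unique signatures such as BLS is about the absence of such a per-signature randomness R to bind the statement to.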
Paul Frixons, André Schrottenloher
ePrint Report
In this paper, we study the security of the Legendre PRF against quantum attackers, given classical queries only, and without quantum random-access memories. We give two algorithms that recover the key of a shifted Legendre symbol with unknown shift, with a complexity smaller than exhaustive search of the key. The first one is a quantum variant of the table-based collision algorithm. The second one uses Kuperberg's abelian hidden shift algorithm in an offline manner. We show that the latter, although asymptotically promising, is not currently the most efficient against practical parameters.
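For readers unfamiliar with the Legendre PRF, an added example (not code from the paper) showing the primitive and the classical table-based collision attack that the abstract's first algorithm is a quantum variant of. A keyed instance F_K(x) = chi(K + x) is the Legendre sequence of p shifted by the unknown K; the attack queries x = 0..M-1, tabulates every length-L window of the answers, then samples random a and looks up chi(a), ..., chi(a+L-1); a hit at table index i means a = K + i. The prime p = 65537, the query budget and the window length are toy parameters chosen here so the search finishes instantly; the quantum and Kuperberg-based algorithms of the paper are not shown.

```python
"""Legendre PRF and the classical table-based (collision) key recovery.

Added example, not from the paper.  Cost is roughly M + p/M Legendre
symbol evaluations (M queries plus about p/M random probes), which is
minimised near M = sqrt(p).  P, num_queries and window_len are toy
parameters for this example; window_len must exceed log2(p) by a margin
so that false table hits are rare (they are filtered anyway).
"""
import random

P = 65537  # prime (2^16 + 1); toy-sized on purpose


def legendre_bit(a, p=P):
    """1 if a is a nonzero quadratic residue mod p, else 0 (also 0 for a == 0)."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else 0


def legendre_prf(key, x, p=P):
    """F_K(x) = chi(K + x): the Legendre sequence shifted by the secret K."""
    return legendre_bit(key + x, p)


def window(f, start, length):
    """Bits f(start), ..., f(start+length-1) packed into one int for table lookup."""
    v = 0
    for j in range(length):
        v = (v << 1) | f(start + j)
    return v


def recover_key(oracle, p=P, num_queries=512, window_len=24, seed=0):
    """Recover K from num_queries classical queries to oracle(x) = F_K(x).

    Returns (key, number_of_random_probes).
    """
    outputs = [oracle(x) for x in range(num_queries)]
    # Table: every length-window_len window of the oracle output -> its offset i.
    table = {}
    for i in range(num_queries - window_len + 1):
        table.setdefault(window(lambda x: outputs[x], i, window_len), i)
    rng = random.Random(seed)  # deterministic probes for reproducibility
    chi = lambda a: legendre_bit(a, p)
    probes = 0
    while True:
        probes += 1
        a = rng.randrange(p)
        i = table.get(window(chi, a, window_len))
        if i is None:
            continue
        candidate = (a - i) % p  # window at offset i is chi(K+i..), so a = K + i
        if all(legendre_prf(candidate, x, p) == outputs[x] for x in range(num_queries)):
            return candidate, probes


if __name__ == "__main__":
    K = 12345  # secret key of the oracle, unknown to the attacker
    key, probes = recover_key(lambda x: legendre_prf(K, x))
    print("recovered", key, "after", probes, "random probes; correct:", key == K)
```

Because the attacker only ever sees chi(K + x) for consecutive x, the whole problem is a hidden shift, which is what makes Kuperberg's abelian hidden-shift algorithm applicable in the abstract's second approach; the table above is the classical birthday-style substitute for that structure.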
Liliya Akhmetzyanova, Evgeny Alekseev, Alexandra Babueva, Stanislav Smyshlyaev
ePrint Report
Development of signature schemes providing short signatures is a quite relevant, non-trivial challenge for cryptographers. Since the late 1980's many short signature schemes have been proposed. The most promising schemes are multivariate schemes and schemes based on the Weil pairing. Unfortunately, the cryptographic tools used in these schemes are still not supported by most cryptographic software, which complicates their effortless use in practice.

In the current paper we investigate the opportunity of shortening the standard ElGamal-type signatures. We propose three methods of shortening signatures (for any ElGamal-type schemes such as ECDSA, GOST and SM2) and analyze how applying these methods affects the security. Applying all three methods to the GOST signature scheme with elliptic curve subgroup order $q$, $2^{255} < q < 2^{256}$, can reduce the signature size from $512$ to $320$ bits. The modified scheme provides sufficient security and acceptable (for non-interactive protocols) signing and verifying time.
Greg Morrisett, Elaine Shi, Kristina Sojakova, Xiong Fan, Joshua Gancher
ePrint Report
Although there have been many successes in verifying proofs of non-interactive cryptographic primitives such as encryption and signatures, formal verification of interactive cryptographic protocols is still a nascent area. While in principle, it seems possible to extend general frameworks such as Easycrypt to encode proofs for more complex, interactive protocols, a big challenge is whether the human effort would be scalable enough for proof mechanization to eventually acquire mainstream usage among the cryptography community. We work towards closing this gap by introducing a simple framework, Interactive Probabilistic Dependency Logic (IPDL), for reasoning about a certain well-behaved subset of cryptographic protocols. A primary design goal of IPDL is for formal cryptographic proofs to resemble their on-paper counterparts. To this end, IPDL includes an equational logic to reason about approximate observational equivalence (i.e., computational indistinguishability) properties between protocols. IPDL adopts a channel-centric core logic, which decomposes the behavior of the protocol into the behaviors along each communication channel. IPDL supports straight-line programs with statically bounded loops. This design allows us to capture a broad class of protocols encountered in the cryptography literature, including multi-party, reactive, and/or inductively-defined protocols; meanwhile, the logic can track the runtime of the computational reduction in security proofs, thus ensuring computational soundness. We demonstrate the use of IPDL by a number of case studies, including a multi-use, secure message communication protocol, a multi-party coin toss with abort protocol, several oblivious transfer constructions, as well as the two-party GMW protocol for securely evaluating general circuits. We provide a mechanization of the IPDL proof system and our case studies in Coq, and our code is open sourced at https://github.com/ipdl/ipdl.
Benjamin E. Diamond
ePrint Report
With an eye towards applications in cryptography, we consider the problem of evaluating boolean functions through affine-linear arithmetic functionals. We show that each subset of the discrete unit cube admits an exact covering by affine hyperplanes (over a sufficiently large prime field). We study the complexity class consisting of boolean functions whose on-sets and off-sets admit coverings by polynomially many hyperplanes. This extends and improves upon a framework of Ishai and Kushilevitz (FOCS '00). We also investigate a number of concrete examples.

We moreover study the concrete construction of compact coverings, and provide new geometric algorithms. Our logic synthesizer constructs affine coverings of cube subsets using a recursive backtracking procedure, and minimizes the total number of flats used; it may be of independent interest. This represents a new paradigm in boolean logic minimization. We relate this paradigm to classical logic synthesis.

Applying our paradigm, we present a general protocol for commitment-consistent secure two-party computation with an untrusted third party, generalizing a construction of Wagh, Gupta, and Chandran (PETS '19). Our generalization supports the secure evaluation of arbitrary boolean functionalities; we also add commitment-consistency and malicious security under one corruption. We report on a highly efficient implementation of a specialization of this general protocol to a certain natural boolean function.
Christoph Egger, Mike Graf, Ralf Kuesters, Daniel Rausch, Viktoria Ronge, and Dominique Schröder
ePrint Report
In the past few years blockchains have been a major focus for security research, resulting in significant progress in the design, formalization, and analysis of blockchain protocols. However, the more general class of distributed ledgers, which includes not just blockchains but also prominent non-blockchain protocols, such as Corda and OmniLedger, cannot be covered by the state-of-the-art in the security literature yet. These distributed ledgers often break with traditional blockchain paradigms, such as block structures to store data, system-wide consensus, or global consistency.

In this paper, we close this gap by proposing the first framework for defining and analyzing the security of general distributed ledgers, with an ideal distributed ledger functionality, called $\mathcal{F}_\text{ledger}$, at the core of our contribution. This functionality covers not only classical blockchains but also non-blockchain distributed ledgers in a unified way.

To illustrate $\mathcal{F}_\text{ledger}$, we first show that the prominent ideal blockchain functionalities $\mathcal{G}_\text{ledger}$ and $\mathcal{G}_\text{PL}$ realize (suitable instantiations of) $\mathcal{F}_\text{ledger}$, which precisely captures their security properties. This immediately implies that their respective implementations, including Bitcoin, Ouroboros Genesis, and Ouroboros Crypsinous, realize $\mathcal{F}_\text{ledger}$ as well. Secondly, we demonstrate that $\mathcal{F}_\text{ledger}$ is also capable of precisely modeling non-blockchain distributed ledgers by performing the first formal security analysis of such a distributed ledger, namely the prominent Corda protocol. Due to the widespread use of Corda in industry, in particular the financial sector, this analysis is of independent interest.

These results also illustrate that $\mathcal{F}_\text{ledger}$ not just generalizes the modular treatment of blockchains to distributed ledgers, but moreover helps to unify existing results.
Morteza Adeli, Nasour Bagheri, Sadegh Sadeghi and Saru Kumari
ePrint Report
Alongside the development of cloud computing and the Internet of Things (IoT), cloud-based RFID is receiving more attention nowadays. A cloud-based RFID system is specifically developed to provide real-time data that can be fed to the cloud for easy access and instant data interpretation. Security and privacy of the constrained devices in these systems is a challenging issue for many applications. To deal with this problem, we propose $\chi$perbp, a lightweight authentication protocol based on the $\chi$per component. $\chi$per is a hardware/software-friendly component that can be implemented using bit-wise operations. To evaluate the performance efficiency of our proposed scheme, we implement the $\chi$perbp scheme on a Xilinx Kintex-7 FPGA module using the hardware description language VHDL. Our security and cost analysis of the proposed protocol shows that it provides the desired security against various attacks at a reasonable cost. Also, formal security evaluation using BAN logic and the Scyther tool indicates its security correctness. Besides, we analyse the security of a related protocol which has been recently proposed by Fan et al. It is a cloud-based lightweight mutual authentication protocol for RFID devices in an IoT system. Although they have claimed security against active and passive adversaries, our detailed security analysis in this paper demonstrates major drawbacks of this protocol. More precisely, the proposed attack discloses the tag's secrets efficiently. Given the tag's secrets, any other attack is trivial.

11 February 2021

CWI Cryptology Group, Amsterdam, Netherlands
Job Posting
Centrum Wiskunde & Informatica (CWI) has a vacancy in the Cryptology Group for a talented PhD student, on the subject of Post-Quantum Secure Cryptographic Protocols.

The successful candidate will be working with Lisa Kohl, within the NWO Gravitation project QSC.

Candidates are required to have a master’s degree in Computer Science, Mathematics or a related discipline, ideally with a specialization in Cryptology.

All applications should include a detailed resume, motivation letter, list of MSc courses and grades, copy of the master's thesis and list of publications (if applicable). Please send your application as a single PDF file (with the master's thesis as a separate attachment).

The application deadline is March 31st, 2021. Review of applications will start immediately and continue until the position is filled.

Closing date for applications:

Contact: Lisa Kohl (l.m.kohl (at) cwi.nl)

Horizen Labs, Milan (Italy)
Job Posting

Horizen Labs is a blockchain technology company that designs, develops and delivers powerful, scalable and reliable distributed ledger solutions for business. Our Core Engineering Team is based in Milan, Italy. It’s an innovative and collaborative group of technical developers who are dedicated to the design and development of world-class blockchain-based products.

We are now looking for a junior cryptographer, or applied cryptographer, to join our Cryptography Team and develop cutting-edge SNARK-based proof-composition models and software.

The Role
  • Help the team to develop practical applications using both advanced SNARK-based protocols and conventional cryptographic tools
  • Keep up to date on emerging capabilities in the fast-growing Zero-Knowledge area and identify where and how new capabilities can be applied
  • Identify and recommend technologies and cryptographic solutions to solve technical challenges
  • Participate in standards setting, perform collaborative research into open source solutions and assist technical colleagues in their development work
Requirements
  • MS/Ph.D. in Mathematics, Computer Science, Computer Programming, or Computer Engineering
  • Core understanding of classical crypto primitives (symmetric and public key cryptography)
  • Basic principles of Elliptic Curve Cryptography, Zero-knowledge proofs and SNARGs
  • Foundations of blockchain technology, and experience developing in Rust and/or C++, are a plus.

Closing date for applications:

Contact: Maurizio Binello

More information: https://horizenlabs.io/

The University of Edinburgh
Job Posting
Funded 3-year (full-time) PhD in secure multi-party computation. The aims of the project include (but are not limited to):
1) Improving efficiency and cryptographic assumptions of multi-party computation protocols.
2) Studying new communication models for real-world applications, to obtain protocols with improved performance and security features.
3) Proposing new security definitions and realistic trusted assumptions to overcome current impossibility results.

Closing date for applications:

Contact: Michele Ciampi (michele.ciampi [at] ed.ac.uk)

More information: https://www.ed.ac.uk/informatics/postgraduate/fees/research-scholarships/research-grant-funding/phd-secure-multi-party-computation

IT University of Copenhagen
Job Posting
The IT University of Copenhagen invites highly motivated individuals to apply for a Postdoc position starting in May 2021 or soon thereafter for a duration of 2 years. The position is in the context of the project “Enabling User-Accountable Mechanisms for Decision Systems”, which looks at ways to provide dispute resolution capabilities to decision systems (e.g. voting protocols) by combining cryptographic techniques for human senses with advanced cryptographic protocols. Candidates should apply here: https://candidate.hr-manager.net/ApplicationInit.aspx?cid=119&ProjectId=181269&DepartmentId=3439&MediaId=1282

Closing date for applications:

Contact: Rosario Giustolisi (rosg@itu.dk) or Carsten Schuermann (carsten@itu.dk)

More information: https://candidate.hr-manager.net/ApplicationInit.aspx?cid=119&ProjectId=181269&DepartmentId=3439&MediaId=1282

Télécom Paris , Secure and Safe Hardware team, Palaiseau, France
Job Posting
The position requires expertise and skills in:
  • Architectures and design methods of digital circuits/embedded systems for both hardware and low-level software.
  • Theory and practice in the security/safety of electronic circuits and on-board systems.
Circuit and embedded system expertise as well as skills in modeling and quantifying risks are essential for the position. The design of circuits with effective protections against attacks, and the corresponding validation methods, should be mastered.
The position requires significant publications in leading journals and conferences. Initiating and participating in national, international and industrial research projects is expected. Experience in higher education as well as fluency in written and oral English are required.
Other types of competencies that could serve for the position are listed below:
  • Experience in developing embedded systems with hardware and / or software protections.
  • Familiarity with cyber-physical threats and protection principles.
  • In-depth knowledge of microprocessor architectures and associated software development tools.
  • Methods and architectures of integrated circuits and embedded systems.
  • Experimental data generation and analysis.
  • Knowledge in modeling, signal processing and machine learning methods.
Detailed information and the submission form can be found at:

https://institutminestelecom.recruitee.com/l/en/o/maitre-de-conferences-en-securite-et-surete-des-systemes-embarques-a-telecom-paris-cdi

Closing date for applications:

Contact: jean-luc.danger@telecom-paris.fr

More information: https://institutminestelecom.recruitee.com/l/en/o/maitre-de-conferences-en-securite-et-surete-des-systemes-embarques-a-telecom-paris-cdi

Ph.D. Scholarship (Post-Quantum Cryptographic Hardware & AI Security)
Job Posting
There are two Ph.D. positions opening in Dr. Jiafeng Harvest Xie's research group at the Department of Electrical and Computer Engineering of Villanova University, Villanova, PA (west of Philadelphia), USA. The research topics of these positions focus primarily on hardware implementation and security issues related to post-quantum cryptosystems and AI systems. Interested candidates are warmly welcome to send their resume/CV to Dr. Xie by email: jiafeng.xie@villanova.edu

Requirements: preferably a major in Computer Science, Computer Engineering, Electrical Engineering or a related field. Familiarity with fault attacks and analysis is desirable. Proficiency in programming languages such as C/C++ and HDLs (FPGA development skills and experience are a big plus). Good English communication and writing skills. Great enthusiasm for research-oriented tasks. Excellent team member. Degree: both B.S. and M.S. graduates or similar are warmly welcome to apply.

Start date: Summer 2021 and Fall 2021 are both fine. It is always better to apply as early as possible. Positions are open until they are filled.

The 2021 U.S. News & World Report ranks Villanova as tied for the 53rd best National University in the U.S. (famous alumni include the First Lady of the United States, among others).

Brief introduction of Dr. Xie: Dr. Jiafeng Harvest Xie is currently an Assistant Professor at the Department of Electrical and Computer Engineering of Villanova University. His research interests include cryptographic engineering, hardware security, and VLSI digital design. He is the Best Paper Awardee of IEEE HOST 2019. He has served as an Associate Editor for Microelectronics Journal, IEEE Access, and IEEE Trans. Circuits and Systems II. He was also awarded the 2019 IEEE Access Outstanding Associate Editor award.

Closing date for applications:

Contact: Dr. Jiafeng Xie (jiafeng.xie@villanova.edu)

More information: https://www1.villanova.edu/villanova/engineering/departments/ece/facultyStaff/biodetail.html?mail=jiafeng.xie@villanova.edu&xsl=bio_long
