International Association for Cryptologic Research

IACR News

03 June 2021

Sergiu Carpov, Nicolas Gama, Mariya Georgieva, Dimitar Jetchev
ePrint Report
We present a framework GenoPPML for privacy-preserving machine learning in the context of sensitive genomic data processing. The technology combines secure multiparty computation techniques based on the recently proposed Manticore secure multiparty computation framework for model training and fully homomorphic encryption based on TFHE for model inference. The framework was successfully used to solve breast cancer prediction problems on gene expression datasets coming from distinct private sources while preserving their privacy – the solution winning 1st place for both Tracks I and III of the genomic privacy competition iDASH'2020.
Congming Wei, Chenhao Wu, Ximing Fu, Xiaoyang Dong, Kai He, Jue Hong, Xiaoyun Wang
ePrint Report
In this paper, we present preimage attacks on 4-round Keccak-224/256 as well as 4-round Keccak[$r = 640,c = 160,l = 80$] in the preimage challenges. We revisit the Crossbred algorithm for solving the Boolean multivariate quadratic (MQ) system, propose a new view for the case $D = 2$ and elaborate on the computational complexity. The result shows that the Crossbred algorithm outperforms brute force both theoretically and practically with feasible memory costs. In our attacks, we construct Boolean MQ systems in order to make full use of the variables. With the help of solving MQ systems, we successfully improve preimage attacks on Keccak-224/256 reduced to 4 rounds. Moreover, we implement the preimage attack on 4-round Keccak[$r = 640,c = 160,l = 80$], an instance in the Keccak preimage challenges, and find 78-bit matched near preimages. Due to the fundamental role of solving MQ systems, the complexity elaboration of the Crossbred algorithm is of independent interest.

Christoph Dobraunig, Lorenzo Grassi, Lukas Helminger, Christian Rechberger, Markus Schofnegger, Roman Walch
ePrint Report
The idea of hybrid homomorphic encryption (HHE) is to drastically reduce bandwidth requirements when using homomorphic encryption (HE) at the cost of more expensive computations in the encrypted domain. To this end, various dedicated schemes for symmetric encryption have already been proposed. However, it is still unclear whether those ideas are already practically useful, because (1) no cost-benefit analysis has been done for use cases and (2) very few implementations are publicly available. We address this situation in several ways. After we formally define HHE in a broader sense than before, we build an open-source benchmarking framework involving several use cases covering three popular libraries. Using this framework, we explore properties of the respective HHE proposals. It turns out that even medium-sized use cases are infeasible, especially when involving integer arithmetic. Consequently, we propose Pasta, a cipher thoroughly optimized for integer HHE use cases. Pasta is designed to minimize the multiplicative depth, while also leveraging the structure of both state-of-the-art integer HE schemes (BFV and BGV) to minimize the homomorphic evaluation latency. Using our new benchmarking environment, we extensively evaluate Pasta in SEAL and HElib and compare its properties to 7 existing ciphers in two use cases. Our evaluations show that Pasta outperforms its competitors for HHE both in terms of homomorphic evaluation time and noise consumption, showing its efficiency for applications in real-world HE use cases. Concretely, Pasta outperforms Agrasta by a factor of up to 82 and Masta by a factor of up to 6 when applied to the two use cases.

Virtual event, Anywhere on Earth, 29 September - 1 October 2021
Event Calendar
Event date: 29 September to 1 October 2021
Submission deadline: 30 June 2021
Advanced Digital Sciences Center (ADSC), Illinois at Singapore Pte Ltd, Singapore
Job Posting

We are seeking a Postdoctoral Researcher to join us in our project to ensure reliable and trustworthy power grid operation. In this project, we will approach the security challenges from three angles: secure energy transactions, secure decentralized storage for collaboration, and secure end-to-end communication for resource monitoring and control.

Your Responsibilities
  • Conduct research on provable data possession and secure collaborative storage.
  • Develop and improve upon techniques to provide Completeness, Correctness, and Freshness guarantees on stored data in collaborative applications.
  • Implement the developed solutions.
Basic Requirements
  • PhD in Cryptography, Applied Cryptography, Information Theory, Mathematics, Computer Science or related areas.
  • Excellent track record in reputable Cryptography and Security venues.
  • Ability to perform research independently.
  • Good communication skills and ability to collaborate with a team of researchers and engineers.
  • Experience or interest in software prototyping.
Nice to Have
  • Experience in data/message integrity research, such as Provable Data Possession, Proof of Data Retrievability.
  • Familiar with or interested in Cloud and IoT concepts, DER and Grid 2.0 paradigm.
For more information, please visit ADSC's website: http://adsc.illinois.edu/.

Closing date for applications:

Contact: Interested candidates should apply online at https://my.engr.illinois.edu/apply/.

Purdue University and Texas A&M University
Job Posting
Applications are invited for a postdoctoral research position in “distributed cryptography,” a term we broadly use to encompass areas such as secure multiparty computation, cryptographic protocols, foundational aspects of blockchains, and the relations among them. Applicants are expected to hold a PhD in computer science or a related field, and must have published papers in cryptography and/or distributed computing venues. The position will be available starting in Fall 2021, and remain open until filled. The postdoctoral researcher will have a joint appointment at Purdue University and Texas A&M University.

Closing date for applications:

Contact: To apply, please send an email, including your CV, to Juan Garay (garay@tamu.edu) and Vassilis Zikas (vzikas@cs.purdue.edu).

Ockam
Job Posting
Ockam is designing open source protocols and libraries for end-to-end encrypted communication within IoT and other connected systems. In this role, you will be responsible for the architecture and design of cryptographic protocols within Ockam. Our goal is to make our cryptographic libraries easy to use correctly and hard to misuse; you will lead the design of these library APIs in Rust. This is an applied cryptography role which will involve researching and applying robust, peer-reviewed cryptographic primitives to the design of our protocols. The role will also involve implementing cryptographic primitives and protocols in Rust. You will also get to work with Rust FFI and our C and Elixir libraries. You'll have the chance to design protocols for secure channels, authenticated key exchange, anonymous credentials, key lifecycle, authentication, authorization, etc. Interesting cryptographic building blocks that you would get to dive deep into and apply to real-world problems include bilinear pairings, zero-knowledge proofs, the Noise framework, sigma protocols, signature schemes like BBS+, secure multi-party computation, etc. Ockam is a small and extremely senior team. This role involves architecture, interface design, writing code, responsibility for testing, and publishing documentation.

Closing date for applications:

Contact: Ockam.io

More information: https://www.ockam.io/team/Applied-Cryptographer-Rust/61e07e82-0589-51de-b250-42dbceb31c3c


02 June 2021

Chenkai Weng, Kang Yang, Xiang Xie, Jonathan Katz, Xiao Wang
ePrint Report
Recent progress in interactive zero-knowledge (ZK) proofs has improved the efficiency of proving large-scale computations significantly. Nevertheless, real-life applications (e.g., in the context of private inference using deep neural networks) often involve highly complex computations, and existing ZK protocols lack the expressiveness and scalability to prove results about such computations efficiently.

In this paper, we design, develop, and evaluate a ZK system (Mystique) that allows for efficient conversions between arithmetic and Boolean values, between publicly committed and privately authenticated values, and between fixed-point and floating-point numbers. Targeting large-scale neural-network inference, we also present an improved ZK protocol for matrix multiplication that yields a 7× improvement compared to the state-of-the-art. Finally, we incorporate Mystique in Rosetta, a TensorFlow-based privacy-preserving framework.

Mystique is able to prove correctness of an inference on a private image using a committed (private) ResNet-101 model in 28 minutes, and can do the same task when the model is public in 5 minutes, with only a 0.02% decrease in accuracy compared to a non-ZK execution when testing on the CIFAR-10 dataset. Our system is the first to support ZK proofs about neural-network models with over 100 layers with virtually no loss of accuracy.
Ilaria Chillotti, Damien Ligier, Jean-Baptiste Orfila, Samuel Tap
ePrint Report
Fully Homomorphic Encryption (FHE) schemes enable computation over encrypted data. Among them, TFHE [CGGI17] has the great advantage of offering an efficient method for bootstrapping noisy ciphertexts, i.e., reducing their noise. Indeed, homomorphic computation increases the noise in ciphertexts and might compromise the encrypted message. TFHE bootstrapping, in addition to reducing the noise, also evaluates (for free) univariate functions expressed as look-up tables. It however requires the most significant bit of the plaintext to be known a priori, resulting in the loss of one bit of space to store messages. Furthermore, it represents a non-negligible overhead in terms of computation in many use cases.

In this paper, we propose a solution to overcome this limitation, which we call Programmable Bootstrapping Without Padding (WoP-PBS). This approach relies on two building blocks. The first one is the multiplication à la BFV [FV12], which we incorporate into TFHE. This is possible thanks to a thorough noise analysis showing that correct multiplications can be computed using practical TFHE parameters. The second building block is the generalization of TFHE bootstrapping introduced in this paper. It offers the flexibility to select any chunk of bits of an encrypted plaintext during a bootstrap. It also enables evaluating many LUTs at the same time when working with small enough precision. All these improvements are particularly helpful in some applications such as the evaluation of Boolean circuits (where a bootstrap is no longer required for each evaluated gate) and, more generally, in the efficient evaluation of arithmetic circuits even with large integers. These results improve TFHE circuit bootstrapping as well. Moreover, we show that bootstrapping large-precision integers is now possible using much smaller parameters than those obtained by scaling TFHE ones.

Navid Alamati, Pedro Branco, Nico Döttling, Sanjam Garg, Mohammad Hajiabadi, Sihang Pu
ePrint Report
Consider a server with a large set $S$ of strings $\{x_1,x_2, \dots,x_N\}$ that would like to publish a small hash $h$ of its set $S$ such that any client with a string $y$ can send the server a short message allowing it to learn $y$ if $y \in S$ and nothing otherwise. In this work, we study this problem of two-round private set intersection (PSI) with low (asymptotically optimal) communication cost, or what we call laconic private set intersection ($\ell$PSI) and its extensions. This problem is inspired by the recent general frameworks for laconic cryptography [Cho et al. CRYPTO 2017, Quach et al. FOCS'18].

We start by showing the first feasibility result for realizing $\ell$PSI based on the CDH assumption, or LWE with polynomial noise-to-modulus ratio. However, these feasibility results use expensive non-black-box cryptographic techniques leading to significant inefficiency. Next, with the goal of avoiding these inefficient techniques, we give a construction of $\ell$PSI schemes making only black-box use of cryptographic functions. Our construction is secure against semi-honest receivers, malicious senders and reusable in the sense that the receiver's message can be reused across any number of executions of the protocol. The scheme is secure under the $\phi$-hiding, decisional composite residuosity and subgroup decision assumptions.

Finally, we show natural applications of $\ell$PSI to realizing a semantically-secure encryption scheme that supports detection of encrypted messages belonging to a set of "illegal" messages (e.g., an illegal video) circulating online. Over the past few years, significant effort has gone into realizing laconic cryptographic protocols. Nonetheless, our work provides the first black-box constructions of such protocols for a natural application setting.

Ghada Almashaqbeh, Ravital Solomon
ePrint Report
Cryptocurrency and blockchain continue to build on an innovative computation model that has paved the way for a large variety of applications. However, privacy is a huge concern as most (permissionless) blockchains log everything in the clear. This has resulted in several academic and industrial initiatives to address privacy. Starting with the UTXO model introduced by Bitcoin, initial works brought confidentiality and anonymity to payments. Recent works have expanded to support more generalized forms of private computation. Such solutions tend to be highly involved as they rely on advanced cryptographic primitives and creative techniques to handle issues related to dealing with private blockchain records (e.g. concurrency, private coin tracking to prevent double spending, efficiency). This situation makes it hard to comprehend the current state-of-the-art, much less build on top of it.

To address these challenges, we provide a systematization of knowledge for privacy-preserving solutions in blockchain. To the best of our knowledge, our work is the first of its kind. After motivating design challenges, we provide an overview of the zero-knowledge proof systems used in supporting blockchain privacy, focusing on their key features and limitations. Then, we develop a systematization of knowledge framework using which we group the state-of-the-art privacy preserving solutions under three categories: private payments, computation with input/output privacy, and function privacy. We briefly touch upon challenges and implications including misuse, regulations and compliance, usability, and limited functionality. Our work seeks to highlight open problems and research questions to guide future work directions.
Navid Nasr Esfahani, Douglas R. Stinson
ePrint Report
In this paper, we initiate a study of asymmetric all-or-nothing transforms (or asymmetric AONTs). A (symmetric) $t$-all-or-nothing transform is a bijective mapping defined on the set of $s$-tuples over a specified finite alphabet. It is required that knowledge of all but $t$ outputs leaves any $t$ inputs completely undetermined. There have been numerous papers developing the theory of AONTs as well as presenting various applications of AONTs in cryptography and information security.

In this paper, we replace the parameter $t$ by two parameters $t_o$ and $t_i$, where $t_i \leq t_o$. The requirement is that knowledge of all but $t_o$ outputs leaves any $t_i$ inputs completely undetermined. When $t_i < t_o$, we refer to the AONT as asymmetric.

We give several constructions and bounds for various classes of asymmetric AONTs, especially those with $t_i = 1$ or $t_i = 2$. We pay particular attention to linear transforms, where the alphabet is a finite field $F_q$ and the mapping is linear.
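The $(t_i, t_o)$ definition in the abstract above can be checked mechanically for small linear transforms. The following Python code is an added example, not taken from the paper: it tests the property in two independent ways for a constructed 4x4 transform over $F_5$. The first is a brute-force check of the definition itself (for every choice of $t_o$ hidden outputs and every value of the remaining outputs, every $t_i$-subset of inputs must be uniformly distributed). The second is a rank criterion derived here from linearity: writing the transform as $y = xM$ and $A = M^{-1}$, we have $x_I = y_K A[K,I] + y_O A[O,I]$, so $x_I$ is uniform given the known outputs $y_K$ exactly when the $t_o \times t_i$ submatrix $A[O,I]$ has rank $t_i$. The matrix $A = J + 2I$ over $F_5$ (all-ones plus twice the identity) is a constructed example chosen so that it is an asymmetric $(t_i=2, t_o=3)$-AONT but not a symmetric 2-AONT, because its off-diagonal 2x2 blocks are all-ones and hence singular.

```python
"""Toy linear asymmetric AONT over F_p, checked against the definition.

Added example, not from the paper.  A linear transform y = x * M over F_p is
specified here by its inverse A = M^{-1} (so x = y * A).  Knowing all outputs
except those at positions O gives x_I = y_K * A[K, I] + y_O * A[O, I] with
y_O uniform, so x_I is uniform over F_p^{t_i} exactly when the t_o x t_i
submatrix A[O, I] has rank t_i.  The constructed A = J + 2I over F_5 satisfies
this for t_i = 2, t_o = 3 but is not a symmetric 2-AONT.
"""
from collections import Counter
from itertools import combinations, product

P = 5  # constructed toy alphabet F_5
S = 4  # constructed number of inputs/outputs


def vec_mat(v, A, p):
    """Row vector v times matrix A (list of rows), reduced mod p."""
    return tuple(sum(v[i] * A[i][j] for i in range(len(A))) % p
                 for j in range(len(A[0])))


def rank_mod_p(rows, p):
    """Rank of a matrix over F_p by Gauss-Jordan elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def inverse_mod_p(A, p):
    """Inverse of a square matrix over F_p, or None if singular."""
    n = len(A)
    aug = [[x % p for x in A[i]] + [int(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, p)
        aug[c] = [(x * inv) % p for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def is_asym_aont_by_rank(A, p, t_i, t_o):
    """Rank criterion: every t_o x t_i submatrix A[O, I] of the inverse has rank t_i."""
    s = len(A)
    return all(rank_mod_p([[A[o][i] for i in I] for o in O], p) == t_i
               for O in combinations(range(s), t_o)
               for I in combinations(range(s), t_i))


def is_asym_aont_by_brute_force(A, p, t_i, t_o):
    """Direct check of the definition: for every set O of t_o hidden outputs and every
    value of the remaining outputs, each t_i-subset of inputs is uniform, i.e. every
    (known outputs, x_I) pair occurs exactly p^(t_o - t_i) times."""
    s = len(A)
    for O in combinations(range(s), t_o):
        K = [j for j in range(s) if j not in O]
        for I in combinations(range(s), t_i):
            counts = Counter()
            for y in product(range(p), repeat=s):
                x = vec_mat(y, A, p)
                counts[(tuple(y[k] for k in K), tuple(x[i] for i in I))] += 1
            if len(counts) != p ** (s - t_o + t_i) or set(counts.values()) != {p ** (t_o - t_i)}:
                return False
    return True


# Constructed example: A = J + 2I over F_5, i.e. 3 on the diagonal and 1 elsewhere.
A_INV = [[3 if i == j else 1 for j in range(S)] for i in range(S)]
M = inverse_mod_p(A_INV, P)  # the forward transform y = x * M


def aont(x):
    """Apply the transform to an input tuple over F_5."""
    return vec_mat(x, M, P)


def aont_inverse(y):
    """Recover the input from all S outputs."""
    return vec_mat(y, A_INV, P)


if __name__ == "__main__":
    print("round trip:", aont_inverse(aont((1, 2, 3, 4))))
    for t_i, t_o in [(1, 1), (2, 2), (2, 3)]:
        print((t_i, t_o), is_asym_aont_by_rank(A_INV, P, t_i, t_o),
              is_asym_aont_by_brute_force(A_INV, P, t_i, t_o))
```

Both checks agree on the example: $(1,1)$ and $(2,3)$ hold, $(2,2)$ fails. The brute-force check is exponential in $s$ and only serves to validate the rank criterion on toy sizes; for real parameters the rank criterion (or a structured construction) is what one would use.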
Felix Günther, Patrick Towa
ePrint Report
The recent KEMTLS protocol (Schwabe, Stebila and Wiggers, CCS’20) is a promising design for a quantum-safe TLS handshake protocol. Focused on the web setting, wherein clients learn server public-key certificates only during connection establishment, a drawback compared to TLS 1.3 in terms of latency is that KEMTLS introduces an additional round trip before the server can send data. In many scenarios, including IoT and embedded settings, client devices may however have the targeted server certificate pre-loaded, so that such a performance penalty seems unnecessarily restrictive.

This work proposes a variant of KEMTLS tailored to such scenarios. The protocol leverages the fact that clients know the server public keys in advance to decrease handshake latency while protecting client identities. It combines medium-lived with long-term server public keys to enable a delayed form of forward secrecy even from the first data flow on, and full forward secrecy upon the first round trip. The protocol is proved to achieve strong security guarantees, based on the security of the underlying building blocks, in a new model for multi-stage key exchange with medium-lived keys.

01 June 2021

Dfns, Paris
Job Posting
Established in 2020, Dfns is a cybersecurity startup operating within decentralized finance (DeFi). From our office in Paris, we are building an API for digital asset security. More specifically, Xkey provides safe, cloud-native custody as a service to help companies secure cryptos & tokens. Dfns is also a stellar team incubated at Station F (the world's biggest startup campus), the Garage (#1 blockchain ecosystem in Europe), and Techstars Future of Finance in collaboration with ABN AMRO.

We are looking for a highly motivated candidate to fill a cryptography researcher position at Dfns. Topics include:

  • Secure multi-party computation
  • Threshold Signature
  • Anonymity and privacy
  • Cryptocurrencies
  • Blockchain-based cryptography

Closing date for applications:

Contact: Houda Ferradi: Houda@dfns.io

More information: https://www.dfns.co/

Temasek Laboratories, National University of Singapore, Singapore
Job Posting

The candidate will work in the area of post-quantum cryptography. The candidate will conduct research on code-based and lattice-based cryptography in terms of design, security and performance analysis, and possibly applications. The work requires carrying out some simulations.

Applicants are expected to have a PhD degree in Mathematics/Computer Science and a strong background in algebra, linear algebra, algebraic number theory or algebraic coding theory.

Preferred candidates are expected to be proficient in Magma or SageMath, to be team workers and to be able to conduct independent research.

Interested candidates should include their full CV and transcripts in their applications and send them to Dr Chik How Tan, tsltch@nus.edu.sg.

Only shortlisted applicants will be notified. Review of applicants will start immediately.

Closing date for applications:

Contact: Dr Chik How Tan (tsltch@nus.edu.sg)

Copenhagen, Denmark, 9 November - 11 November 2021
Event Calendar
Event date: 9 November to 11 November 2021
Submission deadline: 1 July 2021
Notification: 15 August 2021

Virtual event, Anywhere on Earth, 6 October - 8 October 2021
Event Calendar
Event date: 6 October to 8 October 2021
Submission deadline: 7 July 2021
Notification: 10 August 2021

TU Wien
Job Posting
TU Wien is Austria's largest institution of research and higher education in the fields of technology and natural sciences. The Security and Privacy research unit at the Institute of Logic and Computation at TU Wien is offering a 4-year PhD student position in symmetric cryptography.

A successful candidate should have an excellent academic record from a completed master or diploma curriculum in Mathematics, Computer Science, or related fields. Previous knowledge or experience in the area of cryptography or security is a plus.

The Security and Privacy research unit at TU Wien is internationally renowned for its expertise in the fields of cryptography, security and privacy. Our working language is English.

Formal applications must be submitted via https://jobs.tuwien.ac.at/Job/153314. We look forward to receiving your application by 29.07.2021.

Closing date for applications:

Contact: Inquiries about the position and process to Asst. Prof. Elena Andreeva elena[dot]andreeva[at]tuwien[dot]ac[dot]at

More information: https://jobs.tuwien.ac.at/Job/153314


31 May 2021

Mohammad Sadeq Dousti, Alptekin Küpçü
ePrint Report
In distributed computations and cryptography, it is desirable to record events on a public ledger, such that later alterations are computationally infeasible. An implementation of this idea is called blockchain, which is a distributed protocol that allows the creation of an immutable ledger. While such an idea is very appealing, the ledger may be contaminated with incorrect, illegal, or even dangerous data, and everyone running the blockchain protocol has no option but to store and propagate the unwanted data. The ledger is bloated over time, and it is not possible to remove redundant information. Finally, missing data cannot be inserted later. Redactable blockchains were invented to allow the ledger to be mutated in a controlled manner. To date, redactable blockchains support at most two types of redactions: block modification and removal. The next logical step is to support block insertions. However, we show that this seemingly innocuous enhancement renders all previous constructs insecure. We put forward a model for blockchains supporting all three redaction operations, and construct a blockchain that is provably secure under this formal definition.

Haopeng Fan, Wenhao Wang, Yongjuan Wang
ePrint Report
Side-channel attacks exploit information from the physical implementation of cryptographic systems, rather than from theoretical weaknesses. In recent years, cache attacks have made significant progress in their ability to recover secret information by combining observations of the victim's cache accesses with knowledge of the internal structure of the cipher. So far, cache attacks have been implemented for most Feistel-structured and SPN-structured block cipher algorithms, but the security of algorithms with special structures has received little attention. In this paper, the Flush+Reload attack is performed on the implementation of MISTY1. Unlike Feistel and SPN structures, MISTY1 is a block cipher with a recursive structure. The FL function is applied before the plaintext enters the S-boxes and after the ciphertext leaves them, making it difficult to attack the first and last rounds. However, we find that the key scheduling part of MISTY1 leaks many key bits, which, together with the leakage of partial round-key bits during encryption, is sufficient to recover the key of the MISTY1 algorithm. We design an algorithm that only needs to observe a single encryption to recover the 128-bit MISTY1 key, and use the leakage during encryption to reduce the complexity of the algorithm. We experiment in 32-byte and 64-byte cache line environments, respectively. In the 32-byte cache line environment, an adversary only needs to observe five encryptions to recover the entire 128-bit MISTY1 key in 0.035 seconds; in the 64-byte cache line environment, an adversary needs to observe 10 encryptions to recover the entire 128-bit key in 2.1 hours.

Keywords: Side Channel, Cache attack, Flush+Reload, MISTY1, Key Scheduling Part