International Association
for Cryptologic Research

In the recent ePrint report 2021/583 titled "Entropoid-based cryptography is group exponentiation in disguise" Lorenz Panny gave a cryptanalysis of the entropoid based instances proposed in our eprint report 2021/469. We acknowledge the correctness of his claims for the concrete instances described in our original report 2021/469.

However, we find that claims for the general applicability of his attack on the general Entropoid framework are misleading. Namely, based on the Theorem 1 in his report, which claims that for every entropic quasigroup $(G, *)$, there exists an Abelian group $(G, \cdot)$, commuting automorphisms $\sigma$, $\tau$ of $(G, \cdot)$, and an element $c \in G$, such that $x * y = \sigma(x) \cdot \tau(y) \cdot c$ the author infers that \emph{"all instantiations of the entropoid framework should be breakable in polynomial time on a quantum computer."}

There are two misleading parts in these claim: \textbf{1.} It is implicitly assumed that all instantiations of the entropoid framework would define entropic quasigroups - thus fall within the range of algebraic objects addressed by Theorem 1. \emph{We will show a construction of entropic groupoids that are not quasigroups}; \textbf{2.} It is implicitly assumed that finding the group $(G, \cdot)$, the commuting automorphisms $\sigma$ and $\tau$ and the constant $c$ \emph{would be easy for every given entropic operation} $*$ and its underlying groupoid $(G, *)$. However, the provable existence of a mathematical object \emph{does not guarantee an easy finding} of that object.

Treating the original entropic operation $* := *_1$ as a one-dimensional entropic operation, we construct multidimensional entropic operations $* := *_m$, for $m\geq 2$ and we show that newly constructed operations do not have the properties of $* = *_1$ that led to the recovery of the automorphism $\sigma$, the commutative operation $\cdot$ and the linear isomorphism $\iota$ and its inverse $\iota^{-1}$.

We give proof-of-concept implementations in SageMath 9.2 for the new multidimensional entropic operations $* := *_m$ defined over several basic operations $* := *_1$ and we show how the non-associative and non-commutative exponentiation works for the key exchange and digital signature schemes originally proposed in report 2021/469.

Lossy trapdoor functions, introduced by Peikert and Waters (STOC '08), can be initialized in one of two indistinguishable modes: in injective mode, the function preserves all information about its input, and can be efficiently inverted given a trapdoor, while in lossy mode, the function loses some information about its input. Such functions have found countless applications in cryptography, and can be constructed from a variety of number-theoretic or algebraic ``Cryptomania'' assumptions. In this work, we introduce targeted lossy functions (TLFs), which relax lossy trapdoor functions along two orthogonal dimensions. First, they do not require an inversion trapdoor in injective mode. Second, the lossy mode of the function is initialized with some target input, and the function is only required to lose information about this particular target. The injective and lossy modes should be indistinguishable even given the target. We construct TLFs from ``Minicrypt'' assumptions, namely, injective pseudorandom generators, or even one-way functions under a natural relaxation of injectivity. We then generalize TLFs to incorporate branches, and construct all-injective-but-one and all-lossy-but-one variants. We show a wide variety of applications of targeted lossy functions. In several cases, we get the first Minicrypt constructions of primitives that were previously only known under Cryptomania assumptions. Our applications include:

-Pseudo-entropy functions from one-way functions.

-Deterministic leakage-resilient message-authentication codes and improved leakage-resilient symmetric-key encryption from one-way functions.

-Extractors for extractor-dependent sources from one-way functions.

-Selective-opening secure symmetric-key encryption from one-way functions.

-A new construction of CCA PKE from (exponentially secure) trapdoor functions and injective pseudorandom generators.

We also discuss a fascinating connection to distributed point functions.

We present a history of how cryptographic key sizes have been determined for various schemes.

Apple's file-sharing service AirDrop leaks phone numbers and email addresses by exchanging vulnerable hash values of the user's own contact identifiers during the authentication handshake with nearby devices. In a paper presented at USENIX Security'21, we theoretically describe two attacks to exploit these vulnerabilities and propose "PrivateDrop" as a privacy-preserving drop-in replacement for Apple's AirDrop protocol based on private set intersection.

In this demo, we show how these vulnerabilities are efficiently exploitable via Wi-Fi and physical proximity to a target. Privacy and security implications include the possibility of conducting advanced spear phishing attacks or deploying multiple "collector" devices in order to build databases that map contact identifiers to specific locations. For our proof-of-concept, we leverage a custom rainbow table construction to reverse SHA-256 hashes of phone numbers in a matter of milliseconds. We discuss the trade-off between success rate and storage requirements of the rainbow table and, after following responsible disclosure with Apple, we publish our proof-of-concept implementation as "AirCollect" on GitHub.

Riverside Research is seeking a research scientist to solve challenging cybersecurity problems using formal methods for system security analysis. The ideal candidate will be an outside-the-box thinker who is excited to work on cutting-edge research of the intersection of formal methods and cybersecurity. They will work with our Trusted and Resilient Systems research group to apply formal methods techniques to critical defense systems and develop new formal methods tools and techniques to significantly advance the state of the art. All Riverside Research opportunities require U.S. Citizenship. Job Responsibilities: Use techniques from formal methods to develop security analyses of large, complex systems Develop new techniques and tools for applying formal methods to hard security problems Present research at meetings and conferences Assist with proposal writing and customer meetings Collaborate with others in the broader research and Defense communities Mentoring junior scientists and setting direction on future formal analysis research and development efforts Other duties as assigned. Required Qualifications: 5 years’ experience with BS in Computer Science or related field 2 years’ experience with MS in Computer Science or related field PhD in Computer Science or related field Previous experience in formal methods for security analysis Excellent written and verbal communication skills evidenced by published papers and presentations at research conferences Proficiency in computer programming and experience with formal analysis tools and languages Desired Qualifications: Previous experience with EasyCrypt Previous experience mentoring other researchers Proposal development experience Ability to manage time independently without direct supervision Active Secret Security Clearance, must be capable of acquiring at least secret level Riverside Research strives to be one of America's premier providers of independent, trusted technical and scientific expertise. We continue to add experienced and technically astute staff who are highly motivated to help our DoD and Intelligence Community (IC

Closing date for applications:

Contact: Michael Costanzo

More information: https://boards.greenhouse.io/riversideresearch/jobs/4572209003

The Telecooperation Lab [TK] (Prof. Dr. Mühlhäuser) at Technical University of Darmstadt is seeking candidates for a Postdoctoral position, preferably in the area of network security, esp. botnet defense. Experts in user-centric security & privacy or quantification of security will also be considered. The contract is initially limited to two years and can be extended.

What we offer:

• Highly innovative research, especially within the framework of our participation in the National Research Center for Applied Cybersecurity ATHENE
• Perfection of your research skills using stringent scientific methods
• Independent research as well as research in a team of excellent doctoral and master candidates
• Excellent support for further academic qualification (habilitation, independent young researcher)
• Manifold support to present your research at top international conferences and leading journals
• Exceptional team spirit and cordial working atmosphere in an international team
• Exposure to cutting-edge research and to an international community of peers

Your profile:

• Appetite for cutting-edge international research and interest to shape the future cybersecurity
• Completed PhD with excellent research record and deep knowledge in cybersecurity & privacy, preferably in one of the above focus areas
• Experience in writing and publishing scientific work in flagship conferences and journals
• Strong interpersonal skills and proven teamwork competencies
• High level of intrinsic motivation and demonstrated ability to perform targeted independent work
• Master's level knowledge in computer networks and preferably in artificial intelligence
• Excellent command of English and preferably good command of German

The Technische Universität Darmstadt intends to increase the number of female employees and encourages female candidates to apply. In case of equal qualifications applicants with a degree of disability of at least 50 or equal will be given pre

Closing date for applications:

Contact: Rolf Egert, egert at tk dot tu-darmstadt dot de

More information: https://www.tu-darmstadt.de/universitaet/karriere_an_der_tu/stellenangebote/aktuelle_stellenangebote/stellenausschreibungen_detailansichten_1_417536.en.jsp

TU Darmstadt is a world leading research institute for cybersecurity and privacy protection. The position, funded by the German Research Foundation (DFG), is embedded in a highly interdisciplinary Research Training Group and enables close scientific cooperation between computer science, business informatics, law, psychology/usability and sociology.

What we offer:

• Highly innovative research in Darmstadt's top cybersecurity research cluster
• Acquisition of high-class research skills based on stringent scientific methods
• Research in the interdisciplinary PAT team with more than 30 PhD students, postdocs, and professors
• Excellent supervision and qualification concept for an expeditious and outstanding doctoral degree
• Manifold support to present your research at top international conferences and in leading journals
• Exceptional team spirit and cordial working atmosphere in an international team
• Exposure to cutting-edge research and to an international community of peers

Your Profile:

• Ambition for cutting-edge international research and interest in interdisciplinary research challenges
• A very good Master’s degree and deep knowledge in cybersecurity as well as privacy protection
• Complementary knowledge in the areas of computer networks and artificial intelligence
• Initial experience in scientific work and publishing
• Strong social competence and verifiable teamwork skills
• High level of intrinsic motivation and demonstrated ability to perform targeted independent work
• Excellent command of English and preferably good command of German

The Technische Universität Darmstadt intends to increase the number of female employees and encourages female candidates to apply. In case of equal qualifications applicants with a degree of disability of at least 50 or equal will be given preference.

Closing date for applications:

Contact: Dr. Ephraim Zimmer, zimmer at privacy-trust dot tu-darmstadt dot de

More information: https://www.tu-darmstadt.de/universitaet/karriere_an_der_tu/stellenangebote/aktuelle_stellenangebote/stellenausschreibungen_detailansichten_1_417600.en.jsp

Event date: 29 November to 30 November 2021
Submission deadline: 23 August 2021
Notification: 4 October 2021

Correct application of masking on hardware implementation of cryptographic primitives necessitates the instantiation of registers in order to achieve the non-completeness (commonly said to stop the propagation of glitches). This sometimes leads to a high latency overhead, making the implementation not necessarily suitable for the underlying application. As a concrete example, this holds for Keccak. Application of d + 1 Domain Oriented Masking (DOM) on a round-based implementation of Keccak leads to the introduction of two register stages per round, i.e., two times higher latency. On the other hand, Rhythmic-Keccak, introduced in CHES 2018, unrolls two rounds to half the latency compared to an unprotected ordinary round-based implementation. To that end, td + 1 masking is used which requires a notable area, and – apart from the difficulty to construct – its extension to higher orders seems beyond the bounds of feasibility. In this paper, we focus on d + 1 masking and introduce a methodology which enables us to stay with the latency of an unprotected round-based implementation, i.e., one register stage per round. While being secure under glitch-extended probing model, we provide a general design where the desired security order can be easily adjusted without any effect on the above-given latency. Compared to the Rhythmic-Keccak, the synthesis results show that our first-order design is able to accomplish the entire operations of Keccak-f[200] in the same period of time while decreasing the area by 74.5%. Notably, our implementations achieve around 30% less delay compared to the corresponding original DOM-Keccak designs.

Traitor tracing aims to identify the source of leaked decryption keys. Since the "traitor" can try to hide their key within obfuscated code in order to evade tracing, the tracing algorithm should work for general, potentially obfuscated, decoder programs. In the setting of such general decoder programs, prior work uses black box tracing: the tracing algorithm ignores the implementation of the decoder, and instead traces just by making queries to the decoder and observing the outputs.

We observe that, in some settings, such black box tracing leads to consistency and user privacy issues. On the other hand, these issues do not appear inherent to white box tracing, where the tracing algorithm actually inspects the decoder implementation. We therefore develop new white box traitor tracing schemes providing consistency and/or privacy. Our schemes can be instantiated under various assumptions ranging from public key encryption and NIZKs to indistinguishability obfuscation, with different trade-offs. To the best of our knowledge, ours is the first work to consider white box tracing in the general decoder setting.

We show equivalence between the existence of one-way functions and the existence of a sparse language that is hard-on-average w.r.t. some efficiently samplable ``high-entropy'' distribution. In more detail, the following are equivalent: - The existentence of a $S(\cdot)$-sparse language $L$ that is hard-on-average with respect to some samplable distribution with Shannon entropy $h(\cdot)$ such that $h(n)-\log(S(n)) \geq 4\log n$; - The existentence of a $S(\cdot)$-sparse language $L \in \NP$, that is hard-on-average with respect to some samplable distribution with Shannon entropy $h(\cdot)$ such that $h(n)-\log(S(n)) \geq n/3$; - The existence of one-way functions.

Our results are insipired by, and generalize, the recent elegant paper by Ilango, Ren and Santhanam (ECCC'21), which presents similar characterizations for concrete sparse languages.

We study several strengthening of classical circular security assumptions which were recently introduced in four new lattice-based constructions of indistinguishability obfuscation: Brakerski-D\"ottling-Garg-Malavolta (Eurocrypt 2020), Gay-Pass (STOC 2021), Brakerski-D\"ottling-Garg-Malavolta (Eprint 2020) and Wee-Wichs (Eprint 2020). We provide explicit counterexamples to the {\em $2$-circular shielded randomness leakage} assumption w.r.t.\ the Gentry-Sahai-Waters fully homomorphic encryption scheme proposed by Gay-Pass, and the {\em homomorphic pseudorandom LWE samples} conjecture proposed by Wee-Wichs. Our work suggests a separation between classical circular security of the kind underlying un-levelled fully-homomorphic encryption from the strengthened versions underlying recent iO constructions, showing that they are not (yet) on the same footing. Our counterexamples exploit the flexibility to choose specific implementations of circuits, which is explicitly allowed in the Gay-Pass assumption and unspecified in the Wee-Wichs assumption. Their indistinguishabilty obfuscation schemes are still unbroken. Our work shows that the assumptions, at least, need refinement. In particular, generic leakage-resilient circular security assumptions are delicate, and their security is sensitive to the specific structure of the leakages involved.

In this paper, we show that standard model black-box reductions naturally lift to various setup assumptions, such as the random oracle (ROM) or ideal cipher model. Concretely, we prove that a black-box reduction from a security notion P to security notion Q in the standard model can be turned into a non-programmable black-box reduction from P_O to Q_O in a model with a setup assumption O, where P_O and Q_O are the natural extensions of P and Q to a model with a setup assumption O. Our results rely on a generalization of the recent framework by Hofheinz and Nguyen (PKC 2019) to support primitives which make use of a trusted setup. Our framework encompasses standard idealized settings like the random oracle and the ideal cipher model. At the core of our main result lie novel properties of negligible functions that can be of independent interest.

A two-party authenticated key exchange (AKE) protocol allows each of the two parties to share a common secret key over insecure channels even in the presence of active adversaries who can actively control and modify the exchanged messages. To capture the various kind of malicious behaviors of the adversaries, there have been lots of efforts to define the security models. Amongst them, the extended Canetti-Krawczyk (eCK) security model is considered as one of the strongest ones and widely adopted.

In this paper, we present a pairing-based eCK-secure AKE protocol in the standard model. The underlying assumptions of our construction are the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem and the existence of pseudorandom functions. It is notable that the previous constructions either relied their security on random oracles or used somewhat strong assumptions such as the existence of strong-pseudorandom functions. We believe our construction is well-suited for real-world implementations such as the TLS protocol suite since our construction is simple and based on standard assumptions without random oracles.

SHA-256 is a secure cryptographic hash function. As such, its output should not have any detectable property. This paper describes three bit strings whose hashes by SHA-256 are nevertheless correlated in a non-trivial way: the first half of their hashes XORs to zero. They were found by “brute-force”, without exploiting any cryptographic weakness in the hash function itself. This does not threaten the security of the hash function and does not have any cryptographic implication. This is an example of a large “combinatorial” computation in which at least 8.7 × 10 22 integer operations have been performed. This was made possible by the combination of: 1) recent progress on algorithms for the underlying problem, 2) creative use of "dedicated" hardware accelerators, 3) adapted implementations of the relevant algorithms that could run on massively parallel machines. The actual computation was done on aging hardware. It required seven calendar months using two obsolete second-hand bitcoin mining devices converted into "useful" computational devices. A second step required 570 CPU-years on an 8-year old IBM BlueGene/Q computer, a few weeks before it was scrapped. To the best of our knowledge, this is the first practical 128-bit collision-like result obtained by brute-force, and it is the first bitcoin miner-accelerated computation.

We study new candidates for symmetric cryptographic primitives that leverage alternation between linear functions over $\mathbb{Z}_2$ and $\mathbb{Z}_3$ to support fast protocols for secure multiparty computation (MPC). This continues the study of weak pseudorandom functions of this kind initiated by Boneh et al. (TCC 2018) and Cheon et al. (PKC 2021).

We make the following contributions. (Candidates). We propose new designs of symmetric primitives based on alternating moduli. These include candidate one-way functions, pseudorandom generators, and weak pseudorandom functions. We propose concrete parameters based on cryptanalysis.

(Protocols). We provide a unified approach for securely evaluating modulus-alternating primitives in different MPC models. For the original candidate of Boneh et al., our protocols obtain at least 2x improvement in all performance measures. We report efficiency benchmarks of an optimized implementation.

(Applications). We showcase the usefulness of our candidates for a variety of applications. This includes short "Picnic-style" signature schemes, as well as protocols for oblivious pseudorandom functions, hierarchical key derivation, and distributed key generation for function secret sharing.

In recent years, research has shown the networking layer’s significant influence on the scalability, security, and privacy of blockchain systems. Such large-scale networks however exhibit a degree of complexity that demands model-based simulations as real-world experiments are often not possible. In this work, we methodically characterize blockchain networks by reference to the paradigmatic Bitcoin peer-to-peer network, explore the state-of-the-art protocols, and emphasize this key design space. To this end, we conducted a longitudinal measurement study on the Bitcoin network, from which we extract a comprehensive network model and implement it as part of the bns network simulation framework. We validate the model in comparison to real-world measurements as well as to results from related work. Moreover, we experimentally show how network utilization and miners’ geographical location impact the block propagation characteristics.

Many recent private set intersection (PSI) protocols encode input sets as polynomials. We consider the more general notion of an oblivious key-value store (OKVS), which is a data structure that compactly represents a desired mapping $k_i \mapsto v_i$. When the $v_i$ values are random, the OKVS data structure hides the $k_i$ values that were used to generate it. The simplest (and size-optimal) OKVS is a polynomial $p$ that is chosen using interpolation such that $p(k_i)=v_i$.

We initiate the formal study of oblivious key-value stores, and show new constructions resulting in the fastest OKVS to date.

Similarly to cuckoo hashing, current analysis techniques are insufficient for finding {\em concrete} parameters to guarantee a small failure probability for our OKVS constructions. Moreover, it would cost too much to run experiments to validate a small upper bound on the failure probability. We therefore show novel techniques to amplify an OKVS construction which has a failure probability $p$, to an OKVS with a similar overhead and failure probability $p^c$. Setting $p$ to be moderately small enables to validate it by running a relatively small number of $O(1/p)$ experiments. This validates a $p^c$ failure probability for the amplified OKVS.

Finally, we describe how OKVS can significantly improve the state of the art of essentially all variants of PSI. This leads to the fastest two-party PSI protocols to date, for both the semi-honest and the malicious settings. Specifically, in networks with moderate bandwidth (e.g., 30 - 300 Mbps) our malicious two-party PSI protocol has 40\% less communication and is 20-40\% faster than the previous state of the art protocol, even though the latter only has heuristic confidence.

Secure multi-party computation allows mutually distrusting parties to compute securely over their private data. However, guaranteeing output delivery to honest parties when the adversarial parties may abort the protocol has been a challenging objective. As a representative task, this work considers two-party coin-tossing protocols with guaranteed output delivery, a.k.a., fair coin-tossing.

In the information-theoretic plain model, as in two-party zero-sum games, one of the parties can force an output with certainty. In the commitment-hybrid, any $r$-message coin-tossing protocol is ${1/\sqrt r}$-unfair, i.e., the adversary can change the honest party's output distribution by $1/\sqrt r$ in the statistical distance. Moran, Naor, and Segev (TCC--2009) constructed the first $1/r$-unfair protocol in the oblivious transfer-hybrid. No further security improvement is possible because Cleve (STOC--1986) proved that $1/r$-unfairness is unavoidable. Therefore, Moran, Naor, and Segev's coin-tossing protocol is optimal. However, is oblivious transfer necessary for optimal fair coin-tossing?

Maji and Wang (CRYPTO--2020) proved that any coin-tossing protocol using one-way functions in a black-box manner is at least $1/\sqrt r$-unfair. That is, optimal fair coin-tossing is impossible in Minicrypt. Our work focuses on tightly characterizing the hardness of computation assumption necessary and sufficient for optimal fair coin-tossing within Cryptomania, outside Minicrypt. Haitner, Makriyannia, Nissim, Omri, Shaltiel, and Silbak (FOCS--2018 and TCC--2018) proved that better than $1/\sqrt r$-unfairness, for any constant $r$, implies the existence of a key-agreement protocol.

We prove that any coin-tossing protocol using public-key encryption (or, multi-round key agreement protocols) in a black-box manner must be $1/\sqrt r$-unfair. Next, our work entirely characterizes the additional power of secure function evaluation functionalities for optimal fair coin-tossing. We augment the model with an idealized secure function evaluation of $f$, \aka, the $f$-hybrid. If $f$ is complete, that is, oblivious transfer is possible in the $f$-hybrid, then optimal fair coin-tossing is also possible in the $f$-hybrid. On the other hand, if $f$ is not complete, then a coin-tossing protocol using public-key encryption in a black-box manner in the $f$-hybrid is at least $1/\sqrt r$-unfair.

Code-based public key cryptosystems are one of the main techniques available in the area of Post-Quantum Cryptography. This work aims to propose a key encapsulation mechanism (KEM) with short ciphertext and secret key. Our goal is achieved in two steps. We first present a public key encryption (PKE) scheme, basicPKE, using a parity check matrix of Maximum Distance Separable (MDS) code as the public key matrix. In our construction, we exploit the structure of a companion matrix to obtain an MDS code which significantly reduces the storage of the secret key. The scheme basicPKE provides security against Indistinguishability under Chosen Plaintext Attacks (IND-CPA). Secondly, following the design framework of basicPKE, we construct another PKE scheme, fullPKE, that leads us to design our KEM scheme, fullKEM. We have shown that the scheme fullPKE is secure against One-Wayness under Plaintext and Validity Checking Attacks (OW-PCVA) and the scheme fullKEM achieves security against Indistinguishability under Chosen Ciphertext Attacks (IND-CCA) in the random oracle model. Moreover, our KEM can be shown to accomplish post-quantum security in the quantum random oracle model.