International Association
for Cryptologic Research

Businesses that are subject to AML/CTF regulation must meet their KYC obligations. In this context, to establish and verify a customer’s identity, the customer is required to share personal information with these businesses. This creates a Pareto dominated situation where a customer’s privacy is typically traded off for the mandated transparency requirements. In addition, this privacy erosion also reduces the security and safety of the customer as shared personal information can be passed on or stolen and used against the best interest of the customer (e.g. identity theft). Recent innovations in self-sovereign identity and zero-knowledge cryptography, along with proper ecosystem design, allow for a novel approach to KYC that protects the customer’s privacy without reducing transparency. The proposed solution concept, zkKYC, removes the need for the customer to share any personal information with a regulated business for the purpose of KYC, and yet provides the transparency to allow for a customer to be identified if and when that is ruled necessary by a designated governing entity (e.g. regulator, law enforcement). This approach breaks the traditional privacy vs. transparency trade-off and provides structured transparency, resulting in a net positive outcome for all parties involved.

This paper presents a new family of linear codes, namely the expanded Gabidulin codes. Exploiting the existing fast decoder of Gabidulin codes, we propose an efficient algorithm to decode these new codes when the noise vector satisfies a certain condition. Further more, these new codes enjoy an excellent error-correcting capability because of the optimality of their parent Gabidulin codes. Based on different masking techniques, we give two encryption schemes by using expanded Gabidulin codes in the McEliece setting. According to our analysis, both of these two cryptosystems can resist the existing structural attacks. Compared to some other code-based cryptosystems, our proposals have obvious advantage in public-key representation without using the cyclic or quasi-cyclic structure.

Advances in cryptography have enabled the features of confidentiality, security, and integrity on small embedded devices such as IoT devices. While mathematically strong, the platform on which an algorithm is implemented plays a significant role in the security of the final product. Side-channel attacks exploit the variations in the system’s physical characteristics to obtain information about the sensitive data. In our scenario, a software implementation of a cryptographic algorithm is flashed on devices from different manufactures with the same instruction set configured for identical execution. To analyze the influence of the microarchitecture on side-channel leakage, we acquire thirty-two sets of power traces from four physical devices. While we notice minor differences in the leakage behaviour for different physical boards from the same manufacturer, our results confirm that the difference in microarchitecture implementations will leak different side-channel information. We also show that TVLA leakage prediction should be treated with caution as it is sensitive to both false positives and negatives.

Practical side-channel attacks on recent devices may be challenging due to the poor quality of acquired signals. It can originate from different factors, such as the growing architecture complexity, especially in System-on-Chips, creating unpredictable and concurrent operation of multiple signal sources on the device.

This work makes use of mixture distributions to formalize this complexity, allowing us to explain the benefit of using a technique like Scatter, where different samples of the traces are aggregated into the same distribution. Some observations of the conditional mixture distributions are made in order to model the leakage in such context. From this, we infer local coherency of information held in the distribution as a general property of side-channel leakage in mixture distributions. This leads us to introduce how spatial analysis tools, such as Moran's Index, can be used to significantly improve non-profiled attacks compared to other techniques from the state-of-the-art. Exploitation of this technique is experimentally shown very promising, as demonstrated on two AES implementations including masking and shuffling countermeasures.

Symmetric Searchable Encryption (SSE) allows users to outsource encrypted data to a possibly untrusted remote location while simultaneously being able to perform keyword search directly through the stored ciphertexts. An ideal SSE scheme should reveal no information about the content of the encrypted information nor about the searched keywords and their mapping to the stored files. However, most of the existing SSE schemes fail to fulfill this property since in every search query, some information potentially valuable to a malicious adversary is leaked. The leakage becomes even bigger if the underlying SSE scheme is dynamic. In this paper, we minimize the leaked information by proposing a forward and backward private SSE scheme in a multi-client setting. Our construction achieves optimal search and update costs. In contrast to many recent works, each search query only requires one round of interaction between a user and the cloud service provider. In order to guarantee the security and privacy of the scheme and support the multi-client model (i.e. synchronization between users), we exploit the functionality offered by AMD's Secure Encrypted Virtualization (SEV).

In this paper, we show that a software implementation of CCA secure Saber KEM protected by first-order masking and shuffling can be broken by deep learning-based power analysis. Using an ensemble of deep neural networks created at the profiling stage, we can recover the session key and the long-term secret key from $257 \times N$ and $24 \times 257 \times N$ traces, respectively, where $N$ is the number of repetitions of the same measurement. The value of $N$ depends on the implementation, environmental factors, acquisition noise, etc.; in our experiments $N = 15$ is enough to succeed. The neural networks are trained on a combination of 80% of traces from the profiling device with a known shuffling order and 20% of traces from the device under attack captured for all-0 and all-1 messages. ``Spicing'' the training set with traces from the device under attack helps minimize the negative effect of device variability.

Several constructions of Mutually Unbiased Bases (MUBs) borrow tools from combinatorial objects. In this paper we focus how one can construct Approximate Real MUBs (ARMUBs) with improved parameters using results from the domain of Resolvable Block Designs (RBDs). We first explain the generic idea of our strategy in relating the RBDs with MUBs/ARMUBs, which are sparse (the basis vectors have small number of non-zero co-ordinates). Then specific parameters are presented, for which we can obtain new classes and improve the existing results. To be specific, we present an infinite family of $\lceil\sqrt{d}\rceil$ many ARMUBs for dimension $d = q(q+1)$, where $q \equiv 3 \bmod 4$ and it is a prime power, such that for any two vectors $v_1, v_2$ belonging to different bases, $|\braket{v_1|v_2}| < \frac{2}{\sqrt{d}}$. We also demonstrate certain cases, such as $d = sq^2$, where $q$ is a prime power and $sq \equiv 0 \bmod 4$. These findings subsume and improve our earlier results in [Cryptogr. Commun. 13, 321-329, January 2021]. This present construction idea provides several infinite families of such objects, not known in the literature, which can find efficient applications in quantum information processing for the sparsity, apart from suggesting that parallel classes of RBDs are intimately linked with MUBs/ARMUBs.

PhD and Post-Doc positions in the domain of IoT and cyber-physical systems security are available at Università della Svizzera italiana, in the ALaRI research group. Prospective candidates are expected to investigate aspects related to physical attacks (side channel and fault attacks) and countermeasures, lightweight cryptography, and encryption techniques for high performance computing and machine learning. The positions are fully funded, and budget for research expenses and conference travel is available.

Candidates must hold (or be close to the completion of) a master degree (for the PhD position) or a PhD degree (for the Post-Doc position), preferably in computer science, computer engineering, or electrical engineering. Prior experience in hardware design, software programming, and/or cryptography is an asset. The research work will involve contributing to international research projects.

Interested candidates should apply by sending an email with subject line “Application for Ph.D” or “Application for Post-Doc” to openposition@a.alari.ch including your CV, the name and the contact information of at least two references, the appropriate certificates, and a motivation letter that demonstrates your interest in and your qualifications for the positions.

Screening of applications will begin 15th July. Priority will be given to applications submitted by this date, but the position will remain open until filled.

Closing date for applications:

Contact: Inquiries can be sent to openposition@a.alari.ch

Job Description

• As a PhD student in our research group, you will actively contribute to research and engineering projects at the intersection of cloud computing and privacy-enhancing technologies (PETs).
• Embedded in an international team of cloud and security experts, you will apply your knowledge of distributed systems and cloud technologies to design, implement and validate cloud native PET solutions as part of the Franco-German BMBF/MESRI-funded research project CRYPTECS.
• Your work consists of integrating state-of-the-art PETs (such as Secure Multiparty Computation, Trusted Execution Environments, and Differential Privacy) with distributed systems / computing concepts (such as distributed ledgers and parallel programming models) and cloud-native technologies (such as container orchestrators and serverless computing frameworks) at a conceptual and technical level.
• Thanks to your implementation skills, you will contribute to building a PET cloud stack that can be deployed in an industrial context. Through experimental use for real-world use cases in different domains such as Automotive AI and Internet of Things, you will close the feedback loop and gain valuable insights to improve your solutions. You will advance the state of the art in cloud-based PETs research and publish your results together with renowned researchers from the international CRYPTECS consortium.

Your Profile

• Education: Excellent Master's degree in computer science or related discipline with specialization in distributed systems, ideally combined with knowledge of security and privacy
• Personality: Positive team player, who is highly motivated, has an innovative mindset, is eager to learn new things, and is passionate about applied research and engineering
• Working Practice: Hands-on experience with software development beyond scientific prototypes, ideally in an open source context
• Experience: Knowledge in the area of cloud native technologies, ideally experience in PETs
• Languages: Fluent in English (written and spoken)

Closing date for applications:

Contact: Dr. Sven Trieflinger via Smart Recruiters (see https://smrtr.io/5YBmQ)

More information: https://www.bosch.com/research/know-how/success-stories/trustworthy-computing-data-sovereignty-while-connected/

Responsibilities Perform research and engineering on cryptographic protocols in the privacy space Working with a team of cryptographers and practitioners on a blockchain-based privacy protocol which interacts with the DeFi space and also provides elements of compliance with financial regulations Focus on zero knowledge schemes which provide privacy and compliance Role will consist of approximately 75% research and 25% engineering Requirements Masters or Ph.D. in cryptography or a closely related field Be able to prototype protocols/schemes/algorithms in one or more relevant programming languages Be familiar with the blockchain and DeFi space 3+ years of software engineering experience General understanding of full-stack system architecture Have a thorough approach and be committed to high quality output Have prior research/code already published in the space Experienced with remote collaboration (video conferencing, collaborative design and coding etc.) Be comfortable working both independently and as part of a larger team on a fast-paced project Excellent communication and collaboration skills A proactive, self-driven approach and entrepreneurial, problem-solving mindset Able to proactively identify which activities can benefit the project the most in the shortest period of time, communicate, and execute on their ideas without needing to be micromanaged Full-time availability with flexible working hours within predominantly American/European timezones Nice to Have Zero-Knowledge proof schemes such as pairing-based SNARKs (Groth16, PLONK), Bulletproofs, STARKs, etc. Different arithmetization schemes such as AIR, R1CS, PLONK. Different methods of implementing recursive SNARKs. Selective disclosure schemes Financial regulation schemes and compliance topics Experience working remotely Experience with financial regulation and compliance Why Work With Panther? Highly competitive compensation (including equity) Remote work in a dynamic, fast-growth startup Flexible working hours Opportunity to work with a world-class team on a cutting edge project, which will break boundaries in the blockchain privacy/compliance space

Closing date for applications:

Contact: Ramadan Ameen

More information: https://www.pantherprotocol.io

We offer a postdoctoral position for up to 5 years to work on the cryptanalysis of post-quantum cryptographic protocols.

The University of Birmingham is one of the main UK research centers in Cyber security. The candidate will work with Dr. Christophe Petit and his team.

The ideal candidate should have a very strong background in cryptography or related area, including number theory, computer algebra, and quantum computing. Previous work on post-quantum cryptography is desirable, especially with lattice-based or code-based cryptography.

Closing date for applications:

Contact: Christophe Petit (C.Petit.1 at bham dot ac dot uk)

More information: https://bham.taleo.net/careersection/external/jobdetail.ftl?job=2100013X&tz=GMT%2B01%3A00&tzname=Europe%2FLondon

We offer up to two Ph.D. positions to work on the cryptanalysis of post-quantum cryptographic protocols. The studentship covers a stipend and tuition fees.

The University of Birmingham is one of the main UK research centers in Cyber security. The candidate will work with Dr. Christophe Petit and his team.

The ideal candidate should have a very strong background in cryptography or related area, including number theory, computer algebra, and quantum computing. P

Closing date for applications:

Contact: Christophe Petit (C.Petit.1 at bham dot ac dot uk)

More information: https://sits.bham.ac.uk/lpages/EPS003.htm

The Quantum Information Group at Yukawa Institute for Theoretical Physics, Kyoto University, Japan is looking for a postdoctoral researcher to work on theory of quantum cryptography. (If you are interested in quantum cryptography, background of quantum information is not mandatory: people from ``non-quantum" cryptography are also highly welcomed.) Depending on the qualification, the title of research assistant professor can be given.

The starting date is negotiable (but ideally as soon as possible), and the contract is by the end of March 2024.

Interested candidates can apply by sending
CV
publication list
research statement
contact information of two referees
to the contact address below.

The deadline for applications is 7/31/2021.

For applying and for more information please contact:

Closing date for applications:

Contact: Tomoyuki Morimae, Associate Professor
Yukawa Institute for Theoretical Physics, Kyoto University, Japan tomoyuki.morimae@yukawa.kyoto-u.ac.jp

The bulk of Internet interactions is highly redundant and also security sensitive. To reduce communication bandwidth and provide a desired level of security, a data stream is first compressed to squeeze out redundant bits and then encrypted using authenticated encryption. This generic solution is very flexible and works well for any pair of (compression, encryption) algorithms. Its downside, however, is the fact that the two algorithms are designed independently. One would expect that designing a single algorithm that compresses and encrypts (called compcrypt) should produce benefits in terms of efficiency and security.

The work investigates how to design a compcrypt algorithm using the ANS compression. First, we examine basic properties of ANS and show that a plain ANS with a hidden encoding table can be broken by statistical attacks. Next, we study ANS behaviour when its states are chosen at random. Our compcrypt algorithm is built using ANS with randomised state jumps and a sponge MonkeyDuplex encryption. Its security and efficiency are discussed. The design provides 128-bit security for both confidentiality and integrity/authentication. Our implementation experiments show that our compcrypt algorithm processes symbols with a rate up to 269 MB/s (with a slight loss of compression rate).

Many privacy preserving blockchain and e-voting systems are based on the modified ElGamal scheme that supports homomorphic addition of encrypted values. For practicality reasons though, decryption requires the use of precomputed discrete-log (dlog) lookup tables along with algorithms like Shanks's baby-step giant-step and Pollard's kangaroo. We extend the Shanks approach as it is the most commonly used method in practice due to its determinism and simplicity, by proposing a truncated lookup table strategy to speed up decryption and reduce memory requirements. While there is significant overhead at the precomputation phase, these costs can be parallelized and only paid once and for all. As a starting point, we evaluated our solution against the widely-used secp family of elliptic curves and show that we can achieve storage reduction by 7x-14x, depending on the group size. Our algorithm can be immediately imported to existing works, especially when the range of encrypted values is known, such as in Zether, PGC and Solidus protocols.

Expanding graphs are known due to their remarkable applications to Computer Science. We are looking for their applications to Post Quantum Cryptography. One of them is postquantum analog of Diffie-Hellman protocol in the area of intersection of Noncommutative and Multivariate Cryptographies .This graph based protocol allows correspondents to elaborate collision cubic transformations of affine space Kn defined over finite commutative ring K. Security of this protocol rests on the complexity of decomposition problem of nonlinear polynomial map into given generators. We show that expanding graphs allow to use such output as a ‘’seed’’ for secure construction of infinite sequence of cubic transformation of affine spaces of increasing dimension. Correspondents can use the sequence of maps for extracting passwords for one time pads in alphabet K and other symmetric or asymmetric algorithms. We show that cubic polynomial maps of affine spaces of prescribed dimension can be used for transition of quadratic public keys of Multivariate Cryptography into the shadow of private areas.

Game-theoretic analyses of cryptocurrencies and---more generally---blockchain-based decentralized ledgers offer insight on their economic robustness and behavior when even their underpinning cryptographic assumptions fail. In this work we utilize the recently proposed blockchain adaptation of the rational protocol design (RPD) framework [EUROCRYPT '18] to analyze 51% double-spending attacks against Nakamoto-style proof-of-work based cryptocurrencies. We first observe a property of the originally proposed utility class that yields an unnatural conclusion against such attacks, and show how to devise a utility that avoids this pitfall and makes predictions that match the observable behavior---i.e., that renders attacking a dominant strategy in settings where an attack was indeed observed in reality. We then propose a generic remedy to the underlying protocol parameters that provably deter adversaries controlling a majority of the system's resources from attacks on blockchain consistency, including the 51% double-spending attack. This can be used as guidance to patch systems that have suffered such attacks, e.g., Ethereum Classic and Bitcoin Cash, and serves as a demonstration of the power of game-theoretic analyses.

In the recent ePrint report 2021/583 titled "Entropoid-based cryptography is group exponentiation in disguise" Lorenz Panny gave a cryptanalysis of the entropoid based instances proposed in our eprint report 2021/469. We acknowledge the correctness of his claims for the concrete instances described in our original report 2021/469.

However, we find that claims for the general applicability of his attack on the general Entropoid framework are misleading. Namely, based on the Theorem 1 in his report, which claims that for every entropic quasigroup $(G, *)$, there exists an Abelian group $(G, \cdot)$, commuting automorphisms $\sigma$, $\tau$ of $(G, \cdot)$, and an element $c \in G$, such that $x * y = \sigma(x) \cdot \tau(y) \cdot c$ the author infers that \emph{"all instantiations of the entropoid framework should be breakable in polynomial time on a quantum computer."}

There are two misleading parts in these claim: \textbf{1.} It is implicitly assumed that all instantiations of the entropoid framework would define entropic quasigroups - thus fall within the range of algebraic objects addressed by Theorem 1. \emph{We will show a construction of entropic groupoids that are not quasigroups}; \textbf{2.} It is implicitly assumed that finding the group $(G, \cdot)$, the commuting automorphisms $\sigma$ and $\tau$ and the constant $c$ \emph{would be easy for every given entropic operation} $*$ and its underlying groupoid $(G, *)$. However, the provable existence of a mathematical object \emph{does not guarantee an easy finding} of that object.

Treating the original entropic operation $* := *_1$ as a one-dimensional entropic operation, we construct multidimensional entropic operations $* := *_m$, for $m\geq 2$ and we show that newly constructed operations do not have the properties of $* = *_1$ that led to the recovery of the automorphism $\sigma$, the commutative operation $\cdot$ and the linear isomorphism $\iota$ and its inverse $\iota^{-1}$.

We give proof-of-concept implementations in SageMath 9.2 for the new multidimensional entropic operations $* := *_m$ defined over several basic operations $* := *_1$ and we show how the non-associative and non-commutative exponentiation works for the key exchange and digital signature schemes originally proposed in report 2021/469.

Lossy trapdoor functions, introduced by Peikert and Waters (STOC '08), can be initialized in one of two indistinguishable modes: in injective mode, the function preserves all information about its input, and can be efficiently inverted given a trapdoor, while in lossy mode, the function loses some information about its input. Such functions have found countless applications in cryptography, and can be constructed from a variety of number-theoretic or algebraic ``Cryptomania'' assumptions. In this work, we introduce targeted lossy functions (TLFs), which relax lossy trapdoor functions along two orthogonal dimensions. First, they do not require an inversion trapdoor in injective mode. Second, the lossy mode of the function is initialized with some target input, and the function is only required to lose information about this particular target. The injective and lossy modes should be indistinguishable even given the target. We construct TLFs from ``Minicrypt'' assumptions, namely, injective pseudorandom generators, or even one-way functions under a natural relaxation of injectivity. We then generalize TLFs to incorporate branches, and construct all-injective-but-one and all-lossy-but-one variants. We show a wide variety of applications of targeted lossy functions. In several cases, we get the first Minicrypt constructions of primitives that were previously only known under Cryptomania assumptions. Our applications include:

-Pseudo-entropy functions from one-way functions.

-Deterministic leakage-resilient message-authentication codes and improved leakage-resilient symmetric-key encryption from one-way functions.

-Extractors for extractor-dependent sources from one-way functions.

-Selective-opening secure symmetric-key encryption from one-way functions.

-A new construction of CCA PKE from (exponentially secure) trapdoor functions and injective pseudorandom generators.

We also discuss a fascinating connection to distributed point functions.

We present a history of how cryptographic key sizes have been determined for various schemes.