International Association
for Cryptologic Research

In this document we describe the Darlin proof carrying data scheme for the distributed computation of block and epoch proofs in a Latus sidechain of Zendoo (IACR eprint 2020/123). Recursion as well as base proofs rest on Marlin using the Pasta cycle of curves and the ‘dlog’ polynomial commitment scheme introduced by Bootle et al. EUROCRYPT 2016. We apply the amortization technique from Halo (IACR eprint 2019/099) to the non-succinct parts of the verifier, and we adapt their strategy for bivariate circuit encoding polynomials to aggregate Marlin’s inner sumchecks across the nodes of the proof carrying data scheme. Regarding performance, the advantage of Darlin over a scheme without inner sumcheck aggregation is about 30% in a tree-like scenario as ours, and beyond when applied to linear recursion.

The Sidon cryptosystem is a new multivariate encryption scheme based on the theory of Sidon spaces which was presented at PKC 2021. As is usual for this kind of schemes, its security relies on the hardness of solving particular instances of the MQ problem and of the MinRank problem. A nice feature of the scheme is that it enjoys a homomorphic property due the bilinearity of its public polynomials. Unfortunately, we will show that the Sidon cryptosystem can be broken by a polynomial time key-recovery attack. This attack relies on the existence of solutions to the underlying MinRank instance which lie in a subfield and which are inherent to the structure of the secret Sidon space. We prove that such solutions can be found in polynomial time. Our attack consists in recovering an equivalent key for the cryptosystem by exploiting these particular solutions, and this task can be performed very efficiently.

Many recent stream ciphers use Galois NFSRs as their main building blocks, such as the hardware-oriented finalists Grain and Trivium in the eSTREAM project. Previous work has found some types of Galois NFSRs equivalent to Fibonacci ones, including that used in Grain. Based on the observability of an NFSR on [0,N-1], which means any two initial states of an NFSR are distinguishable from their corresponding output sequences of length N, the paper first presents two easily verifiable necessary and sufficient conditions for Galois NFSRs equivalent to Fibonacci ones. It then validates both conditions by the Galois NFSRs previously found (not) equivalent to Fibonacci ones. As an application, the paper finally reveals that the 288-stage Galois NFSR used in Trivium is neither equivalent to a 288-stage Fibonacci NFSR, nor observable on [0,287], theoretically verifying Trivium's good design criteria of confusion and diffusion.

Many of the recent advanced lattice-based $\Sigma$-/public-coin honest verifier (HVZK) interactive protocols based on the techniques developed by Lyubashevsky (Asiacrypt'09, Eurocrypt'12) can be transformed into a non-interactive zero-knowledge (NIZK) proof in the random oracle model (ROM) using the Fiat-Shamir transform. Unfortunately, although they are known to be secure in the $\mathit{classical}$ ROM, existing proof techniques are incapable of proving them secure in the $\mathit{quantum}$ ROM (QROM). Alternatively, while we could instead rely on the Unruh transform (Eurocrypt'15), the resulting QROM secure NIZK will incur a large overhead compared to the underlying interactive protocol.

In this paper, we present a new simple semi-generic transform that compiles many existing lattice-based $\Sigma$-/public-coin HVZK interactive protocols into QROM secure NIZKs. Our transform builds on a new primitive called $\textit{extractable linear homomorphic commitment}$ protocol. The resulting NIZK has several appealing features: it is not only a proof of knowledge but also straight-line extractable; the proof overhead is smaller compared to the Unruh transform; it enjoys a relatively small reduction loss; and it requires minimal background on quantum computation. To illustrate the generality of our technique, we show how to transform the recent Bootle et al.'s 5-round protocol with an exact sound proof (Crypto'19) into a QROM secure NIZK by increasing the proof size by a factor of $2.6$. This compares favorably to the Unruh transform that requires a factor of more than $50$.

We show that Yao’s garbling scheme is adaptively indistinguishable for the class of Boolean circuits of size S and treewidth w with only a S^O(w) loss in security. For instance, circuits with constant treewidth are as a result adaptively indistinguishable with only a polynomial loss. This (partially) complements a negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main technical contributions, we introduce a new pebble game that abstracts out our security reduction and then present a pebbling strategy for this game where the number of pebbles used is roughly O(d w log(S)), d being the fan-out of the circuit. The design of the strategy relies on separators, a graph-theoretic notion with connections to circuit complexity.

Dijk et al. presents Remote Attestation (RA) for secure processor technology which is secure in the presence of an All Digital State Observing (ADSO) adversary. The scheme uses a combination of hardware security primitives and design principles together with a new cryptographic primitive called a Public Key Session based One-Time Signature Scheme with Secret Key Exposure (OTS-SKE). Dijk et al. show a hash based realization of OTS-SKE which is post quantum secure but suffers long $8.704$ KB signatures for 128-bit quantum security or 256-bit classical security. From a classical cryptographic perspective we complete the picture by introducing a bilinear map based OTS-SKE with short $0.125$ KB signatures, $65$ times shorter, and for which the security reduces to the Computational Diffie-Hellman Problem (CDHP) -- at the cost of a $9\times$ longer initialization phase in the RA scheme if implemented in software (this can be improved with appropriate elliptic curve hardware acceleration). Signing takes 560 ms at most $60\%$ of the $>936$ ms needed for the hash based scheme.

Digital signatures following the methodology of “Fiat-Shamir with Aborts”, proposed by Lyubashevsky, are capable of achieving the smallest public-key and signature sizes among all the existing lattice signature schemes based on the hardness of the Ring-SIS and Ring-LWE problems. Since its introduction, several variants and optimizations have been proposed, and two of them (i.e., Dilithium and qTESLA) entered the second round of the NIST post-quantum cryptography standardization. This method of designing signatures relies on rejection sampling during the signing process. Rejection sampling is crucial for ensuring both the correctness and security of these signature schemes. In this paper, we investigate the possibility of removing the two rejection conditions used both in Dilithium and qTESLA. First, we show that removing one of the rejection conditions is possible, and provide a variant of Lyubashevsky’s signature with comparable parameters with Dilithium and qTESLA. Second, we give evidence on the difficulty of removing the other rejection condition, by showing that two very general approaches do not yield a signature scheme with correctness or security.

Roughly four decades ago, Taher ElGamal put forward what is today one of the most widely known and best understood public key encryption schemes. ElGamal encryption has been used in many different contexts, chiefly among them by the OpenPGP standard. Despite its simplicity, or perhaps because of it, in reality there is a large degree of ambiguity on several key aspects of the cipher. Each library in the OpenPGP ecosystem seems to have implemented a slightly different "flavour" of ElGamal encryption. While --taken in isolation-- each implementation may be secure, we reveal that in the interoperable world of OpenPGP, unforeseen cross-configuration attacks become possible. Concretely, we propose different such attacks and show their practical efficacy by recovering plaintexts and even secret keys.

Digital signature is one of the most important public key cryptographic primitive for message authentication. In a digital signature scheme, receiver of a message-signature pair gets assurance about the fact that the message belongs to the sender and neither receiver nor any third party can manipulate the message. In the current state of art, most of the existing digital signatures' security relies on classical cryptographic assumption based hard problems, such as discrete log, integer factorization, etc. However, rapid development of quantum computing creates a security threat to these classical digital signature schemes. It indicates the recruitment of an alternative solution which can prevent quantum attacks. We focus on this concern by implementing a post-quantum secure isogeny based digital signature scheme without making use of SIDH and CSIDH. Our scheme achieves uf-cma security under a hard problem in isogeny. The proposed signature scheme incurs 256 byte public key size and 128 byte signature size to achieve 128-bit security level (NIST-1 level of security). In particular, the size of signature of our design is smaller than all other IBC based signature schemes at the 128-bit security level.

This paper presents a brand-new idea of masking the algebraic structure of linear codes used in code-based cryptography. Specially, we introduce the so-called semilinear transformations in coding theory, make a thorough study on their algebraic properties and then creatively apply them to the construction of code-based cryptosystems. Note that $\mathbb{F}_{q^m}$ can be viewed as an $\mathbb{F}_q$-linear space of dimension $m$, a semilinear transformation $\varphi$ is therefore defined to be an $\mathbb{F}_q$-linear automorphism of $\mathbb{F}_{q^m}$. After that, we impose this transformation to a linear code $\mathcal{C}$ over $\mathbb{F}_{q^m}$. Apparently $\varphi(\mathcal{C})$ forms an $\mathbb{F}_q$-linear space, but generally does not preserve the $\mathbb{F}_{q^m}$-linearity according to our analysis. Inspired by this observation, a new technique for masking the structure of linear codes is developed in this paper. Meanwhile, we endow the secret code with the so-called partial cyclic structure to make a reduction in public-key size. Compared to some other code-based cryptosystems, our proposal admits a much more compact representation of public keys. For instance, 1058 bytes are enough to reach the security of 256 bits, almost 1000 times smaller than that of the Classic McEliece entering the third round of the NIST PQC project.

We construct, under standard hardness assumptions, the first non-malleable commitments secure against quantum attacks. Our commitments are statistically binding and satisfy the standard notion of non-malleability with respect to commitment. We obtain the following instantiations:

\begin{itemize} \item A $\log^\star(\lambda)$-round classical protocol based on quantum fully-homomorphic encryption and the quantum hardness of Learning with Errors. \item A polynomial-round classical protocol based on post-quantum oblivious transfer.

\item A polynomial-round quantum protocol based on post-quantum one-way functions. \end{itemize}

Previously, non-malleable commitments with quantum security were only known against a restricted class of adversaries known as synchronizing adversaries. At the heart of our results is a general technique that allows to modularly obtain non-malleable commitments from any extractable commitment protocol, obliviously of the underlying extraction strategy (black-box or non-black-box), round complexity, and whether communication is quantum or classical. The transformation preserves the quantum security of the underlying extractable commitments, and is new even in the classical setting.

We prove that the path-finding problem in $\ell$-isogeny graphs and the endomorphism ring problem for supersingular elliptic curves are equivalent under reductions of polynomial expected time, assuming the generalised Riemann hypothesis. The presumed hardness of these problems is foundational for isogeny-based cryptography. As an essential tool, we develop a rigorous algorithm for the quaternion analog of the path-finding problem, building upon the heuristic method of Kohel, Lauter, Petit and Tignol. This problem, and its (previously heuristic) resolution, are both a powerful cryptanalytic tool and a building-block for cryptosystems.

Event date: 5 November to 8 November 2021
Submission deadline: 20 July 2021
Notification: 25 August 2021

The Cybersecurity - Identity Management group at the Hasso-Plattner-Institute (HPI), University of Potsdam is looking for motivated PhD students in the area of cryptography and privacy.

Your future tasks

• Development and analysis of provably secure cryptographic protocols for real-world problems. Topics of interest include (but are not limited to):
  • Privacy-enhancing technologies
  • Password-based cryptography
  • Foundations and solutions for real-world cryptography
• Publish and present results at top-tier international conferences
• Participate in teaching activities (depends on position)

Your skills

• Master’s degree in Computer Science, Mathematics, or a related area by the time of appointment
• Profound knowledge and interest in the areas of cryptography and IT security
• Fluency in English (written and spoken)

There are two types for the PhD positions: One position comes with a teaching obligation for which also sufficient German language skills are required. Review of applicants will start immediately until the position is filled. The starting date is flexible. The other is through the scholarship program of the HPI. Deadline for scholarship applications is August 15, and the positions usually start around October.

We look forward to your application including a CV, motivation letter and a list of attended Master courses and grades. Please submit your application documents (only as PDF) via email, and indicate the position you are interested in (teaching/scholarship).

Closing date for applications:

Contact: Anja Lehmann (anja . lehmann - at - hpi . de)

More information: https://hpi.de/lehmann/home.html

We have an open postdoc position in the domain of Scalable and Secure Data Sharing funded FWO SBO (strategic basic research) project MOZAIK. The prospective candidate is expected to design and develop efficient MPC protocols for privacy-preserving data analytics. The work includes, but not limited to, investigating machine learning algorithms that best suit MPC and that can be efficiently implemented over MPC. You will be working closely with tools such as https://github.com/KULeuven-COSIC/SCALE-MAMBA The candidate must hold a PhD degree in Cryptography or a related subject with strong publication records in crypto/security venues. In addition to a strong background in both public and symmetric cryptography, good knowledge in MPC, machine learning algorithms, and cryptographic protocols are expected. The candidate should also have coding experience in C/C++ and Python, experience in practical aspects of secure computation is a must.

Closing date for applications:

Contact: For inquiries send an email to jobs-cosic@esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

We invite applications for a postdoctoral research position in applied cryptography in topics related, but not limited, to the following:

• Zero-knowledge proofs
• Polynomial/vector commitments
• Searchable/structured encryption
• Oblivious algorithms
• TEE-assisted cryptography

Applicants are expected to have a PhD in computer science or related field and published papers in cryptography (IACR venues) and/or top-tier security conferences (Big-4). Experience with hands-on implementation is a plus. The specific research topic will be determined based on the interests of the applicant.

Interested applicants should submit their CV and a single-page research statement. The position is available immediately and on a rolling basis until filled. It will initially be for one year and can be extended given satisfactory performance.

Work environment: The HKUST CSE department was ranked 17th in the world in 2020 by THE World University Rankings. Our graduates typically produce research output of the highest quality and consistently staff world-class institutions. The lab offers a creative work environment that is ideal for excellent research.

Closing date for applications:

Contact: Prof. Papadopoulos Dimitrios, dipapado at cse dot ust dot hk

We study the round complexity of zero-knowledge for QMA (the quantum analogue of NP). Assuming the quantum quasi-polynomial hardness of the learning with errors (LWE) problem, we obtain the following results: - 2-Round statistical witness indistinguishable (WI) arguments for QMA. - 4-Round statistical zero-knowledge arguments for QMA in the plain model, additionally assuming the existence of quantum fully homomorphic encryption. This is the first protocol for constant-round statistical zero-knowledge arguments for QMA. - 2-Round computational (statistical, resp.) zero-knowledge for QMA in the timing model, additionally assuming the existence of post-quantum non-parallelizing functions (time-lock puzzles, resp.).

All of these protocols match the best round complexity known for the corresponding protocols for NP with security against classical adversaries. Along the way, we introduce and construct the notions of sometimes-extractable oblivious transfer and sometimes-simulatable zero-knowledge, which might be of independent interest.

Encrypted databases systems and searchable encryption schemes still leak critical information (e.g.: access patterns) and require a choice between privacy and efficiency. We show that using ORAM schemes as a black-box is not a panacea and that optimizations are still possible by improving the data structures. We design an ORAM-based secure database that is built from the ground up: we replicate the typical data structure of a database system using different optimized ORAM constructions and derive a new solution for oblivious searches on databases. Our construction has a lower bandwidth overhead than state-of-the-art ORAM constructions by moving client-side computations to a proxy with an intermediate (rigorously defined) level of trust, instantiated as a server-side isolated execution environment. We formally prove the security of our construction and show that its access patterns depend only on public information. We also provide an implementation compatible with SQL databases (PostgresSQL). Our system is 1.2 times to 4 times faster than state-of-the-art ORAM-based solutions.

Stake-based multiparty cryptographic primitives operate in a setting where participants are associated with their stake, security is argued against an adversary that is bounded by the total stake it possesses —as opposed to number of parties— and we are interested in scalability, i.e., the complexity of critical operations depends only logarithmically in the number of participants (that are assumed to be numerous).

In this work we put forth a new stake-based primitive, stake-based threshold multisignatures (STM, or “Mithril” signatures), which allows the aggregation of individual signatures into a compact multisignature pro- vided the stake that supports a given message exceeds a stake threshold. This is achieved by having for each message a pseudorandomly sampled subset of participants eligible to issue an individual signature; this ensures the scalability of signing, aggregation and verification.

We formalize the primitive in the universal composition setting and propose efficient constructions for STMs. We also showcase that STMs are eminently useful in the cryptocurrency setting by providing two applications: (i) stakeholder decision-making for Proof of Work (PoW) blockchains, specifically, Bitcoin, and (ii) fast bootstrapping for Proof of Stake (PoS) blockchains.

The celebrated PCP Theorem states that any language in NP can be decided via a verifier that reads $O(1)$ bits from a polynomially long proof. Interactive oracle proofs (IOP), a generalization of PCPs, allow the verifier to interact with the prover for multiple rounds while reading a small number of bits from each prover message. While PCPs are relatively well understood, the power captured by IOPs (beyond NP) has yet to be fully explored.

We present a generalization of the PCP theorem for interactive languages. We show that any language decidable by a $k(n)$-round IP has a $k(n)$-round public-coin IOP, where the verifier makes its decision by reading only $O(1)$ bits from each (polynomially long) prover message and $O(1)$ bits from each of its own (random) messages to the prover. Our proof relies on a new notion of PCPs that we construct called index-decodable PCPs, which may be of independent interest.

We are then able to bring transformations that previously applied only for IPs into the realm of IOPs. We show IOP-to-IOP transformations that preserve query complexity and achieve: (i) private-coins to public-coins; (ii) round reduction; and (iii) imperfect to perfect completeness.