International Association
for Cryptologic Research

Simula UiB (http://simula-uib.com) in Bergen, Norway, has a 4-year PhD position available in the field of cryptography. PhD students at Simula UiB enjoy an inclusive working environment with competitive salaries.

Job description

The PhD student we are looking for is eager to dive deeper into selected research topics in cryptography. The supervisor for this position is Chief Research Scientist Håvard Raddum, and the possible research areas of interest are: cryptanalysis of crypto primitives, fully homomorphic encryption with applications, or lattice-based cryptography. This list is not exhaustive, other topics will also be considered. The job consists of doing research on a daily basis, moving the research front on one or a few selected areas. Writing research papers and presenting them is an important part of the position. All research will be done with the aim of the student obtaining a PhD degree. The candidate will receive the PhD degree from the University of Bergen. 25% of the 4-year period is compulsory work related to the PhD student’s research area. Examples of compulsory work are teaching courses, outreach, applied research experiments, etc.

Closing date for applications:

Contact: Håvard Raddum - email: haavardr@simula.no. For administrative enquiries, contact bergen@simula.no.

More information: https://www.simula.no/about/job/call-phd-student-cryptography

Supersingular isogeny Diffie-Hellman (SIDH) is attractive for small public key size, but it is still unsatisfactory due to its efficiency, compared to other post-quantum proposals. In this paper, we focus on the performance of SIDH when the starting curve is $E_6:y^2=x^3+6x^2+x$, which is fixed in Round-3 SIKE implementation. We present several tricks to accelerate key generation of SIDH by precomputing few elements in the base field. We also point out that the main ideas of Costello et al. and Faz-Hern\'andez et al. to improve the ladder performance of SIDH, of which the starting curve is $E_0:y^2=x^3+x$, could be still utilized for the current SIDH protocol.

A recent work of Benhamouda and Lin (TCC~'20) identified a dream version of secure multiparty computation (MPC), termed **Multiparty reusable Non-Interactive Secure Computation** (MrNISC), that combines at the same time several fundamental aspects of secure computation with standard simulation security into one primitive: round-optimality, succinctness, concurrency, and adaptivity. In more detail, MrNISC is essentially a two-round MPC protocol where the first round of messages serves as a reusable commitment to the private inputs of participating parties. Using these commitments, any subset of parties can later compute any function of their choice on their respective inputs by broadcasting one message each. Anyone who sees these parties' commitments and evaluation messages (even an outside observer) can learn the function output and nothing else. Importantly, the input commitments can be computed without knowing anything about other participating parties (neither their identities nor their number) and they are reusable across any number of computations.

By now, there are several known MrNISC protocols from either (bilinear) group-based assumptions or from LWE. They all satisfy semi-malicious security (in the plain model) and require trusted setup assumptions in order to get malicious security. We are interested in maliciously secure MrNISC protocols **in the plain model, without trusted setup**. Since the standard notion of polynomial simulation is un-achievable in less than four rounds, we focus on MrNISC with **super-polynomial**-time simulation (SPS).

Our main result is the first maliciously secure SPS MrNISC in the plain model. The result is obtained by generically compiling any semi-malicious MrNISC and the security of our compiler relies on several well-founded assumptions, including an indistinguishability obfuscator and a time-lock puzzle (all of which need to be sub-exponentially hard). As a special case we also obtain the first 2-round maliciously secure SPS MPC based on well-founded assumptions. This MPC is also concurrently self-composable and its first message is short (i.e., its size is independent of the number of the participating parties) and reusable throughout any number of computations.

A ring signature is a signature scheme that provides the authenticity of a message anonymously. In this paper, we first present a post-quantum sigma protocol for a ring that relies on the supersingular isogeny-based interactive zero-knowledge identification scheme proposed by De Feo, Jao, and Plût in 2014. We prove the correctness, 2-special soundness, and honest-verifier zero-knowledge properties of the proposed protocol. Then, we construct a ring signature from the proposed sigma protocol for a ring by applying the Fiat-Shamir transform. In order to reduce the size of the exchanges, we use the Merkle tree and show that the signature size increases logarithmically in the size of the ring. The complexity analyses of the proposed protocols are also provided.

Use of game theory and mechanism design in cloud security is a well-studied topic. When applicable, it has the advantages of being efficient and simple compared to cryptography alone. Most analyses consider two-party settings, or multi-party settings where coalitions are not allowed. However, many cloud security problems that we face are in the multi-party setting and the involved parties can almost freely collaborate with each other. To formalize the study of disincentivizing coalitions from deviating strategies, a well-known definition named k-resiliency has been proposed by Abraham et al. (ACM PODC '06). Since its proposal, k-resiliency and related definitions are used extensively for mechanism design. However, in this work we observe the shortcoming of k-resiliency. That is, although it is secure, these definitions are too strict to use for many cases and rule out secure mechanisms as insecure. To overcome this, we propose a new definition named l-repellence against the presence of a single coalition to replace k-resiliency. Our definition incorporates transferable utility in game theory as it is realistic in many distributed and multi-party computing settings. We also propose m-stability definition against the presence of multiple coalitions, which is inspired by threshold security in cryptography. We then show the advantages of our novel definitions on three mechanisms, none of which were previously analyzed against coalitions: incentivized cloud computation, forwarding data packages in ad hoc networks, and connectivity in ad hoc networks. Regarding the former, our concepts improve the proposal by Küpçü (IEEE TDSC '17), by ensuring a coalition-proof mechanism.

Evaluating the side-channel resistance of a device in practice is a problematic and arduous process. Current certification schemes require to attack the device under test with an ever-growing number of techniques to validate its security. In addition, the success or failure of these techniques strongly depends on the individual implementing them, due to the fallible and human intrinsic nature of several steps of this path.

To alleviate this problem, we propose a battery of automated attacks as a side-channel analysis robustness assessment of an embedded device. To prove our approach, we conduct realistic experiments on two different devices, creating a new dataset (AES_RA) as a part of our contribution. Furthermore, we propose a novel way of performing these attacks using Principal Component Analysis, which also serves as an alternative way of selecting optimal principal components automatically. In addition, we perform a detailed analysis of automated attacks against masked AES implementations, comparing our method with the state-of-the-art approaches and proposing two novel initialization techniques to overcome its limitations in this scenario. We support our claims with experiments on AES_RA and a public dataset (ASCAD), showing how our, although fully automated, approach can straightforwardly provide state-of-the-art results.

In known constructions of classical zero-knowledge protocols for NP, either of zero-knowledge or soundness holds only against computationally bounded adversaries. Indeed, achieving both statistical zero-knowledge and statistical soundness at the same time with classical verifier is impossible for NP unless the polynomial-time hierarchy collapses, and it is also believed to be impossible even with a quantum verifier. In this work, we introduce a novel compromise, which we call the certified everlasting zero-knowledge proof for QMA. It is a computational zero-knowledge proof for QMA, but the verifier issues a classical certificate that shows that the verifier has deleted its quantum information. If the certificate is valid, even unbounded malicious verifier can no longer learn anything beyond the validity of the statement. We construct a certified everlasting zero-knowledge proof for QMA. For the construction, we introduce a new quantum cryptographic primitive, which we call commitment with statistical binding and certified everlasting hiding, where the hiding property becomes statistical once the receiver has issued a valid certificate that shows that the receiver has deleted the committed information. We construct commitment with statistical binding and certified everlasting hiding from quantum encryption with certified deletion by Broadbent and Islam [TCC 2020] (in a black box way), and then combine it with the quantum sigma-protocol for QMA by Broadbent and Grilo [FOCS 2020] to construct the certified everlasting zero-knowledge proof for QMA. Our constructions are secure in the quantum random oracle model. Commitment with statistical binding and certified everlasting hiding itself is of independent interest, and there will be many other useful applications beyond zero-knowledge.

Masking is the main countermeasure against side-channel attacks on embedded devices. For cryptographic algorithms that combine Boolean and arithmetic masking, one must therefore convert between the two types of masking, without leaking additional information to the attacker. In this paper we describe a new high-order conversion algorithm between Boolean and arithmetic masking, based on table recomputation, and provably secure in the ISW probing model. We show that our technique is particularly efficient for masking structured LWE encryption schemes such as Kyber and Saber. In particular, for Kyber IND-CPA decryption, we obtain an order of magnitude improvement compared to existing techniques.

TCC'21 will take place will take place in Raleigh, United States on November 8-11 2021.

Registration for TCC 2021 is now open for both in person and remote attendees! Register early! The earliest we know the number of in-person attendees, the best the in-person experience will be. See: https://tcc.iacr.org/2021/registration.php

Stipends are available for students.

A special "in person" workshop will take place alongside TCC. Deadline to submit a talk is Oct. 13th. More details on the workshop can be found here: https://tcc.iacr.org/2021/inperson.php

We at Arcana(arcana.network) are looking for someone well versed with applied math and cryptography to help design our protocol and allied systems. Specifically, we are looking for knowledge in a significant subset of the following: (1) Verifiable Delay Function(VDF) implementation. (2)Distributed key generation(DKG) and management(DKMS). (3)Encryption schemes. (4)Game theoretical (dis)incentivisation on a decentralized network. (5)Distributed Random Number generation. (6)End to End Encryption schemes . (7)Zero Knowledge proofs. (8)Verifiable computation. Academics and part time consultants also welcome to apply.

Closing date for applications:

Contact: admin@arcana.network

More information: https://arcana.network

The Institute of Information Security and Dependability at KIT is looking for a Post-Doc with expertise in privacy-preserving cryptographic protocols with a focus on secure multi-party computation , ideally, having hands-on experiences with MPC-compilers. A track record in this field is expected, including publications at reputable conferences such as Crypto, Eurocrypt, ACM CCS, PETS, etc.

You will be a member of the KASTEL Security Research Labs (https://zentrum.kastel.kit.edu) and the Topic "Engineering Secure Systems" of the Helmholtz Association. Your research is dealing with cryptographic protocols for privacy-preserving computations, e.g., applied to mobility systems. It will result in both theoretical security concepts (protocol designs, security proofs, etc.) and their practical implementation (e.g., a demonstrator) for some application domain. The contract will initially be limited to 1 year, but can be extended.

If you are interested, please formally apply using the link given below. Besides your CV including a list of your publications, please also include the names of three references.

Closing date for applications:

Contact: Andy Rupp (andy.rupp@rub.de)

More information: https://www.pse.kit.edu/karriere/joboffer.php?id=96409&language=en

The high cost of IC design has made chip protection one of the first priorities of the semiconductor industry. In addition, with the growing number of untrusted foundries, the possibility of inside foundry attack is escalating. However, by taking advantage of polymorphic gates, the layouts of the circuits with different functionalities look exactly identical, making it impossible even for an inside foundry attacker to distinguish the defined functionality of an IC by looking at its layout. Moreover, since memristor is compatible with CMOS structure, it is possible to efficiently design hybrid memristor- CMOS circuits. In this paper, we propose a hardware obfuscation method based on polymorphic hybrid memristor-CMOS technology. Overhead of the polymorphic designs and the time complexity of possible attacks are discussed.

Group signatures allow group members to sign on behalf of the group anonymously. They are therefore well suited to storing data in a way that preserves the users’ privacy, while guaranteeing its authenticity. Garms and Lehmann (PKC’19) introduced a new type of group signatures that balance privacy with utility by allowing to selectively link subsets of the group signatures via an oblivious entity, the converter. The conversion takes a batch of group signatures and blindly transforms signatures originating from the same user into a consistent representation. Their scheme essentially targets a setting where the entity receiving fully unlinkable signatures and the converted ones is the same: only pseudonyms but not full signatures are converted, and the input to the converter is assumed to be well-formed. Thus, the converted outputs are merely linkable pseudonyms but no longer signatures. In this work we extend and strengthen such convertibly linkable group signatures. Conversion can now be triggered by malicious entities too, and the converted outputs can be publicly verified. This preserves the authentication of data during the conversion process. We define the security of this scheme and give a provably secure instantiation. Our scheme makes use of controlled-malleable NIZKs, which allow proofs to be mauled in a controlled manner. This allows signatures to be blinded, while still ensuring they can be verified during conversions.

This paper describes a practical side-channel power analysis on CRYSTALS-Kyber key-encapsulation mechanism. In particular, we analyse the polynomial multiplication in the decapsulation phase to recover the secret key in a semi-static setting. The power analysis attack was performed against the KYBER512 implementation from pqm4 running on STM32F3 M4-cortex CPU.

We consider the related-tweak impossible differential cryptanalysis of \texttt{TweAES}. It is one of the underlying primitives of Authenticated Encryption with Associated Data (AEAD) scheme \texttt{ESTATE} which was accepted as one of second-round candidates in the NIST Lightweight Cryptography Standardization project. Firstly, we reveal several properties of \texttt{TweAES}, which show what kinds of distinguishers are more effective in recovering keys. With the help of automatic solver Simple Theorem Prover (STP), we achieve many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that just have one active byte. Then, we implement 8-round key recovery attacks against \texttt{TweAES} based on one of these 5.5-round distinguishes. Moreover, another 5.5-round distinguisher that has four active bytes at the end is utilized to mount a 7-round key recovery attack against \texttt{TweAES}, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack of \texttt{TweAES} in the design document. Our 8-round key recovery attack is the best one against \texttt{TweAES} in terms of the number of rounds and complexities so far.

The final exponentiation affects the efficiency of pairing computations especially on pairing-friendly curves with high embedding degree. We propose an efficient method for computing the hard part of the final exponentiation on the KSS18 curve at 192-bit security level. Implementations indicate that the computation of the final exponentiation can be 8.74% faster than the previously fastest result.

This paper presents the design and evaluation of Wendy, the first Byzantine consensus protocol that achieves optimal latency (two phases), linear authenticator complexity, and optimistic responsiveness. Wendy's core technical contribution is a novel aggregate signature scheme that allows leaders to prove, with constant pairing cost, that an operation did not commit. This No-commit proof addresses prior liveness concerns in protocols with linear authenticator complexity (including view change), allowing Wendy to commit operations in two-phases only.

A variety of post-quantum cryptographic schemes are currently undergoing standardization in the National Institute of Standards and Technology's post-quantum cryptography standardization process. It is well known from classical cryptography that actual implementations of cryptographic schemes can be attacked by exploiting side-channels, e.g. timing behavior, power consumption or emanation in the electromagnetic field. Although several of the reference implementations currently in the third and final standardization round are - to some extent - implemented in a timing-constant fashion, resistance against other side-channels is not taken into account yet. Implementing sufficient countermeasures, however, is challenging.

We therefore exemplarily examine CRYSTALS-Kyber, which is a lattice-based key encapsulation mechanism currently considered as a candidate for standardization. By analyzing the power consumption side-channel during message encoding we develop four more and compare six different implementations with an increasing degree of countermeasures.

We show that introducing randomization countermeasures is crucial as all examined implementations aiming at reducing the leakage by minimizing the Hamming distance of the processed intermediate values only are vulnerable against single-trace attacks when implemented on an ARM Cortex-M4.

Micropayments are one of the challenges in cryptocurrencies.

The problems in realizing micropayments in the blockchain are the low throughput and the high blockchain transaction fee.

As a solution, decentralized probabilistic micropayment has been proposed. The winning amount is registered in the blockchain, and the tickets are issued to be won with probability $p$, which allows us to aggregate approximately $\frac{1}{p}$ transactions into one.

Unfortunately, existing solutions do not allow for ticket transferability, and the smaller $p$, the more difficult it is to use them in the real world.

We propose a novel decentralized probabilistic micropayment Transferable Scheme. It allows tickets to be transferable among users. By allowing tickets to be transferable, we can make $p$ smaller.

We also propose a novel Proportional Fee Scheme. This is a scheme where each time a ticket is transferred, a portion of the blockchain transaction fee will be charged.

With the proportional fee scheme, users will have the advantage of sending money with a smaller fee than they would generally send through the blockchain.

For example, sending one dollar requires only ten cents.

This paper presents the first adaptively simulation secure functional encryption (FE) schemes for attribute-weighted sums. In such an FE scheme, encryption takes as input N pairs of attribute {(x_i, z_i )}_{i \in [N]} for some N \in \mathbb{N} where the attributes {x_i}_{i \in [N]} are public while the attributes {z_i}_{i \in [N]} are private. The indices i \in [N] are referred to as the slots. A secret key corresponds to some weight function f, and decryption recovers the weighted sum \sum_{i \in [N]} f(x_i)z_i. This is an important functionality with a wide range of potential real life applications. In the proposed FE schemes attributes are viewed as vectors and weight functions are arithmetic branching programs (ABP). We present two schemes with varying parameters and levels of adaptive security.

(a) We first present a one-slot scheme that achieves adaptive security in the simulation-based security model against a bounded number of ciphertext queries and an arbitrary polynomial number of secret key queries both before and after the ciphertext queries. This is the best possible level of security one can achieve in the adaptive simulation-based framework. From the relations between the simulation-based and indistinguishability-based security frameworks for FE, it follows that the proposed FE scheme also achieves indistinguishability- based adaptive security against an a-priori unbounded number of ciphertext queries and an arbitrary polynomial number of secret key queries both before and after the ciphertext queries. Moreover, the scheme enjoys compact ciphertexts that do not grow with the number of appearances of the attributes within the weight functions.

(b) Next, bootstrapping from the one-slot scheme, we present an unbounded-slot scheme that achieves simulation-based adaptive security against a bounded number of ciphertext and pre-ciphertext secret key queries while supporting an a-priori unbounded number of post-ciphertext secret key queries. The scheme achieves public parameters and secret key sizes independent of the number of slots N and a secret key can decrypt a ciphertext for any a-priori unbounded N. Further, just like the one-slot scheme, this scheme also has the ciphertext size independent of the number of appearances of the attributes within the weight functions. However, all the parameters of the scheme, namely, the master public key, ciphertexts, and secret keys scale linearly with the bound on the number of pre-ciphertext secret key queries.

Our schemes are built upon asymmetric bilinear groups of prime order and the security is derived under the standard (bilateral) k-Linear (k-Lin) assumption. Our work resolves an open problem posed by Abdalla, Gong, and Wee in CRYPTO 2020, where they presented an unbounded-slot FE scheme for attribute-weighted sum achieving only semi-adaptive simulation security. At a technical level, our work extends the recent adaptive security framework of Lin and Luo [EUROCRYPT 2020], devised to achieve compact ciphertexts in the context of indistinguishability-based payload-hiding security, into the setting of simulation-based adaptive attribute-hiding security.