International Association
for Cryptologic Research

Group signatures are an important cryptographic primitive providing both anonymity and accountability to signatures. Accountable ring signatures combine features from both ring signatures and group signatures, and can be directly transformed to group signatures. While there exists extensive work on constructing group signatures from various post-quantum assumptions, there has not been any using isogeny-based assumptions. In this work, we propose the first construction of isogeny-based group signatures, which is a direct result of our isogeny-based accountable ring signature. This is also the first construction of accountable ring signatures based on post-quantum assumptions. Our schemes are based on the decisional CSIDH assumption (D-CSIDH) and are proven secure under the random oracle model (ROM).

With the fast-growing technology and emerging innovations in the research arena, privacy and preservation of data predominantly in the medical field are highly essential. At the same time, there is a need for minimized storage of voluminous data in the medical repository. The inspiration for this research work to formulate the hybrid methodologies using improved Steganography, wavelet transform, and lossless compression for privacy and preservation of medical big data images and patient information in the medical big data repositories. The novelty of the work focuses on the preservation of patient’s information using enhanced security and optimized big data image storage, which helps the pharmacology professionals to store double the amount of information in the same storage space of the medical big data repository. The secure storage, fast retrieval of image, and minimum computation are the basic ideology of the work. The research work adopts a fast and optimized approach of the Knight Tour algorithm for embedding the patient’s data in their medical image and a Discrete Wavelet Transform (DWT) for the safeguarding of the cover image. Furthermore, a lossless wavelet packet compression is applied to minimize the storage size and to maximize storage efficiency. The outcome of the work achieves a higher level of data security without loss in the quality of the image. In addition, the preservation of the reduced size image will be easy to accommodate and can store bountiful images in the repository. A proposed hybrid method of compression in order to get high resolution on spatial and frequency domains will provide an edge.

We construct an efficient dynamic group signature (or more generally an accountable ring signature) from isogeny and lattice assumptions. Our group signature is based on a simple generic construction that can be instantiated by cryptographically hard group actions such as the CSIDH group action or an MLWE-based group action. The signature is of size $O(\log N)$, where $N$ is the number of users in the group. Our idea builds on the recent efficient OR-proof by Beullens, Katsumata, and Pintore (Asiacrypt'20), where we efficiently add a proof of valid ciphertext to their OR-proof and further show that the resulting non-interactive zero-knowledge proof system is online extractable.

Our group signatures satisfy more ideal security properties compared to previously known constructions, while simultaneously having an attractive signature size. The signature size of our isogeny-based construction is an order of magnitude smaller than all previously known post-quantum group signatures (e.g., 6.6 KB for 64 members). In comparison, our lattice-based construction has a larger signature size (e.g., either 126 KB or 89 KB for 64 members depending on the satisfied security property). However, since the $O(\cdot)$-notation hides a very small constant factor, it remains small even for very large group sizes, say $2^{20}$.

Both ring signatures and group signatures are useful privacy tools, allowing signers to hide their identities within a set of other public keys, while allowing their signatures to be validated with respect to the entire set. Group signature schemes and revocable ring signature schemes both provide the additional ability for certain authorized members to revoke the anonymity on a signature and reveal the true signer—allowing management of abuse in the scheme. This work consists of two parts. Firstly, we introduce a stronger security notion—collusion resistance—for revocable ring signatures and show how to derive a group signature scheme from it, which provides a new approach to obtaining group signatures. This improves on the existing weak security model (e.g. with selfless anonymity) which fails to guarantee anonymity of members whose keys are exposed. Our stronger notion requires that the scheme remains secure against full key exposure in the anonymity game, and allows collusion among arbitrary members in the revocability game. Secondly (and more concretely), we construct a practical collusion-resistant revocable ring signature scheme based on hard homogenous spaces (HHS), and thus obtain a group signature scheme based on isogenies. To the best of our knowledge, the schemes given in this work are the first efficient post-quantum (collusion-resistant) revocable ring signature scheme, and the first efficient isogeny-based group signature scheme in the literature.

In the context of the NIST post-quantum cryptography project, there have been claims that the Gaborit&Aguilar-Melchor patent could apply to the Kyber and Saber encryption schemes. In this short note, we argue that these claims are in contradiction with the potential validity of the patent.

Thermal jitter (phase noise) from a free-running ring oscillator is a common, easily implementable physical randomness source in True Random Number Generators (TRNGs). We show how to evaluate entropy, autocorrelation, and bit pattern distributions of ring oscillator noise sources, even with low jitter levels or some bias. Entropy justification is required in NIST 800-90B and AIS-31 testing and for applications such as the RISC-V entropy source extension. Our numerical evaluation algorithms outperform Monte Carlo simulations in speed and accuracy. We also propose a new lower bound estimation formula for the entropy of ring oscillator sources which applies more generally than previous ones.

We focus on the multiple persistent faults analysis in this paper to fill existing gaps in its application in a variety of scenarios. Our major contributions are twofold. First, we propose a novel technique to apply persistent fault apply in the multiple persistent faults setting that decreases the number of survived keys and the required data. We demonstrate that by utilizing 1509 and 1448 ciphertexts, the number of survived keys after performing persistent fault analysis on AES in the presence of eight and sixteen faults can be reduced to only $2^9$ candidates, whereas the best known attacks need 2008 and 1643 ciphertexts, respectively, with a time complexity of $2^{50}$. Second, we develop generalized frameworks for retrieving the key in the ciphertext-only model. Our methods for both performing persistent fault attacks and key-recovery processes are highly flexible and provide a general trade-off between the number of required ciphertexts and the time complexity. To break AES with 16 persistent faults in the Sbox, our experiments show that the number of required ciphertexts can be decreased to 477 while the attack is still practical with respect to the time complexity. To confirm the accuracy of our methods, we performed several simulations as well as experimental validations on the ARM Cortex-M4 microcontroller with electromagnetic fault injection on AES and LED, which are two well-known block ciphers to validate the types of faults and the distribution of the number of faults in practice.

Syncing the latest state of a blockchain can be a resource-intensive task, driving (especially mobile) end users towards centralized services offering instant access. To expand full decentralized access to anyone with a mobile phone, we introduce a consensus-agnostic compiler for constructing {\em ultralight clients}, providing secure and highly efficient blockchain syncing via a sequence of SNARK-based state transition proofs, and prove its security formally. Instantiating this, we present Plumo, an ultralight client for the Celo blockchain capable of syncing the latest network state summary in just a few seconds even on a low-end mobile phone. In Plumo, each transition proof covers four months of blockchain history and can be produced for just $25 USD of compute. Plumo achieves this level of efficiency thanks to two new SNARK-friendly constructions, which may also be of independent interest: a new BLS-based offline aggregate multisignature scheme in which signers do not have to know the members of their multisignature group in advance, and a new composite algebraic-symmetric cryptographic hash function.

Recently, motivated by its increased use in real-world applications, there has been a growing interest on the reduction of trust in the generation of the common reference string (CRS) for zero-knowledge (ZK) proofs. This line of research was initiated by the introduction of subversion non-interactive ZK (NIZK) proofs by Bellare et al. (ASIACRYPT'16). Here, the zero-knowledge property needs to hold even in case of a malicious generation of the CRS. Groth et al. (CRYPTO'18) then introduced the notion of updatable zk-SNARKS, later adopted by Lipmaa (SCN'20) to updatable quasi-adaptive NIZK (QA-NIZK) proofs. In contrast to the subversion setting, in the updatable setting one can achieve stronger soundness guarantees at the cost of reintroducing some trust, resulting in a model in between the fully trusted CRS generation and the subversion setting. It is a promising concept, but all previous updatable constructions are ad-hoc and tailored to particular instances of proof systems. Consequently, it is an interesting question whether it is possible to construct updatable ZK primitives in a more modular way from simpler building blocks.

In this work we revisit the notion of trapdoor smooth projective hash functions (TSPHFs) in the light of an updatable CRS. TSPHFs have been introduced by Benhamouda et al. (CRYPTO'13) and can be seen as a special type of a 2-round ZK proof system. In doing so, we first present a framework called lighter TSPHFs (L-TSPHFs). Building upon it, we introduce updatable L-TSPHFs as well as instantiations in bilinear groups. We then show how one can generically construct updatable quasi-adaptive zero-knowledge arguments from updatable L-TSPHFs. Our instantiations are generic and more efficient than existing ones. Finally, we discuss applications of (updatable) L-TSPHFs to efficient (updatable) 2-round ZK arguments as well as updatable password-authenticated key-exchange (uPAKE).

At CANS’20, El Housni and Guillevic introduced a new 2-chain of pairing-friendly elliptic curves for recursive zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) made of the former BLS12-377 curve (a Barreto–Lynn–Scott curve over a 377- bit prime field) and the new BW6-761 curve (a Brezing–Weng curve of embedding degree 6 over a 761-bit prime field). First we generalise the curve construction, the pairing formulas (e : G1 × G2 → GT ) and the group operations to any BW6 curve defined on top of any BLS12 curve, forming a family of 2-chain pairing-friendly curves. Second, we investigate other possible 2-chain families made on top of the BLS12 and BLS24 curves. We compare BW6 to Cocks–Pinch curves of higher embedding degrees 8 and 12 (CP8, CP12) at the 128-bit security level. We explicit an optimal ate and optimal Tate pairing on our new CP curves. We show that both for BLS12 and BLS24, the BW6 construction always gives the fastest pairing and curve arithmetic compared to Cocks-Pinch curves. Finally, we suggest a short list of curves suitable for Groth16 and KZG-based universal SNARKs and present an optimized implementation of these curves. Based on Groth16 and PlonK (a KZG- based SNARK) implementations, we obtain that the BLS12-377/BW6-761 pair is optimized for the former while the BLS24-315/BW6-672 pair is optimized for the latter.

The Learning with Errors (LWE) problem consists of distinguishing linear equations with noise from uniformly sampled values. LWE enjoys a hardness reduction from worst-case lattice problems, which are believed to be hard for classical and quantum computers. Besides, LWE allows for the construction of a large variety of cryptographic schemes, including fully-homomorphic encryption and attribute-based cryptosystems. Unfortunately, LWE requires large key sizes and computation times. To improve efficiency, Ring-LWE replaces linear equations with noisy ring products. Nowadays, Ring-LWE and its variants are frequently used in the construction of post-quantum secure cryptosystems.

In this survey, we give an overview of the hardness results for LWE and Ring-LWE, aiming to connect both problems and to provide good intuition to the reader. We present a proof of the strongest hardness result for Ring-LWE available the literature, which is a reduction from ideal lattice problems to its decision form. We start by introducing both Ring-LWE and LWE and their mathematical foundations, focusing on lattices and algebraic number theory. Then, we sketch the classical hardness proof for LWE and extend the proof techniques to the ring case. We also introduce informal discussions on parameter choices, weaknesses, related work, and open problems.

In this paper, we study the round complexity of concurrently secure computation protocols in the plain model, without random oracles or assuming the presence of a trusted setup. In the plain model, it is well known that concurrently secure two-party computation with polynomial simulation is impossible to achieve in two rounds. For this reason, we focus on the well-studied notion of security with super-polynomial simulation (SPS). Our main result is the first construction of two-round SPS two-party computation for general functionalities in the plain model. Prior to our work, we only knew three-round constructions [Badrinarayanan et al., TCC 2017] and two-round protocols were not known from any computational assumption. As immediate applications, we establish the feasibility result for a series of cryptographic primitives of interest, such as: Two-round password authentication key exchange (PAKE) in the plain model, two-round concurrent blind signature in the plain model, and two round concurrent computation for quantum circuits (2PQC).

Shannon mutual information is an effective method to analyze the information interaction in a point-to-point communication system. However, it cannot solve the problem of channel capacity in graph structure communication system. This problem make it impossible to use traditional mutual information (TMI) to detect the real information and to measure the information embedded in the graph structure. Therefore, measuring the interaction of graph structure and the degree of privacy leakage has become an emerging and challenging issue to be considered. To solve this issue, we propose a novel structural mutual information (SMI) theory based on structure entropy model and the Shannon mutual information theorem, following by the algorithms for solving SMI. The SMI is used to detect the real network structure and measure the degree of private data leakage in the graph structure. Our work expands the channel capacity of Shannon’s second theorem in graph structure, discusses the correlation properties between SMI and TMI, and concludes that SMI satisfies some basic properties, including symmetry, non-negativity, and so on. Finally, theoretical analysis and example demonstration show that the SMI theory is more effective than the traditional privacy measurement methods to measure the information amount embedded in the graph structure and the overall degree of privacy leakage. It provides feasible theoretical support for the privacy protection technology in the graph structure.

Algorand Foundation invites proposals for the Algorand Centres of Excellence (ACE) programme to build and run multidisciplinary centers which advance research and support applied education in the blockchain and cryptocurrency space.

Proposals for three to five years are accepted from higher education institutions and non-profit research organizations anywhere in the world. The ACE programme is being launched with a budget of 100,000,000 ALGO for the next ten years.

See the ACE website for further details.

Public key cryptography is widely used in key exchange and digital signature protocols. Public key cryptography requires expensive primitive operations, such as finite-field and group operations. These finite-field and group operations require a number of clock cycles to exe- cute. By carefully optimizing these primitive operations, public key cryp- tography can be performed with reasonably fast execution timing. In this paper, we present the new implementation result of Curve448 on 32-bit ARM Cortex-M4 microcontrollers. We adopted state-of-art implementa- tion methods, and some previous methods were re-designed to fully uti- lize the features of the target microcontrollers. The implementation was also performed with constant timing by utilizing the features of micro- controllers and algorithms. Finally, the scalar multiplication of Curve448 on 32-bit ARM Cortex-M4@168MHz microcontrollers requires 6,285,904 clock cycles. To the best of our knowledge, this is the first optimized im- plementation of Curve448 on 32-bit ARM Cortex-M4 microcontrollers. The result is also compared with other ECC and post-quantum cryptog- raphy (PQC) implementations. The proposed ECC and the-state-of-art PQC results show the practical usage of hybrid post-quantum TLS on the target processor.

There are two main aims to this paper. Firstly, we survey the relevant existing attack strategies known to apply to the most commonly used lattice-based cryptographic problems as well as to a number of their variants. In particular, we consider attacks against problems in the style of LWE, SIS and NTRU defined over rings of the form $\mathbb{Z}[X]/(f(X), g(X))$, where classically $g(X) = q$ is an integer modulus. We also include attacks on variants which use only large integer arithmetic, corresponding to the degree one case $g(X) = X - c$. Secondly, for each of these approaches we investigate whether they can be generalised to the case of a polynomial modulus $g(X)$ having degree larger than one, thus addressing the security of the generalised cryptographic problems from linear algebra introduced by Bootland et al. We find that some attacks readily generalise to a wide range of parameters while others require very specific conditions to be met in order to work.

Message Authentication Code or MAC, is a well-studied cryptographic primitive that is used in order to authenticate communication between two parties sharing a secret key. A Tokenized MAC or TMAC is a related cryptographic primitive, introduced by Ben-David & Sattath (QCrypt'17) which allows limited signing authority to be delegated to third parties via the use of single-use quantum signing tokens. These tokens can be issued using the secret key, such that each token can be used to sign at most one document. We provide an elementary construction for TMAC based on BB84 states. Our construction can tolerate up to 14% noise, making it the first noise-tolerant TMAC construction. The simplicity of the quantum states required for our construction combined with its noise tolerance, makes it practically more feasible than the previous TMAC construction. The TMAC is existentially unforgeable against adversaries with signing and verification oracles (i.e., analogous to EUF-CMA security for MAC), assuming post-quantum one-way functions exist.

We have multiple open positions for PhD students in the area of symmetric and post-quantum cryptography in the Digital Security group at Radboud University in Nijmegen. The positions cover different topics, ranging from the provable security of modes of use, design of primitives supported by cryptanalysis, post-quantum algorithms and implementations, and protection against implementation attacks based on power, electromagnetic side channel analysis, and fault attacks. For the symmetric crypto topic, we focus on cryptography based on permutations as in the sponge, duplex and farfalle constructions, especially suited for low energy consumption. For the post-quantum cryptography position, a suggestion is to work on isogeny-based crypto but this can be discussed based on a candidate’s background.

The Digital Security Group of Radboud University is one of the leading groups in computer security in The Netherlands and Europe, and one of the pioneers in permutation-based crypto and corresponding leakage-resilient modes.

The successful candidate should ideally have a master in Computer Science, Mathematics, or Electrical engineering. Applications will be considered until the positions are filled.

To apply, please send the following documents to dis-secr (at) cs.ru.nl, with the subject "PhD position in cryptography":
- a motivation letter
- your cv
- your master diploma certificate (scanned)
- transcript of the courses you took (including grades)
- up to 3 references

To enquire about the positions you can contact: Joan Daemen, joan (at) cs.ru.nl, Lejla Batina, lejla (at) cs.ru.nl, and Bart Mennink, b.mennink (at) cs.ru.nl

Closing date for applications:

Contact: dis-secr (at) cs.ru.nl

Applications are invited for a post-doctoral fellow position in one or more of these areas- cryptographic engineering/applied cryptography as it relates to blockchain technology, cryptocurrencies and digital payments. The successful candidate will join Professor Anwar Hasan’s research group at the University of Waterloo. Applicants with a recent Ph.D. in Computer Engineering, Computer Science or a related discipline, and publications at premium venues are encouraged to send pdf copies of their CVs and cover letters via email to Professor Anwar Hasan (ahasan at uwaterloo.ca). Application deadline: November 8, 2021 for full consideration. After this deadline, applications will be processed as they arrive.

Closing date for applications:

Contact: Anwar Hasan

I (Ni Trieu) am looking for 2 Ph.D. students to join my group. An ideal candidate should be interested in security, privacy, applied cryptography. No prior experience in cryptography or security is required. Experience in other areas, including theory, math, database, machine learning, bioinformatics is a plus. If you are interested, please send your CV, transcripts, and everything that you believe will help your application in PDF format to nitrieu@asu.edu. Thank you.
Please see more information at https://nitrieu.github.io/position/.

Closing date for applications:

Contact: Ni Trieu

More information: https://nitrieu.github.io/position/