International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

29 October 2021

Hyeonbum Lee, Jae Hong Seo
ePrint Report ePrint Report
We propose two zero-knowledge arguments for arithmetic circuits with fan-in 2 gates in the uniform random string model. Our first protocol features $O(\sqrt{\log_2 N})$ communication and round complexities and $O(N)$ computational complexity for the verifier, where $N$ is the size of the circuit. Our second protocol features $O(\log_2N)$ communication and $O(\sqrt{N})$ computational complexity for the verifier. We prove the soundness of our arguments under the discrete logarithm assumption or the double pairing assumption, which is at least as reliable as the decisional Diffie-Hellman assumption. The main ingredient of our arguments is two different generalizations of B\"unz et al.'s Bulletproofs inner-product argument (IEEE S\&P 2018) that convinces a verifier of knowledge of two vectors satisfying an inner-product relation. For a protocol with sublogarithmic communication, we devise a novel method to aggregate multiple arguments for bilinear operations such as multi-exponentiations, which is essential for reducing communication overheads. For a protocol with a sublinear verifier, we develop a generalization of the discrete logarithm relation assumption, which is essential for reducing verification overhead while keeping the soundness proof solely relying on the discrete logarithm assumption. These techniques are of independent interest.
Expand
Xianrui Qin, Cailing Cai, Tsz Hon Yuen
ePrint Report ePrint Report
In this paper, we give the first formal security analysis on the one-more unforgeability of blind ECDSA. We start with giving a general attack on blind ECDSA, which is similar to the ROS attack on the blind Schnorr signature. We formulate the ECDSA-ROS problem to capture this attack.

Next, we give a generic construction of blind ECDSA based on an additive homomorphic encryption and a corresponding zero-knowledge proof. Our concrete instantiation is about 40 times more bandwidth efficient than the blind ECDSA in AsiaCCS 2019.

After that, we give the first formal proof of one-more unforgeability for blind ECDSA, under a new model called algebraic bijective random oracle. The security of our generic blind ECDSA relies on the hardness of a discrete logarithm-based interactive assumption and an assumption of the underlying elliptic curve.

Finally, we analyze the hardness of the ECDSA-ROS problem in the algebraic bijective random oracle model.
Expand
Apheris, Berlin, Germany
Job Posting Job Posting

As a Privacy and Cryptography Engineer at Apheris, your primary focus will be driving development of privacy and cryptographic modules in our product core and push it to customers together with a team of great software engineers and data scientists. You will be working on challenging deep tech projects closely together with customers from various industries with a focus on Healthcare, Pharma and Sustainability. With your engineering expertise, you will be responsible for meeting project and product goals and act accordingly to upcoming bottlenecks. You will design and build new features and enhance our product core with innovative technologies, participate in code reviews, and promote engineering best practices in our tech team. We empower you to be a major contributor to the success of projects, customer’s satisfaction, and the advancement of our product core.

What you will do
  • Implement privacy and cryptographic modules into our product in a secure, robust and scalable way
  • Be a hands-on engineering contributor and promote best practices in our tech team
  • Contribute to the writing of scientific whitepapers, Jupyter Notebook tutorials and blog posts about privacy and cryptographic algorithms and their usage in our product
  • Contribute to team deliverables following an agile methodology and participate in retrospective sessions to continuously improve the teams’ way of working
You should apply if
  • Master or PhD in Computer Science, Mathematics or Cryptography, or equivalent practical experience
  • 3 or more years of relevant work experience
  • Expert coding skills in Python, including common data science and ML libraries. Further languages are a plus (e.g.,R, C, C++, Go, Rust)
  • Solid understanding of privacy technologies and machine learning
  • ...

Closing date for applications:

Contact: See link to full text of the job description

More information: https://apheris.jobs.personio.de/job/492987?_pc=222318

Expand
Microsoft Research, Redmond, WA
Job Posting Job Posting
Research Internships at Microsoft provide a dynamic environment for research careers with a network of world-class research labs led by globally-recognized scientists and engineers. Our researchers and engineers pursue innovation in a range of scientific and technical disciplines to help solve complex challenges in diverse fields, including computing, healthcare, economics, and the environment.

The Cryptography and Privacy Research Group is hiring interns for the summer of 2022. We are seeking strong candidates to work with our renowned researchers on various topics. We are particularly interested in privacy-preserving ML, privacy and transparency techniques for digital identity systems and public key infrastructures, account/identity/password recovery, and web privacy/security, including fraud detection and prevention. We encourage all PhD students with relevant technical background in any of these topics to apply as soon as possible, as we will start interviewing immediately.

For summer internships, we typically work closely with Microsoft product groups (Teams, Edge, to name a few) to bring research ideas to real life. The internships often involve prototyping the research results, so a strong candidate is expected to have some proficiency in programming and interest in working alongside our engineers.

More information and application at https://careers.microsoft.com/us/en/job/1195145/Research-Intern-Privacy-and-Cryptography

Closing date for applications:

Contact: Kim Laine (kim.laine@microsoft.com)

Expand
KIT, Karlsruhe, Germany
Job Posting Job Posting
We have a fully funded position to pursue a PhD (or join us as a postdoc) as part of our French-German project Propolis on Smart City Privacy, in a consortium with Eurecom, SAP, and The Urban Institute: https://propolis-project.eu/ . We will primarily work on publishing location trajectories with DP guarantees and differentially private ML on location data (for instance for traffic management, public security, and risk management in smart cities).

We can hire MSc graduates from CS, math and related fields who would like to pursue a PhD, or PostDocs to prepare them for academic/industry careers -- or to keep them with us for a while (including co-supervision of MSc/PhD students, if applicable). We are and will remain a small, international, diverse team with close interaction. Good command of the English language is necessary (no German needed), and we recruit based on qualification and commitment. We focus on positive working environments and the quality of results.

Closing date for applications:

Contact: Thorsten Strufe and Javier Parra-Arnau

More information: https://ps.tm.kit.edu/english/200.php

Expand
KIT, Karlsruhe, Germany
Job Posting Job Posting
Four fully funded positions to do a PhD or Post-Doc (co-supervision of PhD students, in case of interest) on 6G security and privacy (location privacy, availability, security architectures, practical quantum key generation) at KIT/KASTEL and Excellence Cluster CeTI.

Closing date for applications:

Contact: Thorsten Strufe

More information: https://ps.tm.kit.edu/english/200.php

Expand

27 October 2021

Canterbury, United Kingdom, -
Event Calendar Event Calendar
Event date: to
Submission deadline: 21 March 2022
Notification: 6 June 2022
Expand
Giesecke+Devrient Mobile Security GmbH, Munich, Germany
Job Posting Job Posting
In a fast changing world, it takes pioneering spirit to create trustworthy technology. We enable secure connectivity and payment solutions for billions of people around the globe. At G+D Mobile Security, you will play a key role in realizing the digital transformation.

G+D Mobile Security is looking for a Cryptography Engineer (m/f/d) for its Cryptology department at its Munich Headquarters as soon as possible

Job description:

  • Secure implementation of cryptographic algorithms and security relevant OS components for smart cards in assembler
  • Optimization regarding run time and memory consumption
  • Design and implementation of countermeasures to defend against hardware related attacks against smart cards
  • Analysis of the results of side-channel attacks and derivation of effective countermeasures
Your Profile:
  • Background in mathematics, computer science or electronic engineering
  • Ideally PhD in cryptography or 3+ years experience in cryptography or related area
  • Programming skills in assembler for 8/16/32 bit embedded microcontrollers
  • Ideally experience in embedded security and side-channel-attacks
Your benefits:
  • High level of responsibility and exciting projects
  • Working in an international security technology company
  • Very flexible working hours and home office possibilities
  • Wide range of training and further education opportunities
  • Attractive family benefits such as a summer holiday camp for children
  • Other benefits such as an own sports club and a canteen subsidized by the employer
We are looking forward to receiving your application!

https://careers.gi-de.com/job/Munich-Kryptologen-%28mfd%29-81677/723297801/

Closing date for applications:

Contact: Dr. Harald Vater (Harald.Vater (at) gi-de.com)

Expand
University of the West of England
Job Posting Job Posting
The candidate will investigate the utilisation of emerging variants of blockchains, such as redactable directed acyclic graph (DAG) based blockchain, as well as proof-of-location techniques for securing IoT and wireless devices. The candidate will work under a supervisory team with high expertise in IoT, wireless networks and protocols from, blockchain and information security, including Dr Djamel Djenouri and Dr Essam Ghadafi. For an informal discussion about the studentship, please email Dr Djamel Djenouri (Djamel.Djenouri@uwe.ac.uk) or Dr Essam Ghadafi (Essam.Ghadafi@uwe.ac.uk).

Closing date for applications:

Contact: Essam Ghadafi (Essam.Ghadafi@uwe.ac.uk)

More information: https://www.uwe.ac.uk/research/postgraduate-research-study/how-to-apply/studentship-opportunities/iot-over-wireless-networks

Expand
CISPA Helmholtz Center for Information Security
Job Posting Job Posting
The CISPA Helmholtz Center for Information Security provides a unique work environment that offers the advantages of a university department and a research laboratory alike. As the latest member of the Helmholtz Association, the largest research organization in Germany, CISPA has embarked on a mission: to rethink the digitalized world of the future from the ground up and make it safer through innovative cutting-edge research. In the medium term, the center will grow to more than 800 employees with 60 Faculty and research group leaders. Faculty receive extremely competitive institutional funding, enjoy academic freedom, and build and lead their team of young researchers, and are granted the opportunity to teach graduate and undergraduate courses.

CISPA is located in Saarbrücken, in the tri-border area of Germany, France, and Luxembourg. We maintain an international and diverse work environment and seek applications from outstanding researchers worldwide. The working language is English. A command of German is not required for a successful career at CISPA.

CISPA is looking for candidates that hold a doctoral degree in computer science or related areas and have an outstanding research track record in all areas related to IT-Security, Privacy and Cryptography, especially in, but not limited to the fields of

  • software security,
  • security of critical infrastructure,
  • embedded systems,
  • network and distributed system (incl. blockchains) security,
  • hardware security,
  • privacy-enhancing technologies,
  • usable security and privacy,
  • applied cryptography,
  • quantum cryptography,
  • cryptanalysis.

    All applicants are expected to build up a research team that pursues an internationally visible research agenda.

    Tenure-track positions are intended for candidates with excellent research credentials and the potential to pursue a program of innovative research. The positions are comparable to tenure-track positions at a leading university, and come with two full time research staff positions and generous support for other expenses.

    Closing date for applications:

    Contact: scientific-recruiting@cispa.saarland

    More information: https://jobs.cispa.saarland/jobs/detail/tenure-track-faculty-positions-in-all-areas-related-to-it-security-privacy-and-cryptography-f-m-d-129

  • Expand
    Akash Shah, Nishanth Chandran, Mesfin Dema, Divya Gupta, Arun Gururajan, Huan Yu
    ePrint Report ePrint Report
    Secure inference allows a server holding a machine learning (ML) inference algorithm with private weights, and a client with a private input, to obtain the output of the inference algorithm, without revealing their respective private inputs to one another. While this problem has received plenty of attention, existing systems are not applicable to a large class of ML algorithms (such as in the domain of Natural Language Processing) that perform featurization as their first step. In this work, we address this gap and make the following contributions:

    1. We initiate the formal study of secure featurization and its use in conjunction with secure inference protocols. 2. We build secure featurization protocols in the one/two/three-server settings that provide a tradeoff between security and efficiency. 3. Finally, we apply our algorithms in the context of secure phishing detection and evaluate our end-to-end protocol on models that are commonly used for phishing detection.
    Expand
    Sebastian Paul, Yulia Kuzovkova, Norman Lahr, Ruben Niederhagen
    ePrint Report ePrint Report
    Large-scale quantum computers will be able to efficiently solve the underlying mathematical problems of widely deployed public key cryptosystems in the near future. This threat has sparked increased interest in the field of Post-Quantum Cryptography (PQC) and standardization bodies like NIST, IETF, and ETSI are in the process of standardizing PQC schemes as a new generation of cryptography. This raises the question of how to ensure a fast, reliable, and secure transition to upcoming PQC standards in today’s highly interconnected world.

    In this work, we propose and investigate a migration strategy towards post-quantum (PQ) authentication for the network protocol Transport Layer Security (TLS). Our strategy is based on the concept of “mixed certificate chains” which use different signature algorithms within the same certificate chain. In order to demonstrate the feasibility of our migration strategy we combine the well-studied and trusted hash-based signature schemes SPHINCS+ and XMSS with elliptic curve cryptography first and subsequently with lattice-based PQC signature schemes (CRYSTALS-Dilithium and Falcon). Furthermore, we combine authentication based on mixed certificate chains with the lattice-based key encapsulation mechanism (KEM) CRYSTALS-Kyber as representative for PQC KEMs to evaluate a fully post-quantum and mutually authenticated TLS 1.3 handshake.

    Our results show that mixed certificate chains containing hash-based signature schemes only at the root certificate authority level lead to feasible connection establishment times despite the increase in communication size. By analyzing code size and peak memory usage of our client and server programs we further demonstrate the suitability of our migration strategy even for embedded devices.
    Expand
    Dmitrii Koshelev
    ePrint Report ePrint Report
    This paper continues author's previous ones about compression of points on elliptic curves $E_b\!: y^2 = x^3 + b$ (with $j$-invariant $0$) over a finite field $\mathbb{F}_{\!q}$. More precisely, we show in detail how any two (resp. three) points from $E_b(\mathbb{F}_{\!q})$ can be quickly compressed to two (resp. three) elements of $\mathbb{F}_{\!q}$ (apart from a few auxiliary bits) in such a way that the corresponding decompression stage requires to extract only one cubic (resp. sextic) root in $\mathbb{F}_{\!q}$ (with several multiplications and without inversions). As a result, for many $q$ occurring in practice the new compression-decompression methods are more efficient than the classical one with the two (resp. three) $x$ or $y$ coordinates of the points, which extracts two (resp. three) roots in $\mathbb{F}_{\!q}$. We explain why the new methods are useful in the context of modern real-world pairing-based protocols. As a by-product, when $q \equiv 2 \ (\mathrm{mod} \ 3)$ (in particular, $E_b$ is supersingular), we obtain a two-dimensional analogue of Boneh--Franklin's encoding, that is a way to sample two \grqq independent'' $\mathbb{F}_{\!q}$-points on $E_b$ at the cost of one cubic root in $\mathbb{F}_{\!q}$. Finally, we comment on the case of four and more points from $E_b(\mathbb{F}_{\!q})$.
    Expand
    Lukas Aumayr, Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Pedro Monero-Sanchez, Matteo Maffei
    ePrint Report ePrint Report
    Payment channels (PC) are a promising solution to the scalability issue of cryptocurrencies, allowing users to perform the bulk of the transactions off-chain without needing to post everything on the blockchain. Many PC proposals however, suffer from a severe limitation: Both parties need to constantly monitor the blockchain to ensure that the other party did not post an outdated transaction. If this event happens, the honest party needs to react promptly and engage in a punishment procedure. This means that prolonged absence periods (e.g., due to a power outage) may be exploited by malicious users. As a mitigation, the community has introduced watchtowers, a third-party monitoring the blockchain on behalf of off-line users. Unfortunately, watchtowers are either trusted, which is critical from a security perspective, or they have to lock a certain amount of coins, called collateral, for each monitored PC in order to be held accountable, which is financially infeasible for a large network.

    We present Sleepy Channels, the first bi-directional PC protocol without watchtowers (or any other third party) that supports an unbounded number of payments and does not require parties to be persistently online. The key idea is to confine the period in which PC updates can be validated on-chain to a short, pre-determined time window, which is where the PC parties have to be online. This behavior is incentivized by letting the parties lock a collateral in the PC, which can be adjusted depending on their mutual trust and which they get back much sooner if they are online during this time window. Our protocol is compatible with any blockchain that is capable of verifying digital signatures (e.g., Bitcoin), as shown by our proof of concept. Moreover, Sleepy Channels impose a communication and computation overhead similar to state-of-the-art PC protocols while removing watchtower's collateral and fees for the monitoring service.
    Expand
    Bo-Yuan Peng, Adrian Marotzke, Ming-Han Tsai, Bo-Yin Yang, Ho-Lin Chen
    ePrint Report ePrint Report
    We present a novel full hardware implementation of Streamlined NTRU Prime, with two variants: A high-speed, high-area implementation, and a slower, low-area implementation. We introduce several new techniques that improve performance, including a batch inversion for key generation, a high-speed schoolbook polynomial multiplier, an NTT polynomial multiplier combined with a CRT map, a new DSP-free modular reduction method, a high-speed radix sorting module, and new en- and decoders. With the high-speed design, we achieve the to-date fastest speeds for Streamlined NTRU Prime, with speeds of 5007, 10989 and 64026 cycles for encapsulation, decapsulation, and key generation respectively, while running at 285 MHz on a Xilinx Zynq Ultrascale+. The entire design uses 40060 LUT, 26384 flip-flops, 36.5 Bram and 31 DSP.
    Expand
    Karl Wüst, Kari Kostiainen, Srdjan Capkun
    ePrint Report ePrint Report
    Due to the popularity of blockchain-based cryptocurrencies, the increasing digitalization of payments, and the constantly reducing role of cash in society, central banks have shown an increased interest in deploying central bank digital currencies (CBDCs) that could serve as a replacement of cash. While most recent research on CBDCs focuses on blockchain technology, it is not clear that this choice of technology provides the optimal solution. In particular, the centralized trust model of a CBDC offers opportunities for different designs. In this paper, we depart from blockchain designs and instead build on ideas from traditional e-cash schemes. We propose a new style of building digital currencies that combines the transaction processing model of e-cash with the account model of managing funds that is commonly used in blockchain solutions. We argue that such a style of building digital currencies is especially well-suited to CBDCs. We also design the first such digital currency system, called Platypus, that provides strong privacy, massive scalability, and expressive but simple regulation, which are all critical features for a CBDC. Platypus achieves these properties by adapting techniques similar to those used in anonymous blockchain cryptocurrencies like Zcash and applying them to the e-cash context.
    Expand
    Yupu Hu, Jun Liu, Baocang Wang, Xingting Dong, Yanbin Pan
    ePrint Report ePrint Report
    Functional encryption (FE) is an advanced topic in the research of cryptography, and the Agr17 FE scheme is one of the major FE schemes. It took the BGG+14 attribute-based encryption (ABE) scheme as a bottom structure, which was upgraded into a `partially hiding predicate encryption' (PHPE) scheme and combined with a fully homomorphic encryption (FHE) scheme. However, there is a remaining problem, the implementation of the modulus reduction, in the Agr17 FE scheme. First, a modulus reduction is necessary for the polynomial-time computability of the scheme. Second, the detailed steps of the modulus reduction were absent in the scheme (including its conference version and full version). Instead, the authors only pointed out several reference works. The author's meaning seemed to be that the modulus reduction of the Agr17 FE scheme can be obtained by directly using or simply generalizing these reference works. Third, these reference works only described various modulus reductions of FHE schemes, without the hint of how to generalize them into the modulus reduction of FE schemes. Finally, any modulus reduction of FHE can not be simply generalized into the modulus reduction of the Agr17 FE scheme due to the following two facts: (1) The Agr17 FE scheme has two moduli, which are the modulus of the FHE ciphertext and of the ABE ciphertext, both are originally superpolynomial in size for processing $P/poly$ functions. (2) Both moduli need to be scaled down to polynomial size, and both of them need to be reduced to the same new modulus, otherwise, the correctness of the scheme will fail.

    In this paper, we demonstrate that the Agr17 FE scheme is $P/poly$ invalid. More specifically, we show that, when processing $P/poly$ functions, the Agr17 FE scheme cannot be implemented again after its modulus reduction. To show the soundness of our demonstration, we present the statements in two stages. At the first stage, we show that the modulus reduction of the Agr17 FE scheme should be a double modulus reduction, which includes two modulus reductions for the FHE ciphertext and ABE ciphertext, respectively. This double modulus reduction has the following three key points: (1) The modulus reduction for the FHE ciphertext should be seen as a series of Boolean operations, and converted into `attribute quasi-homomorphic operations'. (2) The modulus reduction for the ABE ciphertext is a learning-with-errors (LWE) -based modulus reduction, which is an ordinary modulus reduction. (3) The two modulus reductions should obtain the same new modulus, otherwise, the scheme would not be implemented again. At the second stage, we show that the modulus reduction for the ABE ciphertext will destroy the structure of ABE so that the subsequent decryption would not be executed. The reason lies in that the decryption of ABE is an LWE decryption with conditions rather than an ordinary LWE decryption, and the modulus reduction will destroy the conditions of decryption. Besides, to show such invalidity cannot be easily crossed by revising the scheme, we design a `natural' revised version of the Agr17 scheme. The key point is to change the small modulus inner product into an arithmetic inner product, which can be obtained by the modulus inner product of the ABE ciphertext. The revised scheme is valid, i.e., the decryption can be implemented correctly. However, the revised scheme is insecure because the decryptor knows much more secret information, and hence the scheme can be broken by collusion attacks with much less cost.
    Expand
    Paul Crowley, Nathan Huckleberry, Eric Biggers
    ePrint Report ePrint Report
    On modern processors HCTR is one of the most efficient constructions for building a tweakable super-pseudorandom permutation. However, a bug in the specification and another in Chakraborty and Nandi's security proof invalidate the claimed security bound. We here present HCTR2, which fixes these issues and improves the security bound, performance and flexibility. GitHub: https://github.com/google/hctr2
    Expand
    Kyoohyung Han, Dukjae Moon, Yongha Son
    ePrint Report ePrint Report
    Circuit-based Private Set Intersection (circuit-PSI) enables two parties with input set $X$ and $Y$ to compute a function $f$ over the intersection set $X \cap Y$, without revealing any other information. State-of-the-art protocols for circuit-PSI commonly involves a procedure that securely checks whether two input strings are equal and outputs an additive share of the equality result. More importantly, this procedure occupies the largest portion, roughly $90\%$ computational or communication cost for circuit-PSI. In this work, we propose {\textit{equality preserving compression}} (EPC) protocol that compresses the length of equality check targets while preserving equality using homomorphic encryption (HE) scheme, which is secure against the semi-honest adversary. We then apply our EPC protocol to previous circuit-PSI protocols framework and implement them. As a result, we achieve around 2x improvement on both communication and computational cost {\emph{at one stroke}} than previous results.
    Expand
    ZUC Design Team
    ePrint Report ePrint Report
    ZUC-256 is a stream cipher, together with AES-256 and SNOW-V, proposed as the core primitive in future set of 3GPP confidentiality and integrity algorithms for the upcoming 5G applications which offer the 256-bit security. \\ While the original initialization scheme of ZUC-256 can work with a 256-bit key and an IV of length up to 184 bits, we describe a new initialization scheme of ZUC-256 that supports an IV of the exact 128 bits in this paper. Compared to the original initialization scheme, this new key/IV setup algorithm avoids the division of the whole key/IV byte and provides a simple and natural-looking initialization scheme for ZUC-256.
    Expand
    ◄ Previous Next ►