International Association for Cryptologic Research


IACR News


Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo and Facebook.

17 November 2021

Christopher Battarbee, Delaram Kahrobaei, Dylan Tailor, Siamak F. Shahandashti
ePrint Report
All instances of the semidirect key exchange protocol, a generalisation of the famous Diffie-Hellman key exchange protocol, satisfy the so-called ``telescoping equality''; in some cases, this equality has been used to construct an attack. In this report we present computational evidence suggesting that an instance of the scheme called `MOBS (Matrices Over Bitstrings)' is an example of a scheme where the telescoping equality has too many solutions to be a practically viable means to conduct an attack.
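The protocol and the identity the abstract refers to, as an added example that is not part of the ePrint item and not the paper's code: a toy semidirect product key exchange over 2x2 matrices modulo a small prime, with the automorphism phi given by conjugation with a public matrix H. The modulus, H and the base element M are assumptions made here; MOBS itself works over matrices of bitstrings and is not reproduced. The block runs the exchange for both parties, checks the telescoping equality A_m * phi^m(M) = M * phi(A_m), which follows from the semidirect product law alone, and shows what that equality hands an eavesdropper who sees only public values.

```python
"""Semidirect product key exchange (SDPKE) and its telescoping equality.

Added illustration, not the paper's code or the MOBS scheme: this toy instance
uses 2x2 matrices over Z_P with the automorphism phi(X) = H^-1 X H for a public
matrix H (modulus, H and M are assumptions).  The group law, the key agreement
and the equality A_m * phi^m(M) = M * phi(A_m) are shared by every instance.
"""
P = 1_000_003                 # toy prime modulus (assumption; real instances are far larger)
H = [[2, 3], [5, 7]]          # public invertible matrix defining phi(X) = H^-1 X H
M = [[1, 1], [0, 1]]          # public base element of the matrix group
I2 = [[1, 0], [0, 1]]

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) % P for j in range(2)] for i in range(2)]

def mat_inv(X):
    (a, b), (c, d) = X
    di = pow((a * d - b * c) % P, -1, P)
    return [[d * di % P, -b * di % P], [-c * di % P, a * di % P]]

def mat_pow(X, e):
    R = I2
    while e:
        if e & 1:
            R = mat_mul(R, X)
        X = mat_mul(X, X)
        e >>= 1
    return R

def phi(X, i=1):
    """i-fold application of the automorphism: phi^i(X) = H^-i X H^i."""
    Hi = mat_pow(H, i)
    return mat_mul(mat_mul(mat_inv(Hi), X), Hi)

def sdp_mul(x, y):
    """Semidirect product law with automorphisms written as powers of phi:
    (a, phi^i) * (b, phi^j) = (a * phi^i(b), phi^(i+j))."""
    (a, i), (b, j) = x, y
    return (mat_mul(a, phi(b, i)), i + j)

def sdp_pow(x, e):
    """Square-and-multiply in the semidirect product (powers of x commute)."""
    r, base = (I2, 0), x
    while e:
        if e & 1:
            r = sdp_mul(r, base)
        base = sdp_mul(base, base)
        e >>= 1
    return r

def public_value(secret):
    """(M, phi)^secret = (A, phi^secret); only A is sent, the exponent stays private."""
    return sdp_pow((M, 1), secret)[0]

def key_exchange(m, n):
    """Alice holds m, Bob holds n; each derives the first component of (M, phi)^(m+n)."""
    A, B = public_value(m), public_value(n)
    k_alice = mat_mul(A, phi(B, m))      # (A, phi^m)(B, phi^n)
    k_bob = mat_mul(B, phi(A, n))        # (B, phi^n)(A, phi^m)
    return k_alice, k_bob

def telescoping_sides(m):
    """Both sides of A_m * phi^m(M) = M * phi(A_m); each equals A_(m+1)."""
    A = public_value(m)
    return mat_mul(A, phi(M, m)), mat_mul(M, phi(A))

def attacker_view(A):
    """From public data alone the equality yields phi^m(M) = A^-1 * M * phi(A)
    without m; whether that finishes an attack depends on how many solutions
    the equations it induces admit."""
    return mat_mul(mat_mul(mat_inv(A), M), phi(A))

if __name__ == "__main__":
    ka, kb = key_exchange(1234, 5678)
    lhs, rhs = telescoping_sides(1234)
    print("shared key agrees:", ka == kb, "telescoping equality holds:", lhs == rhs)
```

The equality pins down phi^m(M) from values an eavesdropper sees; turning that into a key recovery requires a solution of the induced equations that also acts correctly on the other party's public value, and the abstract's claim is that for MOBS that solution set is too large to be useful.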

15 November 2021

Election
The 2021 Election for Directors of the IACR Board is now open.

You may vote as often as you wish now through November 16th using the Helios https://heliosvoting.org cryptographically-verifiable election system, but only your last vote will be counted.

Please see for a brief overview of how the Helios system works and https://www.iacr.org/elections/eVoting/ for information on the IACR decision to adopt Helios.

2021 members of the IACR (generally people who attended an IACR event in 2020) should shortly receive, or have already received, voting credentials from system@heliosvoting.org sent to their email address of record with the IACR. Please check your spam folder first if you believe that you haven't received the mail. Questions about this election may be sent to elections@iacr.org.

Information about the candidates can be found below and also at https://iacr.org/elections/2021/candidates.php.
Jean-Pierre Münch, Thomas Schneider, Hossein Yalame
ePrint Report
The symmetric cryptographic primitive of choice today is AES. Its security is well-studied and hardware acceleration is available on a variety of platforms. Following the success of AES and the 128-bit AES-NI instructions for it, Intel has extended the x86 instruction set with Vector AES instructions. For the first time, we evaluate the performance impact that these instructions have on complex AES processing beyond bulk encryption. In particular, we focus on the area of secure multi-party computation where AES calls are either independent, allowing easy use of VAES for full speed-up, or where the AES calls are dependent on the results of previous AES evaluations. For independent calls, we evaluate the performance impact using Microsoft CrypTFlow2 and the EMP-OT library, both of which primarily use AES in counter mode. For dependent calls, we evaluate the performance impact using the ABY framework and the EMP-AGMPC framework. To get optimal efficiency from the hardware, enough independent calls need to be combined for each batch of AES executions. We identify such batches using a deferred execution technique paired with early execution to reduce non-locality issues and more static techniques using circuit depth and explicit gate independence. We present a performance and a modularity-focused technique to compute the AES operations efficiently while also immediately using the results and preparing the inputs. Using these manually implemented techniques, we achieve a performance improvement via VAES of up to 244% for ABY and of up to 28% for EMP-AGMPC. With our additional, alternative garbling schemes, we achieve up to 171% better performance for ABY through the use of VAES. Additionally, our evaluations show overall performance benefits of up to 24% for EMP-OT.
Feng Hao, Paul C. van Oorschot
ePrint Report
Password-authenticated key exchange (PAKE) is a major area of cryptographic protocol research and practice. Many PAKE proposals have emerged in the 30 years following the original 1992 Encrypted Key Exchange (EKE), some accompanied by new theoretical models to support rigorous analysis. To reduce confusion and encourage practical development, major standards bodies including IEEE, ISO/IEC and the IETF have worked towards standardizing PAKE schemes, with mixed results. Challenges have included contrasts between heuristic protocols and schemes with security proofs, and subtleties in the assumptions of such proofs rendering some schemes unsuitable for practice. Despite initial difficulty identifying suitable use cases, the past decade has seen PAKE adoption in numerous large-scale applications such as Wi-Fi, Apple's iCloud, browser synchronization, e-passports, and the Thread network protocol for Internet of Things devices. Given this backdrop, we consolidate three decades of knowledge on PAKE protocols, integrating theory, practice, standardization and real-world experience. We provide a thorough and systematic review of the field, a summary of the state-of-the-art, a taxonomy to categorize existing protocols, and a comparative analysis of protocol performance using representative schemes from each taxonomy category. We also review real-world applications, summarize lessons learned, and highlight open research problems related to PAKE protocols.
Luca Notarnicola, Gabor Wiese
ePrint Report
We consider the problem of revealing a small hidden lattice from the knowledge of a low-rank sublattice modulo a given sufficiently large integer – the Hidden Lattice Problem. A central motivation of study for this problem is the Hidden Subset Sum Problem, whose hardness is essentially determined by that of the hidden lattice problem. We describe and compare two algorithms for the hidden lattice problem: we first adapt the algorithm by Nguyen and Stern for the hidden subset sum problem, based on orthogonal lattices, and propose a new variant, which we explain to be related by duality in lattice theory. Following heuristic, rigorous and practical analyses, we find that our new algorithm brings some advantages as well as a competitive alternative for algorithms for problems with cryptographic interest, such as Approximate Common Divisor Problems, and the Hidden Subset Sum Problem. Finally, we study variations of the problem and highlight its relevance to cryptanalysis.
Erik Anderson, Melissa Chase, F. Betul Durak, Esha Ghosh, Kim Laine, Chenkai Weng
ePrint Report
We introduce a secure histogram aggregates method which is suitable for many applications such as ad conversion measurements. Our solution relies on three-party computation with linear complexity and guarantees differentially private histogram outputs. We formally analyse the security and privacy of our method and compare it with existing proposals. Finally, we conclude our report with a performance analysis.
Kotaro Abe, Makoto Ikeda
ePrint Report
Lattice attacks are threats to (EC)DSA and have been used in cryptanalysis. In lattice attacks, a few leaked nonce bits in multiple signatures are sufficient to recover the secret key. Currently, the BKZ algorithm is frequently used as a lattice reduction algorithm for lattice attacks, and there are many reports on the conditions for successful attacks. However, experimental attacks using the BKZ algorithm have only shown results for specific key lengths, and it is not clear how the conditions change as the key length changes. In this study, we conducted some experiments to simulate lattice attacks on P256, P384, and P521 and confirmed that attacks on P256 with a 3-bit nonce leak, P384 with a 4-bit nonce leak, and P521 with a 5-bit nonce leak are feasible. The result for P521 is a new record. We also investigated in detail the reasons for the failure of the attacks and proposed a model to estimate the feasibility of lattice attacks using the BKZ algorithm. We believe that this model can be used to estimate the effectiveness of lattice attacks when the key length is changed.
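The attack the abstract describes, as an added toy example that is not the authors' code: ECDSA's signing relation is rewritten as a hidden number problem and solved with a textbook LLL written out in full. A 20-bit toy group order and a 12-bit leak per nonce are used so that LLL suffices where the paper needs BKZ at P-256/P-384/P-521 sizes with 3 to 5 leaked bits. The group order, the leak size, the number of signatures and the randomly drawn r values are assumptions of the toy (a real r is the x-coordinate of kG, but the lattice never uses the curve); the signatures are constructed in the block.

```python
"""Recovering an ECDSA key from partially known nonces with a lattice (toy scale).

Added example, not the paper's code: the paper runs BKZ on P-256/384/521 with
3-5 leaked bits; a 20-bit toy group order and a 12-bit leak let the plain LLL
below succeed.  Only s = k^-1 (h + r*d) mod N is modelled, so r is drawn at
random instead of being the x-coordinate of kG (assumption: the lattice never
touches the curve).  All signatures are constructed here.
"""
import random
from fractions import Fraction

N = 1_000_003                            # toy group order (prime)
LEAK_BITS = 12                           # top bits of every nonce known to be zero
B = 2 ** (N.bit_length() - LEAK_BITS)    # nonce bound: 0 < k < B
M = 8                                    # signatures collected

def sign(d, h, rng):
    """ECDSA-style signature with a biased nonce; r is random (see above)."""
    while True:
        k = rng.randrange(1, B)
        r = rng.randrange(1, N)
        s = pow(k, -1, N) * (h + r * d) % N
        if s:
            return r, s

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals (Gram-Schmidt recomputed after each swap)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
            mu[i][i] = Fraction(1)
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b[k] against b[j]
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b

def recover_key(sigs):
    """Hidden number problem: k_i = t_i*d + u_i mod N with 0 < k_i < B.
    Lattice rows: N*e_i, (t_1..t_m, B/N, 0), (u_1..u_m, 0, B); the short
    vector (k_1..k_m, d*B/N, B) lies in it and LLL exposes it."""
    t, u = [], []
    for h, r, s in sigs:
        s_inv = pow(s, -1, N)
        t.append(s_inv * r % N)
        u.append(s_inv * h % N)
    m = len(sigs)
    basis = [[N if j == i else 0 for j in range(m + 2)] for i in range(m)]
    basis.append(t + [Fraction(B, N), 0])
    basis.append(u + [0, B])
    for row in lll(basis):
        if row[-1] == 0:
            continue
        cand = row[-2] * N / row[-1]             # (d*B/N) / B * N, up to scaling
        if cand.denominator != 1:
            continue
        cand = int(cand) % N
        if all(0 < (ti * cand + ui) % N < B for ti, ui in zip(t, u)):
            return cand                          # every implied nonce respects the leak
    return None

def demo(seed=1):
    """Constructed scenario: returns (true key, recovered key)."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    sigs = []
    for _ in range(M):
        h = rng.randrange(1, N)
        sigs.append((h,) + sign(d, h, rng))
    return d, recover_key(sigs)

if __name__ == "__main__":
    d, found = demo()
    print("true key:", d, "recovered:", found)
```

The candidate check at the end is what makes the result trustworthy: a wrong d would imply nonces that violate the leak bound with overwhelming probability, so the function only returns a key that explains every signature.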
Maria Corte-Real Santos, Craig Costello, Jia Shi
ePrint Report
We give a new algorithm for finding an isogeny from a given supersingular elliptic curve $E/\mathbb{F}_{p^2}$ to a subfield elliptic curve $E'/\mathbb{F}_p$, which is the bottleneck step of the Delfs-Galbraith algorithm for the general supersingular isogeny problem. Our core ingredient is a novel method of rapidly determining whether a polynomial $f \in L[X]$ has any roots in a subfield $K \subset L$, while crucially avoiding expensive root-finding algorithms. In the special case when $f=\Phi_{\ell,p}(X,j) \in \mathbb{F}_{p^2}[X]$, i.e. when $f$ is the $\ell$-th modular polynomial evaluated at a supersingular $j$-invariant, this provides a means of efficiently determining whether there is an $\ell$-isogeny connecting the corresponding elliptic curve to a subfield curve. Together with the traditional Delfs-Galbraith walk, inspecting many $\ell$-isogenous neighbours in this way allows us to search through a larger proportion of the supersingular set per unit of time. Though the asymptotic $\tilde{O}(p^{1/2})$ complexity of our improved algorithm remains unchanged from that of the original Delfs-Galbraith algorithm, our theoretical analysis and practical implementation both show a significant reduction in the runtime of the subfield search. This sheds new light on the concrete hardness of the general supersingular isogeny problem, the foundational problem underlying isogeny-based cryptography.
Ghada Arfaoui, Pierre-Alain Fouque, Thibaut Jacques, Pascal Lafourcade, Adina Nedelcu, Cristina Onete, Léo Robert
ePrint Report
Deep attestation is a particular case of remote attestation, i.e., verifying the integrity of a platform with a remote verification server. We focus on the remote attestation of hypervisors and their hosted virtual machines (VM), for which two solutions are currently supported by ETSI. The first is single-channel attestation, requiring for each VM an attestation of that VM and the underlying hypervisor through the physical TPM. The second, multi-channel attestation, allows VMs to be attested via virtual TPMs and separately from the hypervisor -- this is faster and requires fewer attestations overall, but the server cannot verify the link between VM and hypervisor attestations, which comes for free with single-channel attestation. We design a new approach to provide linked remote attestation which achieves the best of both worlds: we benefit from the efficiency of multi-channel attestation while simultaneously allowing attestations to be linked. Moreover, we formalize a security model for deep attestation and prove the security of our approach. Our contribution is agnostic of the precise underlying secure component (which could be instantiated as a TPM or something equivalent) and can be of independent interest. Finally, we implement our proposal using TPM 2.0 and vTPM (KVM/QEMU), and show that it is practical and efficient.
Thomas Espitau, Pierre-Alain Fouque, François Gérard, Mélissa Rossi, Akira Takahashi, Mehdi Tibouchi, Alexandre Wallet, Yang Yu
ePrint Report
This work describes the Mitaka signature scheme: a new hash-and-sign signature scheme over NTRU lattices which can be seen as a variant of NIST finalist Falcon. It achieves comparable efficiency but is considerably simpler, online/offline, and easier to parallelize and protect against side-channels, thus offering significant advantages from an implementation standpoint. It is also much more versatile in terms of parameter selection. We obtain this signature scheme by replacing the FFO lattice Gaussian sampler in Falcon by the ``hybrid'' sampler of Ducas and Prest, for which we carry out a detailed and corrected security analysis. In principle, such a change can result in a substantial security loss, but we show that this loss can be largely mitigated using new techniques in key generation that allow us to construct much higher quality lattice trapdoors for the hybrid sampler relatively cheaply. This new approach can also be instantiated on a wide variety of base fields, in contrast with Falcon's restriction to power-of-two cyclotomics. We also introduce a new lattice Gaussian sampler with the same quality and efficiency, but which is moreover compatible with the integral matrix Gram root technique of Ducas et al., allowing us to avoid floating point arithmetic. This makes it possible to realize the same signature scheme as Mitaka efficiently on platforms with poor support for floating point numbers. Finally, we describe a provably secure masking of Mitaka. More precisely, we introduce novel gadgets that allow provable masking at any order at much lower cost than previous masking techniques for Gaussian sampling-based signature schemes, for cheap and dependable side-channel protection.
Clemens Hlauschek, Norman Lahr, Robin Leander Schröder
ePrint Report
Well before large-scale quantum computers will be available, traditional cryptosystems must be transitioned to post-quantum secure schemes. The NIST PQC competition aims to standardize suitable cryptographic schemes. Candidates are evaluated not only on their formal security strengths, but are also judged based on the security of the optimized implementation, for example, with regard to resistance against side-channel attacks.

HQC is a promising code-based key encapsulation scheme and was selected as an alternate candidate in the third round of the competition, which puts it on track for being standardized separately from the finalists, in a fourth round.

Despite HQC having already received heavy scrutiny with regard to side-channel attacks, in this paper we show a novel timing vulnerability in the optimized implementations of HQC, leading to a full secret key recovery. The attack is both practical, requiring only approx. 866,000 idealized decapsulation timing oracle queries in the 128-bit security setting, and structurally different from previously identified attacks on HQC: previously, exploitable side-channel leakages have been identified in the BCH decoder of a previously submitted version, in the ciphertext check, as well as in the PRF of the Fujisaki-Okamoto (FO) transformation employed by several NIST PQC KEM candidates. In contrast, our attack uses the fact that the rejection sampling routine invoked during the deterministic re-encryption of the KEM decapsulation leaks secret-dependent timing information. These timing leaks can be efficiently exploited to recover the secret key when HQC is instantiated with the (now constant-time) BCH decoder, as well as with the RMRS decoder of the current submission. Besides a detailed analysis of the new attack, we discuss possible countermeasures and their limits.
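A toy model of the leak the abstract names, as an added example that is not HQC's code: a fixed-weight rejection sampler whose number of PRNG draws depends on its seed, next to a variant whose draw count is seed-independent. The PRNG, n and w are assumptions chosen for the toy. What carries over is the mechanism: in decapsulation the re-encryption seed is derived from the decrypted message, so a seed-dependent running time leaks that message and therefore information about the secret key.

```python
"""Seed-dependent rejection sampling as a timing side channel (toy model).

Added illustration, not HQC's code: KEM decapsulation re-encrypts with
randomness derived from the decrypted message, so any step whose running time
depends on that seed leaks what was decrypted, which depends on the secret key.
Both samplers pick w distinct positions out of n; only the first has a
seed-dependent number of PRNG draws.  PRNG and parameters are assumptions.
"""
import hashlib

def prng(seed: bytes):
    """Deterministic 32-bit word stream (SHA-256 in counter mode, an assumption)."""
    ctr = 0
    while True:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
        for i in range(0, 32, 4):
            yield int.from_bytes(block[i:i + 4], "big")

def sample_rejection(seed, n, w):
    """Leaky variant: reject words that would bias the reduction mod n and reject
    positions already chosen.  Returns (positions, draws); the draw count depends
    on the seed, so the running time reveals something about it."""
    words = prng(seed)
    limit = (2 ** 32 // n) * n
    positions, draws = [], 0
    while len(positions) < w:
        x = next(words)
        draws += 1
        if x >= limit:
            continue
        pos = x % n
        if pos in positions:
            continue
        positions.append(pos)
    return sorted(positions), draws

def sample_fixed_cost(seed, n, w):
    """Fixed-cost variant: draw exactly n words, one per position, and keep the w
    positions with the smallest words.  Draw count and loop structure no longer
    depend on the seed; a real implementation would replace Python's sort with a
    data-oblivious sorting network to remove the remaining data-dependent timing."""
    words = prng(seed)
    keyed = [(next(words), pos) for pos in range(n)]
    keyed.sort()
    return sorted(pos for _, pos in keyed[:w]), n

def draw_counts(sampler, seeds, n=16, w=8):
    """What a timing oracle observes: the sampling cost for each seed."""
    return [sampler(seed, n, w)[1] for seed in seeds]

if __name__ == "__main__":
    seeds = [bytes([i]) for i in range(12)]   # constructed seeds standing in for decrypted messages
    print("rejection sampler draws:", draw_counts(sample_rejection, seeds))
    print("fixed-cost sampler draws:", draw_counts(sample_fixed_cost, seeds))
```

The first list varies from seed to seed while the second is constant; an attacker who can time decapsulation of chosen ciphertexts observes exactly the first list, which is the oracle the paper's attack builds on.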

14 November 2021

Novosibirsk, Russia, 7 June - 9 June 2022
Event Calendar
Event date: 7 June to 9 June 2022
Submission deadline: 20 February 2022
Notification: 15 April 2022
Florida Atlantic University, Boca Raton, FL
Job Posting
The Department of Mathematical Sciences at Florida Atlantic University invites applications for two tenure-track positions at the assistant professor level in the area of cryptology, starting in August 2022. We will consider applicants knowledgeable in the general area of cryptology. Preference will be given to candidates with several broad areas of interest including, but not limited to, mathematical foundations of public-key cryptography, post-quantum cryptography (e.g., based on error-correcting codes, lattice problems, or polynomial systems of equations), and algorithmic number theory. In general, we will give higher priority to the overall originality and promise of the candidate's work rather than to the sub-area specialization.

Responsibilities for this position will be teaching, scholarly research, and professional service. The successful candidate is expected to apply for and secure external research funding, and to actively participate in interdisciplinary programs. We seek candidates who through their research (working with both undergraduate and graduate students), teaching, and/or service can contribute to the diversity and academic excellence of our department, and who are committed to working with diverse faculty, students, staff, and the broader community.

Minimum Qualification: Applicants must possess a Ph.D. in Mathematics or a closely related field.

Women, minorities, individuals with disabilities, veterans, and candidates who are from historically underrepresented backgrounds in STEM fields are encouraged to apply. EOE

Contact: For more information and to apply, visit www.fau.edu/jobs and go to Apply Now REQ11778.

More information: http://www.fau.edu/jobs

Dept. of Computer Science, Aarhus University, Denmark
Job Posting
The Cryptography & Security Group at Aarhus University invites applications from Ph.D. holders in areas of Cryptography & Distributed Ledger technology.

The Cryptography & Security group is focused on the design of cryptographic protocols, distributed ledger technology as well as the development of fundamental cryptographic techniques. Note that this call is open-ended; please send your application as soon as possible.

We currently have two open Postdoc positions. The successful candidate will work either with Prof. Ivan Damgård on the SecureDNA project or Prof. Jesper Buus Nielsen as part of the Cobra Research center. He or she will contribute to either of these research projects, as described in more detail here:

SecureDNA: improve efficiency and security of the SecureDNA system by conducting fundamental research in areas such as adaptive protocol security as well as the design of post-quantum cryptographic primitives, e.g., design of threshold PRF and OPRF. Work with the SecureDNA developers towards implementation of these improvements.

Cobra: Design and analysis of blockchain consensus protocols. Design and analysis of cryptographic tools for blockchains, e.g., zero-knowledge, MPC for blockchain, anonymous payments. Design and analysis of layer 2 protocols for blockchains.

The candidate is expected to spend part of the research time collaborating with Concordium Research on blockchain related research topics and can expect to coordinate part of the daily collaboration between COBRA and Concordium Research. There is also time for independent research and no restrictions on collaboration with other researchers.

Requirements: a Ph.D. degree in Computer Science, Applied Mathematics, or a related field. Competitive research record in cryptography or information security. Strong mathematical and algorithmic CS background. Fluent written and verbal communication skills in English

We offer a one-year employment contract, which is extendable based on performance, and highly competitive salaries.

Send your application with all material collected in a single pdf file to the contact person below.

Contact: Malene Andersen, malene.andersen@cs.au.dk

University of Wollongong, Australia
Job Posting
The School of Computing and Information Technology (SCIT) at the University of Wollongong is looking to recruit an enthusiastic staff member to support teaching and research within SCIT, particularly in the cybersecurity domain, which includes flexible delivery, online degrees and micro-credentials. SCIT aims to maintain its position as a world class Research School and this position is expected to contribute towards that aim.

Contact: Prof Willy Susilo

More information: https://ejgl.fa.ap1.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/1795/?utm_medium=jobshare

TU Wien
Job Posting
The Security and Privacy Research Unit at TU Wien (https://secpriv.wien) is offering a fully funded PhD position within the Christian Doppler Laboratory on Blockchain Technologies for the Internet of Things (CDL-BOT, https://www.cdl-bot.at/en) under the supervision of Univ.-Prof. Dr. Matteo Maffei.

The successful candidate will conduct world-class research on the formal verification of security properties in cryptocurrencies, smart contracts, and DeFi applications.

The Security and Privacy group at TU Wien is internationally renowned, regularly publishes in top security and privacy venues, and consists of an international and diverse team with various expertise in the field of cryptography, security, and privacy.

We offer:
  • An international environment: the working language is English, knowledge of German is not required.
  • Continuing personal and professional education and flexible working hours
  • Central location of workplace with very good accessibility (U1/U2/U4 Karlsplatz)
  • A creative environment in one of the most liveable cities in the world
  • A highly competitive salary
Interested candidates should send the application material to matteo.maffei@tuwien.ac.at. The application material should include:
  • a motivation letter
  • Bachelor and Master transcripts of records
  • a publication list
  • a curriculum vitae
  • contact information for two referees
Applications received by November 19th will receive full consideration, but they will be accepted until the position is filled.

Additional details on the call are available at https://secpriv.wien/work/Bot.pdf

Contact: Univ.-Prof. Dr. Matteo Maffei (matteo.maffei@tuwien.ac.at)

More information: https://secpriv.wien/work/Bot.pdf

Institute of Information Security and Dependability at KIT, Germany
Job Posting
The Institute of Information Security and Dependability at KIT is looking for a Post-Doc with expertise in privacy-preserving cryptographic protocols with a focus on secure multi-party computation, ideally with hands-on experience with MPC compilers. A track record in this field is expected, including publications at reputable conferences such as Crypto, Eurocrypt, ACM CCS, PETS, etc.

You will be a member of the KASTEL Security Research Labs (https://zentrum.kastel.kit.edu) and the Topic "Engineering Secure Systems" of the Helmholtz Association. KASTEL brings together security researchers belonging to various disciplines and offers excellent funding opportunities for your research projects.

Your research will be dealing with cryptographic protocols for privacy-preserving computations, e.g., applied to mobility systems. It will result in both theoretical security concepts (protocol designs, security proofs, etc.) and their practical implementation (e.g., a demonstrator) for some application domain. The contract will initially be limited to 1 year, but can be extended by several years (depending on the candidate's performance).

If you are interested, please send me an email and formally apply using the link: ogy.de/cryptojob. Besides your CV including a list of your publications, please also include the names of three references.

Contact: Andy Rupp (andy.rupp@rub.de)

Ruhr-Universitaet, Faculty of Computer Science, Bochum, Germany
Job Posting

TENURE TRACK AND FULL PROFESSORSHIP FOR PRIVACY

The Horst Görtz Institute for IT Security (HGI) in Bochum, Germany is one of the most renowned institutes in the field of IT Security in Europe. The HGI currently hosts 26 faculty members, maintains extensive networks and has produced numerous successful start-ups. HGI is home to the Cluster of Excellence "CASA: Cyber Security in the Age of Large-Scale Adversaries", funded with approximately 30 million euros. This outstanding environment offers excellent working conditions in a highly topical and exciting field. In addition, there is a very good working atmosphere in a young and diverse group of researchers.

The Faculty of Computer Science at Ruhr-Universität Bochum invites applications for an Assistant Professorship with tenure track and a tenured Full Professorship for Privacy. Applicants should have an excellent track record in research and teaching in at least one of the following areas:

  • Cryptographic tools for privacy
  • Differential privacy and private data analysis
  • Machine learning and privacy
  • Anonymous communication and censorship resistance
  • Game theory approaches for privacy
  • Data protection technologies.

We are looking for a scientist with an internationally visible research profile, who complements already existing focus areas. We expect a willingness to cooperate with the HGI as well as an active role in current and planned projects, especially in the Cluster of Excellence "CASA: Cyber Security in the Age of Large Scale Adversaries". The Max Planck Institute for Security and Privacy offers additional possibilities for collaboration.

Official job ads can be found here: https://www.stellenwerk-bochum.de/en/node/407452 . Applications are requested by December 15, 2021 to the Dean of the Faculty of Computer Science at Ruhr-Universität Bochum, Alexander May, e-mail: career-casa@rub.de. Further information can be found on our homepages at https://informatik.rub.de/en/ and https://casa.rub.de/en/

Contact: Alexander May, Dean of the Faculty of Computer Science at Ruhr-Universitaet Bochum, Germany

More information: https://informatik.rub.de/en/

Australian National University, School of Computing, Canberra, Australia
Job Posting

Based in the School of Computing at the Australian National University, several fully funded PhD positions are available on a project called “Efficient privacy-preserving proofs for secure e-government and e-voting.” The positions are for 3 years.

You will work on applying formal methods, particularly interactive theorem provers, to cryptography. The main focus of the project is verifying zero-knowledge proof systems.

The PhD student is expected to have a master's degree or equivalent, and a strong background in one or more of cryptography, formal methods, and mathematics.

Contact: Thomas Haines

University of Leuven (Campus Diepenbeek)
Job Posting
In the Science, Engineering and Technology Group, Faculty of Engineering Technology, Department of Electrical Engineering (ESAT), Campus Diepenbeek at KU Leuven, a full-time vacancy for academic staff or tenure track (professor) is available in the area of hardware security for the Internet of Things (IoT). We are looking for internationally oriented candidates with an excellent research record in this area and a strong affinity with industrial applications. Besides scientific research, the candidate will be teaching in the field of embedded systems and digital hardware design (including FPGA design) within the Faculty of Engineering Technology at Campus Diepenbeek. KU Leuven (https://www.kuleuven.be/english) is a research-intensive, internationally orientated university that carries out both fundamental and applied scientific research. Our university is highly focused on interdisciplinary and multidisciplinary research and strives for international excellence. In this regard, the university actively works together with research partners in Belgium and abroad and provides its students with an academic education that is based on high-quality scientific research.
The Department of Electrical Engineering (also known as ESAT, https://www.esat.kuleuven.be/english) of the KU Leuven conducts research at a high international level. It is also responsible for education in the domains of electrical engineering, electronics, and information processing. The department is also co-founder of many spin-off companies. With more than 300 PhD students, 200 master students, and 100 staff members, ESAT is a strong international research and educational department.
The applicant will join the Embedded Systems & Security (ES&S) group (https://iiw.kuleuven.be/onderzoek/ess) that is part of the COSIC research group (https://www.esat.kuleuven.be/cosic).

Contact: Prof. Georges Gielen, Chair, Department of Electrical Engineering-ESAT, georges.gielen(AT)kuleuven.be

More information: https://www.kuleuven.be/personeel/jobsite/jobs/60004322?hl=en&lang=en