International Association
for Cryptologic Research

The CRYSPY Lab (CRyptography, Security and PrivacY) at Lund University is looking for a Post Doctoral researcher to work on the design of post-quantum secure cryptographic solutions. We welcome applications from Ph.D. holders, the ideal candidate is expected to be motivated, able to carry research tasks in an independent way, open to collaborate in on-going projects in a team-work fashion, and willing to perform some teaching duties. There is also time for independent research, no restrictions on collaboration with other researchers. The application will be open until we find a suitable candidate.
Main requirements: a Ph.D. degree in Computer Science, Applied Mathematics, or a related field. Competitive research record in cryptography or information security. Strong mathematical or algorithmic background. Fluent written and verbal communication skills in English.
About the CRYSPY lab: we are about 20 researchers (counting PhD students and seniors) passionate about solving real world security issues as well as posing and addressing security challenges of a theoretical taste. We have a long history of design and cryptanalisys of symmetric ciphers and lattice-based constructions, as well as network-security. More recently, we are moving towards post-quantum cryptosystems, homomorphic authenticators, privacy-aware data storage and sharing solutions.
For more info: https://www.eit.lth.se/index.php?gpuid=508&L=1 and https://epagnin.github.io

Closing date for applications:

Contact: elena.pagnin@eit.lth.se

More information: https://lu.varbi.com/en/what:job/jobID:439586/type:job/where:4/apply:1

We are looking for a Research Fellow (Post-Doc), to join our group. The applicants should have background and be interested in working on different aspects of lattice based cryptography, and a strong publication record, in particular on:

- security proofs for lattice-based schemes,
- building and implementing lattice-based constructions.

The research will take place in the CAPSULE team (formerly called EMSEC team), within the IRISA computer science institute located in Rennes, France. To apply please send us by email your detailed CV (with publication list) and a research statment. The position has flexible starting date, with possibility to start in January / February 2022 or later.
Review of applications will start immediately until the position is filled.

Closing date for applications:

Contact: Adeline Roux-Langlois / adeline.roux-langlois@irisa.fr and Alexandre Wallet / alexandre.wallet@inria.fr

There are fully funded PhD scholarships available to the UK, EU and international students at the Department of Computer Science, University of Warwick. Students who are interested to pursue a PhD in security and applied cryptography are encouraged to contact feng.hao@warwick.ac.uk with a CV.

Closing date for applications:

Contact: feng.hao@warwick.ac.uk

More information: https://warwick.ac.uk/fac/sci/dcs/people/feng_hao/openings/

You will conduct research towards a distributed intrusion detection system for constrained devices in real-world IoT applications. The intrusion detection system (IDS) you will develop will facilitate detection and containment of a security breach in the Edge, making the IoT applications of tomorrow more secure and reliable.

Your activity will be at an exciting intersection of the following fields:

• Embedded development. The constrained nature of low-power embedded world will present you with stimulating research challenges. You will implement and test your results on real-world, low-power embedded HW platforms, maintaining a steady link between your research and practice and ensuring a real-world impact.
• Applied security. To defend from attacks, you will get intimately familiar with them. You will acquire knowledge of different types of intrusion, how they manage to penetrate a system, and how they can be recognized.
• Artificial intelligence. Modern IDS systems rely on AI. You will review the state of the art, select the most viable AI algorithms for an IDS in the constrained setting of IoT Edge, and carefully tweak them for the job.
• Distributed computing. A swarm of Things in the Edge can, collaboratively monitor itself much more effectively than a single device. You will combine all the above and deploy a distributed IDS on a group of constrained embedded devices, identifying the tradeoffs between efficiency and overhead.

The result of your work will be an IDS system, which will be able to make a difference in the security and reliability of real-world IoT applications.
We are looking for a student who has a Masters (or equivalent) degree in Electrical Engineering, Electronics or Computer Science with background and passion in (most of):

• Solid understanding of machine learning concepts and some practice
• Proficiency with programming in C
• Experience with embedded development is an advantage
• Background in applied cryptography and security is an advantage
• Fluency in English is required, proficiency in French is an advantage.
• Good communication and interpersonal skills.

  Closing date for applications:

  Contact: To apply visit https://www.csem.ch/page.aspx?pid=47528&jobid=122842.
  You will be based in part at CSEM (Switzerland), and in part at the Cybersecurity Research Group at AAU (Austria); you need to be eligible to work in Europe, and you need to be flexible as you will travel regularly.

  More information: https://www.csem.ch/page.aspx?pid=47528&jobid=122842

The Faculty of Mathematics at the University of Waterloo invites applications from outstanding qualified candidates for two, 2-year, prestigious postdoctoral fellowship positions. Applications are solicited from any of the research areas of the Department of Combinatorics & Optimization: Algebraic Combinatorics, Discrete Optimization, Continuous Optimization, Cryptography, Graph Theory, and Quantum Computing.

A Ph.D. degree and evidence of excellence in research are required. Successful applicants are expected to maintain an active program of research. The annual salary is $75,000. In addition, a travel fund of $15,000 per year is provided. The anticipated start date is fall 2022.

Interested individuals should apply using the MathJobs site (https://www.mathjobs.org/jobs/list/19031). Applications should include a cover letter describing their interest in the position, and names of faculty members with whom the applicant would like to interact, a curriculum vitae and research statement, and at least three reference letters.

Inquiries may be addressed to Jochen Koenemann, Chair, Department of Combinatorics and Optimization. The deadline for application is December 31, 2021.

Closing date for applications:

Contact: Jochen Koenemann (jochen@uwaterloo.ca)

More information: https://uwaterloo.ca/combinatorics-and-optimization/career-opportunities#PrestigiousPDF

The Computer Security and Industrial Cryptography (COSIC) research group belongs to the Electrical Engineering Department at the KU Leuven. Research group COSIC is looking for a Postdoc researcher to work on efficient MPC protocols for privacy-preserving machine learning.
The prospective candidate will design and develop efficient MPC protocols for privacy-preserving data analytics for medical diagnostics and predictive maintenance applications. The work includes, but is not limited to, investigating machine learning algorithms that best suit MPC and that have efficient implementations over MPC. You will be working closely with tools such as SCALE-MAMBA and/or MP-SPDZ. The candidate will be part of a team in a project on Secure and Scalable Data Sharing, which will run until mid-2025.
Specific skills required:
The candidate must hold a PhD degree in Cryptography or a related subject with strong publication records in crypto/security venues. In addition to a strong background in both public and symmetric cryptography, good knowledge in MPC, machine learning algorithms, and cryptographic protocols are expected. Hands on experience with an MPC framework will be considered as a merit. The candidate should also have coding experience in C/C++ and Python, experience in practical aspects of secure computation is a must.

Closing date for applications:

Contact: Please check the application procedure at https://www.esat.kuleuven.be/cosic/vacancies/ and send all requested documents to jobs-cosic@esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

A major difficulty in quantum rewinding is the fact that measurement is destructive: extracting information from a quantum state irreversibly changes it. This is especially problematic in the context of zero-knowledge simulation, where preserving the adversary's state is essential.

In this work, we develop new techniques for quantum rewinding in the context of extraction and zero-knowledge simulation:

(1) We show how to extract information from a quantum adversary by rewinding it without disturbing its internal state. We use this technique to prove that important interactive protocols, such as the Goldreich-Micali-Wigderson protocol for graph non-isomorphism and the Feige-Shamir protocol for NP, are zero-knowledge against quantum adversaries.

(2) We prove that the Goldreich-Kahan protocol for NP is post-quantum zero knowledge using a simulator that can be seen as a natural quantum extension of the classical simulator.

Our results achieve (constant-round) black-box zero-knowledge with negligible simulation error, appearing to contradict a recent impossibility result due to Chia-Chung-Liu-Yamakawa (FOCS 2021). This brings us to our final contribution:

(3) We introduce coherent-runtime expected quantum polynomial time, a computational model that (a) captures all of our zero-knowledge simulators, (b) cannot break any polynomial hardness assumptions, and (c) is not subject to the CCLY impossibility. In light of our positive results and the CCLY negative results, we propose coherent-runtime simulation to be the right quantum analogue of classical expected polynomial-time simulation.

FPGA bitstream encryption and authentication can be defeated by various techniques and it is critical to understand how these vulnerabilities enable extraction and tampering of commercial FPGA bitstreams. We exploit the physical vulnerability of bitstream encryption keys to readout using failure analysis equipment and conduct an end-to-end bitstream tamper attack. Our work underscores the feasibility of supply chain bitstream tampering and the necessity of guarding against such attacks in critical systems.

COMETv1, by Gueron, Jha and Nandi, is a mode of operation for nonce-based authenticated encryption with associated data functionality. It was one of the second round candidates in the ongoing NIST Lightweight Cryptography Standardization Process. In this paper, we study a generalized version of COMETv1, that we call gCOMET, from provable security perspective. First, we present a comprehensive and complete security proof for gCOMET in the ideal cipher model. Second, we view COMET, the underlying mode of operation in COMETv1, as an instantiation of gCOMET, and derive its concrete security bounds. Finally, we propose another instantiation of gCOMET, dubbed COMETv2, and show that this version achieves better security guarantees as well as memory-efficient implementations as compared to COMETv1.

In this paper we describe a provably secure authentication protocol for resource limited devices. The proposed algorithm performs whole-network authentication using very few rounds and in a time logarithmic in the number of nodes. Compared to one-to-one node authentication and previous proposals, our protocol is more efficient: it requires less communication and computation and, in turn, lower energy consumption.

A postdoctoral position and a PhD position are open in the faculty of engineering at Bar-Ilan University, hosted by Prof. Carmit Hazay and Dr. Ran Gelles. The positions involve performing theoretical research in cryptography. In particular, researching topics on secure computation over unreliable channels and over networks where the adversary controls the communication channels.

This project is in collaboration with Purdue University and participant will be offered several all expenses paid visits to Purdue University, USA.

The postdoctoral position is offered for 1 year and can be extended by an additional year contingent upon funding and satisfactory performance. The PhD position spans an entire course of a PhD degree, with an expected duration of 4 years.

Applicants should ideally have background in information-theoretic secure computation as well as general background in cryptography. Knowledge in coding theory and information theory is an advantage. Candidates are expected to be highly motivated and mathematically capable.

Applications should include (1) a CV including a list of publications, (2) a short research statement, (3) names and contact information of 2-3 potential references.

Closing date for applications:

Contact: carmit.hazay@biu.ac.il and ran.gelles@biu.ac.il

The Department of Mathematics at Virginia Tech (http://www.math.vt.edu/) invites applications for a tenure-track faculty position in Mathematics of Quantum Algorithms, Coding, or Cryptography with a start date of August 10, 2022, at its Blacksburg, VA, campus. The successful candidate will have a strong background in post-quantum cryptography, cryptanalysis of post-quantum cryptosystems, quantum error correction, quantum algorithms, or related topics in quantum information theory. Possible specialties include but are not limited to applied algebra, algebraic geometry, combinatorics, number theory, coding theory, cryptography, or a closely related area. Appointment as an Assistant Professor of Mathematics is anticipated, but exceptional senior candidates will be considered for Associate Professor of Mathematics or Professor of Mathematics positions.

Closing date for applications:

Contact: qacc21@math.vt.edu

Applications are invited for a Postdoctoral Associate position with the Department of Mathematics at Virginia Tech, Blacksburg, VA. The position involves research in algebraic coding theory and cryptography, especially code-based cryptography, and teaching one class per semester. Applications received by 11:59 pm EST on December 16, 2021, will receive full consideration.

Closing date for applications:

Contact: Gretchen Matthews gmatthews@vt.edu

More information: http://careers.pageuppeople.com/968/cw/en-us/job/518387/postdoctoral-associate-cy-matthews

The successful candidate will join a strong and motivated research team lead to carry out research to pursue a PhD on the

Security of Decentralized Finance in Ethereum blockchain.

The successful candidate will closely work with industry, specifically with Quantstamp. The position holder will be required to perform the following tasks:

Contribute to the project “Securing DeFi Implementations” in collaboration with Quantstamp as industrial partner

Carrying out research in the predefined areas

Disseminating results through scientific publications

Present results in well-known international conferences and workshops

Assisting in organization of relevant workshops

Join the team activities and meetings

Closing date for applications:

Contact: Antonio Ken Iannillo

More information: https://recruitment.uni.lu/en/details.html?nPostingId=69496&nPostingTargetId=100822&id=QMUFK026203F3VBQB7V7VV4S8&LG=UK&mask=karriereseiten&sType=Social%20Recruiting

In this work, we are the first to explore route discovery in private channel networks. We first determine what ``ideal" privacy for a routing protocol means in this setting. We observe that protocols achieving this strong privacy definition exist by leveraging (topology hiding) Multi-Party Computation but they are (inherently) inefficient as route discovery must involve the entire network.

We then present protocols with weaker privacy guarantees but much better efficiency. In particular, route discovery typically only involves small fraction of the nodes but some information on the topology and balances -- beyond what is necessary for performing the transaction -- is leaked.

The core idea is that both sender and receiver gossip a message which then slowly propagates through the network, and the moment any node in the network receives both messages, a path is found. In our first protocol the message is always sent to all neighbouring nodes with a delay proportional to the fees of that edge. In our second protocol the message is only sent to one neighbour chosen randomly with a probability proportional to its degree. While the first instantiation always finds the cheapest path, the second might not, but it involves a smaller fraction of the network.

% We discuss some extensions like employing bilinear maps so the gossiped messages can be re-randomized, making them unlikeable and thus improving privacy. We also discuss some extensions to further improve privacy by employing bilinear maps.

Simulations of our protocols on the Lightning network topology (for random transactions and uniform fees) show that our first protocol (which finds the cheapest path) typically involves around 12\% of the 6376 nodes, while the second only touches around 18 nodes $(<0.3\%)$, and the cost of the path that is found is around twice the cost of the optimal one.

Secure inference allows a model owner (or, the server) and the input owner (or, the client) to perform inference on machine learning model without revealing their private information to each other. A large body of work has shown efficient cryptographic solutions to this problem through secure 2- party computation. However, they assume that both parties are semi-honest, i.e., follow the protocol specification. Recently, Lehmkuhl et al. showed that malicious clients can extract the whole model of the server using novel model-extraction attacks. To remedy the situation, they introduced the client-malicious threat model and built a secure inference system, MUSE, that provides security guarantees, even when the client is malicious.

In this work, we design and build SIMC, a new cryptographic system for secure inference in the client malicious threat model. On secure inference benchmarks considered by MUSE, SIMC has 23 − 29× lesser communication and is up to 11.4× faster than MUSE. SIMC obtains these improvements using a novel protocol for non-linear activation functions (such as ReLU) that has > 28× lesser communication and is up to 43× more performant than MUSE. In fact, SIMC's performance beats the state-of-the-art semi-honest secure inference system!

Finally, similar to MUSE, we show how to push the majority of the cryptographic cost of SIMC to an input independent preprocessing phase. While the cost of the online phase of this protocol, SIMC++, is same as that of MUSE, the overall improvements of SIMC translate to similar improvements to the preprocessing phase of MUSE.

In this study, we focus on the differential cryptanalysis of the ChaCha stream cipher. In the conventional approach, an adversary first searches for the input/output differential pair with the best differential bias and then analyzes the probabilistic neutral bits (PNB) in detail based on the obtained input/output differential pair. However, although time and data complexities for the attack can be estimated by the differential bias and PNB obtained in this approach, their combination does not always represent the best. In addition, a comprehensive analysis of the PNB was not provided in existing studies; they have not clarified the upper bounds of the number of rounds required for the differential attack based on the PNB to be successful. To solve these problems, we proposed a PNB-based differential attack on the reduced-round ChaCha by first comprehensively analyzing the PNB at all output differential bit positions and then searching for the input/output differential pair with the best differential bias based on the obtained PNB. By comprehensively analyzing the PNB, we clarified that an upper bound of the number of rounds required for the PNB-based differential attack to be successful was 7.25 rounds. As a result, the proposed attack can work on the 7.25-round ChaCha with time and data complexities of \(2^{255.62}\) and \(2^{37.49}\), respectively. Further, using the existing differential bias presented by Coutinho and Neto at EUROCRYPT 2021, we further improved the attack on the 7.25-round ChaCha with time and data complexities of \(2^{244.22}\) and \(2^{69.14}\), respectively. The best existing attack on ChaCha, proposed by Coutinho and Neto at EUROCRYPT 2021, works on up to 7 rounds with time and data complexities of \(2^{228.51}\) and \(2^{80.51}\), respectively. Therefore, we improved the best existing attack on the reduced-round ChaCha. We believe that this study will be the first step towards an attack on more rounds of ChaCha, e.g., the 8-round ChaCha.

Blockchain, a potentially disruptive technology, advances many different applications, e.g., crypto-currencies, supply chains, and the Internet of Things. Under the hood of blockchain, it is required to handle different kinds of digital assets and data. The next-generation blockchain ecosystem is expected to consist of numerous applications, and each application may have a distinct representation of digital assets. However, digital assets cannot be directly recorded on the blockchain, and a tokenization process is required to format these assets. Tokenization on blockchain will inevitably require a certain level of proper standards to enrich advanced functionalities and enhance interoperable capabilities for future applications. However, due to specific features of digital assets, it is hard to obtain a standard token form to represent all kinds of assets. For example, when considering fungibility, some assets are divisible and identical, commonly referred to as fungible assets. In contrast, others that are not fungible are widely referred to as non-fungible assets. When tokenizing these assets, we are required to follow different tokenization processes. The way to effectively tokenize assets is thus essential and expecting to confront various unprecedented challenges. This paper provides a systematic and comprehensive study of the current progress of tokenization on blockchain. First, we explore general principles and practical schemes to tokenize digital assets for blockchain and classify digitized tokens into three categories: fungible, non-fungible, and semi-fungible. We then focus on discussing the well-known Ethereum standards on non-fungible tokens. Finally, we discuss several critical challenges and some potential research directions to advance the research on exploring the tokenization process on the blockchain. To the best of our knowledge, this is the first systematic study for tokenization on blockchain.

This paper proposes a lightweight authenticated encryption (AE) scheme, called Light-OCB, which can be viewed as a lighter variant of the CAESAR winner OCB as well as a faster variant of the high profile NIST LWC competition submission LOCUS-AEAD. Light-OCB is structurally similar to LOCUS-AEAD and uses a nonce-based derived key that provides optimal security, and short-tweak tweakable blockcipher (tBC) for efficient domain separation. Light-OCB improves over LOCUS-AEAD by reducing the number of primitive calls, and thereby significantly optimizing the throughput. To establish our claim, we provide FPGA hardware implementation details and benchmark for Light-OCB against LOCUS-AEAD and several other well-known AEs. The implementation results depict that, when instantiated with the tBC TweGIFT64, Light-OCB achieves an extremely low hardware footprint - consuming only around 1128 LUTs and 307 slices (significantly lower than that for LOCUS-AEAD) while maintaining a throughput of 880 Mbps, which is almost twice as that of LOCUS-AEAD. To the best of our knowledge, this figure is significantly better than all the known implementation results of other lightweight ciphers with parallel structures.

In this paper we present an optimized variant of Gentry, Halevi and Vaikuntanathan (GHV)'s Homomorphic Encryption (HE) scheme (EUROCRYPT'10). Our scheme is appreciably more efficient than the original GHV scheme without losing its merits of the (multi-key) homomorphic property and matrix encryption property. In this research, we first measure the density for the trapdoor pairs that are created by using Alwen and Peikert's trapdoor generation algorithm and Micciancio and Peikert's trapdoor generation algorithm, respectively, and use the measurement result to precisely discuss the time and space complexity of the corresponding GHV instantiations. We then propose a generic GHV-type construction with several optimizations that improve the time and space efficiency from the original GHV scheme. In particular, our new scheme can achieve asymptotically optimal time complexity and avoid generating and storing the inverse of the used trapdoor. Finally, we present an instantiation that, by using a new set of (lower) bound parameters, has the smaller sizes of the key and ciphertext than the original GHV scheme.