International Association
for Cryptologic Research

The University of Passau has established a strategic research collaboration agreement with Honda Research Institute Europe GmbH (HRI-EU) for the purpose of a collaborative research project entitled “Scalable privacy-preserving secure multi-party computation”. In this doctoral project, privacy-preserving mechanisms for multiparty computation (MPC) are developed and evaluated for the relevant use-case of computation over huge telematics data sets in a privacy-preserving manner. The position is to be filled as soon as possible for 3 years with the possibility of extension. You will conduct research and publish/present the results at top venues for research in cryptography and IT security. Topics of particular interest include (but are not limited to): 1. Conduct research on state-of-the-art multiparty computation (MPC) protocols, 2. Holistic MPC system optimisation and support for time-series data, 3. Privacy-preserving data cleansing and data poisoning prevention, 4. Efficiency-enhancing data pre-processing, 5. Design and implementation of building blocks for utilising privacy-preserving cryptographic techniques in cloud computing and automotive applications Your Profile: 1. Master's degree (or equivalent) or doctorate/PhD in computer science, information security, mathematics or a related subject; we welcome applications from students who have not yet completed their degree studies or doctoral research, but are close to doing so, 2. Knowledge and understanding of privacy-oriented cryptography (theory and/or practice), 3. Fluency in written and spoken English.

Closing date for applications:

Contact: Ektor Arzoglou (ektor.arzoglou@uni-passau.de)

More information: https://www.fim.uni-passau.de/en/computer-engineering

Digital signature is an essential primitive in cryptography, which can be used as the digital analogue of handwritten signatures but also as a building block for more complex systems. In the latter case, signatures with specific features are needed, so as to smoothly interact with the other components of the systems, such as zero-knowledge proofs. This has given rise to so-called signatures with efficient protocols, a versatile tool that has been used in countless applications. Designing such signatures is however quite difficult, in particular if one wishes to withstand quantum computing. We are indeed aware of only one post-quantum construction, proposed by Libert et al. at Asiacrypt'16, yielding very large signatures and proofs. In this paper, we propose a new construction that can be instantiated in both standard lattices and structured ones, resulting in each case in dramatic performance improvements. In particular, the size of a proof of message-signature possession, which is one of the main metrics for such schemes, can be brought down to less than 650 KB. As our construction retains all the features expected from signatures with efficient protocols, it can be used as a drop-in replacement in all systems using them, which mechanically improves their own performance, and has thus an impact on many applications.

Indifferentiability is a powerful notion in cryptography. If a construction is proven to be indifferentiable from an ideal object, it can under certain assumptions instantiate that ideal object in higher-level constructions. Indifferentiability is a particularly useful model for cryptographic hash functions, and myriad results are known proving that a hash function behaves like a random oracle under the assumption that the underlying primitive (typically a compression function, a block cipher, or a permutation) is random. Recently, advances have been made in proving indifferentiability of one-way functions with fixed input length. One such example is truncation of a permutation. If one evaluates a random permutation on an input value concatenated with a fixed initial value, and truncates the output, one obtains a construction that is indifferentiable from a random function up to a certain bound (Dodis et al., FSE 2009; Choi et al., ASIACRYPT 2019). Security of this construction, however, is in part determined by the length of the initial value; omission of this fixed value yields an insecure construction.

In this paper, we reconsider truncation of a permutation, and prove that the construction is indifferentiable from a random oracle, even if this fixed initial value is replaced by a randomized value. This randomized value may be the same for different evaluations of the construction, or freshly generated, up to the discretion of the adversary. The security level is the same as that of truncation with fixed initial value, up to collisions in the randomized value.

We show that our construction has immediate implications in the context of parallel variable-length digest generation. In detail, we describe Cascade-MGF, that operates on top of any cryptographic hash function and uses the hash function output as randomized initial value in truncation. We demonstrate that Cascade-MGF compares favorably over earlier parallel variable-length digest generation constructions, namely Counter-MGF and Chained-MGF, in almost all settings.

ver the last years, the rise of the IoT, and the connection of mobile - and hence physically accessible - devices, immensely enhanced the demand for fast and secure hardware implementations of cryptographic algorithms which offer thorough protection against SCA attacks. Among a variety of proposed countermeasures against SCA, masking has transpired to be a promising candidate, attracting significant attention in both, academia and industry. Here, abstract adversary models have been derived, aiming to accurately model real-world attack scenarios, while being sufficiently simple to enable formally proving the SCA resilience of masked implementations on an algorithmic level. In the context of hardware implementations, the robust probing model has become highly relevant for proving SCA resilience due to its capability to model physical defaults like glitches and data transitions. As constructing a correct and secure masked variant of large and complex circuits is a challenging task, a new line of research has recently emerged, aiming to design small, masked subcircuits - realizing for instance a simple AND gate - which still guarantee security when composed to a larger circuit. Although several designs realizing such composable subcircuits - commonly referred to as gadgets - have been proposed, negligible research was conducted in order to find trade-offs between different overhead metrics, like randomness requirement, latency, and area consumption. In this work, we present HPC3, a hardware gadget which is trivially composable under the notion of PINI in the glitch-extended robust probing model. HPC3 realizes a two-input AND gate in one clock cycle which is generalized for any arbitrary security order. Existing state-of-the-art PINI gadgets either require a latency of two clock cycles or are limited to first-order security. In short, HPC3 enables the designer to trade double the randomness for half the latency compared to existing gadgets, providing high flexibility and enabling the designer to gain significantly more speed in real-time applications.

We present and analyze a new protocol that provides a distributed ECDSA signing service, with the following properties: it works in an asynchronous communication model; it works with $n$ parties with up to $f < n/3$ Byzantine corruptions; it provides guaranteed output delivery; it provides a very efficient, non-interactive online signing phase; it supports additive key derivation according to the BIP32 standard.

This service is being implemented and integrated into the architecture of the Internet Computer, enabling smart contracts running on the Internet Computer to securely hold and spend Bitcoin and other cryptocurrencies.

Research on the design of masked cryptographic hardware circuits in the past has mostly focused on reducing area and randomness requirements. However, many embedded devices like smart cards and IoT nodes also need to meet certain performance criteria, which is why the latency of masked hardware circuits also represents an important metric for many practical applications. The root cause of latency in masked hardware circuits is the need for additional register stages that synchronize the propagation of shares. Otherwise, glitches would violate the basic assumptions of the used masking scheme. This issue can be addressed to some extent, e.g., by using lightweight cryptographic algorithms with low-degree S-boxes, however, many applications still require the usage of schemes with higher- degree S-boxes like AES. Several recent works have already proposed solutions that help reduce this latency yet they either come with noticeably increased area/randomness requirements, limitations on masking orders, or specific assumptions on the general architecture of the crypto core. In this work, we introduce a generic and efficient method for designing single-cycle glitch-resistant (higher-order) masked hardware of cryptographic S-boxes. We refer to this technique as (generic) Self-Synchronized Masking (“SESYM”). The main idea of our approach is to replace register stages with a partial dual-rail encoding of masked signals that ensures synchronization within the circuit. More concretely, we show that WDDL gates and Muller C-elements can be used in combination with standard masking schemes to design single-cycle S-box circuits that, especially in case of higher-degree S-boxes, have noticeably lower requirements in terms of area and online randomness. We apply our method to DOM-based S-boxes of Ascon and AES and compare the resulting circuits to existing latency optimized circuits based on TI, GLM, and LMDPL. The latency of all three designs is reduced to single-cycle operation and are $d^\text{th}$ -order secure. Compared to GLM-masked Ascon, our approach comes with a 6.4 times reduction in online randomness for all protection orders. Compared to 1st-order LMDPL-masked AES, our approach achieves comparable results, while it is more generic, amongst others, by also supporting higher-order designs. We also underline the practical protection of our constructions against power analysis attacks via empirical and formal verification approaches.

Blockchain has recently been able to draw wider attention throughout the research community. Since its emergence, the world has seen the mind-blowing expansion of this new technology, which was initially developed as a pawn of digital currency more than a decade back. A self-administering ledger that ensures extensive data immutability over the peer-to-peer network has made it attractive for cybersecurity applications such as a sensor-enabled system called the Internet of things (IoT). Brand new challenges and questions now demand solutions as huge IoT devices are now online in a distributed fashion to ease our everyday lives. After being motivated by those challenges, the work here has figured out the issues and perspectives an IoT infrastructure can suffer because of the wrong choice of blockchain technology. Though it may look like a typical review, however, unlike that, this paper targets sorting out the specific security challenges of the blockchain-IoT eco-system through critical findings and applicable use-cases. Therefore, the contribution includes directing Blockchain architects, designers, and researchers in the broad domain to select the unblemished combinations of Blockchain-powered IoT applications. In addition, the paper promises to bring a deep insight into the state-of-the-art Blockchain platforms, namely Ethereum, Hyperledger, and IOTA, to exhibit the respective challenges, constraints, and prospects in terms of performance and scalability.

Logic locking aims to protect the intellectual property of a circuit from a fabricator by modifying the original logic of the circuit into a new “locked” circuit such that an entity without the key should not be able to learn anything about the original circuit. While logic locking provides a promising solution to outsourcing the fabrication of chips, unfortunately, several of the proposed logic locking systems have been broken. The lack of established secure techniques stems in part from the absence of a rigorous treatment toward a notion of security for logic locking, and the disconnection between practice and formalisms. We seek to address this gap by introducing formal definitions to capture the desired security of logic locking schemes. In doing so, we investigate prior definitional efforts in this space, and show that these notions either incorrectly model the desired security goals or fail to capture a natural “compositional” property that would be desirable in a logic locking system. Finally we move to constructions. First, we show that universal circuits satisfy our security notions. Second, we show that, in order to do better than universal circuits, cryptographic assumptions are necessary.

We present a diffusion block (DB), which is extraordinarily fast. After one round, it reaches complete diffusion, which means only 16 memory reads and 15 XOR operations. It uses only the most common operations available in any microprocessor. The diffusion and speed are based on a large key, about 64 kB for encryption and 34 kB for decryption, expanded from the classical key size of 128, 256, or more bits. The basic block length is 128 bits and could be expanded to 192, 256, or more. DB uses the same core idea as uses AES, DES, and others, which has been studied for more than 50 years by many cryptanalysts.

This paper presents concrete quantum cryptanalysis for binary elliptic curves for a time-efficient implementation perspective (i.e., reducing the circuit depth), complementing the previous research by Banegas et al., that focuses on the space-efficiency perspective (i.e., reducing the circuit width). To achieve the depth optimization, we propose an improvement to the existing circuit implementation of the Karatsuba multiplier and FLT-based inversion, then construct and analyze the resource in Qiskit quantum computer simulator. The proposed multiplier architecture, improving the quantum Karatsuba multiplier by Van Hoof et al., reduces the depth and yields lower number of CNOT gates that bounds to O(nlog2(3)) while maintaining a similar number of Toffoli gates and qubits. Furthermore, our improved FLT-based inversion reduces CNOT count and overall depth, with a tradeoff of higher qubit size. Finally, we employ the proposed multiplier and FLT-based inversion for performing quantum cryptanalysis of binary point addition as well as the complete Shor’s algorithm for elliptic curve discrete logarithm problem (ECDLP). As a result, apart from depth reduction, we are also able to reduce up to 90% of the Toffoli gates required in a single-step point addition compared to prior work, leading to significant improvements and give a new insights on quantum cryptanalysis for a depth-optimized implementation.

An $\ell$-server Private Information Retrieval (PIR) scheme allows a client to retrieve the $\tau$-th element $a_\tau$ from a database $\bm{a}=(a_1,\ldots,a_n)$ which is replicated among $\ell$ servers. It is called $t$-private if any coalition of $t$ servers learns no information on $\tau$, and $b$-error correcting if a client can correctly compute $a_\tau$ from $\ell$ answers containing $b$ errors. This paper concerns the following problems: Is there a $t$-private $\ell$-server PIR scheme with communication complexity $o(n)$ such that a client can detect errors with probability $1-\epsilon$ even if $\ell-1$ servers return false answers? Is it possible to add error correction capability to it? We first formalize a notion of $(1-\epsilon)$-fully error detecting PIR in such a way that an answer returned by any malicious server depends on at most $t$ queries, which reflects $t$-privacy. We then prove an impossibility result that there exists no $1$-fully error detecting (i.e., $\epsilon=0$) PIR scheme with $o(n)$ communication. Next, for $\epsilon>0$, we construct $1$-private $(1-\epsilon)$-fully error detecting and $(\ell/2-O(1))$-error correcting PIR schemes which have $n^{o(1)}$ communication, and a $t$-private one which has $O(n^{c})$ communication for any $t\geq2$ and some constant $c<1$. Technically, we show generic transformation methods to add error correction capability to a basic fully error detecting PIR scheme. We also construct such basic schemes by modifying certain existing PIR schemes which have no error detection capability.

Smart contracts and blockchain technologies are inherently limited as their decision cannot rely on real-world events that happen ``outside'' of the blockchain environment. This has motivated the introduction of trusted identities, the so-called ``Oracles'', that attest the information about real-world events into the blockchain. This enables mutually distrustful parties to establish contracts based on said events.

All known solutions to implement oracle-based contracts rely either on Turing-complete smart contracts or on trusted hardware. In particular, no solution comes with provable cryptographic guarantees that are compatible with many popular cryptocurrencies, such as Bitcoin. In this work, we lay the foundations of oracle contracts for cryptocurrencies. We present game-based definitions that model the security properties of oracle contracts and we propose the first construction with provable security guarantees. As a contribution of independent interest and as our main technical building block, we show an efficient construction of \emph{witness encryption} for the following class of languages: $$ \{ (\vk, m) \in \mathcal{L} : \exists~\sigma \text{ s.t. }\mathsf{Verify}(\vk, \sigma, m) = 1\} $$ where $\sigma$ is a BLS digital signature on $m$. We show how this can be extended to the threshold settings and how to efficiently prove that the encrypted message has a certain structure. The former allows distribution of trust among several ``Oracles'' and to guarantee the latter, we develop a new batching technique for cut-and-choose, inspired by the work of Lindell-Riva on garbled circuits.

In this note we study the limitations of incompressible encodings with information-theoretic security. We demonstrate a flaw in the existing proof of the impossibility of constructing incompressible encodings information-theoretically. Our main contribution is a full proof of impossibility of existence of non-trivial information-theoretically secure incompressible encoding schemes.

Leakage-resilient cryptography aims to protect cryptographic primitives from so-called "side channel attacks" that exploit their physical implementation to learn their input or secret state. Starting from the works of Ishai, Sahai and Wagner (CRYPTO`03) and Micali and Reyzin (TCC`04), most works on leakage-resilient cryptography either focus on protecting general computations, such as circuits or multiparty computation protocols, or on specific non-interactive primitives such as storage, encryption and signatures. This work focuses on leakage-resilience for the middle ground, namely for distributed and interactive cryptographic primitives.

Our main technical contribution is designing the first secret-sharing scheme that is equivocal, resists adaptive probing of a constant fraction of bits from each share, while incurring only a constant blowup in share size. Equivocation is a strong leakage-resilience guarantee, recently introduced by Hazay et al. (ITC`21). Our construction is obtained via a general compiler which we introduce, that transforms any secret-sharing scheme into an equivocal scheme against adaptive leakage. An attractive feature of our compiler is that it respects additive reconstruction, namely, if the original scheme has additive reconstruction, then the transformed scheme has linear reconstruction.

We extend our compiler to a general paradigm for protecting distributed primitives against leakage, and show its applicability to various primitives, including secret sharing, verifiable secret sharing, function secret sharing, distributed encryption and signatures, and distributed zero-knowledge proofs. For each of these primitives, our paradigm transforms any construction of the primitive into a scheme that resists adaptive party corruptions, as well as adaptive probing leakage of a constant fraction of bits in each share when the share is stored in memory (but not when it is used in computations). Moreover, the transformation incurs only a constant blowup in the share size, and respects additive reconstruction - an important feature for several of these primitives, such as function secret sharing and distributed encryption.

The looming threat of an adversary with Quantum computing capability led to a worldwide research effort towards identifying and standardizing novel post-quantum cryptographic primitives. Post-standardization, all existing security protocols will need to support efficient implementation of these primitives. In this work, we contribute to these efforts by reporting the smallest implementation of CRYSTALS-Dilithium, a finalist candidate for post-quantum digital signature.

By invoking multiple optimizations to leverage parallelism, pre-computation and memory access sharing, we obtain an implementation that could be fit into one of the smallest Zynq FPGA. On Zynq Ultrascale+, our design achieves an improvement of about 36.7%/35.4%/42.3% in Area×Time (LUTs×s) trade-off for KeyGen/Sign/Verify respectively over state-of-the-art implementation. We also evaluate our design as a co-processor on three different hardware platforms and compare the results with software implementation, thus presenting a detailed evaluation of CRYSTALS-Dilithium targeted for embedded applications. Further, on ASIC using TSMC 65nm technology, our design requires 0.227mm$^2$ area and can operate at a frequency of 1.176 GHz. As a result, it only requires 53.7μs/96.9μs/57.7μs for KeyGen/Sign/Verify operation for the best-case scenario.

Event date: 19 October to 21 October 2022
Submission deadline: 30 May 2022
Notification: 30 June 2022

Event date: 12 July to 15 July 2022

Event date: 24 August to 26 August 2022
Submission deadline: 8 June 2022
Notification: 18 July 2022

A full-time 2-year postdoctoral position is available at IMB (Institut de Mathématiques de Bordeaux), supported by the ANR-NSF project CHARM (Cryptographic hardness of module lattices). Potential research topics include:

• Lattice algorithms and cryptanalysis (shortest or closest vector problems, LWE, for rings, modules or lattices)
• Algebraic number theory and lattices (geometry of numbers, ideals in numbers fields, automorphic forms)
• Quantum algorithms for lattices (security proofs, cryptanalysis)

The candidate should hold a PhD degree in Mathematics or Computer Science, and should have a strong record related to any of the above topics. Starting date is flexible, preferably before October 2022.
To apply, please send your CV, a motivation letter and names of at least two persons who can provide reference letters.
The CHARM project is a collaboration between four scientific intitutions in France and in the USA. Members in Bordeaux are: Bill Allombert, Karim Belabas, Aurel Page, Alice Pellet-Mary, and Benjamin Wesolowski.

Closing date for applications:

Contact: Benjamin Wesolowski, benjamin.wesolowski@math.u-bordeaux.fr

The Institute of Information Security and Dependability at KIT is looking for two PostDocs in privacy-preserving cryptographic protocols. Experiences with secure multi-party computation and MPC compilers and UC-based security models are desired. A track record in this field is expected, including publications at reputable conferences such as Crypto, Eurocrypt, ACM CCS, PETS, etc.

You will be a member of the KASTEL Security Research Labs (https://zentrum.kastel.kit.edu) and the Topic "Engineering Secure Systems" of the Helmholtz Association. Your research is dealing with cryptographic protocols for privacy-preserving computations, e.g., applied to mobility or productions systems. It will result in both theoretical security concepts (protocol designs, security proofs, etc.) and their practical implementation (e.g., a demonstrator) for some application domain. The contract will initially be limited to 1 year, but can be extended to several years.

If you are interested, please send an email including your CV and a list of publications to andy.rupp@partner.kit.edu. Applications will be considered until the positions are filled.

Closing date for applications:

Contact: Andy Rupp (andy.rupp@partner.kit.edu)

More information: https://crypto.kastel.kit.edu/english/research_group_rupp.php