International Association
for Cryptologic Research

The Research group on Cryptology and Information Security (GiCSI) of the Spanish National Research Council is seeking highly motivated professionals in applying for the Comfuturo call (https://comfuturo.es/) to conduct research in the area of cryptographic privacy-enhancing technologies, blockchain-based protocols and security protocols. ComFuturo is a 60-month programme that offers 15 ComFuturo 36-month fellowships to Experienced Researchers of any nationality who have obtained their PhD in the last 10 years and who have not resided or carried out their main activity (work or studies) in Spain for more that 12 months in the last 3 years. The ComFuturo fellows will be selected through a single call and an objective and transparent process which will include an external evaluation. The Spanish National Research Council will recruit, hire and host them. The gross salary is estimated to be around 39.000 - 43.000 €/year. The Research Group in Cryptography and Security is looking for candidates with interest in working in applied cryptography and collaborate with the on-goin H2020 SPIRS project (https://www.spirs-project.eu/) and the Horizon Euroep GOIT project (https://wiki.f-si.org/index.php Horizon_2021_Coordination_and_Support_Action_(CSA)_proposal). Candidates interested in conducting research in quantum-safe cryptography are also welcomed.

Closing date for applications:

Contact: david.arroyo@csic.es

More information: https://comfuturo.es/

LIST is looking for a highly motivated candidate with proven skills in healing the security issues that befall modern software during its development lifecycle, to work on a research project funded by EC with a three-years duration. The recently introduced area of DevSecOps - in medium to large companies - unfortunately lacks automated security tools, while most existing solutions are targeting only one narrow step of the software development lifecycle (SDLC) process but miss a much-needed holistic overview of the global security solution. In this context, the LAZARUS project innovates by intervening in multiple steps of the SDLC, performing targeted security checks and collecting valuable information and intelligence from each step, and exploiting advanced ML and AI methods to convert this intelligence into actionable insights and recommendations. The specific missions of the candidate will include, but are not limited to, participating into the following activities along the project partners:

(1) To predict software security defects before deployment and prevent security breaches.

(2) To develop a set of algorithms that allow quantifying software exploitability and facilitate the work of correcting its errors.

(3) To develop and apply new model-checking techniques to verify the security of software.

(4) To specify and develop two workflow-disruptive techniques which leverages Intel SGX enclave trusted but with the lowest impact on the software lifecycle and on its performance.

(5) To implement and test the developed solutions.

(6) To develop ex-ante information security policies for the demonstration and implement periodic reviews to objectively evaluate adherence to the policies.

Closing date for applications:

Contact: Dr. Qiang Tang (qiang.tang@list.lu)

IOG is a leading company in the crypto industry. We are designing and implementing different blockchains using Proof of Work, Proof of Stake, and permissioned BFT.

We are leaders in the research field, with more than a hundred research papers published in the most influential cryptography conferences and journals (NDSS, ICDCS, EUROCRYPT, CRYPTO, SODA, ACM CCS, Financial Cryptography, ESORICS, S&P, Euro S&P, etc).

Your mission

• Define short, mid, and long term roadmaps for implementation of cryptographic primitives
• Synchronize with the Director of Engineering (or, by default, the CTO) to validate the roadmap, requirements, and strategy for the cryptographic engineering team
• Define and structure the team that is required to satisfy this roadmap
• Provide secure implementations of the cryptographic primitives required by IO projects
• Read and review cryptographic research papers and contribute when possible to implement them as prototypes
• Design, specify, implement, and improve cryptographic primitives in production-grade software directly or delegate to and supervise the applied cryptographers in charge of it
• Review, integrate, and improve common cryptographic primitives, and translate them to other programming languages or delegate/supervise the applied cryptographers in charge of it.

Requirements:

• A STEM Master’s or PhD degree
Solid experience in managing small teams of cryptographic engineers
• Solid understanding of cryptography, its basic theories, and uses
• Senior expertise in developing cryptographic primitives in C/C++ and Rust
• Senior expertise in standard cryptography domains
• Ability to learn new domains like zero-knowledge proofs and MPC and project innovation roadmaps
• Clear understanding and experience of implementing cryptographic primitives delivered by researchers

Please apply via the attached job board link (further details on website).

Closing date for applications:

Contact: Aadil S.

More information: https://apply.workable.com/io-global/j/69087296EB/

Passionate about Cryptography? Want to keep doing research while receiving a good pay? Come and join us as a Post Doctoral Fellow at Lund University! 😎

The Deal: Come here, do good research, share your knowledge. We'll pay you and help you shape your career towards your next goal! For further, official details, follow the link in the ad title.
Eyebird view of your role: You will be part of the research ecosystems around the SSF project SMARTY: Secure Software Update Deployment for the Smart City (RIT17-0035). This will give you access to an exciting workplace where you can foster research in collaboration with your new colleagues. As you'll be joining the security section of the SMARTY team, you will work with one senior researcher (Elena Pagnin) and one PhD student towards the following goals:

• Improving the efficiency of PQ primitives to better suit modern resourceful IoT devices.
• Investigating the potential of lightweight MPC for networks of IoT devices.
• Advancing the research frontiers in PETs, VC, and in other cryptographic schemes suitable for real-time system.

To help you gain experience, you will be given significant research autonomy, and the chance to influence the final outcome of the project. Moreover, if you'd like to develop other skills, you can aid in the supervision of PhD students and Masters' projects, teaching at Masters' and PhD level, and take career-development courses offered by Lund University.
Funding & Timing: You get a 2-year, full-time employment as a Postdoctor at Lund university. The position is available immediately and with a flexible start date. There is an option to renew the contract for 1 additional year subject to acquiring funding (either by the candidate or by the host).

Closing date for applications:

Contact: Applications only via the official link: https://lu.varbi.com/en/what:job/jobID:500134/

More information: https://lu.varbi.com/en/what:job/jobID:500134/

Passionate about cryptography? Want to work on designing, reviewing and implementing cryptography to solve impactful security and privacy problems? Follow the link or contact me directly!

Closing date for applications:

Contact: ysierra (at) apple.com

More information: https://jobs.apple.com/en-us/details/200312812/cryptographic-engineer

Are you an Applied Cryptologist that has a track record in the implementation of products with fundamental cryptology features? Do you have a relevant Master and coding experience in the area of Applied Cryptology? Do you want to design, code and co-invent the next generation of Distributed Systems protocols? At QPQ, we are building the Internet of Economics, a new approach to a compliant and regulated financial systems infrastructure.

What do we give you?
• A stimulating, Socratic intellectual environment.
• Hybrid office approach – we have been a distributed workforce from the start. This role is centred around our European axis, so we expect you to live within +/- 3 hours of CET. We get together a complete team every quarter, so you must be willing to travel and embrace being part of a diverse team drawn from many walks of life and cultures.
• Good salary, travel expense budget and many future opportunities to participate in the company’s growth.
• The mother of all intellectual challenges!

Responsibilities:
• implement and embed in products cryptographic protocols in the privacy space.
• Working with a multi-faceted team of practitioners on a set of blockchain-based privacy protocols interacting with the DeFi space and providing compliance with financial regulations.
• Focus on zero knowledge schemes which provide privacy and compliance.

Requirements:
• MSc or multi-year experience in cryptography or a closely related field.
• Knowledge of modern cryptographic primitives.
• Be able to productize protocols/schemes/algorithms in at least one relevant programming language (C++ or Rust desirable).
• General understanding of full-stack system architecture.
• Have a thorough approach and be committed to high quality output. Have prior research/code already published in the space.
- Excellent communication and collaboration skills.

Closing date for applications:

Contact: opportunities@qpq.io

We are looking for talented and motivated Post-docs to work on the ERC AdG project PROCONTRA: Smart-Contract Protocols: Theory for Applications. The project is about theoretical and applied aspects of blockchain and smart contracts. The ideal candidates should have a Ph.D. degree in cryptography (or related field) from a leading university, and a proven record of publications in top cryptography/security/TCS venues. We offer a competitive salary, a budget for conference travel and research visit, and membership in a young and vibrant team with several international contacts (for more see: www.crypto.edu.pl). A successful candidate will be given substantial academic freedom and can work on a variety of research problems related to the main theme of the project.

Closing date for applications:

Contact: Stefan Dziembowski

More information: https://www.crypto.edu.pl/post-doc

We currently have an opening for a tenure-track assistant professor or associate professor at the Technical University of Denmark. The opening is for research in all areas of cyber security including all areas of cryptography. For more information, click the title link. For questions, feel free to contact us.

Closing date for applications:

Contact: Tyge Tiessen or Christian Majenz (tyti or chmaj at dtu.dk)

More information: https://www.compute.dtu.dk/om-os/ledige-stillinger/job?id=2e9ac066-5deb-4361-a669-7fdcb405f2f8

The most common application for side-channel attacks is the extraction of secret information, such as key material, from the implementation of a cryptographic algorithm. However, using side-channel information, we can extract other types of information related to the internal state of a computing device, such as the instructions executed and the content of registers. We used machine learning to build a side-channel disassembler for the ARM-Cortex M0 architecture, which can extract the executed instructions from the power traces of the device. Our disassembler achieves a success rate of 99% under ideal conditions and 88.2% under realistic conditions when distinguishing between groups of instructions. We also provide an overview of the lessons learned in relation to data preparation and noise minimization techniques.

In this paper we study the effect of using small prime numbers within the Joye-Libert public key encryption scheme. We introduce two novel versions and prove their security. We further show how to choose the system's parameters such that the security results hold. Moreover, we provide a practical comparison between the cryptographic algorithms we introduced and the original Joye-Libert cryptosystem.

Protocols solving the Distributed Discrete Logarithm (DDLog) problem are a core component of many recent constructions of group-based homomorphic secret sharing schemes. On a high-level, these protocols enable two parties to transform multiplicative shares of a secret into additive share locally without any communication. Due to their important applications, various generic optimized DDLog protocols were proposed in the literature, culminating in the asymptotically optimal generic protocol of Dinur, Keller, and Klein (J. Cryptol. 2020) solving DDLog in time $T$ with error probability $O(W/T^2)$ when the magnitude of the secret is bounded by $W$.

Given that DDLog is solved repeatedly with respect to a fixed group in its applications, a natural approach for improving the efficiency of DDLog protocols could be via leveraging some precomputed group-specific advice. To understand the limitations of this approach, we revisit the distributed discrete logarithm problem in the preprocessing model and study the possible time-space trade-offs for DDLog in the generic group model. As our main result, we show that, in a group of size $N$, any generic DDLog protocol for secrets of magnitude $W$ with parties running in time $T$ using precomputed group-specific advice of size $S$ has success probability \[ \epsilon = O\left(\dfrac{T^2}{W} + \dfrac{\max\{S,\log W\} \cdot T^2}{N}\right). \] Thus, assuming $N \geq W \log W$, we get a lower bound $ST^2= \Omega(\epsilon N)$ on the time-space trade-off for DDLog protocols using large advice of size $S= \Omega(N/W)$. Interestingly, for DDLog protocols using \emph{small advice} of size $S=O(N/W)$, we get a lower bound $T^2=\Omega(\epsilon W)$ on the running time, which, in the constant-error regime, asymptotically matches the running time of the DDLog protocol \emph{without any advice} of Dinur et al. (J. Cryptol. 2020). In other words, we show that generic DDLog protocols achieving constant success probability do not benefit from any advice of size $S= O(N/W)$ in the online phase of the DDLog problem.

Verifiable Delay Functions (VDFs) are a set of new crypto- graphic schemes ensuring that an agent has spent some time (evaluation phase) in a unparalleled computation. A key requirement for such a construction is that the verification of the computation’s correctness has to be done in a significantly shorter time than the evaluation phase. This has led VDFs to recently gain exposure in large-scale decentralized projects as a core component of consensus algorithms or spam-prevention mechanisms. In this work, due to the increasing relevance and the lack of literature, we will focus on the optimization of the verification phase of Wesolowski’s VDF and provide a three-axis of improvement concerning multi-exponentiation computation, prime testing techniques, and hash- ing tricks. We will show that our optimizations reduce the computation time of the verification phase between 12% and 35% for the range of parameters considered.

This paper proposes a new block cipher called HARPOCRATES, which is different from traditional SPN, Feistel, or ARX designs. The new design structure that we use is called the substitution convolution network. The novelty of the approach lies in that the substitution function does not use fixed S-boxes. Instead, it uses a key-driven lookup table storing a permutation of all 8-bit values. If the lookup table is sufficiently randomly shuffled, the round sub-operations achieve good confusion and diffusion to the cipher. While designing the cipher, the security, cost, and performances are balanced, keeping the requirements of encryption of data-at-rest in mind. The round sub-operations are massively parallelizable and designed such that a single active bit may make the entire state (an 8 × 16 binary matrix) active in one round. We analyze the security of the cipher against linear, differential, and impossible differential cryptanalysis. The cipher’s resistance against many other attacks like algebraic attacks, structural attacks, and weak keys are also shown. We implemented the cipher in software and hardware; found that the software implementation of the cipher results in better throughput than many well-known ciphers. Although HARPOCRATES is appropriate for the encryption of data-at-rest, it is also well-suited in data-in-transit environments.

An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ''hard supersingular curves,'' that is, concrete supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. Or, even better, to produce a hash function to the vertices of the supersingular ℓ-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hopes that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.

Permutation polynomials of finite fields have many applications in Coding Theory, Cryptography and Combinatorics. In the first part of this paper we present a new family of local permutation polynomials based on a class of symmetric subgroups without fixed points, the so called e-Klenian groups. In the second part we use the fact that bivariate local permutation polynomials define Latin Squares, to discuss several constructions of Mutually Orthogonal Latin Squares (MOLS) and, in particular, we provide a new family of MOLS on size a prime power.

As integrated circuit (IC) design and manufacturing have become highly globalized, hardware security risks become more prominent as malicious parties can exploit multiple stages of the supply chain for profit. Two potential targets in this chain are third-party intellectual property (3PIP) vendors and their customers. Untrusted parties can insert hardware Trojans into 3PIP circuit designs that can both alter device functionalities when triggered or create a side channel to leak sensitive information such as cryptographic keys. To mitigate this risk, the absence of Trojans in 3PIP designs should be verified before integration, imposing a major challenge for vendors who have to argue their IPs are safe to use, while also maintaining the privacy of their designs before ownership is transferred. To achieve this goal, in this work we employ modern cryptographic protocols for zero-knowledge proofs and enable 3PIP vendors prove an IP design is free of Trojan triggers without disclosing the corresponding netlist. Our approach uses a specialized circuit compiler that transforms arbitrary netlists into a zero-knowledge-friendly format, and introduces a versatile Trojan detection module that maintains the privacy of the actual netlist. We evaluate the effectiveness of our methodology using selected benchmarks.

Homomorphic encryption is one of the most secure solutions for processing sensitive information in untrusted environments, and there have been many recent advances towards its efficient implementation for the evaluation of linear functions and approximated arithmetic. However, the practical performance when evaluating arbitrary (nonlinear) functions is still a major challenge for HE schemes. The TFHE scheme [Chillotti et al., 2016] is the current state-of-the-art for the evaluation of arbitrary functions, and, in this work, we focus on improving its performance. We divide this paper into two parts. First, we review and implement the main techniques to improve performance or error behavior in TFHE proposed so far. For many, this is the first practical implementation. Then, we introduce novel improvements to several of them and new approaches to implement some commonly used procedures. We also show which proposals can be suitably combined to achieve better results. We provide a single library containing all the reviewed techniques as well as our original contributions. Our implementation is up to 1.2 times faster than previous ones with a similar optimization level, and our novel techniques provide speedups of up to 2.83 times on algorithms such as the Full-Domain Functional Bootstrap (FDFB).

In this paper, we propose the first key-recovery side-channel attack on Classic McEliece, a KEM finalist in the NIST Post-quantum Cryptography Standardization Project. Our novel idea is to design an attack algorithm where we submit special ciphertexts to the decryption oracle that correspond to cases of single errors. Decoding of such cipher-texts involves only a single entry in a large secret permutation, which is part of the secret key. Through an identified leakage in the additive FFT step used to evaluate the error locator polynomial, a single entry of the secret permutation can be determined. Reiterating this for other entries leads to full secret key recovery.

The attack is described using power analysis both on the FPGA reference implementation and a software implementation running on an ARM Cortex-M4. We use a machine-learning-based classification algorithm to determine the error locator polynomial from a single trace. The attack is fully implemented and evaluated in the Chipwhisperer framework and is successful in practice. For the smallest parameter set, it is using about 300 traces for partial key recovery and less than 800 traces for full key recovery, in the FPGA case. A similar number of traces are required for a successful attack on the ARM software implementation.

Automated search methods based on Satisfiability Modulo Theories (SMT) problems are being widely used to evaluate the security of block ciphers against distinguishing attacks. While these methods provide a systematic and generic methodology, most of their software implementations are limited to a small set of ciphers and attacks, and extending these implementations requires significant effort and expertise.

In this work we present CASCADA, an open-source Python library to evaluate the security of cryptographic primitives, specially block ciphers, against distinguishing attacks with bit-vector SMT solvers. The tool CASCADA implements the bit-vector property framework herein proposed and several SMT-based automated search methods to evaluate the security of ciphers against differential, related-key differential, rotational-XOR, impossible-differential, impossible-rotational-XOR, related-key impossible-differential, linear and zero-correlation cryptanalysis. The library CASCADA is the result of a huge engineering effort, and it provides many functionalities, a modular design, an extensive documentation and a complete suite of tests.

ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, the recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding the differential models of the non-linear operations. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods.

In this paper, we present the first bit-vector differential model for the $n$-bit modular addition by a constant input. Our model contains $O(\log_2(n))$ basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers including constant additions. We also introduce a new automated method for obtaining impossible differentials where we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool \texttt{ArxPy} to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As some examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which achieve better results compared to previous works.