31 May 2022

Hanjun Li, Huijia Lin, and Ji Luo
An important theme in research on attribute-based encryption (ABE) is minimizing the sizes of the secret keys and ciphertexts. In this work, we present two new ABE schemes with *constant-size* secret keys, that is, the key size is independent of the sizes of policies or attributes, and dependent only on the security parameter lambda.

* We construct the first key-policy ABE scheme for circuits with constant-size secret keys, |sk_f|=poly(lambda), which concretely consist of only three group elements. The previous state-of-the-art construction by [Boneh et al., Eurocrypt '14] has key size polynomial in the maximum depth d of the policy circuits, |sk_f|=poly(d,lambda). Our new scheme removes this dependency of key size on d while keeping the ciphertext size the same, which grows linearly in the attribute length and polynomially in the maximal depth, |ct|=|x|poly(d,lambda).

* We present the first ciphertext-policy ABE scheme for Boolean formulae that simultaneously has constant-size keys and succinct ciphertexts of size independent of the policy formulae, in particular, |sk_f|=poly(lambda) and |ct_x|=poly(|x|,lambda). Concretely, each secret key consists of only two group elements. Previous ciphertext-policy ABE schemes either have succinct ciphertexts but non constant-size keys [Agrawal--Yamada, Eurocrypt '20; Agrawal--Wichs--Yamada, TCC '20], or constant-size keys but large ciphertexts that grow with the policy size, as well as the attribute length. Our second construction is the first ABE scheme achieving *double succinctness*, where both keys and ciphertexts are smaller than the corresponding attributes and policies tied to them.

Our constructions feature new ways of combining lattices with pairing groups for building ABE and are proven selectively secure based on LWE and in the generic (pairing) group model. We further show that when replacing the LWE assumption with its adaptive variant introduced in [Quach--Wee--Wichs FOCS '18] the constructions become adaptively secure.
Ghada Almashaqbeh, Ran Canetti, Yaniv Erlich, Jonathan Gershoni, Tal Malkin, Itsik Pe’er, Anna Roitburd-Berman, and Eran Tromer
We propose a mechanism for generating and manipulating protein polymers to obtain a new type of consumable storage that exhibits intriguing cryptographic "self-destruct" properties, assuming the hardness of certain polymer-sequencing problems. To demonstrate the cryptographic potential of this technology, we first develop a formalism that captures (in a minimalistic way) the functionality and security properties provided by the technology. Next, using this technology, we construct and prove security of two cryptographic applications that are currently obtainable only via trusted hardware that implements logical circuitry (either classical or quantum). The first application is a password-controlled secure vault where the stored data is irrecoverably erased once a threshold of unsuccessful access attempts is reached. The second is (a somewhat relaxed version of) one-time programs, namely a device that allows evaluating a secret function only a limited number of times before self-destructing, where each evaluation is made on a fresh user-chosen input. Finally, while our constructions, modeling, and analysis are designed to capture the proposed polymer-based technology, they are sufficiently general to be of potential independent interest.
Robin Geelen, Michiel Van Beirendonck, Hilder V. L. Pereira, Brian Huffman, Tynan McAuley, Ben Selfridge, Daniel Wagner, Georgios Dimou, Ingrid Verbauwhede, Frederik Vercauteren, and David W. Archer
Fully Homomorphic Encryption (FHE) allows for secure computation on encrypted data. It enables a variety of theoretical and practical applications, but is still several orders of magnitudes too slow to be practical. We present BASALISC, an architecture family of FHE hardware accelerators that aims to substantially accelerate FHE computations in the cloud. BASALISC implements Brakerski, Gentry, and Vaikuntanathan's (BGV) scheme and supports a range of parameter sets. In contrast to many prior studies, we directly support and implement BGV bootstrapping - the noise removal capability necessary to support arbitrary-depth computation.

BASALISC exploits data representation in residue number systems and number-theoretic transforms to realize massive FHE parallelism. We propose a new generalized version of bootstrapping that can be implemented with optimized Montgomery multipliers that cost 46% less in silicon area and 40% less in power consumption versus traditional approaches. BASALISC is a Reduced Instruction Set Computing (RISC) architecture with a four-layer memory hierarchy, including a two-dimensional conflict-free inner memory layer that enables 32 Tb/s radix-256 number-theoretic transform (NTT) computations without pipeline stalls. Our conflict-resolution data permutation hardware is re-used to compute BGV automorphisms without additional hardware and without throughput penalty. BASALISC additionally includes a custom multiply-accumulate unit familiar in Digital Signal Processing (DSP) architectures, with which we accelerate tight BGV key switching loops. The BASALISC computation units and inner memory layers are designed in asynchronous logic, allowing them to run at different speeds to optimize each function. BASALISC is designed for Application-Specific Integrated Circuit (ASIC) implementation with a 1 GHz operational frequency, and is already underway toward tape-out with a 150mm2 die size in a 12nm Global Foundries process.

The BASALISC toolchain comprises both a custom compiler and a joint performance and correctness simulator. We evaluate BASALISC in multiple ways: we study its physical realizability; we emulate and formally verify its core functional units; and we study its performance on a single iteration of logistic regression training over encrypted data. For this application, comprising from up to 900K high-level BASALISC instructions (including 513 bootstraps) down to 27B low-level instructions, we show a speedup of at least 2,025x over HElib - a popular software FHE library - running on a Xeon-class processor.
Martin R. Albrecht and Yixin Shen
We present a quantum augmented variant of the dual lattice attack on the Learning with Errors (LWE) problem, using classical memory with quantum random access (QRACM). Applying our results to lattice parameters from the literature, we find that our algorithm outperforms previous algorithms, assuming unit cost access to a QRACM.

On a technical level, we show how to obtain a quantum speedup on the search for Fast Fourier Transform (FFT) coefficients above a given threshold by leveraging the relative sparseness of the FFT and using quantum amplitude estimation. We also discuss the applicability of the Quantum Fourier Transform in this context. Furthermore, we give a more rigorous analysis of the classical and quantum expected complexity of guessing part of the secret vector where coefficients follow a discrete Gaussian (mod \(q\)).
Keewoo Lee
We revisit the question of what should be the definition of bit security, previously answered by Micciancio-Walter (Eurocrypt 2018) and Watanabe-Yasunaga (Asiacrypt 2021). Our new definition is simple, but (i) captures both search and decision primitives in a single framework like Micciancio-Walter, and (ii) has a firm operational meaning like Watanabe-Yasunaga. It also matches intuitive expectations and can be easily well-estimated in terms of Kullback-Leibler divergence. Along the way of defining bit security and justifying our definition, we raise undervalued concepts such as allowing aborts in security games, considering partial adversaries, and verifiability in security games.
Péter Kutas and Christophe Petit
Isogeny-based cryptography is a promising approach for post-quantum cryptography.

The best-known protocol following that approach is the supersingular isogeny Diffie-Hellman protocol (SIDH); this protocol was turned into the CCA-secure key encapsulation mechanism SIKE, which was submitted to and remains in the third round of NIST's post-quantum standardization process as an ``alternate'' candidate.

Isogeny-based cryptography generally relies on the conjectured hardness of computing an isogeny between two isogenous elliptic curves, and most cryptanalytic work referenced on SIKE's webpage exclusively focuses on that problem.

Interestingly, the hardness of this problem is sufficient for neither SIDH nor SIKE. In particular, these protocols reveal additional information on the secret isogeny, in the form of images of specific torsion points through the isogeny.

This paper surveys existing cryptanalysis approaches exploiting this often called ``torsion point information'', summarizes their current impact on SIKE and related algorithms, and suggests some research directions that might lead to further impact.
Binbin Tu, Yu Chen, Qi Liu, and Cong Zhang
Private set union (PSU) allows two parties to compute the union of their sets without revealing anything except the union and it has found numerous applications in practice. Recently, some computationally efficient PSU protocols have been designed in the balanced case, but a potential limitation with these approaches is the communication complexity, which scales linearly with the size of the larger set. This is of particular concern when performing PSU in the unbalanced case, where one party is a constrained device (cellphone) holding a small set, and another is a large service provider.

In this work, we propose a generic framework of using the leveled fully homomorphic encryption and a newly introduced protocol called permute matrix Private EQuality Test (pm-PEQT) to construct the \emph{unbalanced} PSU that is secure against semi-honest adversaries. By instantiating the pm-PEQT, we obtain fast unbalanced PSU protocols with a small communication overhead. Our protocol has communication complexity \emph{linear in the size of the smaller set, and logarithmic in the larger set}. More precisely, if the set sizes are $|X|\ll |Y|$, our protocol achieves a communication overhead of $O(|X|\log |Y|)$.

Finally, we implement our protocols that can compare with the state-of-the-art PSU. Experiments show that our protocols are more efficient than all previous protocols in the unbalanced case, especially, the larger the difference of two set sizes, the better our protocols perform. Our running-time-optimized benchmarks show that it takes 18.782 seconds of computation and 2.179 MB of communication to compute the union between $2^{10}$ strings and $2^{19}$ strings. Compared to prior secure PSU proposed by Jia et al. (Usenix Security 2022), this is roughly a $300 \times$ reduction in communication and $20 \times$ reduction in computational overhead with a single thread in WAN/LAN settings.
Yu Chen, Min Zhang, Cong Zhang, and Minglang Dong
Private set operations allow two parties perform secure computation on two private sets, such as intersection or union related functions. In this paper, we identify a framework for performing private set operations. At the technical core of our framework is multi-query reverse private membership test (mqRPMT), which is a natural extension of RPMT recently proposed by Kolesnikov et al. (ASIACRYPT 2019). In mqRPMT, a client with set $X = (x_1, \dots, x_n)$ interacts with a server holding a set $Y$. As a result, the server only learns a bit vector $(e_1, \dots, e_n)$ indicating whether $x_i \in Y$ but without knowing the value of $x_i$, while the client learns nothing. We present two constructions of mqRPMT from newly introduced cryptographic primitive and protocol. One is is based on commutative weak pseudorandom function (cwPRF), the other is based on permuted oblivious pseudorandom functions (pOPRF). Both cwPRF and pOPRF can be instantiated from the decisional Diffie-Hellman like assumptions in the random oracle model. We also introduce a slight weak version of mqRPMT dubbed mqRPMT$^*$, in which the client learns the cardinality of $X \cup Y$. We show mqRPMT$^*$ can be build from a category of mqPMT called Sigma-mqPMT, which in turn can be realized from the DDH assumption or oblivious polynomial evaluation. This makes the first step towards establishing the relation between the two building blocks.

We demonstrate the practicality of our framework with implementations. By plugging our cwPRF-based mqRPMT to the general framework, we obtain the first PSU protocol with strict linear complexity. For input sets of size $2^{20}$, the resulting PSU protocol requires roughly 80 MB bandwidth, and 50 seconds using 8 threads. To the best of our knowledge, it requires the least communication among all the known PSU protocols. By plugging our FHE-based mqRPMT$^*$ to the general framework, we obtain a PSU$^*$ suitable for unbalanced setting, whose communication complexity is linear in the size of the smaller set, and logarithmic in the larger set.

29 May 2022

Mysten Labs
Mysten Labs is looking for 2 interns in blockchain cryptography with a focus in any of the following topics: Private NFTs, Anonymous Transactions, Key Loss Protection, Multi-Signatures and Zero Knowledge Proofs.

Successful applicants will work closely with experts in both academia and industry including George Danezis, Konstantinos Chalkias, Foteini Baldimtsi, Alberto Sonnino, François Garillot, Sam Blackshear, Lefteris Kokoris-Kogias, while enjoying a high degree of ownership & autonomy in working conditions & task prioritization.

Ideal candidate expectations:
- PhD or PostDoc researcher - or - engineer in cryptography, software security or distributed systems.

- at least one publication in any of the top cryptography, privacy and security conferences, such as: CCS, S&P, CRYPTO, USENIX SECURITY, EUROCRYPT, ASIACRYPT, NDSS, FC, AsiaCCS, EUROS&P, PETS, CT-RSA, ESORICS etc.

- Understanding of fundamental cryptographic schemes & underlying math for any of the following: hash functions, finite field arithmetic, polynomials (FFT) & elliptic curves, bilinear pairings, threshold signatures.

- Experience implementing high-performance & parallelizable protocols in languages such as Rust, Go, Java, or C/C++, and Github portfolio or productionized implementation will be a plus.

Our team is 100% remote & we are hiring across the world. Here at Mysten Labs, you’ll be joining a world class team with tremendous growth potential. We raised our 1st funding round ($36m series A) from top Silicon Valley VCs led by Andreessen Horowitz (a16z) with participation from Redpoint, Lightspeed, Coinbase Ventures, Electric Capital, Standard Crypto, NFX, Slow Ventures, Scribble Ventures, Samsung Next, Lux Capital etc.

HOW TO APPLY: Applicants are invited to e-mail their CV (use title: Summer 2022 Cryptography Internship) to

Closing date for applications:

Contact: Kostas Chalkias (Chief Cryptographer)

JP Morgan Chase, various locations in US
We are looking for a cryptography engineer who will be part of the Blockchain Technology Security Group to build foundational services for JP Morgan distributed ledger technology initiatives. In this role, you will be designing and coding security components and applications. You will have the exciting challenge of working on cutting-edge technology and building enterprise solutions that cater to all the lines of business. You’ll work in a collaborative, trusting, thought-provoking environment—one that encourages diversity of thought and creative solutions that are in the best interests of our customers globally



  • Experience as applied cryptographer
  • Experience with OpenSSL /TLS API; threading and socket programming in Linux, HSMs, and PKCS #11
  • Solid understanding of Linux OS with strong knowledge of object oriented programming; specifically high-level languages such as Java, Python, Go, and node.js, C, C++ and Bash
  • Familiar/Experience building solutions for digital assets and distributed ledger technology (blockchain) with focus on algorithms and data structures
  • Desirable: Experience with multi-party computation (MPC) & HSMs and custody crypto assets

Closing date for applications:

Contact: France Law (

Telecom Paris, Institut Polytechnique de Paris
We have a Chair of Junior Professor at Telecom Paris, Institut Polytechnique de Paris, the priority themes for this position are cryptography, data protection, network security, and software security. This 5-year contract Chair has several advantages: a maximum teaching load of 64h per year; associated funding of 320 K€ available at the start of the work; competitive salary; no requirement of the French language; after a 5-year contract, the junior professor can be directly appointed as a Full professor (a permanent, tenured position). Application deadline: August 31, 2022. More information on this position:

Closing date for applications:

Contact: Hieu Phan (

More information:


28 May 2022

Ananya Appan, Anirudh Chandramouli, and Ashish Choudhury
In this paper, we design secure multi-party computation (MPC) protocols in the asynchronous communication setting with optimal resilience. Our protocols are secure against a computationally-unbounded malicious adversary, characterized by an adversary structure $\mathcal{Z}$, which enumerates all possible subsets of potentially corrupt parties. Our protocols incur a communication of $\mathcal{O}(|\mathcal{Z}|^2)$ and $\mathcal{O}(|\mathcal{Z}|)$ bits per multiplication for perfect and statistical security respectively. These are the first protocols with this communication complexity, as such protocols were known only in the synchronous communication setting (Hirt and Tschudi, ASIACRYPT 2013).
Jason T. LeGrow, Yan Bo Ti, and Lukas Zobernig
We consider the use of supersingular abelian surfaces in cryptography. Several generalisations of well-known cryptographic schemes and constructions based on supersingular elliptic curves to the 2-dimensional setting of superspecial abelian surfaces have been proposed. The computational assumptions in the superspecial 2-dimensional case can be reduced to the corresponding 1-dimensional problems via a product decomposition by observing that every superspecial abelian surface is non-simple and separably isogenous to a product of supersingular elliptic curves. Instead, we propose to use supersingular non-superspecial isogeny graphs where such a product decomposition does not have a computable description via separable isogenies. We study the advantages and investigate security concerns of the move to supersingular non-superspecial abelian surfaces.
Nico Döttling, Sanjam Garg, Sruthi Sekar, and Mingyuan Wang
Side-stepping the protection provided by cryptography, exfiltration attacks are becoming a considerable real-world threat. With the goal of mitigating the exfiltration of cryptographic keys, big-key cryptosystems have been developed over the past few years. These systems come with very large secret keys which are thus hard to exfiltrate. Typically, in such systems, the setup time must be large as it generates the large secret key. However, subsequently, the encryption and decryption operations, that must be performed repeatedly, are required to be efficient. Specifically, the encryption uses only a small public key and the decryption only accesses small ciphertext-dependent parts of the full secret key. Nonetheless, these schemes require decryption to have access to the entire secret key. Thus, using such big-key cryptosystems necessitate that users carry around large secret keys on their devices, which can be a hassle and in some cases might also render exfiltration easy.

With the goal of removing this problem, in this work, we initiate the study of big-key identity-based encryption (bk-IBE). In such a system, the master secret key is allowed to be large but we require that the identity-based secret keys are short. This allows users to use the identity-based short keys as the ephemeral secret keys that can be more easily carried around and allow for decrypting ciphertexts matching a particular identity, e.g. messages that were encrypted on a particular date. In particular:

-We build a new definitional framework for bk-IBE capturing a range of applications. In the case when the exfiltration is small our definition promises stronger security --- namely, an adversary can break semantic security for only a few identities, proportional to the amount of leakage it gets. In contrast, in the catastrophic case where a large fraction of the master secret key has been ex-filtrated, we can still resort to a guarantee that the ciphertexts generated for a randomly chosen identity (or, an identity with enough entropy) remain protected. We demonstrate how this framework captures the best possible security guarantees.

-We show the first construction of such a bk-IBE offering strong security properties. Our construction is based on standard assumptions on groups with bilinear pairings and brings together techniques from seemingly different contexts such as leakage resilient cryptography, reusable two-round MPC, and laconic oblivious transfer. We expect our techniques to be of independent interest.
Javad Ghareh Chamani, Dimitrios Papadopoulos, Mohammadamin Karbasforushan, and Ioannis Demertzis
We focus on the problem of Dynamic Searchable Encryption (DSE) with efficient (optimal/quasi-optimal) search in the presence of deletions. Towards that end, we first propose OSSE, the first DSE scheme that can achieve asymptotically optimal search time, linear to the result size and independent of any prior deletions, improving the previous state of the art by a multiplicative logarithmic factor. We then propose our second scheme LLSE, that achieves a sublogarithmic search overhead ($\log\log i_w$, where $i_w$ is the number or prior insertions for a keyword) compared to the optimal achieved by OSSE. While this is slightly worse than our first scheme, it still outperforms prior works, while also achieving faster deletions and asymptotically smaller server storage. Both schemes have standard leakage profiles and are forward-and-backward private. Our experimental evaluation is very encouraging as it shows our schemes consistently outperform the prior state-of-the-art DSE by $1.3$-$6.4\times$ in search computation time, while also requiring just a single roundtrip to receive the search result. Even compared with prior simpler and very efficient constructions in which all deleted records are returned as part of the result, our OSSE achieves better performance for deletion rates ranging from 45-55%, while the previous state-of-the-art quasi-optimal scheme achieves this for 65-75% deletion rates.
Kyungbae Jang, Anubhab Baksi, Jakub Breier, Hwajeong Seo, and Anupam Chattopadhyay
In this paper, we present the quantum implementation and analysis of the recently proposed block cipher, DEFAULT. DEFAULT is consisted of two components, namely DEFAULT-LAYER and DEFAULT-CORE. Two instances of DEFAULT-LAYER is used before and after DEFAULT-CORE (the so-called `sandwich construction').

We discuss about the the various choices made to keep the cost for the basic quantum circuit and that of the Grover's oracle search, and compare it with the levels of quantum security specified by the United States' National Institute of Standards and Technology (NIST). All in all, our work nicely fits in the research trend of finding the possible quantum vulnerability of symmetric key ciphers.
Pascal Lafourcade, Gael Marcadet, and Léo Robert
In 1986, A.Yao introduced the notion of garbled circuits, designed to verify the correctness of computations performed on an untrusted server. However, correctness is guaranteed for only one input, meaning that a new garbled circuit must be created for each new input. To address this drawback, in 2010 Gennaro et al. performed the evaluation of the garbled circuit homomorphically using Fully Homomorphic Encryption scheme, allowing to reuse the same garbled circuit for new inputs. Their solution requires to encrypt the garbled circuit at every new input. In this paper, we propose a verifiable-computation scheme allowing to verify the correctness of computations performed by an untrusted server for multiple inputs, where the garbled circuit is homomorphically encrypted only once. Hence, we have a faster scheme comparing to Gennaro’s solution, since for each new input, we reduce the computations by the size of the circuit representing the function to be computed, for the same security level. The key point to obtain this speed-up is to rely on Multi-Key Homomorphic Encryption (MKHE) and then to encrypt only once the garbled circuit.
Michele Ciampi, Divya Ravi, Luisa Siniscalchi, and Hendrik Waldner
Secure multi-party computation (MPC) protocols that are resilient to a dishonest majority allow the adversary to get the output of the computation while, at the same time, forcing the honest parties to abort. Aumann and Lindell introduced the enhanced notion of security with identifiable abort, which still allows the adversary to trigger an abort but, at the same time, it enables the honest parties to agree on the identity of the party that led to the abort. More recently, in Eurocrypt 2016, Garg et al. showed that, assuming access to a simultaneous message exchange channel for all the parties, at least four rounds of communication are required to securely realize non-trivial functionalities in the plain model.

Following Garg et al., a sequence of works has matched this lower bound, but none of them achieved security with identifiable abort. In this work, we close this gap and show that four rounds of communication are also sufficient to securely realize any functionality with identifiable abort using standard and generic polynomial-time assumptions. To achieve this result we introduce the new notion of bounded-rewind secure MPC that guarantees security even against an adversary that performs a mild form of reset attacks. We show how to instantiate this primitive starting from any MPC protocol and by assuming trapdoor-permutations.

The notion of bounded-rewind secure MPC allows for easier parallel composition of MPC protocols with other (interactive) cryptographic primitives. Therefore, we believe that this primitive can be useful in other contexts in which it is crucial to combine multiple primitives with MPC protocols while keeping the round complexity of the final protocol low.

27 May 2022

Eindhoven University of Technology
Eindhoven University of Technology (TU/e), our Coding Theory and Cryptology (CC) group of the Discrete Mathematics (DM) cluster of the Department of Mathematics and Computer Science (M&CS) are looking for an (tenure-track) assistant professor in Cryptology. This vacancy is part of the Irène Curie Fellowship and is currently only open for female candidates.

The position will be part of the Coding Theory and Cryptology (CC) group, within the Discrete Mathematics (DM) cluster. The other group in DM is Discrete Algebra and Geometry. The CC group consists of one full professor (Lange), two associate professors (Schoenmakers and de Weger), and three assistant professors (Hülsing Ravagnani, and Schäge). CC provides undergraduate and graduate courses in cryptology, coding theory, algebra and number theory, as well as service teaching.

The ideal candidate has research experience complementing the existing strengths in CC and a background in mathematics but candidates from all areas of cryptology are encouraged to apply.

We look forward to your application and will screen it as soon as we have received it. Screening will continue until the position has been filled. We expect the first round of interviews in early July, so apply before June 20 to be considered in this round.

Closing date for applications:

Contact: Tanja Lange

More information:


26 May 2022

Melbourne, Australia, 10 July - 14 July 2023
Event date: 10 July to 14 July 2023
