International Association
for Cryptologic Research

We offer several postdoctoral positions at the networked quantum devices unit at Okinawa Institute of Science and Technology. Potential research topics include:

• Theory of quantum key distribution or other quantum cryptographic protocols.
• Private and quantum capacities of channels and networks.

The Okinawa Institute of Science and Technology Graduate University (OIST) is a dynamic new graduate university in Okinawa Prefecture, Japan. The university is located on 85 hectares of protected forestland overlooking beautiful shoreline and coral reefs. The campus is striking architecturally, and the facilities are outstanding. There are no academic departments, which facilitates multidisciplinary research. Outstanding resources and equipment are provided and managed to encourage easy access and collaboration. English is the official language of the University, and the university research community is fully international, with more than 50 countries represented. OIST has rapidly gained recognition in the worldwide academic community as a model for excellence.

Benefits:

• Relocation, housing and commuting allowances
• Annual paid leave and summer holidays
• Health insurance Private School Mutual Aid
• Welfare pension insurance (kousei-nenkin)
• Worker’s accident compensation insurance (roudousha-saigai-hoshou-hoken)

Closing date for applications:

Contact: David Elkouss

More information: https://groups.oist.jp/netq/postdoc-application-form

The cryptography research group at the Institute of Cybersecurity and Cryptology (iC2), University of Wollongong (UOW), Australia, is recruiting a PhD candidate for a joint research project between UOW and CSIRO/Data61. The candidate will be granted a full scholarship, including full tuition fee (AUD $32K/year) and attractive stipends (up to AUD $32K/year). The candidate will be supervised by Prof Willy Susilo, Dr Khoa Nguyen and a Data61 scientist. The candidate’s research will be closely related to Post-Quantum Cryptography, an important and trendy research area aiming to build robust cryptographic systems that remain secure in the long-term future. The research group at iC2, UOW is one of the largest research hubs in cryptography in Australia and the Asia-Pacific region. The group regularly publishes cutting-edge results at top conferences and journals on cryptography and cybersecurity. Applicants need to have a Master’s degree and English proficiency (IELTS 6.5 or equivalent). Solid knowledge of mathematics, computer science and cryptography will be encouraged. Female candidates are preferred.

Closing date for applications:

Contact: For more information and/or to submit CVs, please contact Prof Willy Susilo (wsusilo@uow.edu.au, https://sites.google.com/view/willy-susilo/) and Dr Khoa Nguyen (khoa@uow.edu.au, https://sites.google.com/view/khoantt/).

Technology Innovation Institute (TII) is a publicly funded research institute, based in Abu Dhabi, United Arab Emirates. It is home to a diverse community of leading scientists, engineers, mathematicians, and researchers from across the globe, transforming problems and roadblocks into pioneering research and technology prototypes that help move society ahead.

Cryptography Research Centre

Our work covers post-quantum cryptography, lightweight cryptography, cloud encryption schemes, secure protocols, quantum cryptographic technologies and cryptanalysis.

Position: Senior ASIC Design and Verification Engineer

Working on block and system-level RTL design, simulation and functional/correctness verification

Design, development and test of RTL IP blocks for FPGA and ASIC implementations

Prototyping and debugging systems on different FPGA platforms (Intel, Xilinx, Microsemi)

Testing of FPGA IP blocks through Chipscope/Signal analyzer tools

Testing of ASIC implementations through functional and formal verification

Defining, developing, and executing verification/coverage plans and test benches

Continuously improving the components (e.g., stimulus, assertions, coverage) of our design verification environment

Skills required for the job

BS/MS degree in electrical/electronic/computer engineering with 5+ years of relevant experience in the industry

Experience using Verilog/VHDL and SystemVerilog

Programming and scripting skills in C/C++, Python/Tcl

Hands-on experience with FPGA flows, methodologies and tools

Experience writing test plans, portable benches, and verification IPs (transactors, monitors, speed adapters)

Experience with verification methods and tools including simulators, coverage collection, and waveform viewers

Ability to understand and integrate hardware co

Experience with testing of ASIC implementations through KATs, ATPG etc.

Knowledge of side-channel and fault-based attacks (either through actual implementations or through design)

Closing date for applications:

Contact:
Mehdi Messaoudi - Talent Acquisition Manager
mehdi.messaoudi@tii.ae

The Max Planck Institute for Security and Privacy (https://www.mpi-sp.org/) and Ruhr University Bochum (https://www.ruhr-uni-bochum.de/en) are looking for an outstanding PhD candidate or postdoctoral researcher, as part of the CASA (https://casa.rub.de/en/) cluster of excellence. The successful candidate will be expected to conduct theoretical research at the intersection of quantum information and cryptography. Examples of possible areas include (but are not limited to):

Quantum information theory

Quantum and post-quantum cryptography

Mathematics and geometry of cryptographic problems

Representation theory and optimization

To be eligible for a PhD position, the candidate must have:

A Master’s degree or equivalent (or be close to completing one) in computer science, mathematics, physics or related fields. Outstanding candidates with a Bachelor degree will also be considered.

Excellent communication and writing skills in English.

An outstanding track record in classes related to quantum information, cryptography, and/or mathematics and theoretical computer science in general.

Postdoctoral candidates will also be considered, in which case the candidate is expected to carry out independent research in an area related to the topics described above. To be eligible, the candidate should have a publication record in top conferences/journals in cryptography, quantum information, or mathematical physics.

The Max Planck Institute and the Ruhr University are co-located in Bochum (Germany) and offer a vibrant atmosphere for research that spans across many areas of computer science and mathematics. The Ph.D. program is entirely in English; knowledge of German is not required.

The position is fully funded (100%) and paid according to the E-13 pay category (E-14 for postdocs). The starting date is negotiable, but ideally in fall 2022.

To apply for the position, please send:

Curriculum vitae.

Electronic contact details of 2-3 potential references.

A brief cover letter (half a page at most).

Closing date for applications:

Contact: Giulio Malavolta (giulio.malavolta@mpi-sp.org) and Michael Walter (michael.walter@rub.de).

Atomic Swaps enable exchanging crypto-assets without trusting a third party. To enable these swaps, both parties lock funds and let their counterparty withdraw them in exchange for a secret. This leads to the so-called griefing attack, or the emergence of an American Call option, where one party stops participating in the swap, thereby making their counterparty wait for a timelock to expire before they can withdraw their funds. The standard way to mitigate this attack is to make the attacker pay a premium for the emerging American Call option. In these premium-paying approaches, the premium itself ends up being locked for possibly an even longer duration than the swap amount itself. We propose a new Atomic Swap construction, where neither party exposes itself to a griefing attack by their counterparty. Notably, unlike previous constructions, ours can be implemented in Bitcoin as is. Our construction also takes fewer on-chain transactions and has a lower worst-case timelock.

The OCB mode of operation for block ciphers has three variants, OCB1, OCB2 and OCB3. OCB1 and OCB3 can be used as secure authenticated encryption schemes whereas OCB2 has been shown to be classically insecure (Inoue et al., Crypto 2019). Even further, in the presence of quantum queries to the encryption functionality, a series of works by Kaplan et al. (Crypto 2016), Bhaumik et al. (Asiacrypt 2021) and Bonnetain et al. (Asiacrypt 2021) have shown how to break the existential unforgeability of the OCB modes. However, these works did not consider the confidentiality of OCB in the presence of quantum queries.

We fill this gap by presenting the first formal analysis of the IND-qCPA security of OCB. In particular, we show the first attacks breaking the IND-qCPA security of the OCB modes. Surprisingly, we are able to prove that OCB2 is IND-qCPA secure when used without associated data, while relying on the assumption that the underlying block cipher is a quantum-secure pseudorandom permutation. Additionally, we present new quantum attacks breaking the universal unforgeability of OCB. Our analysis of OCB has implications for the post-quantum security of XTS, a well-known disk encryption standard, that was considered but mostly left open by Anand et al. (PQCrypto 2016).

Protocols for state machine replication (SMR) are typically differently designed for synchronous or asynchronous networks, with a lower corruption threshold in the latter case. Recent network-agnostic protocols are secure when run in either a synchronous or an asynchronous network. We propose two new constructions of network-agnostic SMR protocols that improve on existing protocols in terms of either adversarial model or communication complexity: 1. an adaptively secure protocol with optimal corruption thresholds and quadratic amortized communication complexity per transaction; 2. a statically secure protocol with near-optimal corruption thresholds and linear amortized communication complexity per transaction.

We further explore efficient SMR protocols run in a network that may change between synchronous and asynchronous arbitrarily often; parties can be uncorrupted (as in the proactive model), and the protocol should remain secure as long as the appropriate corruption thresholds are always maintained. We show that proactively secure SMR using threshold cryptography is impossible without some form of synchronization between the parties. Motivated by this negative result, we consider a model where the adversary is limited in the total number of parties it can corrupt over the duration of the protocol and show, in this setting, that our SMR protocols remain secure under arbitrarily changing network conditions.

Incompressible encryption, recently proposed by Guan, Wichs and Zhandry (EUROCRYPT'22), is a novel encryption paradigm geared towards providing strong long-term security guarantees against adversaries with bounded long-term memory. Given that the adversary forgets just a small fraction of a ciphertext, this notion provides strong security for the message encrypted therein, even if, at some point in the future, the entire secret key is exposed. This comes at the price of having potentially very large ciphertexts. Thus, an important efficiency measure for incompressible encryption is the message-to-ciphertext ratio (also called the rate). Guan et al. provided a low-rate instantiation of this notion from standard assumptions and a rate-1 instantiation from indistinguishability obfuscation (iO). In this work, we propose a simple framework to build rate-1 incompressible encryption from standard assumptions. Our construction can be realized from, e.g. the DDH and additionally the DCR or the LWE assumptions.

Vector Commitments allow one to (concisely) commit to a vector of messages so that one can later (concisely) open the commitment at selected locations. In the state of the art of vector commitments, algebraic constructions have emerged as a particularly useful class, as they enable advanced properties, such as stateless updates, subvector openings and aggregation, that are for example unknown in Merkle-tree-based schemes. In spite of their popularity, algebraic vector commitments remain poorly understood objects. In particular, no construction in standard prime order groups (without pairing) is known.

In this paper, we shed light on this state of affairs by showing that a large class of concise algebraic vector commitments in pairing-free, prime order groups are impossible to realize.

Our results also preclude any cryptographic primitive that implies the algebraic vector commitments we rule out, as special cases. This means that we also show the impossibility, for instance, of succinct polynomial commitments and functional commitments (for all classes of functions including linear forms) in pairing-free groups of prime order.

This work presents new advances in algebraic cryptanalysis of small scale derivatives of AES. We model the cipher as a system of polynomial equations over GF(2), which involves only the variables of the initial key, and we subsequently attempt to solve this system using Gröbner bases. We show, for example, that one of the attacks can recover the secret key for one round of AES-128 under one minute on a contemporary CPU. This attack requires only two known plaintexts and their corresponding ciphertexts. We also compare the performance of Gröbner bases to a SAT solver, and provide an insight into the propagation of diffusion within the cipher.

The focus of this work are multi-signatures schemes in the synchronized setting. A multi-signature scheme allows multiple signatures for the same message but from independent signers to be compressed into one short aggregated signature, which allows verifying all of the signatures simultaneously. In the synchronized setting, the signing algorithm takes the current time step as an additional input. It is assumed that no signer signs more than one message per time step and we aim to aggregate signatures for the same message and same time step. This setting is particularly useful in the context of blockchains, where validators are naturally synchronized by the blocks they sign.

We present Squirrel, a concretely efficient lattice-based multi-signature scheme in the synchronized setting that works for a bounded number of $2^{\tau}$ time steps and allows for aggregating up to $\rho$ signatures at each step, where both $\tau$ and $\rho$ are public parameters upon which the efficiency of our scheme depends. Squirrel allows for non-interactive aggregation of independent signatures and is proven secure in the random oracle model in the presence of rogue-key attacks assuming the hardness of the short integer solution problem in a polynomial ring.

We provide a careful analysis of all parameters and show that Squirrel can be instantiated with good concrete efficiency. For $\tau = 24$ and $\rho = 4096$, a signer could sign a new message every 10 seconds for 5 years non-stop. Assuming the signer has a cache of 112 MB, signing takes 68 ms and verification of an aggregated signature takes 36 ms. The size of the public key is 1 KB, the size of an individual signature is 52 KB, and the size of an aggregated signature is 771 KB.

We study the framework of Watanabe and Yasunaga (Asiacrypt 2021) that enables us to evaluate the bit security of cryptographic primitives/games with an operational meaning. First, we observe that their quantitative results preserve even if adversaries are allowed to output the failure symbol in games. With this slight modification, we show that their framework evaluates the advantage of adversaries more pessimistically than that of Micciancio and Walter (Eurocrypt 2018). Also, we prove the optimality of the Goldreich-Levin hard-core predicate by employing the reduction algorithm of Hast (J. Cryptology, 2004). These two results resolve open problems that remained. We demonstrate that all games we need to care about in their framework are decision games. Namely, we show that for every search game $G$, there is the corresponding decision game $G'$ such that $G$ has $\lambda$-bit security if and only if $G'$ has $\lambda$-bit security. The game $G'$ consists of the real and the ideal games, where attacks in the ideal game are never approved. Such games often appear in game-hopping security proofs. The result justifies such security proofs because they lose no security. Finally, we provide a distribution replacing theorem. Suppose that a game using distribution $Q$ in a black-box manner is $\lambda$-bit secure, and two distributions $P$ and $Q$ are computationally $\lambda$-bit secure indistinguishable. In that case, the game where $Q$ is replaced by $P$ is also $\lambda$-bit secure.

We propose a new Diffie-Hellman-like Non-Interactive Key Exchange that uses the Lattice Isomorphisms as a building block. Our proposal also relies on a group action structure, implying a similar security setup as in the Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) protocol where Kuperberg's algorithm applies. We short label our scheme as LIKE. As with the original Diffie-Hellman protocol, our proposed scheme is also passively secure. We provide a proof-of-concept constant-time C-code implementation of LIKE, and conservatively propose LIKE-1, LIKE-3, and LIKE-5 instances with equivalent asymptotic Kuperberg's algorithm complexity than CSIDH-4096, CSIDH-6144, and CSIDH-8192. Our experiments illustrate that LIKE-1 is about 3.8x faster than CTIDH-512 (the current fastest variant of CSIDH-512), and it is about 641.271x faster than CSIDH-4096 when deriving shared keys (while LIKE-1 key generation is about 2.16x faster than CSIDH-4096); oppositely, LIKE-1 public keys are 32.25x larger than CSIDH-4096.

Privacy and security challenges due to the outsourcing of data storage and processing to third-party cloud providers are well known. With regard to data privacy, Oblivious RAM (ORAM) schemes provide strong privacy guarantees by not only hiding the contents of the data (by encryption) but also obfuscating the access patterns of the outsourced data. But most existing ORAM datastores are not fault tolerant in that if the external storage server (which stores encrypted data) or the trusted proxy (which stores the encryption key and other meta- data) crashes, an application loses all of its data. To achieve fault-tolerance, we propose QuORAM, the first ORAM datastore to replicate data with a quorum-based replication protocol. QuORAM’s contributions are three-fold: (i) it obfuscates access patterns to provide obliviousness guarantees, (ii) it replicates data using a novel lock-free and decentralized replication protocol to achieve fault-tolerance, and (iii) it guarantees linearizable semantics. Experimentally evaluating QuORAM highlights counter-intuitive results: QuORAM in- curs negligible cost to achieve obliviousness when compared to an insecure fault-tolerant replicated system; QuORAM’s peak throughput is 2.4x of its non-replicated baseline; and QuORAM performs 33.2x better in terms of throughput than an ORAM datastore that relies on CockroachDB, an open- source geo-replicated database, for fault tolerance.

We consider the streaming variant of the Bounded Storage Model (BSM), where the honest parties can stream large amounts of data to each other, while only maintaining a small memory of size $n$. The adversary also operates as a streaming algorithm, but has a much larger memory size $m \gg n$. The goal is to construct unconditionally secure cryptographic schemes in the BSM, and prior works did so for symmetric-key encryption, key agreement, oblivious transfer and multiparty computation. In this work, we construct message authentication and signatures in the BSM.

First, we consider the symmetric-key setting, where Alice and Bob share a small secret key. Alice can authenticate arbitrarily many messages to Bob by streaming long authentication tags of size $k \gg m$, while ensuring that the tags can be generated and verified using only $n$ bits of memory. We show a solution using local extractors (Vadhan; JoC '04), which allows for up to exponentially large adversarial memory $m = 2^{O(n)}$, and has tags of size $k= O(m)$. Second, we consider the same setting as above, but now additionally require each individual tag to be small, of size $k \leq n$. We show a solution is still possible when the adversary's memory is $m = O(n^2)$, which is optimal. Our solution relies on a space lower bound for leaning parities (Raz; FOCS '16). Third, we consider the public-key signature setting. A signer Alice initially streams a long verification key over an authentic channel, while only keeping a short signing key in her memory. A verifier Bob receives the streamed verification key and generates some short verification digest that he keeps in his memory. Later, Alice can sign arbitrarily many messages using her signing key by streaming the signatures to Bob, who can verify them using his verification digest. We show a solution for $m= O(n^2)$, which we show to be optimal. Our solution relies on a novel entropy lemma, of independent interest. We show that, if a sequence of blocks has sufficiently high min-entropy, then a large fraction of individual blocks must have high min-entropy. Naive versions of this lemma are false, but we show how to patch it to make it hold.

The System and Software Security (S3) group at The University of Manchester is looking for a Post-Doc in Secure and Verifiable AI Models to join our ambition EPSRC-funded EnnCore project (https://enncore.github.io/).

The successful candidate will enjoy designing, developing, and evaluating novel AI models that are secure and robust against attacks. The project will involve continuous interaction with experts in explainable AI, software testing and formal software verification.

The S3 group conducts a world-leading research in the space of explainable AI, automated software verification and testing. It develops award-winning software verification tools and regularly wins prices at international competitions.

Closing date for applications:

Contact: Mustafa Mustafa (mustafa.mustafa@manchester.ac.uk)

More information: https://www.jobs.manchester.ac.uk/displayjob.aspx?jobid=22435

In CRYPTO'21, Shen et al. have proved that $\textsf{DbHtS}$ is secure up to $2^{2n/3}$ queries in the multi-user setting independent of the number of users, where the double block hash function $\textsf{H}$ consists of two independent $n$-bit keyed hash function $(\textsf{H}_{K_h,1}, \textsf{H}_{K_h, 2})$ such that each of the $n$-bit keyed hash function is $O(2^{-n})$ universal and regular. They have also demonstrated the applicability of their result to key-reduced variants of $\textsf{DbHtS}$ MACs including $\textsf{2K-SUM-ECBC}$, $\textsf{2K-PMAC\_Plus}$ and $\textsf{2K-LightMAC\_Plus}$ without requiring any additional domain separation. Recently, Guo and Wang have shown three instantiations of $\textsf{DbHtS}$ framework where each of their $n$-bit keyed hash functions is $O(2^{-n})$ universal and regular but the constructions are itself secure only up to the birthday bound. In this work, we show a sufficient condition on the underlying Double-block Hash ($\textsf{DbH}$) function under which we prove $3n/4$-bit multi-user security of $\textsf{DbHtS}$ construction in the ideal-cipher model. As an instantiation, we show that Polyhash based $\textsf{DbHtS}$ construction is multi-user secured up to $2^{3n/4}$ queries in the ideal-cipher model. Moreover, due to the result of the generic attack on $\textsf{DbHtS}$ constructions by Ga\"etan et al. in CRYPTO'18, our derived bound for the construction is tight.

The LowMC family of block ciphers was first proposed by Albrecht et al. in [ARS+15], specifically targeting adoption in FHE and MPC applications due to its low multiplicative complexity. The construction operates a 3-bit S-box as the sole non-linear transformation in the algorithm. In contrast, both the linear layer and round key generation are achieved through multiplications of full rank matrices over GF(2). The cipher is instantiable using a diverse set of default configurations, some of which have partial non-linear layers i.e., in which the S-boxes are not applied over the entire internal state of the cipher.

The significance of cryptanalysing LowMC was elevated by its inclusion into the NIST PQC digital signature scheme PICNIC in which a successful key recovery using a single plaintext/ciphertext pair is akin to retrieving the secret signing key. The current state-of-the-art attack in this setting is due to Dinur [Din21a], in which a novel way of enumerating the roots of a Boolean system of equation is morphed into a key recovery procedure that undercuts an ordinary exhaustive search in terms of time complexity for the variants of the cipher up to five rounds.

In this work, we demonstrate that this technique can efficiently be enriched with a specific linearization strategy that reduces the algebraic degree of the non-linear layer as put forward by Banik et al. [BBDV20]. This amalgamation yields a drastic reduction in terms of memory complexity across all instantiations of LowMC up to six rounds with a quasi-equivalent time complexity.

Single Secret Leader Election protocols (SSLE, for short) allow a group of users to select a random leader so that the latter remains secret until she decides to reveal herself. Thanks to this feature, SSLE can be used to build an election mechanism for proof-of-stake based blockchains. In particular, a recent work by Azouvi and Cappelletti (ACM AFT 2021) shows that in comparison to probabilistic leader election methods, SSLE-based proof-of-stake blockchains have significant security gains, both with respect to grinding attacks and with respect to the private attack. Yet, as of today, very few concrete constructions of SSLE are known. In particular, all existing protocols are only secure in a model where the adversary is supposed to corrupt participants before the protocol starts -- an assumption that clashes with the highly dynamic nature of decentralized blockchain protocols.

In this paper we make progress in the study of SSLE by proposing new efficient constructions that achieve stronger security guarantees than previous work. In particular, we propose the first SSLE protocol that achieves adaptive security. Our scheme is proven secure in the universal composability model and achieves efficiency comparable to previous, less secure, realizations in the state of the art.

In CRYPTO'03, Patarin conjectured a lower bound on the number of distinct solutions $(P_1, \ldots, P_{q}) \in (\{0,1\}^{n})^{q}$ satisfying a system of equations of the form $X_i \oplus X_j = \lambda_{i,j}$ such that $X_1, X_2, \ldots$, $X_{q}$ are pairwise distinct is either 0 or greater than the average over all $\lambda_{i,j}$ values in $\{0,1\}^n$. This result is known as ``$P_i \oplus P_j$ for any $\xi_{\max}$'' or alternatively as Mirror Theory for general $\xi_{\max}$, which was later proved by Patarin in ICISC'05. Mirror theory for general $\xi_{\max}$ stands as a powerful tool to provide a high security guarantee for many block cipher-(or even ideal permutation-) based designs. Unfortunately, the proof of the result contains gaps which are non-trivial to fix. In this work, we present the first complete proof of the $P_i \oplus P_j$ for any $\xi_{\max}$ theorem. As an illustration of our result, we also revisit the security proofs of two optimally secure blockcipher-based pseudorandom functions, and provide updated security bounds. Our result is actually more general in nature as we consider equations of the form $X_i \oplus X_j = \lambda_k$ over a commutative group under addition, and of exponent 2.