International Association for Cryptologic Research

IACR News

06 June 2022

Markus Krausz, Georg Land, Jan Richter-Brockmann, and Tim Güneysu
ePrint Report
Physical side-channel analysis poses a huge threat to post-quantum cryptographic schemes implemented on embedded devices. Still, secure implementations are missing for many schemes. In this paper, we present an efficient solution for masked polynomial inversion, a main component of the key generation of multiple post-quantum KEMs. For this, we introduce a polynomial-multiplicative masking scheme with efficient arbitrary order conversions from and to additive masking. Furthermore, we show how to integrate polynomial inversion and multiplication into the masking schemes to reduce costs considerably. We demonstrate the performance of our algorithms for two different post-quantum cryptographic schemes on the Cortex-M4. For NTRU, we measure an overhead of 35% for the first-order masked inversion compared to the unmasked inversion while for BIKE the overhead is as little as 11%. Lastly, we verify the security of our algorithms for the first masking order by measuring and performing a TVLA based side-channel analysis.
Johannes Mono, Chiara Marcolla, Georg Land, Tim Güneysu, and Najwa Aaraj
ePrint Report
The BGV scheme is a state-of-the-art fully homomorphic encryption (FHE) scheme. Encryption is based on the Learning with Errors over rings (RLWE) assumption and thus each ciphertext has an associated error that grows with each homomorphic operation. To avoid failure during decryption, the growing error, also called critical quantity, needs to stay below a certain threshold. This requires a trade-off between security and error margin that influences the parameters specific to each use case. Choosing such parameters, for example the polynomial degree or the ciphertext modulus, is a challenge and requires expert knowledge.

The main idea of our work is to improve the current state of BGV parameter selection. More specifically, we provide a parameter generator for the leveled BGV scheme using theoretical bounds on the error growth and an empirically derived formula for the security estimate. For the former, we combine previous analysis using the canonical embedding norm and analysis of the residue number system. For the latter, we develop a model based on data from the Lattice Estimator tool and coupled optimization. Finally, we provide the open-source generator which outputs easy-to-use code snippets for the BGV libraries HElib and PALISADE.
Matteo Campanelli, Anca Nitulescu, Carla Rafols, Alexandros Zacharakis, and Arantxa Zapico
ePrint Report
Vector commitments (VC) are a cryptographic primitive that allows one to commit to a vector and then “open” some of its positions efficiently. Vector commitments are increasingly recognized as a central tool to scale highly decentralized networks of large size and whose content is dynamic. In this work, we examine the demands on the properties that an ideal vector commitment should satisfy in the light of the emerging plethora of practical applications and propose new constructions that improve the state-of-the-art in several dimensions and offer new tradeoffs. We also propose a unifying framework that captures several constructions and show how to generically achieve some properties from more basic ones. On the practical side, we focus on building efficient schemes that do not require new trusted setup (we can reuse existing ceremonies for pairing-based “powers of tau” run by real-world systems such as ZCash or Filecoin). Our (in-progress) implementation demonstrates that our work outperforms prior schemes with the same properties in efficiency.
Loris Bergerat, Anas Boudi, Quentin Bourgerie, Ilaria Chillotti, Damien Ligier, Jean-Baptiste Orfila, and Samuel Tap
ePrint Report
In theory, Fully Homomorphic Encryption schemes allow computing any operation over encrypted data. However, in practice, one of the major difficulties lies in determining secure cryptographic parameters that reduce the computational cost of evaluating a circuit. In this paper, we propose a framework of optimization to solve this open problem. Even though it mainly focuses on TFHE, the method is generic enough to be adapted to any FHE scheme. As an application, this framework allows us to design solutions to efficiently increase the precision initially supported by the TFHE scheme to large integers. Beyond the classical radix encoding of plaintexts, we propose an alternative representation making use of the Chinese Remainder Theorem, which is particularly suited for parallel computation. We show how to evaluate operations on these new ciphertext types, from basic arithmetic operations to more complex ones, such as the evaluation of a generic look-up table. The latter relies on a new efficient way to evaluate a programmable bootstrapping. Finally, we propose a plethora of applications of the optimization framework, such as true comparisons between bootstrapping operators, i.e. not only on the computation time but also on the amount of output error and, more importantly, the probability of failure, all at once.
Tim Güneysu, Philip Hodges, Georg Land, Mike Ounsworth, Douglas Stebila, and Greg Zaverucha
ePrint Report
Certificate authorities in public key infrastructures typically require entities to prove possession of the secret key corresponding to the public key they want certified. While this is straightforward for digital signature schemes, the most efficient solution for public key encryption and key encapsulation mechanisms (KEMs) requires an interactive challenge-response protocol, requiring a departure from current issuance processes. In this work we investigate how to non-interactively prove possession of a KEM secret key, specifically for lattice-based KEMs, motivated by the recently proposed KEMTLS protocol which replaces signature-based authentication in TLS 1.3 with KEM-based authentication. Although there are various zero-knowledge (ZK) techniques that can be used to prove possession of a lattice key, they yield large proofs or are inefficient to generate. We propose a technique called verifiable generation, in which a proof of possession is generated at the same time as the key itself is generated. Our technique is inspired by the Picnic signature scheme and uses the multi-party-computation-in-the-head (MPCitH) paradigm; this similarity to a signature scheme allows us to bind attribute data to the proof of possession, as required by certificate issuance protocols. We show how to instantiate this approach for two lattice-based KEMs in Round 3 of the NIST post-quantum cryptography standardization project, Kyber and FrodoKEM, and achieve reasonable proof sizes and performance. Our proofs of possession are faster and an order of magnitude smaller than the previous best MPCitH technique for knowledge of a lattice key, and in size-optimized cases can be comparable to even state-of-the-art direct lattice-based ZK proofs for Kyber. 
Our approach relies on a new result showing the uniqueness of Kyber and FrodoKEM secret keys, even if the requirement that all secret key components are small is partially relaxed, which may be of independent interest for improving efficiency of zero-knowledge proofs for other lattice-based statements.
Frank Y.C. Lu
ePrint Report
We introduce a new efficient, transparent-setup polynomial commitment scheme that runs on efficient groups with logarithmic verifier and communication costs. Existing group-based polynomial commitment schemes must run on costly groups such as class groups with unknown order or pairing-based groups to achieve transparency (no trusted setup), making them slow in practice, and non-group-based schemes such as Reed-Solomon-based schemes have their own set of pros and cons compared to group-based schemes.

We offer the first group-based polynomial commitment scheme that does not rely on expensive pairing-based groups or class groups with unknown order to achieve transparency while still providing logarithmic verifier and communication costs. While the asymptotic performance of our protocol is comparable to the current state of the art, its concrete verifier and communication costs are about one order of magnitude more efficient than the current state-of-the-art schemes.

The asymptotic costs of our new transparent scheme are dominated by $3n \,\mathbb{G}$ exponentiations (prover cost), $3 \log n \,\mathbb{G}$ exponentiations (verifier cost) and $3 \log n \,\mathbb{G}$ communication cost. Running with one thread and evaluating a polynomial with $n=2^{20}$ degree terms, the verifier cost of our protocol is $\approx 2.5\,\mathrm{ms}$, and the communication cost is $\approx 2\,\mathrm{KB}$, giving approximately 11X and 9X improvement over the current state of the art.
Augustin Bariant and Gaëtan Leurent
ePrint Report
The boomerang attack is a cryptanalysis technique that combines two short differentials instead of using a single long differential. It has been applied to many primitives, and results in the best known attacks against several AES-based ciphers (Kiasu-BC, Deoxys-BC). In this paper, we introduce a general framework for boomerang attacks with truncated differentials. While the underlying ideas are already known, we show that a careful analysis provides a significant improvement over the best boomerang attacks in the literature. In particular, we take into account structures on the plaintext and ciphertext sides, and include an analysis of the key recovery step. On 6-round AES, we obtain a structural distinguisher with complexity $2^{87}$ and a key recovery attack with complexity $2^{61}$. The truncated boomerang attack is particularly effective against tweakable AES variants. We apply it to 8-round Kiasu-BC, resulting in the best known attack with complexity $2^{83}$ (rather than $2^{103}$). We also show an interesting use of the 6-round distinguisher on TNT-AES, a tweakable block cipher using 6-round AES as a building block. Finally, we apply this framework to Deoxys-BC, using a MILP model to find optimal trails automatically. We obtain the best attacks against round-reduced versions of all variants of Deoxys-BC.

03 June 2022

Research & Development Group, Horizen Labs
Job Posting

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are working on cutting edge tech, including zkSNARKS, proof systems and zkVMs, to fundamentally change the way of building decentralized and scalable Web3 applications. We are looking for a Lead Zero-Knowledge Cryptographer for our cryptographic team distributed across the globe. Amongst other projects, the team is dedicated to the design of our Layer-2 scaling solution based on STARK-proven virtual machines. You will help our team grow, conduct research and lay out SNARK-based cryptographic protocols, working on related cutting-edge technologies such as zkVMs.

Requirements

You should be aware of state of the art proving systems such as Plonk and STARKs, and have a solid background in computational models and blockchain technologies. Additional requirements are represented by:

  • Ph.D. in mathematics, computer science, or cryptography;
  • Solid foundations in zero-knowledge and cryptographic protocols;
  • Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols, and PETs;
  • Strong problem-solving skills;
  • The ability to work in a team setting as well as autonomously.

Experience in reading code (e.g. C++, Rust), though not mandatory, is welcomed.

We offer:
  • Competitive salary, yearly bonus, and stock options
  • Flexible working hours, fully remote if preferred
  • The opportunity to work with talented minds on innovative, high-quality open source solutions.

If you want to get more knowledge about our technology, read our Whitepapers at the website: https://www.horizen.io/research/

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

More information: https://horizenlabs.io/careers/job/?gh_jid=4536288004

Research & Development Group, Horizen Labs
Job Posting

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

We are looking for an engineer who will contribute in building the cryptographic infrastructure of our Web 3.0-enabled blockchain ecosystem. You will be involved in the design and implementation of our zero-knowledge Layer 2 scaling solution based on STARK-proven virtual machines. Our international team works in a stimulating and innovative environment, where people’s technical expertise and experience contribute to the development of cutting-edge blockchain technology.

Requirements
  • Experience in implementing zero-knowledge proving systems or related cryptographic primitives;
  • Comfortable in implementing low-level operations such as finite field arithmetic, hash functions, etc.;
  • Enthusiastic about algorithmic improvements and code optimization.

Furthermore, any experience with
  • Plonk, STARKs, AIR circuits,
  • EVM, zk-VMs,
  • C/C++/Rust programming languages,
though not mandatory, is welcomed.

We offer
  • Competitive salary, yearly bonus, and stock options
  • Flexible working hours, fully remote if preferred
  • The opportunity to work with talented minds on innovative, high-quality open source solutions.

If you want to get more knowledge about our technology, read our Whitepapers at the website: https://www.horizen.io/research/

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

Research & Development Group, Horizen Labs
Job Posting

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are looking for a cryptographer, or applied cryptographer, to join our growing crypto team based in Milan, Italy. Currently, the team is developing a protocol suite for SNARK-based proof-composition, but its duties reach beyond that, developing privacy-enhancing solutions for our sidechain ecosystem.

Responsibilities
  • Design privacy-enhancing technology built on SNARK-based protocols
  • Perform collaborative research and assist technical colleagues in their development work
  • Participate in standards-setting
Requirements
  • Ph.D. in mathematics, computer science, or cryptography
  • Solid foundations in zero-knowledge and cryptographic protocols
  • Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols or PETs
  • Strong problem-solving skills
  • The ability to work in a team setting as well as autonomously
  • Foundations in blockchain technology and experience in reading Rust are a plus
We offer
  • A competitive salary plus pre-series A stock options
  • Flexible working hours, including the possibility of remote working
  • The opportunity to work with talented minds on challenging topics in this field, including the most recent advancements in zero-knowledge
  • A nice and informal team setting to conduct research and development of high-quality open source solutions

If you are interested in this position, you might want to take a look at our recent publications (IACR eprints 2021/930, 2021/399, 2020/123) and our latest podcast on zeroknowledge.fm (Episode 178). For further questions, please contact the email below.

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

University of Wollongong, Australia
Job Posting
The Institute of Cybersecurity and Cryptology at the University of Wollongong is a premier research institute that conducts research in cybersecurity and cryptology. We are seeking a postdoctoral fellow to conduct research on the topic of "Secure Crowdsourcing". This position is supported by the Australian Research Council Discovery Project. It is expected that the candidate is proficient in cryptography research, in the area of pairing-based cryptography and/or lattice-based cryptography, security modelling and security proofs. This position is a research-only position. The successful candidate is expected to contribute to the research at the Institute of Cybersecurity and Cryptology at the University of Wollongong. Closing Date: Wednesday 6 July 2022, 11:59 PM AEST Australian Time

Closing date for applications:

Contact: Prof Willy Susilo

More information: https://ejgl.fa.ap1.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/2502/?mode=location

Villanova University, Department of Electrical and Computer Engineering, Villanova, PA USA
Job Posting
One Ph.D. position opening (post-quantum cryptography and related) at Dr. Jiafeng Harvest Xie's Security and Cryptography (SAC) Lab (https://www.ece.villanova.edu/~jxie02/lab/), Department of Electrical and Computer Engineering, Villanova University, Villanova, PA USA.

Villanova University ranks #49 among National Universities in the USA (US News) and is located in Villanova, a western suburb of Philadelphia. Famous alumni include the current First Lady of the USA!

Requirements: Preferred to be in majors of CS/CE/EE, Applied Mathematics/Cryptography.

Skillful in programming languages such as C/C++, Python, VHDL/Verilog, and so on.

Deadline: better to start in Fall 2022/Spring 2023.

This research focuses on the security aspects of post-quantum cryptography and related implementations (or AI accelerator). Advisor and senior Ph.D. student will guide you to get started and work together on forthcoming challenges. You will not be fighting alone!!!

Contact email: jiafeng.xie@villanova.edu

Closing date for applications:

Contact: Jiafeng Harvest Xie

More information: https://www.ece.villanova.edu/~jxie02/lab/

Birmingham, UK, 7 November - 9 November 2022
Event Calendar
Event date: 7 November to 9 November 2022
Submission deadline: 24 June 2022
Notification: 6 August 2022
Lyon, France, 23 April - 27 April 2023
Eurocrypt
Event date: 23 April to 27 April 2023
Okinawa Institute of Science and Technology, Networked Quantum Devices Unit
Job Posting

We offer several postdoctoral positions at the networked quantum devices unit at Okinawa Institute of Science and Technology. Potential research topics include:

  • Theory of quantum key distribution or other quantum cryptographic protocols.
  • Private and quantum capacities of channels and networks.

The Okinawa Institute of Science and Technology Graduate University (OIST) is a dynamic new graduate university in Okinawa Prefecture, Japan. The university is located on 85 hectares of protected forestland overlooking beautiful shoreline and coral reefs. The campus is striking architecturally, and the facilities are outstanding. There are no academic departments, which facilitates multidisciplinary research. Outstanding resources and equipment are provided and managed to encourage easy access and collaboration. English is the official language of the University, and the university research community is fully international, with more than 50 countries represented. OIST has rapidly gained recognition in the worldwide academic community as a model for excellence.

Benefits:

  • Relocation, housing and commuting allowances
  • Annual paid leave and summer holidays
  • Health insurance (Private School Mutual Aid)
  • Welfare pension insurance (kousei-nenkin)
  • Worker’s accident compensation insurance (roudousha-saigai-hoshou-hoken)

Closing date for applications:

Contact: David Elkouss

More information: https://groups.oist.jp/netq/postdoc-application-form

University of Wollongong, Australia
Job Posting
The cryptography research group at the Institute of Cybersecurity and Cryptology (iC2), University of Wollongong (UOW), Australia, is recruiting a PhD candidate for a joint research project between UOW and CSIRO/Data61. The candidate will be granted a full scholarship, including full tuition fee (AUD $32K/year) and attractive stipends (up to AUD $32K/year). The candidate will be supervised by Prof Willy Susilo, Dr Khoa Nguyen and a Data61 scientist. The candidate’s research will be closely related to Post-Quantum Cryptography, an important and trendy research area aiming to build robust cryptographic systems that remain secure in the long-term future. The research group at iC2, UOW is one of the largest research hubs in cryptography in Australia and the Asia-Pacific region. The group regularly publishes cutting-edge results at top conferences and journals on cryptography and cybersecurity. Applicants need to have a Master’s degree and English proficiency (IELTS 6.5 or equivalent). Solid knowledge of mathematics, computer science and cryptography will be encouraged. Female candidates are preferred.

Closing date for applications:

Contact: For more information and/or to submit CVs, please contact Prof Willy Susilo (wsusilo@uow.edu.au, https://sites.google.com/view/willy-susilo/) and Dr Khoa Nguyen (khoa@uow.edu.au, https://sites.google.com/view/khoantt/).

Technology Innovation Institute (TII) - Abu Dhabi, UAE
Job Posting

Technology Innovation Institute (TII) is a publicly funded research institute, based in Abu Dhabi, United Arab Emirates. It is home to a diverse community of leading scientists, engineers, mathematicians, and researchers from across the globe, transforming problems and roadblocks into pioneering research and technology prototypes that help move society ahead.

Cryptography Research Centre

Our work covers post-quantum cryptography, lightweight cryptography, cloud encryption schemes, secure protocols, quantum cryptographic technologies and cryptanalysis.

Position: Senior ASIC Design and Verification Engineer

  • Working on block and system-level RTL design, simulation and functional/correctness verification
  • Design, development and test of RTL IP blocks for FPGA and ASIC implementations
  • Prototyping and debugging systems on different FPGA platforms (Intel, Xilinx, Microsemi)
  • Testing of FPGA IP blocks through Chipscope/Signal analyzer tools
  • Testing of ASIC implementations through functional and formal verification
  • Defining, developing, and executing verification/coverage plans and test benches
  • Continuously improving the components (e.g., stimulus, assertions, coverage) of our design verification environment

Skills required for the job

  • BS/MS degree in electrical/electronic/computer engineering with 5+ years of relevant experience in the industry
  • Experience using Verilog/VHDL and SystemVerilog
  • Programming and scripting skills in C/C++, Python/Tcl
  • Hands-on experience with FPGA flows, methodologies and tools
  • Experience writing test plans, portable benches, and verification IPs (transactors, monitors, speed adapters)
  • Experience with verification methods and tools including simulators, coverage collection, and waveform viewers
  • Ability to understand and integrate hardware co
  • Experience with testing of ASIC implementations through KATs, ATPG etc.
  • Knowledge of side-channel and fault-based attacks (either through actual implementations or through design)

Closing date for applications:

Contact:
Mehdi Messaoudi - Talent Acquisition Manager
mehdi.messaoudi@tii.ae

Max Planck Institute / Ruhr University of Bochum
Job Posting

The Max Planck Institute for Security and Privacy (https://www.mpi-sp.org/) and Ruhr University Bochum (https://www.ruhr-uni-bochum.de/en) are looking for an outstanding PhD candidate or postdoctoral researcher, as part of the CASA (https://casa.rub.de/en/) cluster of excellence. The successful candidate will be expected to conduct theoretical research at the intersection of quantum information and cryptography. Examples of possible areas include (but are not limited to):

  • Quantum information theory
  • Quantum and post-quantum cryptography
  • Mathematics and geometry of cryptographic problems
  • Representation theory and optimization

To be eligible for a PhD position, the candidate must have:

  • A Master’s degree or equivalent (or be close to completing one) in computer science, mathematics, physics or related fields. Outstanding candidates with a Bachelor degree will also be considered.
  • Excellent communication and writing skills in English.
  • An outstanding track record in classes related to quantum information, cryptography, and/or mathematics and theoretical computer science in general.

Postdoctoral candidates will also be considered, in which case the candidate is expected to carry out independent research in an area related to the topics described above. To be eligible, the candidate should have a publication record in top conferences/journals in cryptography, quantum information, or mathematical physics.

The Max Planck Institute and the Ruhr University are co-located in Bochum (Germany) and offer a vibrant atmosphere for research that spans across many areas of computer science and mathematics. The Ph.D. program is entirely in English; knowledge of German is not required.

The position is fully funded (100%) and paid according to the E-13 pay category (E-14 for postdocs). The starting date is negotiable, but ideally in fall 2022.

To apply for the position, please send:

  • Curriculum vitae.
  • Electronic contact details of 2-3 potential references.
  • A brief cover letter (half a page at most).

Closing date for applications:

Contact: Giulio Malavolta (giulio.malavolta@mpi-sp.org) and Michael Walter (michael.walter@rub.de).


02 June 2022

Tejaswi Nadahalli, Majid Khabbazian, and Roger Wattenhofer
ePrint Report
Atomic Swaps enable exchanging crypto-assets without trusting a third party. To enable these swaps, both parties lock funds and let their counterparty withdraw them in exchange for a secret. This leads to the so-called griefing attack, or the emergence of an American Call option, where one party stops participating in the swap, thereby making their counterparty wait for a timelock to expire before they can withdraw their funds. The standard way to mitigate this attack is to make the attacker pay a premium for the emerging American Call option. In these premium-paying approaches, the premium itself ends up being locked for possibly an even longer duration than the swap amount itself. We propose a new Atomic Swap construction, where neither party exposes itself to a griefing attack by their counterparty. Notably, unlike previous constructions, ours can be implemented in Bitcoin as is. Our construction also takes fewer on-chain transactions and has a lower worst-case timelock.
Varun Maram, Daniel Masny, Sikhar Patranabis, and Srinivasan Raghuraman
ePrint Report
The OCB mode of operation for block ciphers has three variants, OCB1, OCB2 and OCB3. OCB1 and OCB3 can be used as secure authenticated encryption schemes whereas OCB2 has been shown to be classically insecure (Inoue et al., Crypto 2019). Even further, in the presence of quantum queries to the encryption functionality, a series of works by Kaplan et al. (Crypto 2016), Bhaumik et al. (Asiacrypt 2021) and Bonnetain et al. (Asiacrypt 2021) have shown how to break the existential unforgeability of the OCB modes. However, these works did not consider the confidentiality of OCB in the presence of quantum queries.

We fill this gap by presenting the first formal analysis of the IND-qCPA security of OCB. In particular, we show the first attacks breaking the IND-qCPA security of the OCB modes. Surprisingly, we are able to prove that OCB2 is IND-qCPA secure when used without associated data, while relying on the assumption that the underlying block cipher is a quantum-secure pseudorandom permutation. Additionally, we present new quantum attacks breaking the universal unforgeability of OCB. Our analysis of OCB has implications for the post-quantum security of XTS, a well-known disk encryption standard, that was considered but mostly left open by Anand et al. (PQCrypto 2016).