International Association
for Cryptologic Research

The position for a research assistant is open in Cryptography and Information Security (CrIS) Lab at IISc. CrIS lab is associated to the Department of Computer Science and Automation (CSA). The research focus of the lab include secure multiparty computation, fault-tolerant distributed computing, and privacy preserving machine learning, but is not limited to them.

This position is open for post-graduate (BTech/MSc/MS/MTech/Dual degree/Integrated Mtech) students interested in getting more research experience. Applicants who have credited a cryptography course in their home institute and/or who have worked on a related topic for their master's thesis are preferred.

You can apply through and find further details regarding opportunities at CrIS here - https://www.csa.iisc.ac.in/~cris/opportunities.html

Closing date for applications:

Contact: Professor Arpita Patra

More information: https://www.csa.iisc.ac.in/~cris/about.html

We have an open position for a research assistant.
Research topics include:

• primitives for symmetric cryptosystems (block ciphers, hash functions, ...)
• algorithms for secret-key encryption, authentication, and authenticated encryption
• quantum algorithms and their application in attacks on symmetric cryptosystems
• hash-based signature schemes
• language-theoretic security methods for the secure communication protocols

Responsibilities:
perform research to further the research assistant's own scientific qualification, publish and present results at workshops and conferences, participate in teaching and the university's self-administration, supervise students, and assist with external funding proposals.
Hiring requirements:

• successfully completed university studies (diploma, master or equivalent) in computer science or a closely related field
• an excellent track record in classes related to cryptography or quantum algorithms, or in general excellent results in mathematics and theoretical computer science
• very good programming skills and very good knowledge of English, written and spoken
• willingness to imparting specialized knowledge to students, own familiarization with new research areas and to the presentation of scientific results at international conferences
• good knowledge of German is an advantage for carrying out teaching, but not required; also beneficial is experience with Linux, git, and LaTeX

The position is also open for recently graduated postdocoral researchers. Such candidates need a publication list with at least three outstanding publications, related to the above research topics.
Please send us your application with the usual documents (at least: cover letter, curriculum vitae, relevant degree certificates/grade overviews, research interests, if available: List of publications) and electronic contact details for at least two references by email (one PDF) or by post.
Deadline: August 31, 2022

Closing date for applications:

Contact: Frau Thielken: emmely.kornelia.thielken@uni-weimar.de

More information: https://www.uni-weimar.de/en/university/news/job-openings/m-wp-10-22/

The Cryptography and Privacy Engineering Group (ENCRYPTO) @CS Department @Technical University of Darmstadt offers a fully funded position as Doctoral Researcher (Research Assistant/PhD Student) in Cryptography and Privacy Engineering to be filled as soon as possible until June 30, 2026 with the possibility of extension.
Job description: You'll work in the collaborative research center CROSSING funded by the German Research Foundation (DFG). In our subproject E4 Compiler for Privacy-Preserving Protocols, we build compilers to automatically generate optimized secure multi-party computation protocols for privacy-preserving applications. See https://encrypto.de/CROSSING for details. You conduct research, implement prototypes, and publish&present the results at top venues. You'll participate in teaching and supervise thesis students & student assistants.
We offer: We demonstrate that privacy is efficiently protectable in real-world applications via cryptographic protocols. Our open and international working environment facilitates excellent research in a sociable team. TU Darmstadt is a top research university for IT security, cryptography and CS in Europe. Darmstadt is a very international, livable and well-connected city in the Rhine-Main area around Frankfurt. Knowledge of German is beneficial, but not required, and TU Darmstadt offers corresponding support.
Your profile:

• Completed Master's degree (or equivalent) at a top university with excellent grades in IT security, computer science, or a similar area.
• Extensive knowledge in applied cryptography/IT security and very good software development skills. Knowledge in cryptographic protocols (ideally MPC) is a plus.
• • Experience in hardware synthesis/compiler construction is beneficial.
• Self-motivated, reliable, creative, can work independently, and want to do excellent research.
• Our working language is English: able to discuss/write/present scientific results in English. German is beneficial but not required.

Application deadline: Jul 31, 2022. Later applications are considered.

Closing date for applications:

Contact: Thomas Schneider (application@encrypto.cs.tu-darmstadt.de)

More information: https://encrypto.de/2022-CROSSING

CHES 2022 will take place in Leuven, Belgium in September 18-21, 2022.

The registration site is now open. Early registration is until August 18th.

Yasuda proposed a variable input-length PRF in CRYPTO 2011, called $\textsf{PMAC\_Plus}$, based on an $n$-bit block cipher. $\textsf{PMAC\_Plus}$ is a rate-$1$ construction and inherits the well-known $\textsf{PMAC}$ parallel network with a low additional cost. However, unlike $\textsf{PMAC}$, $\textsf{PMAC\_Plus}$ is secure roughly up to $2^{2n/3}$ queries. Zhang et al. proposed \textsf{3kf9} in ASIACRYPT 2012, Naito proposed \textsf{LightMAC\_Plus} in ASIACRYPT 2017, and Iwata et al. proposed \textsf{GCM-SIV2} in FSE 2017 -- all of them secure up to around $2^{2n/3}$ queries. Their structural designs and corresponding security proofs were unified by Datta et al. in their framework {\em Double-block Hash-then-Sum} (\textsf{DbHtS}). Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of $2^{3n/4}$ on \textsf{DbHtS}. That $\textsf{PMAC\_Plus}$ provides security for roughly up to $2^{3n/4}$ queries is a consequence of this result. In this paper, we propose a public permutation-based variable input-length PRF called ${\textsf{pPMAC\_Plus}}$. We show that ${\textsf{pPMAC\_Plus}}$ is secure against all adversaries that make at most $2^{2n/3}$ queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of ${\textsf{pPMAC\_Plus}}$ with the two-round iterated Even-Mansour cipher can yield a beyond the birthday bound secure PRF based on public permutations. Altogether, the solution incurs $(2\ell + 4)$ permutation calls, whereas our proposal requires only $(\ell+2)$ permutation calls, $\ell$ being the maximum number of message blocks.

Recent works have started side-channel analysis on SIKE and show the vulnerability of isogeny-based systems to zero-value attacks. In this work, we expand on such attacks by analyzing the behavior of the zero curve $E_0$ and six curve $E_6$ in CSIDH and SIKE. We demonstrate an attack on static-key CSIDH and SIKE implementations that recovers bits of the secret key by observing via zero-value-based resp. exploiting correlation-collision-based side-channel analysis whether secret isogeny walks pass over the zero or six curve. We apply this attack to fully recover secret keys of SIKE and two state-of-the-art CSIDH-based implementations: CTIDH and SQALE. We show the feasibility of exploiting side-channel information for the proposed attacks based on simulations with various realistic noise levels. Additionally, we discuss countermeasures to prevent zero-value and correlation-collision attacks against CSIDH and SIKE in our attacker model.

This paper presents an approach to uncover and analyze power side-channel leakages on a processor cycle level precision. By carefully designing and evaluating the measurement setup, accurate trace timing is enabled, which is used to overlay the trace with the corresponding assembly code. This methodology allows to expose the sources of leakage on a processor cycle scale, which allows for evaluating new implementations. It also exposes that the default ChipWhisperer configuration for STM32F4 targets used in prior work includes wait cycles that are rarely used in real-world applications, but affect power side-channel leakage. As an application for our setup, we target the widely used Sign-Flip function of Gaussian sampling code used in multiple Post-Quantum Key-Exchange Mechanisms and Signature schemes. We propose new implementations for the Sign-Flip function based on our analysis on the original implementation and further evaluate their leakage. Our findings allow the conclusion that unmasked cryptographic implementations of schemes based on Gaussian random numbers for STM32F4 cannot be secure against power side-channel, and that masking just the Gaussian sampler is not a viable option.

In the current digital world, large organizations (sometimes referred to as tech giants) provide service to extremely large numbers of users. The service provider is often interested in computing various data analyses over the private data of its users, which in turn have their incentives to cooperate, but do not necessarily trust the service provider.

In this work, we introduce the \emph{Gulliver multi-party computation model} (GMPC) to realistically capture the above scenario. The GMPC model considers a single highly powerful party, called the {\em server} or {\em Gulliver}, that is connected to $n$ users over a star topology network (alternatively formulated as a full network, where the server can block any message). The users are significantly less powerful than the server, and, in particular, should have both computation and communication complexities that are polylogarithmic in $n$. Protocols in the GMPC model should be secure against malicious adversaries that may corrupt a subset of the users and/or the server.

Designing protocols in the GMPC model is a delicate task, since users can only hold information about $\operatorname{polylog}(n)$ other users (and, in particular, can only communicate with $\operatorname{polylog}(n)$ other users). In addition, the server can block any message between any pair of honest parties. Thus, reaching an agreement becomes a challenging task. Nevertheless, we design generic protocols in the GMPC model, assuming that at most $\alpha<1/6$ fraction of the users may be corrupted (in addition to the server). Our main contribution is a variant of Feige's committee election protocol [FOCS 1999] that is secure in the GMPC model. Given this tool we show: \begin{enumerate} \item Assuming fully homomorphic encryption (FHE), any computationally efficient function with $O\left(n\cdot\operatorname{polylog}(n)\right)$-size output can be securely computed in the GMPC model.

\item Any function that can be computed by a circuit of $O(\operatorname{polylog}(n))$ depth, $O\left(n\cdot\operatorname{polylog}(n)\right)$ size, and bounded fan-in and fan-out can be securely computed in the GMPC model {\em without assuming FHE}.

\item In particular, {\em sorting} can be securely computed in the GMPC model without assuming FHE. This has important applications for the {\em shuffle model of differential privacy}, and resolves an open question of Bell et al. [CCS 2020]. \end{enumerate}

Garbling schemes, invented in the 80's by Yao (FOCS'86), have been a versatile and fundamental tool in modern cryptography. A prominent application of garbled circuits is constant round secure two-party computation, led to a long line of study of this object, where one of the most influential optimizations is Free-XOR (Kolesnikov and Schneider ICALP'08), introducing a global offset $\Delta$ for all garbled wire values where XOR gates are computed directly without garbling them.

To date, garbling sachems were not studied per their side-channel attacks (SCA) security characteristics, even though SCA pose a significant security threat to cryptographic devices. In this research we demonstrate that adversaries utilizing advanced SCA tools such as horizontal attacks, mixed with advanced hypothesis building and standard (vertical) SCA tools, can jeopardize garbling implementations.

Our main observation is that garbling schemes utilizing a global secret $\Delta$ open a door to quite trivial side-channel attacks. We model our side-channel attacks on the garbler's device and discuss the asymmetric setting where various computations are not performed on the evaluator side. This enables dangerous leakage extraction on the garbler and renders our attack impossible on the evaluator's side.

Theoretically, we first demonstrate on a simulated environment, that such attacks are quite devastating. Concretely, our attack is capable of extracting $\Delta$ when the circuit embeds only $8$ input non-linear gates with fifth/first-order attack Success-Rates of $0.65$/$0.7$. With as little as $3$ such gates, our attack reduces the first-order Guessing Entropy of $\Delta$ from $128$ to $\sim48$-bits. We further demonstrate our attack via an implementation and measurements data over an STM 32-bit processor software implementing circuit garbling, and discuss their limitations and mitigation tactics on logical, protocol and implementation layers.

SQISign is an isogeny-based signature scheme that has short keys and signatures and is expected to be a post-quantum scheme. Its security depends on the hardness of the problem to find an isogeny between given two elliptic curves over $\mathbb{F}_{p^2}$, where $p$ is a large prime. For efficiency reasons, a public key in SQISign is taken from a set of supersingular elliptic curves with a particular property. In this paper, we investigate the security related to public keys in SQISign. First, we show some properties of the set of public keys. Next, we show that a key generation procedure used in implementing SQISign could not generate all public keys and propose a modification for the procedure. In addition, we confirm the latter result through an experiment.

In this paper, we propose CryptMed, a system framework that enables medical service providers to offer secure, lightweight, and accurate medical diagnostic service to their customers via an execution of neural network inference in the ciphertext domain. CryptMed ensures the privacy of both parties with cryptographic guarantees. Our technical contributions include: 1) presenting a secret sharing based inference protocol that can well cope with the commonly-used linear and non-linear NN layers; 2) devising an optimized secure comparison function that can efficiently support comparison-based activation functions in NN architectures; 3) constructing a suite of secure smooth functions built on precise approximation approaches for accurate medical diagnoses. We evaluate CryptMed on 6 neural network architectures across a wide range of non-linear activation functions over two benchmark and four real-world medical datasets. We comprehensively compare our system with prior art in terms of end-to-end service workload and prediction accuracy. Our empirical results demonstrate that CryptMed achieves up to respectively $413\times$, $19\times$, and $43\times$ bandwidth savings for MNIST, CIFAR-10, and medical applications compared with prior art. For the smooth activation based inference, the best choice of our proposed approximations preserve the precision of original functions, with less than 1.2\% accuracy loss and could enhance the precision due to the newly introduced activation function family.

A distributed network has Mempool Privacy if transactions remain en- crypted until their inclusion is finalized, and inclusion guarantees decryption and execution. Mempool Privacy is highly desirable to prevent transaction censorship and a broad class of MEV attacks. We present Ferveo, a fast protocol for Mempool Privacy on BFT consensus blockchains, such as those based on Tendermint. Blockchain validators use new Distributed Key Generation and Threshold Public Key Encryption schemes to decrypt transactions encrypted to a threshold public key, closely aligning security assumptions with Tendermint and providing concrete scalability up to thousands of transactions per block. The blockchain security and efficiency models are quite different than typically studied in the academic literature, requiring several new ideas for both the abstract scheme and implementation.

In this paper we resolve the question of whether or not constrained pseudorandom functions (CPRFs) can be built directly from pseudorandom synthesizers. In particular, we demonstrate that the generic PRF construction from pseudorandom synthesizers due to Naor and Reingold can be used to construct CPRFs with bit-fixed predicates using the "direct-line'' approach. We further introduce a property of CPRFs that may be of independent interest.

Event date: 7 November 2022
Submission deadline: 16 July 2022
Notification: 31 August 2022

Event date: 19 June to 22 June 2023
Submission deadline: 8 September 2022
Notification: 10 November 2022

We define new families of Tillich-Zémor hash functions, using higher dimensional special linear groups over finite fields as platforms. The Cayley graphs of these groups combine fast mixing properties and high girth, which together give rise to good preimage and collision resistance of the corresponding hash functions. We justify the claim that the resulting hash functions are post-quantum secure.

A blind signature scheme is a digital signature scheme that allows the signature recipient to obtain a digital signature on a message of her choice without revealing anything about the message or the resulting signature to the signer. Blind signature schemes have recently found applications for privacy-preserving web browsing and ad ecosystems, and as such, are ripe for standardization.

Recently, Denis, Jacobs and Wood [18, 17] submitted an IETF draft for a standard for a blind version of RSA-PSS. Here, we show that this proposed standard constitutes a one-more unforgeable blind signature scheme in the random-oracle model under the one-more-RSA assumption. Further, we show that the blind version of RSA-FDH proposed and analyzed by Bellare, Namprempre, Pointcheval and Semanko does not satisfy blindness when the public key (N,e) is chosen maliciously, but satisfies a weaker notion of a blind token.

Encrypted database draws much attention as it provides privacy-protection services for sensitive data outsourced to a third party. Recent studies show that the security guarantee of encrypted databases are challenged by several leakage-abuse attacks on its search module, and corresponding countermeasures are also proposed. Most of these studies focus on static databases, yet the case for dynamic has not been well investigated. To fill this gap, in this paper, we focus on exploring privacy risks in dynamic encrypted databases and devising effective mitigation techniques. To begin with, we systematically study the exploitable information disclosed during the database querying process, and consider two types of attacks that can recover encrypted queries. The first active attack works by injecting encoded files and correlating file volume information. The second passive attack works by identifying queries’ unique relational characteristics across updates, assuming certain background knowledge of plaintext databases. To mitigate these attacks, we propose a two-layer encrypted database hardening approach, which obfuscates both search indexes and files in a continuous way. As a result, the unique characteristics emerging after data updates can be eliminated constantly. We conduct a series of experiments to confirm the severity of our attacks and the effectiveness of our countermeasures.

NJS is a cryptographic protection algorithm for relational databases with non-deterministic symmetric encryption, making it possible to search data with almost the same speed as a clear text search (depending on the parameterization). The algorithm has the characteristic of performing a fast encryption on the data and a slightly slower decryption that is only performed on the client workstation. The entire process of searching, changing, adding and deleting data is performed on the server with the encrypted data. The NJS cipher is not a form of homomorphic encryption, but it can replace it with some search limitations. One advantage is the fact that noise added to the message does not interfere with its decryption, regardless of the number of operations performed on each record in a database table.

Secure multi-party computation (MPC) is an essential tool for privacy-preserving machine learning (ML). However, secure training of large-scale ML models currently requires a prohibitively long time to complete. Given that large ML inference and training tasks in the plaintext setting are significantly accelerated by Graphical Processing Units (GPUs), this raises the natural question: can secure MPC leverage GPU acceleration? A few recent works have studied this question in the context of accelerating specific components or protocols, but do not provide a general-purpose solution. Consequently, MPC developers must be both experts in cryptographic protocol design and proficient at low-level GPU kernel development to achieve good performance on any new protocol implementation.

We present Piranha, a general-purpose, modular platform for accelerating secret sharing-based MPC protocols using GPUs. Piranha allows the MPC community to easily leverage the benefits of a GPU without requiring GPU expertise. Piranha contributes a three-layer architecture: (1) a device layer that can independently accelerate secret-sharing protocols by providing integer-based kernels absent in current general-purpose GPU libraries, (2) a modular protocol layer that allows developers to maximize utility of limited GPU memory with in-place computation and iterator-based support for non-standard memory access patterns, and (3) an application layer that allows applications to remain completely agnostic to the underlying protocols they use.

To demonstrate the benefits of Piranha, we implement 3 state-of-the-art linear secret sharing MPC protocols for secure NN training: 2-party SecureML (IEEE S&P ’17), 3-party Falcon (PETS ’21), and 4-party FantasticFour (USENIX Security ’21). Compared to their CPU-based implementations, the same protocols implemented on top of Piranha’s protocol-agnostic acceleration exhibit a 16−48× decrease in training time. For the first time, Piranha demonstrates the feasibility of training a realistic neural network (e.g. VGG), end-to-end, using MPC in a little over one day. Piranha is open source and available at https://github.com/ucbrise/piranha.