International Association
for Cryptologic Research

This paper presents a fast method to compute algebraic norms of integral elements of smooth-degree cyclotomic fields, and, more generally, smooth-degree Galois number fields with commutative Galois groups. The typical scenario arising in $S$-unit searches (for, e.g., class-group computation) is computing a $\Theta(n\log n)$-bit norm of an element of weight $n^{1/2+o(1)}$ in a degree-$n$ field; this method then uses $n(\log n)^{3+o(1)}$ bit operations.

An $n(\log n)^{O(1)}$ operation count was already known in two easier special cases: norms from power-of-2 cyclotomic fields via towers of power-of-2 cyclotomic subfields, and norms from multiquadratic fields via towers of multiquadratic subfields. This paper handles more general Abelian fields by identifying tower-compatible integral bases supporting fast multiplication; in particular, there is a synergy between tower-compatible Gauss-period integral bases and a fast-multiplication idea from Rader.

As a baseline, this paper also analyzes various standard norm-computation techniques that apply to arbitrary number fields, concluding that all of these techniques use at least $n^2(\log n)^{2+o(1)}$ bit operations in the same scenario, even with fast subroutines for continued fractions and for complex FFTs. Compared to this baseline, algorithms dedicated to smooth-degree Abelian fields find each norm $n/(\log n)^{1+o(1)}$ times faster, and finish norm computations inside $S$-unit searches $n^2/(\log n)^{1+o(1)}$ times faster.

The cloud-aided Internet of Things (IoT) overcomes the resource-constrained nature of the traditional IoT and develops rapidly in such fields as smart grid and intelligent transportation. In a cloud-aided IoT system, users can remotely control the IoT devices or send specific instructions to them. When the user's identity is not verified and an adversary delivers malicious instructions to IoT devices, the system's security may be compromised. Besides, the real-time data stored in IoT devices can also be exposed to illegal users, causing security issues. Thus, the authentication mechanism is indispensable. Furthermore, with the exponential growth of interconnected devices, a gateway may connect to mass IoT devices. The efficiency of authentication schemes is easily affected by the computation power of the gateway. Although recent research has proposed many user authentication schemes for IoT, only a dozen schemes are designed for cloud-aided IoT. Therefore, we take a typical scheme (presented at IEEE TDSC 2020) as an example to capture user authentication schemes' common weaknesses and design challenges for cloud-aided IoT. Then, we propose a new secure user authentication scheme for cloud-aided IoT with lightweight computation on gateways. The proposed scheme provides secure access between the remote user and IoT devices with many ideal attributions, such as forward secrecy and multi-factor security. Meanwhile, the security of this scheme is proved under the random oracle model, heuristic analysis, the ProVerif tool and BAN logic. Finally, we compare the proposed scheme with eleven state-of-the-art schemes in security and performance. The results show that the proposed scheme achieves all listed twelve security requirements with minimum computation and storage costs on gateways.

We study a tamper-tolerant implementation security notion for general purpose Multi-Party Computation (MPC) protocols, as an analogue of the leakage-tolerant notion in the MPC literature. An MPC protocol is tamper-tolerant, or more specifically, non-malleable (with respect to a certain type of tampering) if the processing of the protocol under corruption of parties (and tampering of some ideal resource assumed by the protocol) can be simulated by an ideal world adversary who, after the trusted party spit out the output, further decides how the output for honest parties should be tampered with. Intuitively, we relax the correctness of secure computation in a privacy-preserving way, decoupling the two entangled properties that define secure computation. The rationale behind this relaxation is that even the strongest notion of correctness in MPC allows corrupt parties to substitute wrong inputs to the trusted party and the output is incorrect anyway, maybe the importance of insisting on that the adversary does not further tamper with the incorrect output is overrated, at least for some applications. Various weak privacy notions against malicious adversary play an important role in the study of two-party computation, where full security is hard to achieve efficiently.

We begin with the honest majority setting, where efficient constructions for general purpose MPC protocols with full security are well understood assuming secure point-to-point channels. We then focus on non-malleability with respect to tampered secure point-to-point channels. (1) We show achievability of non-malleable MPC against the bounded state tampering adversary in the joint tampering model through a naive compiler approach, exploiting a known construction of interactive non-malleable codes. The construction is currently not efficient and should be understood as showing feasibility in a rather strong tampering model. (2) We show efficient constructions of non-malleable MPC protocols against weaker variants of bounded state tampering adversary in the independent tampering model, where the protocol obtained have the same asymptotic communication complexity as best MPC protocols against honest-but-curious adversary. These are all information-theoretic results and are to be contrasted against impossibility of secure MPC when secure point-to-point channels are compromised.

Though general non-malleable MPC in no honest majority setting is beyond the scope of this work, we discuss interesting applications of honest majority non-malleable MPC in the celebrated MPC-in-the-head paradigm. Other than an abstract result concerning non-malleability, we also derive, in standard model where there is no tampering, that strong (ideal/real world) privacy against malicious adversary can be achieved in a conceptually very simple way.

In this paper, we aim to present a quantum setting oriented preimage attack against 4-round Keccak-224. An important technique we called the allocating rotational cryptanalysis takes the preimage attack into the situation of 2-block preimage recovery. With the conditions on the middle state proposed by Li et al., we use the generic quantum preimage attack to deal with the finding of first preimage block. By using the newly explored propagation of rotational relations, we significantly increase the number of eigenpoints at the end of 4-round modified Keccak-f from 0 to 32, and therefore improving the accuracy of determining the rotational number for a certain rotational counterpart in the quantum setting by more than 10 orders of magnitude. On the basis of the above, we design an efficient unitary oracle operator with only twice calling of the 4-round modified Keccak-f, which costs half of previous results, to mark a rotational counterpart of the second preimage block in order that the second preimage block can be found indirectly from a quickly generated specified search space. As a result on the 4-round Keccak-224: In the classical setting, the preimage attack with the complexity decreased to 2^218 is better than the result based on the pioneered rotational cryptanalysis. In the quantum setting, the amplitude amplification driven preimage attack with a complexity of 2^110 is by far the best dedicated quantum preimage attack. Additionally, the SKW algorithm is applied to the dedicated quantum preimage attack against the 4-round Keccak-224 for the first time, which is exponentially easier to implement in quantum circuit than the former, with a complexity of 2^111.

Non-fungible tokens (NFTs) are a blockchain application that has recently witnessed significant success. However, NFT marketplaces are majorly built on popular blockchain platforms that do not provide privacy tools. As a result, NFTs are easily visible to everyone. This has naturally given rise to various issues, including stolen/duplicate NFTs and attacks like shill trading. Furthermore, this architecture fails to reflect the real-life privacy notion as it digitizes unique physical goods. In this project, we build Paras - a blockchain-agnostic protocol that offers privacy to NFTs. Specifically, one may hide the real NFTs and only display a reference to them on marketplaces, hide seller and bidder identities, hide bid values and user wallet balances.

Paras is based on cryptographic primitives, such as, threshold encryption and robust secret sharing. It does not rely on any trusted execution environments for security, unlike some existing protocols in this direction.

The School of Computing and Information Technology (SCIT) is one of six Schools within the Faculty of Engineering and Information Sciences at the University of Wollongong. The SCIT aims to be a world class Research School, and this position is expected to contribute towards this aim. The Senior Lecturer/Lecturer, Cryptography will provide development, teaching and research within the Bachelor of Computer Science (majoring Cybersecurity and Digital Systems Security). The candidate is expected to be research active in the area of cryptography and other relevant topics, and be equipped with sufficient experience for teaching undergraduate and postgraduate studies. The successful candidate will have a national reputation in cryptography and/or cyber security research, innovative teaching experience, an established research profile and a demonstrable commitment to positive change. The candidate should demonstrate research excellence and potential to become an effective teacher in the area of Computer Science and Information Technology. As women are underrepresented in this area, women are strongly encouraged for these positions. You will be prompted to respond to a selection criteria questionnaire as part of the application process.

Closing date for applications:

Contact: Prof Willy Susilo

More information: https://www.seek.com.au/job/57956072

As a FHE Researcher, you will:

• Conduct research on state-of-the-art FHE schemes.
• Conduct Research on new Verifiable Computation (VC) schemes applied to FHE
• Design and implementation of new FHE and VC schemes.

Skills required for the job

• Knowledge of fully homomorphic encryption
• Deep understanding of lattice-based cryptography
• Knowledge on Verifiable Computation schemes is advisable
• Experience in C desired, C++, Rust or Go relevant as well
• Familiarity with hardware languages is a plus
• Solid engineering practices and processes, such as development and testing methodology and documentation
• Quick learner, geared towards implementation
• Eager to develop new skills and willing to take ownership of projects

Qualifications:

Ph.D. degree in Cryptography, Applied Cryptography, Cybersecurity, Mathematics, Computer Science or Engineering

Closing date for applications:

Contact: Dr. Najwa Aaraj, naaraj@alumni.princeton.edu

As a MPC Researcher, you will:

• Conduct research on state-of-the-art secure Multi Party Computation.
• Work on MPC building blocks such as,
  • Secret Sharing schemes
  • FHE
  • Garbled Circuits
• Design and implementation of building blocks to utilize privacy-preserving cryptographic techniques to cloud computing and machine learning applications.

Skills required for the job

• Knowledge on secure Multi Party Computation.
• Knowledge in some of the following is valuable:
  • Secret Sharing schemes
  • Garbled Circuits
  • FHE schemes
  • Zero-Knowledge proofs
• Experience in C desired, C++, Rust and Python relevant as well.
• Solid engineering practices and processes, such as development and testing methodology and documentation.
• Quick learner, geared towards implementation. Eager to develop new skills and willing to take ownership of projects.
• Knowledge on machine learning would be valuable.

Qualifications:

Ph.D. degree in Cryptography, Applied Cryptography, Cybersecurity, Mathematics or Computer Science or Engineering

Closing date for applications:

Contact: Dr. Najwa Aaraj, naaraj@alumni.princeton.edu

As a Post-Quantum Protocol expert, you will

• Work on security protocols based on post-quantum primitives such as Public Key Encryption, Key Encapsulation Mechanism, Key Exchange, and Digital Signatures schemes
• Analyze existing and propose new protocol designs, with special focus on post-quantum IPSec, VPNs, SSL, TLS, etc.
• Focus on protocols for lightweight environment
• Test and benchmark optimized and secure implementations of different protocols and study the impact on real life applications
• Investigate security properties and performance-security trade-offs
• Conduct research on new and/or state-of-the-art attacks
• Design and implementation of hybrid (post quantum – classical) solutions

Skills required for the job

• Knowledge on cryptography and cybersecurity, in particular a solid background in network security, especially protocol design and evaluation
• Excellent with C, C++, Python, (JAVA and Rust will be valuable as well)
• Hard and organized worker, quick learner, geared towards implementation. Eager to develop new skills and willing to take ownership of projects

Qualifications

• Ph.D. degree in Cryptography, Applied Cryptography, Cybersecurity, Mathematics or Computer Science or Engineering

Closing date for applications:

Contact: Najwa Aaraj, naaraj@alumni.Princeton.edu

As a Post-Quantum Cryptography expert, you will

• Work on all aspects of post-quantum primitives such as Public Key Encryption, Key Encapsulation Mechanism, Key Exchange, and Digital Signatures schemes
• Analyze existing designs
• Propose new designs
• Work on optimized and secure implementations in software and/or hardware platforms
• Investigate security properties and performance-security trade-offs
• Study the impact on lightweight environment
• Conduct research on new and/or state-of-the-art attacks
• Participate to the review and evaluation of post-quantum schemes that are under NIST scrutiny for standardization
• Design and implementation of hybrid (post-quantum – classical) solutions
• Contribute to the development of cryptographic libraries and security frameworks

Skills required for the job

• Knowledge on cryptography and cybersecurity, in particular at least one among
• Solid mathematical background on either lattices, codes, or multivariate systems
• Solid programming skills either in software or hardware
• Solid background in network security, especially protocol design and evaluation
• Excellent with C, C++, Python, (JAVA and Rust will be valuable as well)
• Hard and organized worker, quick learner, geared towards implementation. Eager to develop new skills and willing to take ownership of projects

Qualifications

• Ph.D. degree in Cryptography, Applied Cryptography, Cybersecurity, Mathematics or Computer Science or Engineering

Closing date for applications:

Contact: Najwa Aaraj, naaraj@alumni.princeton.edu

Event date: 16 December to 18 December 2022

Event date: 11 December to 13 December 2022
Submission deadline: 1 September 2022
Notification: 1 November 2022

Event date: 8 December to 9 December 2022
Submission deadline: 23 October 2022
Notification: 1 November 2022

Event date: 24 April to 27 April 2023
Submission deadline: 18 October 2022
Notification: 10 January 2023

Event date: 23 November to 25 November 2022
Submission deadline: 15 August 2022
Notification: 15 September 2022

We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a "glue-and-split" theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core. This is a preliminary version of a longer article in preparation.

Central Bank Digital Currencies (CBDCs) aspire to offer a digital replacement for physical cash and as such need to tackle two fundamental requirements that are in conflict. On the one hand, it is desired they are $\textit{private}$ so that a financial ``panopticon'' is avoided, while on the other, they should be $\textit{regulation friendly}$ in the sense of facilitating any threshold-limiting, tracing, and counterparty auditing functionality that is necessary to comply with regulations such as Know Your Customer (KYC), Anti Money Laundering (AML) and Combating Financing of Terrorism (CFT) as well as financial stability considerations. In this work, we put forth a new model for CBDCs and an efficient construction that, for the first time, fully addresses these issues simultaneously. Moreover, recognizing the importance of avoiding a $\textit{single point of failure}$, our construction is distributed so that all its properties can withstand a suitably bounded minority of participating entities getting corrupted by an adversary. Achieving all the above properties efficiently is technically involved; among others, our construction uses suitable cryptographic tools to thwart man-in-the-middle attacks, it showcases a novel traceability mechanism with significant performance gains compared to previously known techniques and, perhaps surprisingly, shows how to obviate Byzantine agreement or broadcast from the optimistic execution path of a payment, something that results in an essentially optimal communication pattern and communication overhead when the sender and receiver are honest. Going beyond ``simple'' payments, we also discuss how our scheme can facilitate one-off large transfers complying with Know Your Transaction (KYT) disclosure requirements. Our CBDC concept is expressed and realized in the Universal Composition (UC) framework providing in this way a modular and secure way to embed it within a larger financial ecosystem.

In the light of NIST’s announced reopening of the call for digital signature proposals in 2023 due to lacking diversity, there is a strong need for constructions based on other established hardness assumptions. In this work we construct a new post-quantum secure digital signature scheme based on the $MinRank$ problem, a problem with a long history of applications in cryptanalysis that led to a strong belief in its hardness. Initially following a design by Courtois (Asiacrypt '01) based on the Fiat--Shamir transform, we make use of several recent developments in the design of sigma protocols to reduce signature size and improve efficiency. This includes the recently introduced $sigma \; protocol \; with \; helper$ paradigm (Eurocrypt '19) and combinations with $cut$-$and$-$choose$ techniques (CCS '18). Moreover, we introduce several improvements to the core of the scheme to further reduce its signature size.

One of the most popular ways to turn a keyless hash function into a keyed one is the HMAC algorithm. This approach is too expensive in some cases due to double hashing. Excessive overhead can sometimes be avoided by using certain features of the hash function itself. The paper presents a simple and safe way to create a keyed cryptoalgorithm (conventionally called "Streebog-K") from hash function Streebog $\mathsf{H}(M)$. Let $K$ be a secret key, then $\mathsf{KH}(K,M)=\mathsf{H}(K||M)$ is a secure pseudorandom function (PRF) and, therefore, a good message authentification code (MAC). The proof is obtained by reduction of the security of the presented construction to the resistance of the underlying compression function to the related key attacks (PRF-RKA). The security bounds of Streebog-K are essentially the same as those of HMAC-Streebog, but the computing speed doubles when short messages are used.

Secret sharing is an essential tool for many distributed applications, including distributed key generation and multiparty computation. For many practical applications, we would like to tolerate network churn, meaning participants can dynamically enter and leave the pool of protocol participants as they please. Such protocols, called Dynamic-committee Proactive Secret Sharing (DPSS) have recently been studied; however, existing DPSS protocols do not gracefully handle faults: the presence of even one unexpectedly slow node can often slow down the whole protocol by a factor of $O(n)$.

In this work, we explore optimally fault-tolerant asynchronous DPSS that is not slowed down by crash faults and even handles byzantine faults while maintaining the same performance. We first introduce the first high-threshold DPSS, which offers favorable characteristics relative to prior non-synchronous works in the presence of faults while simultaneously supporting higher privacy thresholds. We then batch-amortize this scheme along with a parallel non-high-threshold scheme which achieves optimal bandwidth characteristics. We implement our schemes and demonstrate that they can compete with prior work in best-case performance while outperforming it in non-optimal settings.