International Association for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo and Facebook.

17 August 2022

Thomas Pornin
ePrint Report
Double-odd curves are curves with order equal to 2 modulo 4. A prime order group with complete formulas and a canonical encoding/decoding process could previously be built over a double-odd curve. In this paper, we reformulate such curves as a specific case of the Jacobi quartic. This allows using slightly faster formulas for point operations, as well as defining a more efficient encoding format, so that decoding and encoding have the same cost as classic point compression (decoding is one square root, encoding is one inversion). We define the prime-order groups jq255e and jq255s as the application of that modified encoding to the do255e and do255s groups. We furthermore define an optimized signature mechanism on these groups, that offers shorter signatures (48 bytes instead of the usual 64 bytes, for 128-bit security) and makes signature verification faster (down to less than 83000 cycles on an Intel x86 Coffee Lake core).
Henri Devillez, Olivier Pereira, Thomas Peters
ePrint Report
The verifiable encryption of bits is the main computational step that is needed to prepare ballots in many practical voting protocols. Its computational load can also be a practical bottleneck, preventing the deployment of some protocols or requiring the use of computing clusters.

We investigate the question of producing many verifiably encrypted bits in an efficient and portable way, using as a baseline the protocol that is in use in essentially all modern voting systems and libraries supporting homomorphic voting, including ElectionGuard, a state-of-the-art open source voting SDK deployed in government elections. Combining fixed base exponentiation techniques and new encryption and ZK proof mechanisms, we obtain speed-ups by more than one order of magnitude against standard implementations. Our exploration requires balancing conflicting optimization strategies, and the use of asymptotically less efficient protocols that turn out to be very effective in practice. Several of our proposed improvements are now on the ElectionGuard roadmap.
Héctor Masip Ardevol, Jordi Baylina Melé, Daniel Lubarov, José L. Muñoz-Tapia
ePrint Report
SNARKs for some standard cryptographic primitives tend to be plenty designed with SNARK-unfriendly operations such as XOR. Previous protocols such as [GW20] worked around this problem by the introduction of lookup arguments. However, these protocols were only applicable over the same circuit. RapidUp is a protocol that solves this limitation by unfolding the grand-product polynomial into two (equivalent) polynomials of the same size. Moreover, a generalization of previous protocols is presented by the introduction of selectors.
Jiewen Yao, Krystian Matusiewicz, Vincent Zimmer
ePrint Report
The Security Protocol and Data Model (SPDM) defines flows to authenticate the hardware identity of a computing device. It also allows for establishing a secure session for confidential and integrity-protected data communication between two devices. The present version of SPDM, namely version 1.2, relies on traditional asymmetric cryptographic algorithms that are known to be vulnerable to quantum attacks. This paper describes the means by which support for post-quantum (PQ) cryptography can be added to the SPDM protocol in order to enable SPDM for the upcoming world of quantum computing. We examine the SPDM 1.2 protocol and discuss how to negotiate the use of post-quantum cryptography algorithms (PQC), how to support device identity reporting, means to authenticate the device, and how to establish a secure session when using PQC algorithms. We consider so-called hybrid modes where both classical and PQC algorithms are used to achieve security properties, as these modes are important during the transition period. We also share our experience with implementing PQ-SPDM and provide benchmarks for some of the winning NIST PQC algorithms.
Ngoc Khanh Nguyen, Gregor Seiler
ePrint Report
We propose a practical sublinear-size zero-knowledge proof system for Rank-1 Constraint Satisfaction (R1CS) based on lattices. The proof size scales asymptotically with the square root of the witness size. Concretely, the size becomes $2$-$3$ times smaller than Ligero (ACM CCS 2017), which also exhibits square root scaling, for large instances of R1CS. At the core lies an interactive variant of the Schwartz-Zippel Lemma that might be of independent interest.
Ananya Appan, Anirudh Chandramouli, Ashish Choudhury
ePrint Report
In this work, we study perfectly-secure multi-party computation (MPC) against general (non-threshold) adversaries. Known protocols in a synchronous network are secure against $Q^{(3)}$ adversary structures, while in an asynchronous network, known protocols are secure against $Q^{(4)}$ adversary structures. A natural question is whether there exists a single protocol which remains secure against $Q^{(3)}$ and $Q^{(4)}$ adversary structures in a synchronous and in an asynchronous network respectively, where the parties are not aware of the network type. We design the first such best-of-both-worlds protocol against general adversaries. Our result generalizes the result of Appan, Chandramouli and Choudhury (PODC 2022), which presents a best-of-both-worlds perfectly-secure protocol against threshold adversaries.

To design our protocol, we present two important building blocks which are of independent interest. The first building block is a best-of-both-worlds perfectly-secure Byzantine agreement (BA) protocol for $Q^{(3)}$ adversary structures, which remains secure both in a synchronous, as well as an asynchronous network. The second building block is a best-of-both-worlds perfectly-secure verifiable secret-sharing (VSS) protocol, which remains secure against $Q^{(3)}$ and $Q^{(4)}$ adversary structures in a synchronous network and an asynchronous network respectively.
Joël Alwen, Dominik Hartmann, Eike Kiltz, Marta Mularczyk, Peter Schwabe
ePrint Report
A multi-message multi-recipient PKE (mmPKE) encrypts a batch of messages, in one go, to a corresponding set of independently chosen receiver public keys. The resulting "multi-recipient ciphertext" can then be reduced (by any 3rd party) to a shorter, receiver-specific "individual ciphertext". Finally, to recover the $i$-th message in the batch from their individual ciphertext, the $i$-th receiver only needs their own decryption key. A special case of mmPKE is multi-recipient PKE where all receivers are sent the same message. By treating (m)mPKE and their KEM counterparts as stand-alone primitives we allow for more efficient constructions than trivially composing individual PKE/KEM instances. This is especially valuable in the post-quantum setting, where PKE/KEM ciphertexts and public keys tend to be far larger than their classic counterparts.

In this work we describe a collection of new results around batched KEMs and PKE. We provide both classic and post-quantum proofs for all results. Our results are geared towards practical constructions and applications (for example in the domain of PQ-secure group messaging).

Concretely, our results include a new non-adaptive to adaptive compiler for CPA-secure mKEMs resulting in public keys roughly half the size of the previous state-of-the-art [Hashimoto et al., CCS'21]. We also prove their FO transform for mKEMs to be secure in the quantum random oracle model. We provide the first mKEM combiner as well as two mmPKE constructions. The first is an arbitrary message-length black-box construction from an mKEM (e.g. one produced by combining a PQ with a classic mKEM). The second is optimized for short messages and achieves hybrid PQ/classic security more directly. When encrypting $n$ short messages (e.g. as in several recent mmPKE applications) at 256 bits of security, the mmPKE ciphertexts are $144 n$ bytes shorter than the generic construction. Finally, we provide an optimized implementation of the (CCA secure) mKEM construction based on the NIST PQC winner Kyber and report benchmarks showing a significant speedup for batched encapsulation and up to 79% savings in ciphertext size compared to a naive solution.
Christian Badertscher, Peter Gaži, Iñigo Querejeta-Azurmendi, Alexander Russell
ePrint Report
Verifiable random functions (Micali et al., FOCS'99) allow a key-pair holder to verifiably evaluate a pseudorandom function under that particular key pair. These primitives enable fair and verifiable pseudorandom lotteries, essential in proof-of-stake blockchains such as Algorand and Cardano, and are being used to secure billions of dollars of capital. As a result, there is an ongoing IRTF effort to standardize VRFs, with a proposed ECVRF based on elliptic-curve cryptography appearing as the most promising candidate.

In this work, towards understanding the general security of VRFs and in particular the ECVRF construction, we provide an ideal functionality in the Universal Composability (UC) framework (Canetti, FOCS'01) that captures VRF security, and show that ECVRF UC-realizes this functionality.

We further show how the range of a VRF can generically be extended in a modular fashion based on the above functionality. This observation is particularly useful for protocols such as Ouroboros since it allows reducing the number of VRF evaluations (per slot) and VRF verifications (per block) from two to one at the price of additional (but much faster) hash-function evaluations.

Finally, we study batch verification in the context of VRFs. We provide a UC-functionality capturing a VRF with batch-verification capability, and propose modifications to ECVRF that allow for this feature. We again prove that our proposal UC-realizes the desired functionality. We provide a performance analysis showing that verification can yield a factor-two speedup for batches with 1024 proofs, at the cost of increasing the proof size from 80 to 128 bytes.
Kevin Lewi, Jon Millican, Ananth Raghunathan, Arnab Roy
ePrint Report
Many online applications, such as online file backup services, support the sharing of indexed data between a set of devices. These systems may offer client-side encryption of the data, so that the stored data is inaccessible to the online host. A potentially desirable goal in this setting would be to protect not just the contents of the backed-up files, but also their identifiers. However, as these identifiers are typically used for indexing, a deterministic consistent mapping across devices is necessary. Additionally, in a multi-device setting, it may be desirable to maintain an ability to revoke a device’s access—e.g. through rotating encryption keys for new data.

We present a new primitive, called the Oblivious Revocable Function (ORF), which operates in the above setting and allows identifiers to be obliviously mapped to a consistent value across multiple devices, while enabling the server to permanently remove an individual device’s ability to map values. This permits a stronger threat model against metadata, in which metadata cannot be derived from identifiers by a revoked device colluding with the service provider, so long as the service provider was honest at the instant of revocation. We describe a simple Diffie-Hellman-based construction that achieves ORFs and provide a proof of security under the UC framework.
Sarah Arpin, Tyler Raven Billingsley, Daniel Rayor Hast, Jun Bo Lau, Ray Perlner, Angela Robinson
ePrint Report
We present experimental findings on the decoding failure rate (DFR) of BIKE, a fourth-round candidate in the NIST Post-Quantum Standardization process, at the 20-bit security level. We select parameters according to BIKE design principles and conduct a series of experiments. We directly compute the average DFR on a range of BIKE block sizes and identify both the waterfall and error floor regions of the DFR curve. We then study the influence on the average DFR of three sets $\mathcal{C}$, $\mathcal{N}$, and $2\mathcal{N}$ of near-codewords --- vectors of low weight that induce syndromes of low weight --- defined by Vasseur in 2021. We find that error vectors leading to decoding failures have small maximum support intersection with elements of these sets; further, the distribution of intersections is quite similar to that of sampling random error vectors and counting the intersections with $\mathcal{C}$, $\mathcal{N}$, and $2\mathcal{N}$. Our results indicate that these three sets are not sufficient in classifying vectors expected to cause decoding failures. Finally, we study the role of syndrome weight on the decoding behavior and conclude that the set of error vectors that lead to decoding failures differs from random vectors by having low syndrome weight.
Daniël Kuijsters, Denise Verbakel, Joan Daemen
ePrint Report
Lightweight cryptography is characterized by the need for low implementation cost, while still providing sufficient security. This requires careful analysis of building blocks and their composition. SKINNY is an ISO/IEC standardized family of tweakable block ciphers and is used in the NIST lightweight cryptography standardization process finalist Romulus. We present non-trivial linear approximations of two-round SKINNY that have correlation one or minus one and that hold for a large fraction of all round tweakeys. Moreover, we show how these could have been avoided.
Alan Szepieniec, Frederik Vercauteren
ePrint Report
This note discusses lattice-based cryptography over the field with $p= 2^{64} - 2^{32} + 1$ elements, with an eye to supporting lattice-based cryptography operations in virtual machines such as Miden VM that operate natively over this field. It discusses how to support Dilithium and Falcon, two lattice-based signature schemes recently selected by the NIST PQC project; and proposes parameters for efficient public key encryption and publicly re-randomizable commitments modulo $p$.
Michael Backes, Pascal Berrang, Lucjan Hanzlik, Ivan Pryvalov
ePrint Report
The emergence of distributed digital currencies has raised the need for a reliable consensus mechanism. In proof-of-stake cryptocurrencies, the participants periodically choose a closed set of validators, who can vote and append transactions to the blockchain. Each validator can become a leader with the probability proportional to its stake. Keeping the leader private yet unique until it publishes a new block can significantly reduce the attack vector of an adversary and improve the throughput of the network. The problem of Single Secret Leader Election (SSLE) was first formally defined by Boneh et al. in 2020. In this work, we propose a novel framework for constructing SSLE protocols, which relies on secure multi-party computation (MPC) and satisfies the desired security properties. Our framework does not use any shuffle or sort operations and has a computational cost for N parties as low as O(N) basic MPC operations per party. We improve the state-of-the-art for SSLE protocols that do not assume a trusted setup. Moreover, our SSLE scheme efficiently handles weighted elections. That is, for a total weight S of N parties, the associated costs are only increased by a factor of log S. When the MPC layer is instantiated with techniques based on Shamir’s secret-sharing, our SSLE has a communication cost of O(N^2) which is spread over O(log N) rounds, can tolerate up to t < N/2 faulty nodes without restarting the protocol, and its security relies on DDH in the random oracle model. When the MPC layer is instantiated with more efficient techniques based on garbled circuits, our SSLE requires all parties to participate, up to N − 1 of which can be malicious, and its security is based on the random oracle model.
Election
The 2022 election is being held to fill four Officer positions and three of nine Director positions.

Nominations are due by October 1st, 2022.

Information about the vacant positions and the nomination process is available at https://iacr.org/elections/2022/announcement.html.

16 August 2022

TU Eindhoven
Job Posting
The Coding Theory and Cryptology group is looking for an excellent candidate for a fully funded Ph.D. position as part of QSI (Quantum-Safe Internet), a Marie Curie Innovative Training Network (MSCA-ITN). The QSI network involves top-ranking partner universities from France, Italy, Germany, the Netherlands, Denmark, Spain, the UK, and Switzerland, as well as industrial partners.

You will conduct research at the intersection of quantum and post-quantum cryptography and publish/present the results at top venues for research in crypto/IT Security. This is a joint doctorate, supervised by A. Hülsing, K. Hövelmanns and B. Škorić.

You must meet the following requirements:
  • Master’s degree or equivalent in computer science, mathematics, or a related field.
  • Outstanding grades in classes related to cryptography, IT security, theoretical CS, or mathematics. (Familiarity with provable security and/or a strong mathematical background are a plus.)
  • Excellent communication/writing skills in English. (No Dutch required.)
  • Compliance with the MSCA-ITN mobility rule: You must not have resided or carried out your main activity (work, studies, etc.) in the Netherlands for more than 12 months in the 36 months immediately before your recruitment date.
We offer:
  • Full-time employment for the duration of the PhD (four years at TU/e).
  • A well-rounded training offered by the QSI network, covering a range of topics related to secure communications in the quantum era, as well as complementary training intended to enhance your personal development.
  • Generous travel budget that allows for, e.g., exposure to different sectors via planned placements and attendance at summer schools.
  • Salary and benefits in accordance with the collective labour agreement for Dutch universities. Candidates from abroad can be eligible for an additional tax reduction scheme.
The position is to be filled as soon as possible. We strongly encourage applications from members of any underrepresented group in our research area.

Closing date for applications:

Contact: To apply or for questions, use itn-applications@huelsing.net. Applications should contain (in a single PDF):

  • Cover letter describing your research interests
  • CV, including transcripts
  • Contact details of 2-3 potential references


11 August 2022

Freie Universität Berlin, Department of Computer Science, Germany
Job Posting

The Cybersecurity and AI Group led by Prof. Gerhard Wunder (https://www.mi.fu-berlin.de/en/inf/groups/ag-comm/index.html/) and the Information Security Group led by Prof. Marian Margraf (https://www.mi.fu-berlin.de/inf/groups/ag-idm/index.html/) at Freie Universität Berlin are looking for one PhD student in the area of cryptographic security, post-quantum codes and signatures.

The position is connected to UltraSec, a research project focusing on the Ultra Wide Band (UWB) wireless technology, which has immense potential. The collaborative project consists of partners from leading academia, an IoT- and security-centric startup, a research institute, and industry. The PhD candidate contributes to the theoretical foundations, design, and implementation of a security architecture for a UWB-based IoT development platform, thereby closely collaborating with the partners in the consortium. Candidates are expected to co-author articles published in high-quality academic venues such as IEEE/ACM conferences and journals. Within the framework of the externally funded research project, the opportunity for writing a doctoral thesis is granted.

Your profile

  • Applicants must possess a master's degree in computer science, mathematics, electrical engineering or similar.
  • A solid mathematical background in classical cryptography and post-quantum cryptography, and good coding skills in C/Go/Rust/Python/MATLAB, are desirable.
  • General understanding of coding quality and solid practice of source code and project management tools (Git, Travis CI, etc.) is a plus.
  • Moreover, the candidate should be able and willing to work and cooperate with the members of the group and the project consortium.

Starting Date: October/November 2022.

Further information can be found here: https://www.mi.fu-berlin.de/en/inf/groups/ag-comm/open-positions/wimis/index.html

Closing date for applications:

Contact: Applications including all the relevant documents should be sent electronically by e-mail to g.wunder@fu-berlin.de (cc: stefanie.bahe@fu-berlin.de), preferably as a single pdf-document.

More information: https://www.mi.fu-berlin.de/en/inf/groups/ag-comm/open-positions/wimis/index.html

Simula UiB, Bergen, Norway
Job Posting
Simula UiB is a research centre in Cryptography and Information Theory located in Bergen, Norway. We are currently looking for an outstanding candidate for a 4-year PhD researcher position in the area of symmetric-key cryptography. The successful candidate will work under the supervision of Prof Carlos Cid, towards a PhD degree from the University of Bergen. The research topic will be one of the following:
  • Design and analysis of dedicated symmetric-key ciphers for privacy-preserving mechanisms (e.g. MPC, FHE, ZKP schemes); or,
  • Quantum cryptanalysis of symmetric-key primitives.

We are looking for a candidate who has recently completed, or is about to complete, a master’s degree in cryptography, mathematics, or a closely related field. The master’s degree must have been awarded, with good results, before their start in the PhD position – in particular the candidate must satisfy the enrolment requirements for the PhD programme at the University of Bergen. The candidate must be highly motivated and be able to demonstrate their potential for conducting original research in cryptography. Simula UiB currently has 13 Early Career Researchers working on a range of research problems in cryptography and information theory and can offer a vibrant, stimulating and inclusive working environment to the successful candidate.

Interested and qualified candidates should apply at https://www.simula.no/about/job/phd-student-symmetric-key-cryptography
Deadline for application is 31 October 2022; however applications will be screened continuously, and we may conclude recruitment as soon as we find the right candidate. The starting date is negotiable.

Closing date for applications:

Contact: For additional enquiries about this position, please contact Carlos Cid (carlos@simula.no)

More information: https://www.simula.no/about/job/phd-student-symmetric-key-cryptography

University of St. Gallen
Job Posting
We are looking for a motivated research engineer to join the cybersecurity and applied cryptography group at the University of St. Gallen.
More specifically, the job includes:
  • Development and implementation of concepts and research results, both individually and in collaboration with researchers and PhD students;
  • Running experiments and simulating realistic conditions to test the performance of developed algorithms and protocols;
  • Development, maintenance and organization of software;
  • Support for BSc, MSc and PhD students, postdocs and researchers who use the lab;
  • Responsibility for daily routines in the lab, for example purchases, installations, bookings, inventory;

Your profile:
  • We are looking for a strongly motivated and self-driven person who is able to work and learn new things independently.
  • Good command of English is required.
  • You should have a good academic track record and well-developed analytical and problem-solving skills.
  • Excellent programming skills and familiarity with cryptographic libraries.
  • Previous experience in implementation projects with C++, Matlab, Python is desired.
Deadline: 31 August 2022

Apply online: https://jobs.unisg.ch/offene-stellen/cryptography-engineer-m-w-d/ccfd1b3a-e89c-4918-81e7-478348b0c48d

Closing date for applications:

Contact: Katerina Mitrokotsa

More information: https://jobs.unisg.ch/offene-stellen/cryptography-engineer-m-w-d/ccfd1b3a-e89c-4918-81e7-478348b0c48d

Technical University of Denmark
Job Posting

We are looking for a bright and motivated PhD student for a 3-year fully funded PhD position starting 1 November 2022 (negotiable). The project is financed by the Independent Research Fund Denmark, and it is a collaboration between DTU, the University of Cambridge, the University of Colorado, Colorado Springs, and Telenor Denmark. It is an excellent opportunity to be involved in advanced research on cyber-security, with important practical applications.

The project’s emphasis will be on digital ghost ships (DGS). A DGS is defined as any online resource (e.g. an IoT device) that has been connected to the Internet and has subsequently been abandoned (in terms of management, updates, or security patches). Hence, DGS may include systems with default usernames and passwords as well as systems that lack important security updates. We aim at proposing novel ways of identifying such DGS, which is the first step towards making them secure or taking them down. To do this, the project will not only research novel network detection techniques but also examine how human psychology plays a role in creating DGS.

Closing date for applications:

Contact: Emmanouil Vasilomanolakis

More information: https://www.compute.dtu.dk/english/sitecore/indhold/dtu/dtuenglish-old/forside/about/job-and-career/vacant%20positions/job?id=5ffc257d-616c-4f97-b39d-d16d483459c3

CWI Amsterdam, Computer Security Group
Job Posting

The Ph.D. will focus on discovering new security threats introduced by cloud FPGAs and developing new secure architectures to safeguard cloud infrastructures and their users. A secure deployment strategy for cloud FPGAs will be developed; it should cover all known security threats and new security threats discovered during the project. The overall research project will be conducted on both local experimental setups and online real-world FPGA-integrated cloud environments.

Requirements: PhD candidates are required to have a master's degree in computer science, mathematics, electrical engineering, or comparable areas. Candidates who are expected to finish their M.Sc. thesis in the near future can also apply. Candidates should have a clear interest in fundamental research, should be creative and solid in their research, should have (potential) interest in computer security and computer engineering, and should be able to cooperate with experts from different disciplines. It is essential that you have good academic writing and presentation skills. Candidates are expected to have an excellent command of English.

Information and application: The application deadline is 31 August 2022. All applications should include a motivation letter, a detailed CV, and a list of grades and courses.

Interested candidates can find more information at https://www.cwi.nl/jobs/vacancies/946698

Closing date for applications:

Contact: Dr. Chenglu Jin, chenglu.jin@cwi.nl

More information: https://www.cwi.nl/jobs/vacancies/946698