International Association
for Cryptologic Research

We present the first round-optimal and plausibly quantum-safe oblivious transfer (OT) and multi-party computation (MPC) protocols from the computational CSIDH assumption - the weakest and most widely studied assumption in the CSIDH family of isogeny-based assumptions. We obtain the following results:

- The first round-optimal maliciously secure OT and MPC protocols in the plain model that achieve (black-box) simulation-based security while relying on the computational CSIDH assumption.

- The first round-optimal maliciously secure OT and MPC protocols that achieves Universal Composability (UC) security in the presence of a trusted setup (common reference string plus random oracle) while relying on the computational CSIDH assumption.

Prior plausibly quantum-safe isogeny-based OT protocols (with/without setup assumptions) are either not round-optimal, or rely on potentially stronger assumptions.

We also build a 3-round maliciously-secure OT extension protocol where each base OT protocol requires only 4 isogeny computations. In comparison, the most efficient isogeny-based OT extension protocol till date due to Lai et al. [Eurocrypt 2021] requires 12 isogeny computations and 4 rounds of communication, while relying on the same assumption as our construction, namely the reciprocal CSIDH assumption.

Witness encryption (WE), introduced by Garg, Gentry, Sahai, and Waters (STOC 2013) allows one to encrypt a message to a statement $\mathsf{x}$ for some NP language $\mathcal{L}$, such that any user holding a witness for $\mathsf{x} \in \mathcal{L}$ can decrypt the ciphertext. The extreme power of this primitive comes at the cost of its elusiveness: a construction from established cryptographic assumptions is currently out of reach.

In this work we introduce and construct a new notion of encryption that has a strong flavor of WE and that, crucially, we can build from well-studied assumptions (based on bilinear pairings) for interesting classes of computation. Our new notion, witness encryption for (succinct) functional commitment, takes inspiration from a prior weakening of witness encryption introduced by Benhamouda and Lin (TCC 2020). In a nutshell, theirs is a WE where: the encryption statement consists of a (non compressible) commitment $\mathsf{cm}$, a function $G$ and a value $y$; the decryption witness consists of a (non succinct) NIZK proof about the fact that $\mathsf{cm}$ opens to $v$ such that $y=G(v)$. Benhamouda and Lin showed how to apply this primitive to obtain MPC with non-interactive and reusability properties—dubbed $\mathsf{mrNISC}$—replacing the requirement of WE in existing round-collapsing techniques. Our new WE-like notion is motivated by supporting both commitments of a fixed size and fixed decryption complexity, independent of the size of the value $v$—in contrast to the work by Benhamouda and Lin where this complexity is linear. As a byproduct, our efficiency requirement substantially improves the offline stage of $\mathsf{mrNISC}$ protocols.

From a technical standpoint, our work shows how to solve additional challenges arising from relying on computationally binding commitments and computational soundness (of functional commitments), as opposed to statistical binding and unconditional soundness (of NIZKs), used in Benhamouda and Lin's work. In order to tackle them, we need not only to modify their basic blueprint, but also to model and instantiate different types of projective hash functions as building blocks. Our techniques are of independent interest and may highlight new avenues to design practical variants of witness encryption.

As an additional contribution, we show that our new WE-flavored primitive and its efficiency properties are versatile: we discuss its further applications and show how to extend this primitive to better suit these settings.

This document details the cryptographic analysis of the sVote v2.2.1 system - an e-voting solution developed by Scytl for the Switzerland context. We prove the complete verifiability and privacy under the Swiss legislation's informally stated goals.

First, we derive the trust model for complete verifiability and voting secrecy from the Swiss Chancellery's requirements [1][2], supporting our interpretation by quotes from and references to relevant excerpts of the ordinance and the corresponding technical annex.

Then, based on the derived model, we prove that sVote with Control Components provides complete verifiability and guarantees voting secrecy and the non-disclosure of early provisional results. We demonstrate that sVote fulfills the requirements of the Swiss federal chancellery for completely verifiable E-voting systems. In other words, we show that an adversary cannot break the complete verifiability and voting secrecy properties of sVote without being detected by either the voter or auditors.

[1] Technical and administrative requirements for electronic vote casting v 2.0 https://www.bk.admin.ch/dam/bk/en/dokumente/pore/Annex_of_the_Federal_Chancellery_Ordinance_on_Electronic_Voting_V2.0_July_2018.pdf.download.pdf/Annex_of_the_Federal_Chancellery_Ordinance_on_Electronic_Voting_V2.0_July_2018.pdf [2] Federal Chancellery Ordinance on Electronic Voting https://www.fedlex.admin.ch/eli/cc/2013/859/en

In this work, we present the first construction of a fully non-interactive publicly-verifiable delegation scheme for committed programs. More specifically, we consider a setting where Alice is a trusted author who delegates to an untrusted worker the task of hosting a program $P$, represented as a Boolean circuit. Alice also commits to a succinct value based on $P$. Any arbitrary user/verifier without knowledge of $P$ should be convinced that they are receiving from the worker an actual computation of Alice's program on a given input $x$.

Before our work, the only object known to imply this challenging form of delegation was a SNARG/SNARK for $\mathcal{NP}$. This is because from the point of view of the user/verifier, the program $P$ is an unknown witness to the computation. However, constructing a SNARG for $\mathcal{NP}$ from standard assumptions remains a major open problem.

In our work, we show how to achieve delegation in this challenging context assuming only the hardness of the Learning With Errors (LWE) assumption, bypassing the apparent need for a SNARG for $\mathcal{NP}$.

The efficiency of the profiling side-channel analysis can be improved significantly with machine learning techniques. Although powerful, a fundamental machine learning limitation of being data hungry received little attention in the side-channel community. In practice, the maximum number of leakage traces that evaluators/attackers can obtain is constrained by the scheme requirements or the limited accessibility of the target. Even worse, various countermeasures in modern devices increase the conditions on the profiling size to break the target.

This work demonstrates a practical approach to dealing with the lack of profiling traces. Instead of learning from a one-hot encoded label, transferring the labels to their distribution can significantly speed up the convergence of guessing entropy. Besides, by studying the relationship between all possible key candidates, we propose a new metric, denoted augmented guessing entropy (AGE), to evaluate the generalization ability of the profiling model. We validate AGE with two common use cases: early stopping and network architecture search, and the results indicate its superior performance.

Cloud based storage-as-a-service is quickly gaining popularity due to its many advantages such as scalability and pay-as-you-use cost model. However, storing data in the clear on third-party servers creates vulnerabilities, especially pertaining to data privacy. Applications typically encrypt their data before off-loading it to cloud storage to ensure data privacy. To serve a client’s read or write requests, an application either reads or updates the encrypted data on the cloud, revealing the type of client access to the untrusted cloud. An adversary however can exploit this information leak to compromise a user’s privacy by tracking read/write access patterns. Existing approaches (used in Oblivious RAM (ORAM) and frequency smoothing datastores) hide the type of client access by always reading the data followed by writing it, sequentially, irrespective of a read or write request, rendering one of these rounds redundant with respect to a client request. To mitigate this redundancy, we propose ORTOA- a One Round Trip Oblivious Access protocol that reads or writes data stored on remote storage in one round without revealing the type of access. To our knowledge, ORTOA is the first generalized protocol to obfuscate the type of access in a single round, reducing the communication overhead in half. ORTOA hides the type of individual access as well as the read/write workload distribution of an application, and due to its generalized design, it can be integrated with many existing obliviousness techniques that hide access patterns such as ORAM or frequency smoothing. Our experimental evaluations show that ORTOA’s throughput is 2.8x that of a baseline that requires two rounds to hide the type of access; and the baseline incurs 1.9x higher latency than ORTOA.

Registration-based encryption (RBE) was recently introduced as an alternative to identity-based encryption (IBE), to resolve the key-escrow problem: In RBE, the trusted authority is substituted with a weaker entity, called the key curator, who has no knowledge of any secret key. Users generate keys on their own and then publicly "register" their identities and their corresponding public keys to the key curator. RBE is a promising alternative to IBE, retaining many of its advantages while removing the key-escrow problem, the major drawback of IBE. Unfortunately, all existing constructions of RBE use cryptographic schemes in a non black-box way, which makes them prohibitively expensive. It has been estimated that the size of an RBE ciphertext would be in the order of terabytes (though no RBE has even been implemented).

In this work, we propose a new approach to construct RBE, from well-studied assumptions in bilinear groups. Our scheme is black-box, and it is concretely highly efficient---a ciphertext is 866 bytes. To substantiate this claim, we implemented a prototype of our scheme, and we show that it scales to "millions of users". The public parameters of the scheme are in the order of kilobytes. The most expensive operation (registration) takes a handful of seconds, whereas the encryption and decryption runtimes are in the order of milliseconds. This is the first-ever implementation of an RBE scheme and demonstrates that the practical deployment of RBE is already possible with today's hardware.

A multiparty computation protocol is {\em perfectly secure} for some function $f$ if it perfectly emulates an ideal computation of $f$. Thus, perfect security is the strongest and most desirable notion of security, as it guarantees security in the face of any adversary and eliminates the dependency on any security parameter. Ben-Or et al. [STOC '88] and Chaum et al. [STOC '88] showed that any function can be computed with perfect security if strictly less than one-third of the parties can be corrupted. For two-party sender-receiver functionalities (where only one party receives an output), Ishai et al. [TCC '13] showed that any function can be computed with perfect security in the correlated randomness model. Unfortunately, they also showed that perfect security cannot be achieved in general for two-party functions that give outputs to both parties (even in the correlated randomness model).

We study the feasibility of obtaining perfect security for deterministic symmetric two-party functionalities (i.e., where both parties obtain the same output) in the face of malicious adversaries. We explore both the plain model as well as the correlated randomness model. We provide positive results in the plain model, and negative results in the correlated randomness model. As a corollary, we obtain the following results. \begin{enumerate} \item We provide a characterization of symmetric functionalities with (up to) four possible outputs that can be computed with perfect security. The characterization is further refined when restricted to three possible outputs and to Boolean functions. All characterizations are the same for both the plain model and the correlated randomness model. \item We show that if a functionality contains an embedded XOR or an embedded AND, then it cannot be computed with perfect security (even in the correlated randomness model). \end{enumerate}

The classical (parallel) black pebbling game is a useful abstraction which allows us to analyze the resources (space, space-time, cumulative space) necessary to evaluate a function $f$ with a static data-dependency graph $G$. Of particular interest in the field of cryptography are data-independent memory-hard functions $f_{G,H}$ which are defined by a directed acyclic graph (DAG) $G$ and a cryptographic hash function $H$. The pebbling complexity of the graph $G$ characterizes the amortized cost of evaluating $f_{G,H}$ multiple times as well as the total cost to run a brute-force preimage attack over a fixed domain $\mathcal{X}$, i.e., given $y \in \{0,1\}^*$ find $x \in \mathcal{X}$ such that $f_{G,H}(x)=y$. While a classical attacker will need to evaluate the function $f_{G,H}$ at least $m=|\mathcal{X}|$ times a quantum attacker running Grover's algorithm only requires $\mathcal{O}(\sqrt{m})$ blackbox calls to a quantum circuit $C_{G,H}$ evaluating the function $f_{G,H}$. Thus, to analyze the cost of a quantum attack it is crucial to understand the space-time cost (equivalently width times depth) of the quantum circuit $C_{G,H}$. We first observe that a legal black pebbling strategy for the graph $G$ does not necessarily imply the existence of a quantum circuit with comparable complexity --- in contrast to the classical setting where any efficient pebbling strategy for $G$ corresponds to an algorithm with comparable complexity for evaluating $f_{G,H}$. Motivated by this observation we introduce a new parallel reversible pebbling game which captures additional restrictions imposed by the No-Deletion Theorem in Quantum Computing. We apply our new reversible pebbling game to analyze the reversible space-time complexity of several important graphs: Line Graphs, Argon2i-A, Argon2i-B, and DRSample. Specifically, (1) we show that a line graph of size $N$ has reversible space-time complexity at most $\mathcal{O}\left(N^{1+\frac{2}{\sqrt{\log N}}}\right)$. (2) We show that any $(e,d)$-reducible DAG has reversible space-time complexity at most $\mathcal{O}(Ne+dN2^d)$. In particular, this implies that the reversible space-time complexity of Argon2i-A and Argon2i-B are at most $\mathcal{O}(N^2 \log \log N/\sqrt{\log N})$ and $\mathcal{O}(N^2/\sqrt[3]{\log N})$, respectively. (3) We show that the reversible space-time complexity of DRSample is at most $\mathcal{O}(N^2 \log \log N/\log N)$. We also study the cumulative pebbling cost of reversible pebblings extending a (non-reversible) pebbling attack of Alwen and Blocki on depth-reducible graphs.

The generic-group model (GGM) has been very successful in making the analyses of many cryptographic assumptions and protocols tractable. It is, however, well known that the GGM is “uninstantiable,” i.e., there are protocols secure in the GGM that are insecure when using any real-world group. This motivates the study of standard-model notions formalizing that a real-world group in some sense “looks generic.”

We introduce a standard-model definition called pseudo-generic group (PGG), where we require exponentiations with base an (initially) unknown group generator to result in random-looking group elements. In essence, our framework delicately lifts the influential notion of Universal Computational Extractors of Bellare, Hoang, and Keelveedhi (BHK, CRYPTO 2013) to a setting where the underlying ideal reference object is a generic group. The definition we obtain simultaneously generalizes the Uber assumption family, as group exponents no longer need to be polynomially induced. At the core of our definitional contribution is a new notion of algebraic unpredictability, which reinterprets the standard Schwartz–Zippel lemma as a restriction on sources. We prove the soundness of our definition in the GGM with auxiliary-input (AI-GGM).

Our remaining results focus on applications of PGGs. We first show that PGGs are indeed a generalization of Uber. We then present a number of applications in settings where exponents are not polynomially induced. In particular we prove that simple variants of ElGamal meet several advanced security goals previously achieved only by complex and inefficient schemes. We also show that PGGs imply UCEs for split sources, which in turn are sufficient in several applications. As corollaries of our AI-GGM feasibility, we obtain the security of all these applications in the presence of preprocessing attacks.

Some of our implications utilize a novel type of hash function, which we call linear-dependence destroyers (LDDs) and use to convert standard into algebraic unpredictability. We give an LDD for low-degree sources, and establish their plausibility for all sources by showing, via a compression argument, that random functions meet this definition.

Event date: 26 March 2023

A candidate will work in the area of post-quantum cryptography. The candidate will conduct research on analysis of post-quantum cryptography; the emphasis is on quantum analysis on symmetric cipher and PQC. The work requires to carry out some simulations.

Applicants are expected to have a PhD degree in Mathematics/Physics/Computer Science and a strong background in quantum algorithm, algebra, linear algebra or algebraic number theory.

Preferred candidates are expected to be proficient in Magma software or SAGEMATH software; or have knowledge on quantum software (eg. Qiskit, etc), a team worker and able to conduct independent research.

Interested candidates will kindly include their full CV and transcripts in their applications and send to Dr Chik How Tan, tsltch@nus.edu.sg. Deadline for applications is January 31st, 2023. We encourage early applications and review of applications will begin immediately. Only shortlisted applications will be notified.

Closing date for applications:

Contact: Dr Chik How Tan (tsltch@nus.edu.sg)

The Department of Mathematical Sciences at Florida Atlantic University has availability for PhD student positions to work in various areas of mathematical cryptology, including but not limited to:

• post-quantum cryptography
• lattice-based cryptography
• code-based cryptography
• cryptanalysis
• elliptic curves and isogenies
• zero-knowledge proofs
• ...

Earliest start date is in the Spring 2023, or thereafter. For more information about the department, its members, and the areas of research, visit http://www.math.fau.edu/mathdepartment/crypto.php

Closing date for applications:

Contact: Edoardo Persichetti (epersichetti@fau.edu); Shi Bai (sbai@fau.edu); Francesco Sica (sicaf@fau.edu)

Blockchains are not private enough for safe use by citizens, corporations, or dissidents. Heliax is looking for a research cryptographer interested in fully-homomorphic encryption protocols and their application to distributed ledger technology to work with us to design, evaluate, and implement FHE constructions, then put this cryptography into practice in order to realise privacy and scalability capabilities required by the next generation of blockchain networks. This role offers the chance to work closely with a small team on compelling cross-disciplinary problems in theoretical computer science, cryptography, game theory, economics, and systems design, and enjoy a high degree of independence in working conditions and task prioritization.

Closing date for applications:

Contact: Christopher Goes

More information: https://heliax.dev/jobs/research-cryptographer-FHE/

Event date: 22 April to 23 April 2023
Submission deadline: 5 January 2023
Notification: 9 February 2023

Event date: 26 June to 29 June 2023
Submission deadline: 18 November 2022
Notification: 20 January 2023

Event date: 28 December to 31 December 2022
Submission deadline: 30 October 2022
Notification: 30 November 2022

Event date: 28 December to 31 December 2022
Submission deadline: 30 October 2022
Notification: 30 November 2022

Up to three PhD positions are available. The PhD research project is in the area of cryptology and includes an investigation into one of the following research topics:

Security and design of primitives in cryptology adapted for use in 5G/6G mobile communication systems with special focus on low latency and high reliability algorithms and protocols.

Analysis of cryptographic primitives through side-channel attacks that exploit measurement of power consumption and/or time delays to determine protected information.

Study of digital signatures in the field of post-quantum encryption. The work aims to investigate the security of proposed digital signatures, based on the hard problem "Learning-With-Errors" (LWE) or related problems.

Third cycle studies at Lund University consist of full-time studies for 4 years. A doctoral studentship is a fixed-term employment of a maximum of 5 years (including 20% departmental duties). Starting salary is around 3100Euro per month. For further information and information on how to apply, see https://lu.varbi.com/en/what:job/jobID:557529/

Closing date for applications:

Contact: Thomas Johansson: thomas (at) eit.lth.se

More information: https://lu.varbi.com/en/what:job/jobID:557529/

PhD position available at the AtlanTTic Research Center (https://atlanttic.uvigo.es/en/), Universidade de Vigo, Spain. Start in early 2023, covering full PhD duration (3-4 years), and including travel budget for conferences and summer schools.

The workplace is in the city of Vigo, being ranked by OCU as the Spanish city with the highest life quality (https://www.idealista.com/en/news/lifestyle-in-spain/2021/06/02/13426-quality-of-life-in-spain-spanish-cities-with-the-best-and-worst-quality-of-life).

The position will be part-time in two projects related to privacy and intellectual property protection for federated machine learning: 1) TRUMPET, an European project on privacy enhancing methods and privacy metrics for federated learning (FL); 2) FELDSPAR, a Spanish project to use DNN watermarking for protecting the intellectual property of FL models.

PhD candidates will carry out research on: 1) identifying threat models and measuring privacy leaks in FL; 2) develop novel DNN watermarking algorithms in FL robust to collusion attacks.

Intended tasks:

Research on methods and metrics to measure the privacy leakage in FL models without and with crypto/differential privacy protection.

Develop tools for automatic measurement/learning of privacy leaks.

Research and implementation of methods for watermarking-based fingerprinting of federated models robust to collusion attacks.

Simulation of realistic conditions to test performance.

Publications in journals and/or conference proceedings.

Your profile:

Master’s degree or equivalent in Electrical/Telecommunications Engineering, Computer Science, Mathematics or similar. Strong background in machine learning (theory and implementations) required. Knowledge of privacy enhancing technologies and of information theory will be positively evaluated.

Good communication/writing skills in English.

Good programming skills and experience working with machine learning libraries.

Closing date for applications:

Contact: For more details, send an email to Prof. Fernando Pérez-González (fperez@gts.uvigo.es).