International Association
for Cryptologic Research

Traditional notions of secure multiparty computation (MPC) allow mutually distrusting parties to jointly compute a function over their private inputs, but typically do not specify how these inputs are chosen. Motivated by real-world applications where corrupt inputs could adversely impact privacy and operational legitimacy, we consider a notion of authenticated MPC where the inputs are authenticated, e.g., signed using a digital signature by some trusted authority. We propose a generic and efficient compiler that transforms any linear secret sharing based MPC protocol into one with input authentication.

Our compiler incurs significantly lower computational costs and competitive communication overheads when compared to the best existing solutions, while entirely avoiding the (potentially expensive) protocol-specific techniques and pre-processing requirements that are inherent to these solutions. For $n$-party MPC protocols with abort security where each party has $\ell$ inputs, our compiler incurs $O(n\log \ell)$ communication overall and a computational overhead of $O(\ell)$ group exponentiations per party (the corresponding overheads for the most efficient existing solution are $O(n^2)$ and $O(\ell n)$). Finally, for a corruption threshold $t
Along the way, we make several technical contributions that are of independent interest. This includes the notion of distributed proofs of knowledge and concrete realizations of the same for several relations of interest, such as proving knowledge of many popularly used digital signature schemes, and proving knowledge of opening of a Pedersen commitment. We also illustrate the practicality of our approach by extending the well-known MP-SPDZ library with our compiler, thus yielding prototype authenticated MPC protocols.

In 1993 Bernstein and Vazirani proposed a quantum algorithm for the Bernstein-Vazirani problem, which is given oracle access to the function $f(a_1,\dots,a_n) = a_1x_1+\cdots + a_nx_n \pmod 2$ with respect to a secret string $x = x_1\dots x_n \in \{0,1\}^n$, where $a_1,\dots,a_n \in \{0,1\}$, find $x$. We give a quantum algorithm for a new problem called the oracle subset product problem, which is given oracle access to the function $f(a_1,\dots,a_n) = a_1^{x_1}\cdots a_n^{x_n}$ with respect to a secret string $x = x_1\dots x_n\in\{0,1\}^n$, where $a_1,\dots,a_n\in \mathbb Z$, find $x$. Similar to the Bernstein-Vazirani algorithm, it is a quantum algorithm for a problem that is originally polynomial time solvable by classical algorithms; and that the advantage of the algorithm over classical algorithms is that it only makes one call to the function instead of $n$ calls.

The tech industry is currently making the transition from Web 2.0 to Web 3.0, and with this transition, authentication and authorization have been reimag- ined. Users can now sign in to websites with their unique public/private key pair rather than generating a username and password for every site. How- ever, many useful features, like role-based access control, dynamic resource owner privileges, and expiration tokens, currently don’t have efficient Web 3.0 solutions. Our solution aims to provide a flexible foundation for resource providers to implement the aforementioned features on any blockchain through a two-step process. The first step, authorization, creates an on-chain asset which is to be presented as an access token when interacting with a resource. The second step, authentication, verifies ownership of an asset through querying the blockchain and cryptographic digital signatures. Our solution also aims to be a multi-chain standard, whereas current Web 3.0 sign-in standards are limited to a single blockchain.

This paper presents a code-based signature scheme based on the well-known syndrome decoding (SD) problem. The scheme builds upon a recent line of research which uses the Multi-Party-Computation-in-the-Head (MPCitH) approach to construct efficient zero-knowledge proofs, such as Syndrome Decoding in the Head (SDitH), and builds signature schemes from them using the Fiat-Shamir transform.

At the heart of our proposal is a new approach to amplify the soundness of any MPC protocol that uses additive secret sharing. An MPCitH protocol with $N$ parties can be repeated $D$ times using parallel composition to reach the same soundness as a protocol run with $N^D$ parties. However, the former comes with $D$ times higher communication costs, often mainly contributed by the usage of $D$ `auxiliary' states (which in general have a significantly bigger impact on size than random states). Instead of that, we begin by generating $N^D$ shares, arranged into a $D$-dimensional hypercube of side $N$ containing only one `auxiliary' state. We derive from this hypercube $D$ sharings of size $N$ which are used to run $D$ instances of an $N$ party MPC protocol. This approach leads to an MPCitH protocol with $1/N^D$ soundness error, requiring $N^D$ offline computation, only $ND$ online computation, and only $1$ `auxiliary'. As the, potentially offline, share generation phase is generally inexpensive, this leads to trade-offs that are superior to just using parallel composition.

Our novel method of share generation and aggregation not only improves certain MPCitH protocols in general but also shows in concrete improvements of signature schemes. Specifically, we apply it to the work of Feneuil, Joux, and Rivain (CRYPTO'22) on code-based signatures, and obtain a new signature scheme that achieves a 3.3x improvement in global runtime, and a 15x improvement in online runtime for their shortest signatures size (8.5 kB). It is also possible to leverage the fact that most computations are offline to define parameter sets leading to smaller signatures: 6.7 kB for 60 ms offline, or 5.6 kB for 700 ms offline. For NIST security level 1, online signature cost is around 3 million cycles (1 ms on commodity processors), regardless of signature size.

In this paper, we examine one of the public key exchange protocols proposed in [M. I. Durcheva. An application of different dioids in public key cryptography. In AIP Conference Proceedings, vol. 1631, pp 336-343. AIP, 2014] which uses max-times and min-times algebras. We discuss properties of powers of matrices over these algebras and introduce a fast attack on this protocol.

As end-to-end encrypted messaging services become widely adopted, law enforcement agencies have increasingly expressed concern that such services interfere with their ability to maintain public safety. Indeed, there is a direct tension between preserving user privacy and enabling content moderation on these platforms. Recent research has begun to address this tension, proposing systems that purport to strike a balance between the privacy of ''honest'' users and traceability of ''malicious'' users. Unfortunately, these systems suffer from a lack of protection against malicious or coerced service providers.

In this work, we address the privacy vs. content moderation question through the lens of pre-constrained cryptography [Ananth et al., ITCS 2022]. We introduce the notion of set pre-constrained (SPC) group signatures that guarantees security against malicious key generators. SPC group signatures offer the ability to trace users in messaging systems who originate pre-defined illegal content (such as child sexual abuse material), while providing security against malicious service providers.

We construct concretely efficient protocols for SPC group signatures, and demonstrate the real-world feasibility of our approach via an implementation. The starting point for our solution is the recently introduced Apple PSI system, which we significantly modify to improve security and expand functionality.

Technology Innovation Institute (TII) is a recently-established publicly-funded research institute in Abu Dhabi (UAE). It is home to a diverse community of leading scientists and engineers from across the globe.

Job Description

We are looking for permanent researchers to join the Cryptographic Protocols team within the Cryptography Research Center (CRC) at TII. The main aim of the team is to conduct applied academic research in areas relating to cryptographic protocols, such as: TLS, QUIC, Tor, Key Exchange, Secure Channels, Cryptographic Primitives, Privacy Enhancing Technologies, MLS and Secure Messaging, and Probabilistic Data Structures in Adversarial Environments. The nature of the research spans both theory and practice, covering aspects such as provable security, security models, efficient designs, implementation aspects, and attacks.

Applicants should have completed (or be close to completing) their PhD in a related area, and postdoctoral research experience will be valued. Preference will be given to applicants with publications in top-tier venues such as CRYPTO, EUROCRYPT, ASIACRYPT, ACM CCS, IEEE S&P, and USENIX.

Required Skills:

• Fluency in English (verbal and written) and an ability to communicate research effectively.
• Good problem-solving skills and an ability to conduct research independently.
• Good interpersonal and collaborative skills.
• Solid knowledge in cryptography.

Valuable Skills:

• Research experience in Key Exchange, Signatures, Onion Routing, Privacy-Enhancing Technologies, and Zero Knowledge.
• Programming, Software Engineering, experience in implementing cryptographic primitives and attacks on real-world cryptosystems, reverse engineering of closed-source protocols.

What we offer:

• Vibrant working environment, flexible working conditions, and travel funding.
• Industry-competitive tax-free salary.
• Family-wide health insurance and children’s education allowance.
• Sunshine all year round.

Closing date for applications:

Contact: Jean Paul Degabriele (jeanpaul.degabriele@tii.ae).

The Centre for Doctoral Training (CDT) at Royal Holloway, University of London seeks to recruit PhD students to work in the area of cryptography. Examples for potential topics include:

• Foundations of Witness Encryption and Smart Encryption (supervised by Saqib Kakvi)
• Secure Coded Caching (supervised by Siaw-Lynn Ng)
• Applications of Time and Delay in Cryptographic Protocols (supervised by Elizabeth Quaglia)
• Privacy-Preserving Applications based on Secure Multi-Party Computation (supervised by Christian Weinert)

You can find more details for these and other project proposals on FindAPhD.com [1].

The crypto team at Royal Holloway, as part of the Information Security Group (ISG), has a strong track record in cryptographic research, including algorithm design and analysis, post-quantum cryptography, homomorphic encryption, and applications of secure computation.

Applicants are expected to have a background in mathematics, computer science, or a related discipline. Prospective applicants are welcome to contact CDT administrator Claire Hudson (CyberSecurityCDT@rhul.ac.uk) or any member of staff they might be interested to work with. For more information about the crypto team, please visit our website [2].

The CDT can offer approximately ten studentships per year, three of which can be awarded to international students (including EU and EEA). Please ensure you are familiar with the eligibility criteria set by UKRI and their terms and conditions. In order to apply, please visit the CDT website [3] and follow the application instructions. The studentship includes a (tax-free) maintenance of £23,668.00 for each academic year.

[1] https://www.findaphd.com/phds/information-security-group/?c0MPwk50
[2] https://cryptography.isg.rhul.ac.uk
[3] https://www.royalholloway.ac.uk/cdt

Closing date for applications:

Contact: CyberSecurityCDT@rhul.ac.uk

Applications are invited for one Postdoctoral Research Fellow position at Eötvös Loránd University, Budapest. The candidate is expected to carry out research in the topic of post-quantum cryptography (lattice-based, multivariate, code-based or isogeny -based cyrptography). The research will be conducted as part of the Quantum Information National Laboratory, which is a collaboration between several universities and research institutes in Budapest. The applicant is supposed to hold a Phd in Computer Science or Mathematics (the degree should be obtained by the starting date). The position is for two years and expected starting date is April 2023, however the starting date is negotiable (but not later than September 2023). If you want to apply for this position please send the following documents to Péter Kutas (kuppabt@inf.elte.hu):

• CV
• Motivation Letter
• Two recommendation letters (these should be sent by the recommending person directly to the above e-mail address)

Please send your applications by 31st January 2023.

Closing date for applications:

Contact: Péter Kutas (kuppabt@inf.elte.hu)

The School of Engineering at the Universidad Católica de Chile, one of the leading engineering academic institutions in Latin America and ranked among the top four emerging leaders for engineering education worldwide, invites outstanding candidates for a full-time faculty position in the area of cybersecurity. Duties: High-quality teaching (at undergraduate and graduate levels), and conducting independent research. Additional duties include knowledge transfer, outreach, and university administrative tasks. The new position should conduct teaching, research, and technological innovation activities in cybersecurity and cryptography, including but not limited to privacy, data protection, computer network security, information technology security, software and application security, blockchain, computer forensics, smart contracts, data integrity, among others. The selected candidate is expected to develop a strong externally funded research program, support doctoral programs, and teach three courses per year, at least two of these courses should belong to the bachelor of science in computer science program, and another course according to their expertise. Requirements: Applicants must hold a Ph.D., preferably in Computer Science, and/or have demonstrable expertise in the fields. Due to the nature of our School, the applicant will have the opportunity and should be willing to work collaboratively with other Departments in the School of Engineering. Previous postdoctoral or international academic experience should be stated in the application. Candidates do not need to be fluent in Spanish at the time of application, but should be prepared to learn the language well enough to teach in this language in the short term (two years maximum). English is a requirement.

Closing date for applications:

Contact: Marcelo Arenas, marenas@ing.puc.cl

More information: https://www.ing.uc.cl/trabaja-con-nosotros/areas-to-apply-2/

A postdoctoral position is available in the APSIA research group (led by Prof. Peter Y. A. Ryan) in the Department of computer Science at the University of Luxembourg. The successful candidate is expected to do research in line with ‘’quantum safe proofs’’ (QSP) project funded by Luxembourg National Research Fund. The successful candidate will conduct the QSP project in collaboration with Prof. Peter Y. A. Ryan, Prof. Anne Broadbent (University of Ottawa, Canada) and Dr. Ehsan Ebrahimi (PI, University of Luxemburg).

The duration of the position is two years. The yearly gross salary for every Postdoctoral researcher at the UL is around EUR 77167 (full time) . The starting date would be as early as 02.01.2023 (Feb 2023).

The successful candidate will conduct the following tasks:

• Research on post-quantum security of proof systems and its impact to applications like cryptocurrencies and electronic voting systems.
• Research on Quantum Proof Systems: for instance, complexity classes QMA, QIP, etc.
• Participate in teaching tasks and Ph.D. and M.Sc. students supervisions
• Collaboration with writing progress reports

we expect:

• A Ph.D. degree in Computer Science, Mathematics or Physics with the focus on Cryptography and its intersection with Quantum Computation & Information.
• Experience working on quantum-secure proof systems or quantum proof systems is a plus
• Competitive research record in cryptography or quantum computation & information
• Strong mathematical CS background
• Fluent written and verbal communication skills in English are required

Applications should include a short letter of motivation, a CV, a publication list with short summery for each publication, and names of at least 2 reference letter writers . Early application is highly encouraged, as the applications will be processed upon reception.

Closing date for applications:

Contact: Ehsan Ebrahimi, ehsan.ebrahimi@uni.lu

Looking for candidates with a strong background in theory interested in the foundations of cryptography, information-theoretic cryptography, or related areas of complexity theory and algorithms. Multiple positions available, hosted by Prashant Nalini Vasudevan. See website for more details: https://www.comp.nus.edu.sg/~prashant/ads.html

Closing date for applications:

Contact: prashant@comp.nus.edu.sg

More information: https://www.comp.nus.edu.sg/~prashant/ads.html

We’re looking for two PhD students in one the following research directions (but not limited to): e-voting, applied cryptography, postquantum cryptography, provable security, privacy-preserving technologies, and formal verification. The PhD will be under the supervision of Dr. Catalin Dragan. International candidates are welcomed to apply. Final Year BSc students can apply.

Position 1: Department of Computer Science Studentship. The application deadline is 6th January 2023, with a start date of October 2023. Applications are made via CS application page https://www.surrey.ac.uk/postgraduate/computer-science-phd.

Position 2: University of Surrey’s Breaking Barriers Studentship award. The application deadline is 16 December 2022, with a start date of October 2023. More information is available on https://www.surrey.ac.uk/fees-and-funding/studentships/breaking-barriers-studentship-award-2023.

The applications typically requiring CV, cover letter, transcripts, and references. However, we strongly encourage candidates to contact Catalin for an informal chat before applying (there is no need to submit any documents for this). The PhD studentships comes with a stipend of £17.5K – £19K per annum plus tuition fees covered for the duration of 3.5 years

Closing date for applications:

Contact: Dr. Cătălin Drăgan (c.dragan@surrey.ac.uk)

More information: https://www.surrey.ac.uk/postgraduate/computer-science-phd

We are looking for a talented postdoctoral researcher in the field of trustworthy edge computing, with focus on secure Internet infrastructure for future solutions based on Artificial Intelligence (AI), to join our team and help us fulfil the project's goals, producing quality research. The position is placed at the Sensible Things that Communicate (STC) research center, who is a leading Scandinavian research center in Industrial IoT, and are doing research on fields ranging from wireless connectivity, network security and cryptography, distributed systems, ML/AI, embedded systems, visualization and measurement systems. We seek an outstanding talent with a Ph.D. in Computer Science, Computer and Electrical Engineering, or similar. The ideal candidate have a solid background in edge computing, security, network protocols and programming. Previous experiences in ML/AI, embedded systems, and IoT prototyping is an advantage. The work will involve network and security aspects, including algorithm development, simulations and testing, modelling and prototyping, publishing high-quality research papers in high-ranked journals and to contribute to the preparation and drafting of research bids and proposals.

Closing date for applications:

Contact: Professor Mikael Gidlund

More information: https://www.miun.se/en/work-at-the-university/career/jobs/vacancy/postdoc-in-trustworthy-edge-computing/

About Aztec At Aztec we believe privacy isn’t just a fundamental right, but a creative force for web3. Our goal is to unleash the full potential of decentralized technologies by building an open, privacy-first network with no compromises. Privacy enables use cases that otherwise would not be possible and accelerates mainstream adoption. The next wave of web3 applications will require programmable privacy. Aztec’s technology empowers developers with the tools to build private applications and bring their ideas to reality. Our journey started while building an application to bring syndicated loans on chain. We realized that our idea was a nonstarter without privacy. There were no solutions to offer privacy on public blockchains - so we sought out to build it ourselves. Since then, we've made industry-leading advances in cryptography, and deployed a private money platform and a private DeFi platform. To realize our vision of implementing privacy on a public blockchain, we are building a world-class team of cryptographers, engineers, and ecosystem builders. Supporting us on this journey are leading investors including Paradigm, Variant, Consensys, and a_capital.

Closing date for applications:

Contact: travis@aztecprotocol.com

More information: https://boards.eu.greenhouse.io/aztec/jobs/4099676101

Popular Ethereum wallets (e.g., MetaMask) entrust centralized infrastructure providers (e.g., Infura) to run the consensus client logic on their behalf. As a result, these wallets are light-weight and high-performant, but come with security risks. A malicious provider can mislead the wallet, e.g., fake payments and balances, or censor transactions. On the other hand, light clients, which are not in popular use today, allow decentralization, but at inefficient linear bootstrapping complexity. This poses a dilemma between decentralization and performance. In this paper, we design, implement, and evaluate a new proof-of-stake (PoS) superlight client with logarithmic bootstrapping complexity. These proofs of proof-of-stake (PoPoS) take the form of a Merkle tree of PoS epochs. The verifier enrolls the provers in a bisection game, in which the honest prover is destined to win once an adversarial Merkle tree is challenged at sufficient depth. We evaluate our superlight protocol by providing a client implementation that is compatible with mainnet PoS Ethereum: compared to the state-of-the-art light client construction proposed for PoS Ethereum, our client improves time-to-completion by $9\times$, communication by $180\times$, and energy usage by $30\times$ (when bootstrapping after $10$ years of consensus execution). We prove our construction is secure and show how to employ it for other PoS systems such as Cardano (with full adaptivity), Algorand, and Snow White.

A good differential is a start for a successful differential attack. However, a differential might be invalid, i.e., there is no right pair following the differential1, due to some complicated contradictions that are hard to be considered. In this paper, we present a novel and handy method to search and verify a differential characteristic (DC) based on a recently proposed algebraic perspective on the differential(-linear) cryptanalysis (CRYPTO 2021). From this algebraic perspective, exact Boolean expressions of differentials over a cryptographic primitive can be conveniently established, thus verifying a given DC is naturally a Boolean satisfiability problem (SAT problem). With this observation, our approach simulates the round function of the target cipher symbolically and derives a set of Boolean equations in Algebraic Normal Form (ANF). These Boolean equations can be solved by off-the-shelf SAT solvers such as Bosphorus, which accept ANFs as their input. To demonstrate the power of our new tool, we apply it to Gimli, Ascon, and Xoodoo. For Gimli, we improve the efficiency of searching for a valid 8-round colliding DC compared with the previous MILP model (CRYPTO 2020). Our approach takes about one minute to find a valid 8-round DC, while the previous MILP model could not find any such DCs in practical time. Based on this DC, a practical semi-free-start collision attack on the intermediate 8-round Gimli-Hash is thus successfully mounted, i.e., a colliding message pair is found. For Ascon, we check several DCs reported at FSE 2021. Firstly, we verify a 2-round DC used in the collision attack on Ascon-Hash by giving a right pair (such a right pair requires $2^{156}$ attempts to find in a random search). Secondly, a 4-round differential used in the forgery attack on Ascon-128’s iteration phase is proven invalid, as a result, the corresponding forgery attack is invalid, too. For Xoodoo, we verify tens of thousands of 3-round DCs and two 4-round DCs extended from the so-called differential trail cores found by the designers or our search tool. We find all of these DCs are valid, which well demonstrates the sound independence of the differential propagation over Xoodoo’s round functions. Besides, as an independent interest, we develop a SAT-based automatic search toolkit called XoodooSat to search for 2-, 3-, and 4-round differential trail cores of Xoodoo. Our toolkit finds two more 3-round differential trail cores of weight 48 that were missed by the designers which enhance the security analysis of Xoodoo.

In this paper we introduce the differential-meet-in-the-middle framework, a new cryptanalysis technique against symmetric primitives. The idea of this new cryptanalysis method consists in combining into one attack techniques from both meet-in-the-middle and differential cryptanalysis. The introduced technique can be seen as a way of extending meet-in-the-middle attacks and their variants but also as a new way to perform the key recovery part in differential attacks. We provide a simple tool to search, given a differential, for efficient applications of this new attack and apply our approach, in combination with some additional techniques, to SKINNY-128-384. Our attack on SKINNY-128-384 permits to break 25 out of the 56 rounds of this variant and improves by two rounds the previous best known attacks in the single key model.

Adopting Post-Quantum Cryptography (PQC) in network protocols is a challenging subject. Larger PQC public keys and signatures can significantly slow the Transport Layer Security (TLS) protocol. In this context, KEMTLS is a promising approach that replaces the handshake signatures by using PQC Key Encapsulation Mechanisms (KEMs), which have, in general, smaller sizes. However, for broad PQC adoption, hybrid cryptography has its advantages over PQC-only approaches, mainly about the confidence in the security of existing cryptographic schemes. This work brings hybrid cryptography to the KEMTLS and KEMTLS-PDK protocols. We analyze different network conditions and show that the penalty when using Hybrid KEMTLS over PQC-only KEMTLS is minor under certain security levels. We also compare Hybrid KEMTLS with a hybrid version of PQTLS. Overall, the benefits of using hybrid protocols outweigh the slowdown penalties in higher security parameters, which encourages its use in practice.

The study of symmetric structures based on quasigroups is relatively new and certain gaps can be found in the literature. In this paper, we want to fill one of these gaps. More precisely, in this work we study substitution permutation networks based on quasigroups that make use of permutation layers that are non-linear relative to the quasigroup operation. We prove that for quasigroups isotopic with a group $\mathbb{G}$, the complexity of mounting a differential attack against this type of substitution permutation network is the same as attacking another symmetric structure based on $\mathbb{G}$. The resulting structure is interesting and new, and we hope that it will form the basis for future secure block ciphers.