International Association
for Cryptologic Research

In this paper we propose Differential Fault Attack (DFA) on two Fully Homomorphic Encryption (FHE) friendly stream ciphers Rasta and $\text {FiLIP} _ {\text {DSM}} $. Design criteria of Rasta rely on affine layers and nonlinear layers, whereas $\text {FiLIP} _ {\text {DSM}} $ relies on permutations and a nonlinear fil- ter function. Here we show that the secret key of these two ciphers can be recovered by injecting only 1 bit fault in the initial state. Our DFA on full round (# rounds = 6) Rasta with 219 block size requires only one block (i.e., 219 bits) of normal and faulty keystream bits. In the case of our DFA on FiLIP-430 (one instance of $\text {FiLIP} _ {\text {DSM}} $), we need 30000 normal and faulty keystream bits.

Monero is a popular cryptocurrency with strong privacy guarantees for users' transactions. At the heart of Monero's privacy claims lies a complex transaction system called RingCT, which combines several building blocks such as linkable ring signatures, homomorphic commitments, and range proofs, in a unique fashion. In this work, we provide the first rigorous security analysis for RingCT (as given in Zero to Monero, v2.0.0, 2020) in its entirety. This is in contrast to prior works that provided security arguments for only parts of RingCT.

To this end, we provide the first holistic security model for Monero's RingCT. In our model, we then prove the security of RingCT. Our framework is modular in that it allows to view RingCT as a combination of various different sub-protocols. This has the benefit that these components can be easily updated in future versions of RingCT with only minor modifications to our analysis. At a technical level, we introduce several new techniques that we believe to be of independent interest. First, we need to make several subtle modifications to the syntax and security properties of existing building blocks (e.g., linkable ring signatures), which result from the unusual way in which they are combined within RingCT. Then, we show how these building blocks can be combined in order to argue security of the top level transaction scheme. As a technical highlight of our proof, we show that our security goals can be mapped to a suitable graph problem. This allows us to take advantage of ideas from the theory of network flows in our analysis.

We introduce a new primitive called anonymous counting tokens (ACTs) which allows clients to obtain blind signatures or MACs (aka tokens) on messages of their choice, while at the same time enabling issuers to enforce rate limits on the number of tokens that a client can obtain for each message. Our constructions enforce that each client will be able to obtain only one token per message and we show a generic transformation to support other rate limiting as well. We achieve this new property while maintaining the unforgeability and unlinkability properties required for anonymous tokens schemes. We present four ACT constructions with various trade-offs for their efficiency and underlying security assumptions. One construction uses factorization-based primitives and a cyclic group. It is secure in the random oracle model under the q-DDHI assumption (in a cyclic group) and the DCR assumption. Our three other constructions use bilinear maps: one is secure in the standard model under q-DDHI and SXDH, one is secure in the random oracle model under SXDH, and the most efficient of the three is secure in the random oracle model and generic bilinear group model.

Event date: 7 July 2023
Submission deadline: 15 March 2023
Notification: 17 April 2023

A University Professor position for the specialist field of “Privacy” with permanent (full-time) contract is expected to be filled as of 1 March, 2024 at the Institute of Logic and Computation (Faculty of Informatics) at TU Wien, Austria’s largest institution of research and higher education in the fields of technology and natural sciences.

We are looking for a candidate with strong scientific foundations and demonstrated expertise in the design of innovative privacy-enhancing technologies that fulfill the needs of our digital society. Desired core areas of competence include but are not limited to:

• Data Privacy
• Privacy in analytics and machine learning
• Theoretical foundations of and formal methods for privacy
• Privacy-preserving protocols, applications, and systems
• Anonymous communication, censorship-resistance
• Cryptographic techniques for privacy
• Human-centered design and usability of privacy technologies

Besides research, the duties include undergraduate and graduate teaching as well as contributing to usual management and faculty service tasks.

Application deadline: 4 May 2023

For all details and to apply, see: jobs.tuwien.ac.at/Job/203700

Closing date for applications:

Contact: Carmen Keck

More information: https://jobs.tuwien.ac.at/Job/203700

Description

As a Senior Cryptography Engineer in Applied Cryptography at IOG you must be an engineer, an architect, an applied cryptographer and leader - it’s a multifaceted role. You have the exciting challenge of working with bleeding-edge research and technology, always with a focus on the market's needs. You will be a leader to an exceptional team. Working on everything from Post-Quantum prototypes to hand-optimisation of existing primitives to completely new products.

Your mission
- Champion of the applied cryptography team
- Captain end to end development and delivery of new products
- Spearhead prototyping of cryptographic products
- Translate research into rigorous engineering specifications & implementations
- Meticulously review cryptographic protocols and proposed primitives
- Expert knowledge of ZK protocols, including PlonK and IPA commitment scheme
- Expert knowledge of elliptic curve cryptography
- Familiarity with blockchain cryptography and constructions
- Practical experience with implementation of cryptographic primitives
- Expert in terms of secure design (constant time, operational security, management of key material)
- Document code and APIs concisely and unambiguously
- Pragmatically adhere to software engineering principles (modularity, incremental development, no premature optimization, no feature creep, no speculative generality, ...)
- Security sensibility related to cryptographic implementation
- Good theoretical cryptography and mathematical knowledge
- Ability to read cryptographic papers, explain them, and manage delivery of their implementation

Your expertise
Degree in Computer Science/Engineering or Applied Mathematics is desirable but not essential
A minimum of 4-5 years development experience (professional or otherwise) in Rust
Experience working with Git and version control
Expert knowledge of applied cryptographic engineering & best practices

Closing date for applications:

Contact: Marios Nicolaides

Description

As Cryptographic Engineer at IO Global, you will have the exciting challenge of working on cutting-edge research and technology focusing on the market’s needs. You will be working on Midnight, specifically on the zero-knowledge proofs that power Midnight.

The Cryptography Engineering team is growing with the goal of bringing recent academic papers into production. In this team, you will work closely with researchers and engineers, being the bridge between both teams. As Cryptography Engineer you are responsible for writing high-quality code. To support you, our products have software architects, product managers, delivery managers, formal methods specialists, and QA test engineers, with whom you must communicate professionally, effectively, and efficiently.

Your mission
- Working with teams across time zones
- Working independently on software development tasks
- Being proactive and requiring minimal supervision or mentoring to complete tasks
- Reviewing specifications produced by architects and formal methods specialists
- Contributing to the design of algorithms
- Troubleshooting, debugging, and upgrading software
- Writing documentation for the code
- Writing technical user manuals
- Understanding complex cryptographic concepts from academic papers
- Bridging ideas from academic papers to production-ready systems

Requirements
Your expertise
- Excellent Mathematical and Analytical skills.
- Experience with Rust. Not necessarily in industry.
- Knowledge of basic cryptographic concepts (Hash Functions,
- Signature Schemes or Elliptic Curves).
- Degree in computer science or mathematics is desirable, but not essential.
- Experience with systems programming (Rust)
- Skilled in software development methods such as agile programming and test-driven development
- Experience in developing cryptography protocols would be a bonus, as would blockchain experience.

Location IOG is a distributed organization and therefore this is a remote position.

Closing date for applications:

Contact: Marios Nicolaides marios.nicolaides@iohk.io

More information: https://apply.workable.com/io-global/j/4437128D09/

The Cryptography and Cybersecurity team of Télécom Paris (https://www.telecom-paris.fr/C2) is seeking for excellent and motivated candidates who are interested in doing a PhD thesis/Post-doc in cryptography. We have several fundings, for three years PhD thesis or 1-2 years Post-doc, on topics related to advanced encrypted mechanisms for data security and privacy. The successful candidates will be supervised or co-supervised by Professor Sébastien Canard, Professor Duong Hieu Phan or Assistant Professor Weiqiang Wen. Applicants for PhD are expected to hold a MSc degree in Mathematics or Computer Science. Knowledge on cryptographic primitives is desirable.

Closing date for applications:

Contact: If you want to apply or have more information, please contact Sébastien Canard (sebastien.canard@telecom-paris.fr) or Duong Hieu Phan (hieu.phan@telecom-paris.fr).

Event date: 24 August to 25 August 2023
Submission deadline: 15 April 2023
Notification: 15 June 2023

Data outsourcing is a solution aimed at addressing the security and reliability issues of data storage by ensuring professional handling of the data. The growing use of outsourcing is causing concern among users due to the lack of assurance regarding the security and reliability of data stored on servers. To address these issues, some attempts have been made to implement Secret Sharing-based Data Outsourcing (SSDO) schemes. The low efficiency of these schemes led researchers to use an index server (IS). However, IS are susceptible to frequency analysis. Bucket-Chain $B^+Tree$ ($BCB^+Tree$) was proposed to tackle the frequency analysis in the current Index Server Secret Sharing-based Data Outsourcing (ISSDO) schemes. Nevertheless, this scheme works very well when the data is discrete with a limited range. Otherwise, the scheme's efficiency declines significantly as it has to store one index in each bucket and the number of buckets rises significantly, rendering the use of an IS useless. In this paper, a new data structure is proposed to store the indexes in IS to mitigate this efficiency concern. Briefly, the domain of values is divided into several segments, and indexes of values in each segment are stored inside a $Shard$. Additionally, a data outsourcing scheme has been presented based on the proposed data structure. It can withstand collaboration from up to $k-1$ dishonest servers even if they have access to the IS.

We construct algebraic structures where rising to the non-associative power indices is no longer tied with the Discrete Logarithm Problem but with a problem that has been analysed in the last two decades and does not have a quantum polynomial algorithm that solves it. The problem is called Exponential Congruences Problem. By this, \emph{we disprove} the claims presented in the ePrint report 2021/583 titled "Entropoids: Groups in Disguise" by Lorenz Panny that \emph{"all instantiations of the entropoid framework should be breakable in polynomial time on a quantum computer."}

Additionally, we construct an Arithmetic for power indices and propose generic recipe guidelines that we call "Entropic-Lift" for transforming some of the existing classical cryptographic schemes that depend on the hardness of Discrete Logarithm Problem to post-quantum cryptographic schemes that will base their security on the hardness of the Exponential Congruences Problem.

As concrete examples, we show how to transform the classical Diffie-Hellman key exchange, DSA and Schnorr signature schemes.

We also post one open problem: From the perspective of provable security, specifically from the standpoint of security of post-quantum cryptographic schemes, to precisely formalize and analyze the potentials and limits of the Entropic-Lift transformation.

Unit group computations are a cryptographic primitive for which one has a fast quantum algorithm, but the required number of qubits is $\tilde{O}(m^5)$. In this work we propose a modification of the algorithm for which the number of qubits is $\tilde{O}(m^2)$ in the case of cyclotomic fields. Moreover, under a recent conjecture on the size of the class group of $\mathbb{Q}(\zeta_m+\zeta_m^{-1})$, the quantum algorithms is much simpler because it is a hidden subgroup problem (HSP) algorithm rather than its error estimation counterpart: continuous hidden subgroup problem (CHSP). We also discuss the (minor) speed-up obtained when exploiting Galois automorphisms thnaks to the Buchmann-Pohst algorithm over $\mathcal{O}_K$-lattices.

Impossible differential (ID) cryptanalysis is one of the most important cryptanalytic approaches for block ciphers. How to evaluate the security of Substitution-Permutation Network (SPN) block ciphers against ID is a valuable problem. In this paper, a series of methods for bounding the length of IDs of SPN block ciphers are proposed. From the perspective of overall structure, we propose a general framework and three implementation strategies. The three implementation strategies are compared and analyzed in terms of efficiency and accuracy. From the perspective of implementation technologies, we give the methods for determining representative set, partition table and ladder and integrating them into searching models. Moreover, the rotation-equivalence ID sets of ciphers are explored to reduce the number of models need to be considered. Thus, the ID bounds of SPN block ciphers can be effectively evaluated. As applications, we show that 9-round PRESENT, 8-round GIFT-64, 12-round GIFT-128, 5-round AES, 6-round Rijndael-160, 7-round Rijndael-192, 7-round Rijndael-224, 7-round Rijndael-256 and 10-round Midori64 do not have any ID under the sole assumption that the round keys are uniformly random. The results of PRESENT, GIFT-128, Rijndael-160, Rijndael-192, Rijndael-224, Rijndael-256 and Midori64 are obtained for the first time. Moreover, the ID bounds of AES, Rijndael-160, Rijndael-192, Rijndael-224 and Rijndael-256 are infimum.

Blockchain has been broadly recognized as a breakthrough technology of the world. Web3, recently, is emerging as a buzzword, indicating the next generation of Internet based on Blockchain, envisioning \textit{the Internet of Money} to store and transfer value. However, when people want a comprehensive view throughout advancements in the Blockchain space, there is a missing in the academic domain and scientific publications regarding distributed ledger technology (DLT) classification and taxonomy for the evolution of public Blockchain generations. In this research, the author attempts to classify DLTs in terms of data structure (ledger type), governance and accessibility. Furthermore, based on the well-known problems and the most technical challenges in Blockchain space, the author studies breaking and significant inventions of various blockchain protocols to give a taxonomy for the evolution of four public Blockchain generations, blockchain layers (0, 1, 2, 3). The first and second generations are dominated by Bitcoin and Ethereum, respectively. The latest state-of-the-art blockchain protocols are developing and shaping the third and fourth generations, where several ``Ethereum-killer" candidates are trying to solve major problems, to offer fantastic functions and capacity, by their own outstanding innovations and distinguished architectural designs. This work helps readers quickly capture historical evolution and innovations of Blockchain, envisioning the next advancements of Web3 as well as the Internet of Value (Internet 2.0).

We give the first examples of public-key encryption schemes which can be proven to achieve multi-challenge, multi-user CCA security via reductions that are tight in time, advantage, and memory. Our constructions are obtained by applying the KEM-DEM paradigm to variants of Hashed ElGamal and the Fujisaki-Okamoto transformation that are augmented by adding uniformly random strings to their ciphertexts and/or keys.

The reductions carefully combine recent proof techniques introduced by Bhattacharyya’20 and Ghoshal- Ghosal-Jaeger-Tessaro’22. Our proofs for the augmented ECIES version of Hashed-ElGamal make use of a new computational Diffie-Hellman assumption wherein the adversary is given access to a pairing to a random group, which we believe may be of independent interest.

Protecting metadata of communications has been an area of active research since the dining cryptographers problem was introduced by David Chaum in 1988. The Snowden revelations from 2013 resparked research in this direction. Consequently over the last decade we have witnessed a flurry of novel systems designed to protect metadata of users' communications online. However, these systems are often guided by the application they cater to, and leverage different assumptions and design choices to achieve their goal; resulting in a scattered view of the desirable properties, potential vulnerabilities, and limitations of existing metadata-protecting communication systems (MPCS).

In this work we survey 31 systems targeting metadata-protected communications, and present a unified view of the current state of affairs. We provide two different taxonomies for existing MPCS, first into three different categories by the precise type of metadata protections they offer, and next into six families based on the core techniques that underlie them. By contrasting these systems we identify potential vulnerabilities, as well as subtle privacy implications of design choices of existing MPCS. Furthermore, we identify promising avenues for future research for MPCS, and desirable properties that merit more attention.

Cryptographic wallets have become an essential tool to secure users' secret keys and consequently their funds in Blockchain networks. The most prominent wallet standard that is widely adopted in practice is the BIP32 specification. This standard specifies so-called hierarchical deterministic wallets, which are organized in a tree-like structure such that each node in the tree represents a wallet instance and such that a parent node can derive a new child node in a deterministic fashion. BIP32 considers two types of child nodes, namely non-hardened and hardened nodes, which differ in the security guarantees they provide. While the corruption of a hardened wallet does not affect the security of any other wallet instance in the tree, the corruption of a non-hardened node leads to a breach of the entire scheme.

In this work, we address this significant drawback of non-hardened nodes by laying out the design for the first hierarchical deterministic wallet scheme with thresholdized non-hardened nodes. We first provide a game-based notion of threshold signatures with rerandomizable keys and show an instantiation via the Gennaro and Goldfeder threshold ECDSA scheme (CCS'18). We further observe that the derivation of hardened child wallets according to the BIP32 specification does not translate easily to the threshold setting. Therefore, we devise a new and efficient derivation mechanism for hardened wallets in the threshold setting that satisfies the same properties as the original BIP32 derivation mechanism and therefore allows for efficient constructions of BIP32-compatible threshold wallets.

We provide a generic construction to turn any classical Zero-Knowledge (ZK) protocol into a composable (quantum) oblivious transfer (OT) protocol, mostly lifting the round-complexity properties and security guarantees (plain-model/statistical security/unstructured functions…) of the ZK protocol to the resulting OT protocol. Such a construction is unlikely to exist classically as Cryptomania is believed to be different from Minicrypt.

In particular, by instantiating our construction using Non-Interactive ZK (NIZK), we provide the first round-optimal (2-message) quantum OT protocol secure in the random oracle model, and round-optimal extensions to string and $k$-out-of-$n$ OT. At the heart of our construction lies a new method that allows us to prove properties on a received quantum state without revealing (too much) information on it, even in a non-interactive way and/or with statistical guarantees when using an appropriate classical ZK protocol. We can notably prove that a state has been partially measured (with arbitrary constraints on the set of measured qubits), without revealing any additional information on this set. This notion can be seen as an analog of ZK to quantum states, and we expect it to be of independent interest as it extends complexity theory to quantum languages, as illustrated by the two new complexity classes we introduce, ZKstateQIP and ZKstateQMA.

Secure RAM computation allows a number of parties to evaluate a function represented as a RAM program in a way that reveals nothing about the private inputs of the parties except from what is already revealed by the function output itself. In this work we present Ramen, which is a new protocol for computing RAM programs securely among three parties, tolerating up to one passive corruption. Ramen provides reasonable asymptotic guarantees and is concretely efficient at the same time. We have implemented our protocol and provide extensive benchmarks for various settings.

Asymptotically, our protocol requires a constant number of rounds and a amortized sublinear amount of communication and computation per memory access. In terms of concrete efficiency, our protocol outperforms previous solutions. For a memory of size $2^{26}$ our memory accesses are \(30\times\) faster in the LAN and \(8.7\times\) faster in the WAN setting, when compared to the previously fastest solution by Vadapalli, Henry, and Goldberg (ePrint 2022). Due to our superior asymptotic guarantees, the efficiency gap is only widening as the memory gets larger and for this reason Ramen provides the currently most scalable concretely efficient solution for securely computing RAM programs.

Trick-taking games are traditional card games played all over the world. There are many such games, and most of them can be played online through dedicated applications, either for fun or for betting money. However, these games have an intrinsic drawback: each player plays its cards according to several secret constraints (unknown to the other players), and if a player does not respect these constraints, the other players will not realize it until much later in the game.

In 2019, X. Bultel and P. Lafourcade proposed a cryptographic protocol for Spades in the random oracle model allowing peer-to-peer trick-taking games to be played securely without the possibility of cheating, even by playing a card that does not respect the secret constraints. However, to simulate card shuffling, this protocol requires a custom proof of shuffle with quadratic complexity in the number of cards, which makes the protocol inefficient in practice. In this paper, we improve their work in several ways. First, we extend their model to cover a broader range of games, such as those implying a set of cards set aside during the deal (for instance Triomphe or French Tarot). Then, we propose a new efficient construction for Spades in the standard model (without random oracles), where cards are represented by partially homomorphic ciphertexts. It can be instantiated by any standard generic proof of shuffle, which significantly improves the efficiency. We demonstrate the feasibility of our approach by giving an implementation of our protocol, and we compare the performances of the new shuffle protocol with the previous one. Finally, we give a similar protocol for French Tarot, with comparable efficiency.