International Association
for Cryptologic Research

Group signature (GS) schemes are an important primitive in cryptography that provides anonymity and traceability for a group of users. In this paper, we propose a new approach to constructing GS schemes using the homomorphic trapdoor function (HTDF). We focus on constructing an identity-based homomorphic signature (IBHS) scheme using the trapdoor, providing a simpler scheme that has no zero-knowledge proofs. Our scheme allows packing more data into the signatures by elevating the existing homomorphic trapdoor from the SIS assumption to the MSIS assumption to enable packing techniques. Compared to the existing group signature schemes, we provide a straightforward and alternate construction that is efficient and secure under the standard model. Overall, our proposed scheme provides an efficient and secure solution for GS schemes using HTDF.

Despite its popularity, password based authentication is susceptible to various kinds of attacks, such as online or offline dictionary attacks. Employing biometric credentials in the authentication process can strengthen the provided security guarantees, but raises significant privacy concerns. This is mainly due to the inherent variability of biometric readings that prevents us from simply applying a standard hash function to them. In this paper we first propose an ideal functionality for modeling secure, privacy preserving biometric based two-factor authentication in the framework of universal composability (UC). The functionality is of independent interest and can be used to analyze other two-factor authentication protocols. We then present a generic protocol for biometric based two-factor authentication and prove its security (relative to our proposed functionality) in the UC framework. The first factor in our protocol is the possession of a device that stores the required secret keys and the second factor is the user's biometric template. Our construction can be instantiated with function hiding functional encryption, which computes for example the distance of the encrypted templates or the predicate indicating whether the templates are close enough. Our contribution can be split into three parts:

- We model privacy preserving biometric based two-factor authentication as an ideal functionality in the UC framework. To the best of our knowledge, this is the first description of an ideal functionality for biometric based two-factor authentication in the UC framework. - We propose a general protocol that uses functional encryption and prove that it UC-realizes our ideal functionality. - We show how to instantiate our framework with efficient, state of the art inner-product functional encryption. This allows the computation of the Euclidean distance, Hamming distance or cosine similarity between encrypted biometric templates. In order to show its practicality, we implemented our protocol and evaluated its performance.

Fully homomorphic encryption (FHE) is a powerful cryptographic technique allowing to perform computation directly over encrypted data. Motivated by the overhead induced by the homomorphic ciphertexts during encryption and transmission, the transciphering technique, consisting in switching from a symmetric encryption to FHE encrypted data was investigated in several papers. Different stream and block ciphers were evaluated in terms of their "FHE-friendliness", meaning practical implementations costs while maintaining sufficient security levels. In this work, we present a first evaluation of hash functions in the homomorphic domain, based on well-chosen block ciphers. More precisely, we investigate the cost of transforming PRINCE, SIMON, SPECK, and LowMC, a set of lightweight block-ciphers into secure hash primitives using well-established hash functions constructions based on block-ciphers, and provide evaluation under bootstrappable FHE schemes. We also motivate the necessity of practical homomorphic evaluation of hash functions by providing several use cases in which the integrity of private data is also required. In particular, our hash constructions can be of significant use in a threshold-homomorphic based protocol for the single secret leader election problem occurring in blockchains with Proof-of-stake consensus. Our experiments showed that using a TFHE implementation of a hash function, we are able to achieve practical runtime, and appropriate security levels (e.g., for PRINCE it takes 1.28 minutes to obtain a 128 bits of hash).

Agrawal et al. (Asiacrypt 2013) proved the discrete Gaussian leftover hash lemma, which states that the linear transformation of the discrete spherical Gaussian is statistically close to the discrete ellipsoid Gaussian. Showing that it is statistically close to the discrete spherical Gaussian, which we call the discrete spherical Gaussian leftover hash lemma (SGLHL), is an open problem posed by Agrawal et al. In this paper, we solve the problem in a weak sense: we show that the distribution of the linear transformation of the discrete spherical Gaussian and the discrete spherical Gaussian are close with respect to the Rényi divergence (RD), which we call the weak SGLHL (wSGLHL). As an application of wSGLHL, we construct a sharper self-reduction of the learning with errors problem (LWE) problem. Applebaum et al. (CRYPTO 2009) showed that linear sums of LWE samples are statistically close to (plain) LWE samples with some unknown error parameter. In contrast, we show that linear sums of LWE samples and (plain) LWE samples with a known error parameter are close with respect to RD. As another application, we weaken the independence heuristic required for the fully homomorphic encryption scheme TFHE.

We propose a new inner product argument (IPA), called TENET, which features sublogarithmic proof size and sublinear verifier without a trusted setup. IPA is a core primitive for various advanced proof systems including range proofs, circuit satisfiability, and polynomial commitment, particularly where a trusted setup is hard to apply. At ASIACRYPT 2022, Kim, Lee, and Seo showed that pairings can be utilized to exceed the complexity barrier of the previous discrete logarithm-based IPA without a trusted setup. More precisely, they proposed two pairing-based IPAs, one with sublogarithmic proof size and the other one with sublinear verifier cost, but they left achieving both complexities simultaneously as an open problem. We investigate the obstacles for this open problem and then provide our solution TENET, which achieves both sublogarithmic proof size and sublinear verifier. We prove the soundness of TENET under the discrete logarithm assumption and double pairing assumption.

Non-malleability is one of the basic security goals for encryption schemes which ensures the resistance of the scheme against ciphertext modifications in the sense that any adversary, given a ciphertext of a plaintext, cannot generate another ciphertext whose underlying plaintext is meaningfully related to the initial one. There are multiple formulations of non-malleable encryption schemes, depending on whether they are based on simulation or comparison, or whether they impose valid ciphertext condition, in which an adversary is required to generate only valid ciphertexts, or not. In addition to the simulation-based and comparison-based formulations (SNM and CNM), an indistinguishability-based characterization of non-malleability (IND), called ciphertext indistinguishability against parallel chosen-ciphertext attacks has been proposed. These three formulations, SNM, CNM and IND, have been shown equivalent if the valid ciphertext condition is not imposed; however, if that condition is imposed, then they have been shown equivalent only against the strongest type of attack models, and the relations among them against the weaker types of the attack models remain open. This work answers this open question by showing the separations SNM*$\not\rightarrow$CNM* and IND*$\not\rightarrow$SNM* against the weaker types of the attack models, where the asterisk attached to the short-hand notations represents that the valid ciphertext condition is imposed. Moreover, motivated by the proof of the latter separation, this paper introduces simulation-based and comparison-based formulations of semantic security (SSS* and CSS*) against parallel chosen-ciphertext attacks, and shows the equivalences SSS*$\leftrightarrow$SNM* and CSS*$\leftrightarrow$CNM* against all types of the attack models. It thus follows that IND*$\not\rightarrow$SSS*, that is, semantic security and ciphertext indistinguishability, which have been shown equivalent in various settings, separate against the weaker parallel chosen-ciphertext attacks under the valid ciphertext condition.

Private set intersection (PSI) is a cryptographic primitive that allows two or more parties to learn the intersection of their input sets and nothing else. In this paper, we present a private set intersection protocol based on a new secure multi-party quantum protocol for greatest common divisor (GCD). The protocol is mainly inspired by the recent quantum private set union protocol based on least common multiple by Liu, Yang, and Li. Performance analysis guarantees the correctness and it also shows that the proposed protocols are completely secure in semi-honest model. Moreover, the complexity is proven to be efficient (poly logarithmic) in the size of the input sets.

Event date: 16 August to 18 August 2023
Submission deadline: 16 May 2023
Notification: 3 July 2023

Dfns is seeking Ph.D. students with a strong research background and an interest in applied cryptography for short-term (10-12 weeks), remote research internships. Areas of research interest include threshold cryptography, secure computation, zero-knowledge proofs, and blockchain security. Research internships will be available year-round, beginning in the summer of 2023 . We encourage applicants with different backgrounds who can offer unique perspectives to apply.
What You'll Do:

Pursue fundamental and applied research in collaboration with the research team

Work with the engineering team on technical problems that arise

Contribute to academic publications and blog posts

Contribute to the company's research roadmap

Our Ideal Candidate Will:

Be enrolled in a Ph.D. program in Computer Science or related technical field.

Have an understanding of theoretical and practical aspects of cryptography.

Have familiarity with publishing in peer-reviewed conferences and journals.

Be passionate and knowledgeable about blockchains/web3 and their underlying technologies.

Have excellent written and verbal communication skills

Closing date for applications:

Contact: Please send your CV to research-jobs@dfns.co Contact Xianrui Meng (xm@dfns.co) and Jon Katz (jkatz@dfns.co) for more information.

iTrust is a Cyber Security Research Center in SUTD and a National Satellite of Excellence in Singapore for securing critical infrastructure. iTrust hosts the world-class cyber-physical system (CPS) testbeds which are used for research, education, training, live-fire exercise, and technology validation.

We are looking for postdocs / research fellows with expertise on cybersecurity in general and CPS security in particular. The candidates should meet the following requirements.

A PhD in any computer science, computer engineering or related field.

Demonstrated expertise in computer networks and/or software testing and/or software security and/or applied cryptography and/or applied machine learning.

Have track record of strong R&D capability, with publications at leading cybersecurity conferences.

Working knowledge of the C/C++ or Python programming language.

Working knowledge in binary analysis and code reverse engineering is preferred.

Familiar with shipboard OT systems is preferred.

Fresh PhD graduates are welcome to apply. Only short-listed candidates will be contacted for interview. Successful candidates will be offered internationally competitive remuneration.

Interested candidates please send your CV to Prof. Jianying Zhou. Email: jianying_zhou (at) sutd.edu.sg. Home: http://jianying.space/

Closing date for applications:

Contact: Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg]

More information: http://jianying.space/

Event date: 10 September 2023
Submission deadline: 1 June 2023
Notification: 31 July 2023

Event date: 25 March to 27 March 2024

We seek to hire an outstanding PhD candidate. The successful candidate will participate in the activities of the CRISES research group, which focuses on theoretical advances for computer security and privacy. The University offers a 4-year PhD scholarship to work in an exciting international environment located at the sunny and mediterranean city of Tarragona, Spain.

Closing date for applications:

Contact: Dr. Rolando Trujillo

More information: https://rolandotr.bitbucket.io/open-positions.html

We are seeking a highly motivated candidate for a PhD or post-doctoral research position in quantum safe cryptography.

The aim of the project is to make strides towards the real-world usage of cryptographic schemes based on the difficulty of computing isogenies between elliptic curves or higher-dimensional Abelian varieties. In the past decade, through ups and downs, isogenies have emerged as an important foundation for cryptography, both pre- and post-quantum. Schemes for key exchange, digital signature, and even more advanced primitives are being consider today for real-world deployment, but there are still many gaps to close before the field can be considered mature. The project will shrink those gaps by researching the mathematical and algorithmic aspects of elliptic curves and Abelian varieties, as well as their secure and efficient implementation.

The successful candidate will be employed by the SNSF-funded project "CryptonIs: Advanced Cryptography Based on Isogenies", and will join the very dynamic Foundations of Cryptography group at IBM Research in Zurich, under the mentorship of Dr. Luca De Feo. The starting date can be any time between April 2023 and March 2024.

Closing date for applications:

Contact: Luca De Feo

More information: https://www.zurich.ibm.com/careers/2023_007.html

The hardness of solving the quadratic residuosity problem is the basis for establishing the security of many cryptographic schemes. Two of these are the public key encryption scheme and the identity-based encryption scheme proposed by Cocks. In this paper, we introduce a new computational problem: the problem of distinguishing between the Jacobi symbols of the solutions of a quadratic congruence modulo an RSA integer. We show that the security of the two encryption schemes is equivalent to the hardness of this problem, while the quadratic residuosity problem reduces to this new problem. We then specialize the problem to roots of quadratic residues and establish several computational indistinguishability relationships.

STARK is a widely used transparent proof system that uses low-degree tests for proving the correctness of a computer program. STARK consumes an intermediate representation known as AIR that is more appropriate for programs with a relatively short and structured description. However, an AIR is not able to succinctly express non-equality constraints, leading to the incorporation of unwanted polynomials. We present the eSTARK protocol, a new probabilistic proof that generalizes the STARK family through the introduction of a more generic intermediate representa- tion called eAIR. We describe eSTARK in the polynomial IOP model, which com- bines the optimized version of the STARK protocol with the incorporation of three arguments into the protocol. We also explain various techniques that enhance the vanilla STARK complexity, including optimizations applied to polynomial computa- tions, and analyze the tradeoffs between controlling the constraint degree either at the representation of the AIR or inside the eSTARK itself.

Computationally sound protocol verification tools promise to deliver full-strength cryptographic proofs for security protocols. Unfortunately, current tools lack either modularity or automation.

We propose a new approach based on a novel use of information flow and refinement types for sound cryptographic proofs. Our framework, Owl, allows type-based modular descriptions of security protocols, wherein disjoint subprotocols can be programmed and automatically proved secure separately.

We give a formal security proof for Owl via a core language which supports standard symmetric and asymmetric primitives, Diffie-Hellman operations, and hashing via random oracles. We also implement a type checker for Owl along with a prototype extraction mechanism to Rust, and evaluate it on 14 case studies, including (simplified forms of) SSH key exchange and Kerberos.

Blockchain security relies on incentives to ensure participants, called miners, cooperate and behave as the protocol dictates. Such protocols have a security threshold – a miner whose relative computational power is larger than the threshold can deviate to improve her revenue. Moreover, blockchain participants can behave in a petty compliant manner: usually follow the protocol, but deviate to increase revenue when deviation cannot be distinguished externally from the prescribed behavior. The effect of petty compliant miners on the security threshold of blockchains is not well understood. Due to the complexity of the analysis, it remained an open question since Carlsten et al. identified it in 2016. In this work, we use deep Reinforcement Learning (RL) to analyze how a rational miner performs selfish mining by deviating from the protocol to maximize revenue when petty compliant miners are present. We find that a selfish miner can exploit petty compliant miners to increase her revenue by bribing them. Our method reveals that the security threshold is lower when petty compliant miners are present. In particular, with parameters estimated from the Bitcoin blockchain, we find the threshold drops from the known value of 25% to only 21% (or 19%) when 50% (or 75%) of the other miners are petty compliant. Hence, our deep RL analysis puts the open question to rest; the presence of petty compliant miners exacerbates a blockchain’s vulnerability to selfish mining and is a major security threat.

An aggregate signature scheme allows multiple signatures generated by different people for different messages to be aggregated into a compact aggregate signature. We propose the first signature aggregation scheme that (1) grows the size of the aggregate signature only logarithmically in the number of signatures to be aggregated, (2) is many-time, (3) supports non-interactive aggregation, (4) its security is based on the standard lattice assumption in the random oracle model. To obtain the result, we construct a new compact non-interactive batch argument (BARG) for NP. Our BARG has a very compact proof and its security is based on the standard modulo lattice assumptions in the random oracle model.

Password Authenticated Key Exchange (PAKE) have become a key building block in many security products as they provide interesting efficiency/security trade-offs. Indeed, a PAKE allows to dispense with the heavy public key infrastructures and its efficiency and portability make it well suited for applications such as Internet of Things or e-passports. With the emerging quantum threat and the effervescent development of post-quantum public key algorithms in the last five years, one would wonder how to modify existing password authenticated key exchange protocols that currently rely on Diffie-Hellman problems in order to include newly introduced and soon-to-be-standardized post-quantum key encapsulation mechanisms (KEM). A generic solution is desirable for maintaining modularity and adaptability with the many post-quantum KEM that have been introduced.

In this paper, we propose two new generic and natural constructions proven in the Universal Composability (UC) model to transform, in a black-box manner, a KEM into a PAKE with very limited performance overhead: one or two extra symmetric encryptions. Behind the simplicity of the designs, establishing security proofs in the UC model is actually non-trivial and requires some additional properties on the underlying KEM like fuzziness and anonymity. Luckily, post-quantum KEM protocols often enjoy these two extra properties. As a demonstration, we prove that it is possible to apply our transformations to Crystals-Kyber, a lattice-based post-quantum KEM that will soon be standardized by the National Institute of Standards and Technology (NIST).

In a nutshell, this work opens up the possibility to securely include post-quantum cryptography in PAKE-based real-world protocols.