International Association
for Cryptologic Research

Gradient Boosting Decision Tree (GBDT) and its variants are widely used in industry, due to their strong interpretability. Secure multi-party computation allows multiple data owners to compute a function jointly while keeping their input private. In this work, we present Squirrel, a two-party GBDT training framework on a vertically split dataset, where two data owners each hold different features of the same data samples. Squirrel is private against semi-honest adversaries, and no sensitive intermediate information is revealed during the training process. Squirrel is also scalable to datasets with millions of samples even under a Wide Area Network (WAN). Squirrel achieves its high performance via several novel co-designs of the GBDT algorithms and advanced cryptography. Especially, 1) we propose a new and efficient mechanism to hide the sample distribution on each node using oblivious transfer. 2) We propose a highly optimized method for gradient aggregation using lattice-based homomorphic encryption (HE). Our empirical results show that our method can be three orders of magnitude faster than the existing HE approaches. 3) We propose a novel protocol to evaluate the sigmoid func- tion on secretly shared values, showing 19×-200×-fold im- provements over two existing methods. Combining all these improvements, Squirrel costs less than 6 seconds per tree on a dataset with 50 thousands samples which outperforms Pivot (VLDB 2020) by more than 28×. We also show that Squirrel can scale up to datasets with more than one million samples, e.g., about 170 seconds per tree over a WAN.

A line of recent work has highlighted the importance of context commitment security, which asks that authenticated encryption with associated data (AEAD) schemes will not decrypt the same adversarially-chosen ciphertext under two different, adversarially-chosen contexts (secret key, nonce, and associated data). Despite a spate of recent attacks, many open questions remain around context commitment; most obviously nothing is known about the commitment security of important schemes such as CCM, EAX, and SIV.

We resolve these open questions, and more. Our approach is to, first, introduce a new framework that helps us more granularly define context commitment security in terms of what portions of a context are adversarially controlled. We go on to formulate a new notion, called context discoverability security, which can be viewed as analogous to preimage resistance from the hashing literature. We show that unrestricted context commitment security (the adversary controls all of the two contexts) implies context discoverability security for a class of schemes encompassing most schemes used in practice. Then, we show new context discovery attacks against a wide set of AEAD schemes, including CCM, EAX, SIV, GCM, and OCB3, and, by our general result, this gives new unrestricted context commitment attacks against them.

Finally, we consider restricted context commitment security for the original SIV mode, for which no prior attack techniques work (including our context discovery based ones). We are nevertheless able to give a novel $O(2^{n/3})$ attack using Wagner's k-tree algorithm for the generalized birthday problem.

Recent work in the design of rate $1 - o(1)$ lattice-based cryptosystems have used two distinct design paradigms, namely replacing the noise-tolerant encoding $m \mapsto (q/2)m$ present in many lattice-based cryptosystems with a more efficient encoding, and post-processing traditional lattice-based ciphertexts with a lossy compression algorithm, using a technique very similar to the technique of ``vector quantization'' within coding theory. We introduce a framework for the design of lattice-based encryption that captures both of these paradigms, and prove information-theoretic rate bounds within this framework. These bounds separate the settings of trivial and non-trivial quantization, and show the impossibility of rate $1 - o(1)$ encryption using both trivial quantization and polynomial modulus. They furthermore put strong limits on the rate of constructions that utilize lattices built by tensoring a lattice of small dimension with $\mathbb{Z}^k$, which is ubiquitous in the literature. We additionally introduce a new cryptosystem, that matches the rate of the highest-rate currently known scheme, while encoding messages with a ``gadget'', which may be useful for constructions of Fully Homomorphic Encryption.

highlighting a looming cyber threat emanating from fast developing artificial intelligence. This strategic threat is further magnified with the advent of quantum computers. AI and quantum-AI (QAI) represent a totally new and effective vector of cryptanalytic attack. Much as modern AI successfully completes browser search phrases, so it is increasingly capable of guessing a rather narrow a-priori list of plausible plaintexts. This guessing is most effective over device cryptography where the message space is limited. Matching these guesses with the captured ciphertext will greatly accelerate the code breaking process. We never faced such a plaintext-originated attack on a strategic level, and never had to prepare for it. Now we do. Proposing to apply a well-known martial art tactics: using the opponent's strength against them: constructing ciphertexts that would provide false answers to the AI attacker and lead them astray. We are achieving this defensive measure by pivoting away from the norm of small, known-size key and pattern-loaded ciphers. Using instead large keys of secret size, augmented with ad-hoc unilateral randomness of unbound limits, and deploying a pattern-devoid algorithm with a remarkably low computational burden, so it can easily handle very large keys. Thereby we achieve large as desired unicity distances. This strategy has become feasible just when the AI threat looms. It exploits three new technologies coming together: (i) non-algorithmic randomness, (ii) very large and inexpensive memory chips, and (iii) high throughout communication networks. These pattern-devoid, randomness rich ciphers also turn up to be an important option in the toolbox NIST prepares to meet the quantum challenge. Avoiding the computational load of mainstay ciphers, AIR-cryptography presents itself as the ciphers of choice for medical, military and other battery-limited devices for which data security is paramount. In summary: we are pointing out a fast emerging cyber challenges, and laying out a matching cryptographic answer.

While the round function of the AEGIS authenticated encryption algorithms is highly parallelizable, their mode of operation is not.

We introduce two new modes to overcome that limitation: AEGIS-128X and AEGIS-256X, that require minimal changes to existing implementations and retain the security properties of AEGIS-128L and AEGIS-256.

From hashing and commitment schemes to Fiat-Shamir and encryption, hash functions are everywhere in zero-knowledge proofsystems (ZKPs), and minor performance changes in ``vanilla'' implementations can translate in major discrepancies when the hash is processed as a circuit within the proofsystem.

Protocol designers have resorted to a number of techniques and custom modes to optimize hash functions for ZKPs settings, but so far without a single established, well-studied construction. To address this need, we define the Sponge API for Field Elements (SAFE), a unified framework for permutation-based schemes (including AEAD, Sigma, PRNGs, and so on). SAFE eliminates the performance overhead, is pluggable in any field-oriented protocol, and is suitable for any permutation algorithm.

SAFE is implemented in Filecoin's Neptune hash framework, {which is} our reference implementation (in Rust). SAFE is also being integrated in other prominent ZKP projects. This report specifies SAFE and describes some use cases.

Among other improvements, our construction is among the first to store the protocol metadata in the sponge inner part in a provably secure way, which may be of independent interest to the sponge use cases outside of ZKP.

Secure computation is of critical importance to not only the DoD, but across financial institutions, healthcare, and anywhere personally identifiable information (PII) is accessed. Traditional security techniques require data to be decrypted before performing any computation. When processed on untrusted systems the decrypted data is vulnerable to attacks to extract the sensitive information. To address these vulnerabilities Fully Homomorphic Encryption (FHE) keeps the data encrypted during computation and secures the results, even in these untrusted environments. However, FHE requires a significant amount of computation to perform equivalent unencrypted operations. To be useful, FHE must significantly close the computation gap (within 10x) to make encrypted processing practical. To accomplish this ambitious goal the TREBUCHET project is leading research and development in FHE processing hardware to accelerate deep computations on encrypted data, as part of the DARPA MTO Data Privacy for Virtual Environments (DPRIVE) program. We accelerate the major secure standardized FHE schemes (BGV, BFV, CKKS, FHEW, etc.) at >=128-bit security while integrating with the open-source PALISADE and OpenFHE libraries currently used in the DoD and in industry. We utilize a novel tile-based chip design with highly parallel ALUs optimized for vectorized 128b modulo arithmetic. The TREBUCHET coprocessor design provides a highly modular, flexible, and extensible FHE accelerator for easy reconfiguration, deployment, integration and application on other hardware form factors, such as System-on-Chip or alternate chip areas

We provide security foundations for SAFE, a recently introduced API framework for sponge-based hash functions tailored to prime-field-based protocols. SAFE aims to provide a robust and foolproof interface, has been implemented in the Neptune hash framework and some zero-knowledge proof projects, but currently lacks any security proof. In this work we identify the SAFECore as versatile variant sponge construction underlying SAFE, we prove indifferentiability of SAFECore for all (binary and prime) fields up to around $|\mathbb{F}_p|^{c/2}$ queries, where $\mathbb{F}_p$ is the underlying field and $c$ the capacity, and we apply this security result to various use cases. We show that the SAFE-based protocols of plain hashing, authenticated encryption, verifiable computation, non-interactive proofs, and commitment schemes are secure against a wide class of adversaries, including those dealing with multiple invocations of a sponge in a single application. Our results pave the way of using SAFE with the full taxonomy of hash functions, including SNARK-, lattice-, and x86-friendly hashes.

Digital signatures ensure legitimate access through identity authentication. It is also used to build blocks in blockchains and to authenticate transactions. The Courtois-Finiasz-Sendrier (CFS) digital signature is a well-known code-based digital signature scheme based on the Niederreiter cryptosystem. The CFS signature, however, is not widely used due to the long processing time required by its signing algorithm. Most code-based digital signature schemes are based on Niederreiter. The paper proposes a new code-based digital signature based on the McEliece cryptosystem. The proposed McEliece code-based scheme also gives less complexity and a higher success rate. The scheme provides an efficient code-based algorithm to sign a document in a shorter processing time. The scheme is also secure against public key structural attacks. The proposed scheme is the efficient code-based digital signature based on McEliece with a lower processing time required to construct a valid digital signature. The proposed signing algorithm also creates smaller signatures. In addition, the verification algorithm checks the integrity value to avoid any forgery before final verification.

Besides the U.S. NIST standard SHA-3(Keccak), another sponge-based primitive Ascon was selected as the NIST standard for lightweight applications, recently. Exploring the security against attacks on the sponge-based hash functions is very important. At EUROCRYPT 2023, Qin et al. introduced the MitM preimage attack framework and the automatic tools for Keccak, Ascon, and Xoodyak.

In this paper, we extend Qin et al.'s MitM attack framework into collision attack and also develop various techniques to improve the automatic tools for both preimage and collision attacks. We introduce a novel initial structure called weak-diffusion structure that enjoys many more degrees of freedom to build the blue/red neutral sets than Qin et al.'s. In addition, a more flexible condition scheme is introduced to reduce the diffusion of variables. To further accelerate the solving of automatic model, we propose a heuristic two-stage searching strategy, which first finds many blue neutral sets with naturally weak-diffusion properties, and then solves different automatic models with different blue neutral sets prefixed. Also symmetry property of Keccak is applied to speed up the search.

At last, we introduce the first collision attack on 4-round Keccak-512. Besides, the first MitM-based preimage attack on 4-round Keccak-384 is found that outperforms all previous attacks, while Qin et al. only found attack on Keccak-512. Moreover, we find collision attacks on reduced Xoodyak and Ascon with 1-2 rounds improvements than before. The complexities of preimage attacks on reduced Xoodyak and Ascon are also improved.

Secure multi-party computation has been considered by the cryptographic community for a number of years. Until recently it has been a purely theoretical area, with few implementations with which to test various ideas. This has led to a number of optimisations being proposed which are quite restricted in their application. In this paper we describe an implementation of the two-party case, using Yao’s garbled circuits, and present various algorithmic protocol improvements. These optimisations are analysed both theoretically and empirically, using experiments of various adversarial situations. Our experimental data is provided for reasonably large circuits, including one which performs an AES encryption, a problem which we discuss in the context of various possible applications.

Event date: 23 November to 24 November 2023
Submission deadline: 20 September 2023
Notification: 1 November 2023

Event date: 12 December to 14 December 2023
Submission deadline: 28 June 2023
Notification: 6 September 2023

The Applied Cryptography Unit (https://groups.oist.jp/appcrypto) at the Okinawa Institute of Science and Technology (OIST) is seeking to hire up to four postdoctoral scholars in cryptography.

The Applied Cryptography Unit, led by Prof Carlos Cid, was established in 2022, to conduct research in the design and analysis of modern cryptographic primitives and schemes used to protect confidentiality and integrity of data, both in the classical and in the quantum settings. To forge and develop its research activities, we are now seeking to hire up to four outstanding post-doctoral researchers to work in the following topics: post-quantum / quantum cryptography (design and analysis), quantum cryptanalysis, post-quantum cryptographic techniques for privacy-preserving mechanisms.

The postdocs will be provided with funding and access to world-class facilities to pursue their research. The Unit aims to establish a highly collaborative environment, and we expect there will be several opportunities to work with other research groups at OIST, in Japan and overseas.

Submission Documents

Applicants should prepare a single pdf file with:

• Cover letter, outlining the motivation for applying for the position, research interests, experience and qualifications of relevance for the position;
• CV with a list of publications;
• Names and contact information of two referees, one of which should be a previous employer.

and submit it at https://www.oist.jp/careers/postdoctoral-scholars-applied-cryptography-unit

Application Deadline:

Applicants will be considered until the positions are filled, but submissions by 28 May 2023 will guarantee full consideration.

Closing date for applications:

Contact: Carlos Cid (carlos.cid@oist.jp)

More information: https://www.oist.jp/careers/postdoctoral-scholars-applied-cryptography-unit

iTrust is a Cyber Security Research Center in SUTD and a National Satellite of Excellence in Singapore for securing critical infrastructure. iTrust hosts the world-class cyber-physical system (CPS) testbeds which are used for research, education, training, live-fire exercise, and technology validation.

We offer PhD scholarship on cybersecurity in general and CPS security in particular (especially on IoT and maritime). The candidates should have an excellent background (with Bachelor or Master degree and CGPA>80%) in mathematics or computer science/engineering. Acquaintance with cryptography and network/system security concepts as well as some programming skills is preferred. Interested candidates please send your CV to Prof. Jianying Zhou or Prof. Sudipta Chattopadhyay. Only short-listed candidates will be contacted for interview.

Closing date for applications:

Contact: Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg] or Prof. Sudipta Chattopadhyay [sudipta_chattopadhyay@sutd.edu.sg]

More information: https://itrust.sutd.edu.sg/

The Digital Security Department of EURECOM, Sophia-Antipolis France, invites applications for a PhD position.
Topic - Artificial Intelligence (AI) technologies can efficiently process large amounts of data, to help stakeholders improve their services and propose applications tailored to end-user needs. While the benefits of AI technologies for the society are manifold and range from personalized services to improved healthcare, their adoption remains unfortunately slow due to various obstacles among which the lack of trustworthiness. Indeed, the performance and robustness of AI technologies rely on the access to large datasets of good quality. Such datasets usually include privacy-sensitive information. In this context, Federated learning (FL) is emerging as a powerful paradigm to collaboratively train a machine-learning (ML) model among thousands or even millions of participants. FL inherently promises (some) privacy and governance guarantees for the clients because the training data never leaves the client’s premises. Nevertheless, the collaborative aggregation of models’ parameters can potentially expose clients' specific information, and opens up to security breaches with potential loss of privacy. The successful candidate will study, the privacy and security challenges associated with federated learning and design and evaluate scalable and efficient privacy-enhancing technologies for FL using advanced cryptographic techniques such as multi-key homomorphic encryption or multi-party computation.
Requirements - Applicants should hold a Master degree or equivalent in Computer Science or a closely related area with a strong background on cryptography. Some background in machine learning is appreciated.
The application requires, among other documents, a CV, a cover letter describing the applicant’s research interests, the contact details of 2/3 persons that can provide references about the candidate and the transcripts of courses taken at graduate (and optionally undergraduate) level.

Closing date for applications:

Contact: Applicants are invited to send their applications via e-mail under reference [PhD-FLP] to melek.onen@eurecom.fr

Dfns Labs, the research division of Dfns, seeks MS/Ph.D scholars with a substantial aptitude in applied cryptography for remote internships spanning 10-12 weeks. These internships encompass designing and implementing threshold cryptographic protocols. Opportunities for internships are available throughout the year, commencing in the summer of 2023. We welcome applications from individuals of diverse backgrounds with distinctive outlooks.

Dfns is a cybersecurity company that builds custody SaaS solutions for web3 apps. Dfns gives financial institutions and businesses—from fintechs to e-commerce sites—the freedom to own and transfer crypto using a battle-designed security infrastructure.

Job Description

Develop proof-of-concepts exhibiting common MPC, threshold cryptography, and zero-knowledge proof implementations.

Collaborate with the research and engineering team on technical research tasks.

Contribute to academic articles and blog posts.

Stay apprised of the newest advancements in crypto, DeFi, and blockchain.

Interact with a team of cryptographers and engineers to contribute to the company's research plan.

Basic Qualifications

Must be enrolled in a Ph.D. or Masters program in Computer Science or a related technical field.

Must possess formidable software engineering skills in common programming languages (e.g. C/C++, Rust (preferred), Python, Java).

Should possess a working knowledge of cryptography and privacy-enhancing technologies.

Must possess superior written and verbal communication skills.

Additional Information

Compensation: Attractive salary, equity options, paid time-off, etc.

Location: Hybrid – Home or Office-based

Closing date for applications:

Contact: Please send your CV to research-jobs@dfns.co
Contact Xianrui Meng (xm@dfns.co) and Jon Katz (jkatz@dfns.co) for more information.

Applications are invited for 6 Research Fellow posts to perform research in the area of AI-enabled cybersecurity. The posts are associated with the newly-created Cyber-AI Technologies Hub at CSIT, which is a collaboration with cyber security companies on projects in AI-enabled cyber security. The Cyber-AI Technologies Hub is a physical environment where companies and academia are co-located to collaborate on the advancement and demonstration of AI and cyber security.

Research Fellows will have the opportunity to advance research in areas such as: threat intelligence and monitoring, ICS malware detection and network intrusion detection, device trust, hardware/embedded systems security, security and verification of AI and threat prediction and prevention.

The successful candidates must have obtained, or be about to obtain, a PhD in engineering or physical sciences. At least 3 years’ high quality research experience in cybersecurity, and/or machine learning/AI, as evidenced by a strong track record of publications in leading journals and conferences in relevant areas.

Closing Date: 17/04/2023

Closing date for applications:

Contact: Paul Miller (p.miller@qub.ac.uk)

More information: https://hrwebapp.qub.ac.uk/tlive_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=411415IzIk&WVID=6273090Lgx&LANG=USA

Lattice-based cryptography has laid the foundation of various modern-day cryptosystems that cater to several applications, including post-quantum cryptography. For structured lattice-based schemes, polynomial arithmetic is a fundamental part. In several instances, the performance optimizations come from implementing compact multipliers due to the small range of the secret polynomial coefficients. However, this optimization does not easily translate to side-channel protected implementations since masking requires secret polynomial coefficients to be distributed over a large range. In this work, we address this problem and propose two novel generalized techniques, one for the number theoretic transform (NTT) based and another for the non-NTT-based polynomial arithmetic. Both these proposals enable masked polynomial multiplication while utilizing and retaining the small secret property.

For demonstration, we used the proposed technique and instantiated masked multipliers for schoolbook as well as NTT-based polynomial multiplication. Both of these can utilize the compact multipliers used in the unmasked implementations. The schoolbook multiplication requires an extra polynomial accumulation along with the two polynomial multiplications for a first-order protected implementation. However, this cost is nothing compared to the area saved by utilizing the existing cheap multiplication units. We also extensively test the side-channel resistance of the proposed design through TVLA to guarantee its first-order security.

A distributed oblivious RAM (DORAM) is a method for accessing a secret-shared memory while hiding the accessed locations. DORAMs are the key tool for secure multiparty computation (MPC) for RAM programs that avoids expensive RAM-to-circuit transformations.

We present new and improved 3-party DORAM protocols. For a logical memory of size $N$ and for each logical operation, our DORAM requires $O(\log N)$ local CPU computation steps. This is known to be asymptotically optimal. Our DORAM satisfies passive security in the honest majority setting. Our technique results with concretely-efficient protocols and does not use expensive cryptography (such as re-randomizable or homomorphic encryption). Specifically, our DORAM is 25X faster than the known most efficient DORAM in the same setting.

Lastly, we extend our technique to handle malicious attackers at the expense of using slightly larger blocks (i.e., $\omega(\log^2 N)$ vs. $\Omega(\log N)$). To the best of our knowledge, this is the first concretely-efficient maliciously secure DORAM.

Technically, our construction relies on a novel concretely-efficient 3-party oblivious permutation protocol. We combine it with efficient non-oblivious hashing techniques (i.e., Cuckoo hashing) to get a distributed oblivious hash table. From this, we build a full-fledged DORAM using a distributed variant of the hierarchical approach of Goldreich and Ostrovsky (J. ACM '96). These ideas, and especially the permutation protocol, are of independent interest.