International Association
for Cryptologic Research

The BBS+ signature scheme is one of the most prominent solutions for realizing anonymous credentials. In particular, due to properties like selective disclosure and efficient protocols for creating and showing possession of credentials. In recent years, research in cryptography has increasingly focused on the distribution of cryptographic tasks to mitigate attack surfaces and remove single points of failure.

In this work, we present a threshold BBS+ protocol in the preprocessing model. Our protocol supports an arbitrary $t$-out-of-$n$ threshold and achieves non-interactive signing in the online phase. It relies on a new pseudorandom correlation-based offline protocol producing preprocessing material with sublinear communication complexity in the number of signatures. Both our offline and online protocols are actively secure under the Universal Composability framework. Finally, we estimate the concrete efficiency of our protocol, including an implementation of the online phase. The online protocol without network latency takes less than $15 ms$ for $t \leq 30$ and credentials sizes up to $10$. Further, our results indicate that the influence of $t$ on the online signing is insignificant, $< 6 \%$ for $t \leq 30$, and the overhead of the thresholdization occurs almost exclusively in the offline phase.

The Security and Privacy Research Unit at TU Wien (https://secpriv.wien) is offering a fully funded PhD position within the WWTF project “SCALE2: SeCure, privAte, and interoperabLe layEr 2” (https://www.wwtf.at/funding/programmes/ict/ICT22-045/) under the supervision of Dr. Georgia Avarikioti and Univ.-Prof. Dr. Matteo Maffei.
Your profile:

• Master degree in computer science or equivalent (degree completion by employment start)
• Background in security/blockchain is a plus
• Excellent English, communication, and teamwork skills

Your tasks:

• Conducting world-class research in the design and analysis of scaling protocols for blockchains
• Engaging in research collaborations
• Contributing to teaching blockchain technologies on Masters-level

We offer:

• The Security and Privacy group is internationally renowned, regularly publishes in top security venues, and consists of an international, diverse team with expertise in cryptography, security, privacy, and game theory
• An international English-speaking environment (German not required)
• Personal/professional development, flexible hours
• Central workplace location (U1/U2/U4 Karlsplatz)
• Creative environment in a top-ranked city in livability
• A competitive salary

TU Wien strongly advocates for women, especially in leadership roles, and encourages applications from females and individuals with special needs. If qualifications are equal, female applicants will be prioritized unless specific reasons favor a male candidate.
The application material should include:

• Motivation letter
• Bachelor/Master’s transcripts
• Publication list (if available)
• Curriculum vitae
• Contact information for two referees

Closing date for applications:

Contact: Interested candidates should send the application material to Matteo Maffei (matteo.maffei@tuwien.ac.at) and Georgia Avarikioti (georgia.avarikioti@tuwien.ac.at). Applications received by August 15th will receive full consideration, but applications will be accepted until the position is filled.

Mysten Labs believes that decentralized and open protocols are the bedrock of the internet of value. This is why at Mysten Labs, we are creating foundational infrastructure to accelerate the adoption of decentralized protocols based on blockchain technologies.

Mysten is looking for a Software Engineer who is interested in cryptographic protocols and their application to blockchain. This person would work with us to design, check and implement mission-critical algorithms on range of topics including; cryptographic primitives such as pairing-based cryptography, distributed cryptographic protocols such as signature aggregation and distributed key generation, and zero-knowledge building blocks such as vector commitments and accumulators. They would then put this cryptography into practice in order to realize the scalability required by the next generation of blockchain networks.

What You'll Have:

5+ years of experience in hands-on software engineering for cryptographic operations, such as signature schemes, accumulators, key management, data encryption and compression.

Understanding of fundamental cryptographic algorithms and underlying math for any of the following: hash functions, finite field arithmetic, polynomials (FFT) and elliptic curves.

Experience implementing high-performance and parallelizable protocols in languages such as Go, Rust Java, or C/C++.

Experience with tools, practices, and programming patterns for ensuring software correctness.

Experience implementing zk-SNARK circuits or proof systems (i.e., Groth16, Halo, Plonk, STARKs, Marlin) is considered a plus.

Understanding, research publications or hands-on experience in any of the following is considered a bonus: zero knowledge proofs, threshold signatures, multi-party computations, efficient accumulators, distributed randomness generation, auditing cryptographic software/smart contracts, lightweight and embedded cryptography.

Closing date for applications:

Contact: Please navigate to our job posting if you wish to apply: https://jobs.ashbyhq.com/mystenlabs/a3d0da5b-b3cb-45db-9aa8-dc89ba0cee5e

More information: https://jobs.ashbyhq.com/mystenlabs/a3d0da5b-b3cb-45db-9aa8-dc89ba0cee5e

The University of Birmingham's School of Computer Science continues to thrive during a period of sustained growth. We are inviting applications for full professorial positions [1]. If you are a leader with a passion for computer science (and in particular Cyber Security), this is an extraordinary opportunity to shape the future of our academic community.

Areas of interest include (but are not limited to) systems security, artificial intelligence, network/web security, as well as formal methods and cryptography.

As part of the University of Birmingham, you will have access to state-of-the-art facilities, world-class research centres (in particular the Centre for Cyber Security and Privacy [2]), and a growing network of academic and industry collaborations. Our commitment to diversity and inclusion ensures an inclusive and welcoming environment for all.

The deadline for applications is 30 July 2023. Please note that we reserve the right to close this vacancy early once a sufficient number of applications have been received.

[1] https://www.jobs.ac.uk/job/DBD093/chair-in-computer-science-school-of-computing-science-4-positions-102099

[2] https://www.birmingham.ac.uk/research/centre-for-cyber-security-and-privacy/index.aspx

Closing date for applications:

Contact: For further information, please contact Aad van Moorsel, a.vanmoorsel@bham.ac.uk. For informal enquiries regarding the Centre for Cyber Security and Privacy, please contact David Oswald (d.f.oswald@bham.ac.uk) and Mark Ryan (m.d.ryan@bham.ac.uk).

More information: https://www.jobs.ac.uk/job/DBD093/chair-in-computer-science-school-of-computing-science-4-positions-102099

The responsibilities of this exciting, varied role will include:

• Software security assessment of SoC/IC security architectures and security scope specifications

• Plan, track and execute process, specification as well as software implementation reviews

• Assessment of software security robustness and effectiveness of security mechanisms

• Work with engineering teams and security engineers to innovate solutions to security-related problems

• Manage the NXP’s software secure development lifecycle (SSDLC) applied on product developments to minimize security risks

• Work on continuous improvements to keep up with state-of-the-art security technologies

• Refine software security best practices to assure and efficient and effective application

• Provide consultation on specific areas of security expertise and on the application of the SSDLC

To ensure your successful performance in this role, the following is desired

• Finished a BSEE or MSEE preferred in Security Engineering or Software Engineering

• Have good understanding of embedded software design, programming, documentation, and testing

• Have experience in the design and development of secure software, focus on embedded systems or complete solutions

• Have experience in the security concept/design, thread analysis, risk/threat modelling and mitigation strategies

• Have professional knowledge of software languages (C, Java, Java Card, Python, Rust)

• Knowledge of security compliance and certification processes would be an advantage

• Be familiar with "state of the art" software tools, CI/CD, secure software engineering processes, IoT solutions and service (depending on area of expertise)

• Have excellent communication skills, are willing to listen and adapt

• Are a collaborator with strong soft skills, ideally experienced in multicultural and global working environment

Closing date for applications:

Contact:

Veronika von Hepperger

Senior Talent Acquisition Specialist

(veronika.vonhepperger@nxp.com)

We bring to life fast, permissionless, decentralized computation. The Nillion team is looking for talented cryptographers to help build a new paradigm in decentralized computing to redefine network computation on private data. As a Cryptographer at Nillion, you will research, design, and define cryptographic protocols within the larger framework of distributed systems, formally proving their security. You will be responsible for conducting groundbreaking research that will lead to commercially viable and reliable products by analyzing, proposing, and validating cryptography solutions within a decentralized computing environment. We work in an environment where tangibility and flexibility are key attributes that help us innovate. Our engineering team embodies those qualities, bringing clarity and direction to help move new ideas forward. If you enjoy keeping up to speed on current technological trends and have a background in cryptography and security - get in touch! Requirements: - 5+ years of academic research experience in cryptography - Qualified to a PhD or Postdoc degree in cryptography or related field - Several international scientific publications - Deep understanding of multi-party computation (MPC) -Excellent verbal and written communication skills in English -Extensive experience working with internal and external stakeholders -Have highly effective communication, interpersonal and critical thinking skills -Ability to understand, formally describe and prove mathematical concepts in writing -The ability to write formal security proofs in the UC framework -Publications in the domain of MPC (Publications in the domains of ZKP or FHE are a bonus) Responsibilities: -Developing new protocols and their security proofs -Creating variants of existing protocols (synchronous/asynchronous, computational/ITS, passive/active, static/mobile adversaries, boolean/arithmetic, etc.) -Verifying existing NMC protocols and their security proofs -Proof-reading existing written material (e.g. technical whitepaper) -Writing new security proofs for existing NMC protocols.. See full job description below.

Closing date for applications:

Contact: Roisin Kavanagh, Head of People and Talent.

More information: https://apply.workable.com/nillion/j/CD9D0CFCD3/

The random oracle model is an instrument used for proving that protocol has no structural flaws when settling with standard hash properties is impossible or fairly difficult. In practice, however, random oracles have to be instantiated with some specific hash functions, which are not random oracles. Hence, in the real world, an adversary has broader capabilities than considered in the random oracle proof — it can exploit the peculiarities of a specific hash function to achieve its goal. In a case when a hash function is based on some building block, one can go further and show that even if the adversary has access to that building block, the hash function still behaves like a random oracle under some assumptions made about the building block. Thereby, the protocol can be proved secure against more powerful adversaries under less complex assumptions. The indifferentiability notion formalizes that approach.

In this paper we study whether Streebog, a Russian standardized hash function, can instantiate a random oracle from that point of view. We prove that Streebog is indifferentiable from a random oracle under an ideal cipher assumption for the underlying block cipher.

The post-quantum digital signature scheme CRYSTALS-Dilithium has been recently selected by the NIST for standardization. Implementing CRYSTALS-Dilithium, and other post-quantum cryptography schemes, on embedded devices raises a new set of challenges, including ones related to performance in terms of speed and memory requirements, but also related to side-channel and fault injection attacks security. In this work, we investigated the latter and describe a differential fault attack on the randomized and deterministic versions of CRYSTALS-Dilithium. Notably, the attack requires a few instructions skips and is able to reduce the MLWE problem that Dilithium is based on to a smaller RLWE problem which can be practically solved with lattice reduction techniques. Accordingly, we demonstrated key recoveries using hints extracted on the secret keys from the same faulted signatures using the LWE with side-information framework introduced by Dachman-Soled et al. at CRYPTO’20. As a final contribution, we proposed algorithmic countermeasures against this attack and in particular showed that the second one can be parameterized to only induce a negligible overhead over the signature generation.

The analysis of real-life incidents has revealed that state-level efforts are made to camouflage the intentional flaws in the mathematical layer of an S-Box to exploit the information-theoretic properties, i.e., Kuznyechik. To extract and investigate the common features in the backdoored S-Box(es), this research thoroughly examines them from the perspective of 24 cryptanalytic attack vectors available in the open literature. We have debunked the earlier claims by the backdoor engineers that their designs are stealthy against statistical distinguishers. A backdoored architecture fulfils the notions of randomness but lacks the strength to resist sophisticated cryptanalytic attacks. Our analysis has revealed that during the backdoor insertion phase, a malicious designer compromises vital cryptographic properties, prominently the algebraic degree, differential trails, avalanche characteristics and leaving the open ground for hybrid attacks. It is observed that these mappings attain the upper bound of BCT, FBCT and DLCT, thus paving the way for hybrid attacks with high probability.

We present a simple and lightweight single-server sublinear private information retrieval scheme based on new techniques in hint construction and usage. Our scheme has small amortized response and close to optimal online response, which is only twice that of simply fetching the desired entry without privacy. For a 128 GB database with 64-byte entries, each query consumes only 117 KB of communication and 7.5 milliseconds of computation, amortized.

We establish new results on the Fiat-Shamir (FS) security of several protocols that are widely used in practice, and we provide general tools for establishing similar results for others. More precisely, we: (1) prove the FS security of the FRI and batched FRI protocols; (2) analyze a general class of protocols, which we call $\delta$-correlated, that use low-degree proximity testing as a subroutine (this includes many "Plonk-like" protocols (e.g., Plonky2 and Redshift), ethSTARK, RISC Zero, etc.); and (3) prove FS security of the aforementioned "Plonk-like" protocols, and sketch how to prove the same for the others.

We obtain our first result by analyzing the round-by-round (RBR) soundness and RBR knowledge soundness of FRI. For the second result, we prove that if a $\delta$-correlated protocol is RBR (knowledge) sound under the assumption that adversaries always send low-degree polynomials, then it is RBR (knowledge) sound in general. Equipped with this tool, we prove our third result by formally showing that "Plonk-like" protocols are RBR (knowledge) sound under the assumption that adversaries always send low-degree polynomials. We then outline analogous arguments for the remainder of the aforementioned protocols.

To the best of our knowledge, ours is the first formal analysis of the Fiat-Shamir security of FRI and widely deployed protocols that invoke it.

Privacy-preserving payment systems face the difficult task of balancing privacy and accountability: on one hand, users should be able to transact privately and anonymously, on the other hand, no illegal activities should be tolerated. The challenging question of finding the right balance lies at the core of the research on accountable privacy that stipulates the use of cryptographic techniques for policy enforcement, but still allows an authority to revoke the anonymity of transactions whenever such an automatic enforcement is technically not supported. Current state-of-the-art systems are only able to enforce rather limited policies, such as spending or transaction limits, or assertions about participants, but are unable to enforce more complex policies that for example jointly evaluate both, the private credentials of sender and recipient-let alone to do this without an auditor in the loop during payment. This limits the cases where privacy revocation can be avoided as the method to fulfill regulations, which is unsatisfactory from a data-protection viewpoint and shows the need for cryptographic solutions that are able to elevate accountable privacy to a more fine-grained level.

In this work, we present such a solution. We show how to enforce complex policies while offering strong privacy and anonymity guarantees by enhancing the notion of policy-compliant signatures (PCS) introduced by Badertscher, Matt and Waldner (TCC'21). In more detail, we first define the notion of unlinkable PCS (ul-PCS) and show how this cryptographic primitive can be generically integrated with a wide range of systems including UTxO-based ledgers, privacy-preserving protocols like Monero or Zcash, and central-bank digital currencies. We give a generic construction for ul-PCS for any policy, and optimized constructions tailored for special policy classes, such as role-based policies and separable policies.

To bridge the gap between theory and practice, we provide prototype implementations for all our schemes. We give the first benchmarks for policy-compliant signatures in general, and demonstrate their feasibility for reasonably sized attribute sets for the special cases.

URL shorteners are a common online service that allows the shortening of a long URL (often a Google Maps URL or similar) into a much shorter one, to use for example on social media or in QR codes. However, URL shorteners are free to behave dishonestly: they can, for instance, map a short URL into a long URL honestly for one party, while redirecting some other party into a different malicious long URL for the same short URL.

DuckyZip is the first provably honest URL shortening service which cannot selectively provide different "long URLs" to different parties undetected. DuckyZip uses a combination of Verifiable Random Function (VRF) constructions and a smart contract in order to provide a URL shortening service with strong security guarantees: despite the transparency of the smart contract log, observers cannot feasibly create a mapping of all short URLs to long URLs that is faster than classical enumeration.

Although power LEDs have been integrated in various devices that perform cryptographic operations for decades, the cryptanalysis risk they pose has not yet been investigated. In this paper, we present optical cryptanalysis, a new form of cryptanalytic side-channel attack, in which secret keys are extracted by using a photodiode to measure the light emitted by a device’s power LED and analyzing subtle fluctuations in the light intensity during cryptographic operations. We analyze the optical leakage of power LEDs of various consumer devices and the factors that affect the optical SNR. We then demonstrate end-to-end optical cryptanalytic attacks against a range of consumer devices (smartphone, smartcard, and Raspberry Pi, along with their USB peripherals) and recover secret keys (RSA, ECDSA, SIKE) from prior and recent versions of popular cryptographic libraries (GnuPG, Libgcrypt, PQCrypto-SIDH) from a maximum distance of 25 meters

Most succinct arguments (SNARKs) are initially only proven knowledge sound (KS). We show that the commonly employed compilation strategy from polynomial interactive oracle proofs (PIOP) via polynomial commitments to knowledge sound SNARKS actually also achieves other desirable properties: weak unique response (WUR) and trapdoorless zero-knowledge (TLZK); and that together they imply simulation extractability (SIM-EXT).

The factoring of SIM-EXT into KS + WUR + TLZK is becoming a cornerstone of the analysis of non-malleable SNARK systems. We show how to prove WUR and TLZK for PIOP compiled SNARKs under mild falsifiable assumptions on the polynomial commitment scheme. This means that the analysis of knowledge soundness from PIOP properties that inherently relies on non-falsifiable or idealized assumption such as the algebraic group model (AGM) or generic group model (GGM) need not be repeated.

While the proof of WUR requires only mild assumptions on the PIOP, TLZK is a different matter. As perfectly hiding polynomial commitments sometimes come at a substantial performance premium, SNARK designers prefer to employ deterministic commitments with some leakage. This results in the need for a stronger zero-knowledge property for the PIOP.

The modularity of our approach implies that any analysis improvements, e.g. in terms of tightness, credibility of the knowledge assumption and model of the KS analysis, or the precision of capturing real-world optimizations for TLZK also benefits the SIM-EXT guarantees.

In this paper, we provide a systematic treatment for the batch arithmetic circuit satisfiability and evaluation problem. Building on the core idea which treats circuit inputs/outputs as a low-degree polynomials, we explore various interactive argument and proof schemes that can produce succinct proofs with short verification time. In particular, for the batch satisfiability problem, we provide a construction of succinct interactive argument of knowledge for generic log-space uniform circuits based on the bilinear pairing and common reference string assumption. Our argument has size in $O(poly(\lambda) \cdot (|\mathbf{w}| + d \log |C|))$, where $\lambda$ is the security parameter, $|\mathbf{w}|$ is the size of the witness, and $d$ and $|C|$ are the depth and size of the circuit, respectively. Note that the argument size is independent of the batch size. To the best of our knowledge, asymptotically it is the smallest among all known batch argument schemes that allow public verification. The batch satisfiablity problem simplifies to a batch evaluation problem when the circuit only takes in public inputs (i.e., no witness). For the evaluation problem, we construct statistically sound interactive proofs for various special yet highly important types of circuits, including linear circuits, and circuits representing sum of polynomials. Our proposed protocols are able to achieve proof sizes independent of the batch size. We also describe protocols optimized specifically for batch FFT and batch matrix multiplication which achieve desirable properties, including lower prover time and better composability. We believe these protocols are of interest in their own right and can be used as primitives in more complex applications.

We show that the key agreement scheme [IEEE Internet Things J., 9(12), 2022, 9918--9933] is flawed. In order to authenticate each other, all participants use message authentication code (MAC) to generate tags for exchanged data. But MAC is a cryptographic technique which requires that the sender and receiver share a symmetric key. The scheme tries to establish a new shared key by using an old shared key, which results in a vicious circle. To the best of our knowledge, it is the first time to discuss such a flaw in the related literatures.

We prove that the problem of decoding a quasi-cyclic code is NPhard, and the corresponding decision problem is NP-complete. Our proof is based on a new characterization of quasi-cyclic codes closely related to linear random codes. We also discuss the cryptographic significance of this result.

We design DiStefano: an efficient framework for generating private commitments over TLS-encrypted web traffic for a designated, untrusted third-party. DiStefano provides many improvements over previous TLS commitment systems, including: a modular security model that is applicable to TLS 1.3 traffic, and support for generating verifiable claims using applicable zero-knowledge systems; inherent 1-out-of-n privacy for the TLS server that the client communicates with; and various cryptographic optimisations to ensure fast online performance of the TLS session. We build an open-source implementation of DiStefano integrated into the BoringSSL cryptographic library, that is used within Chromium-based Internet browsers. We show that DiStefano is practical for committing to facts in arbitrary TLS traffic, with online times that are comparable with existing TLS 1.2 solutions. We also make improvements to certain cryptographic primitives used inside DiStefano, leading to 3x and 2x improvements in online computation time and bandwidth in specific situations.

We show that every language in NP has an Interactive Oracle Proof (IOP) with inverse polynomial soundness error and small query complexity. This achieves parameters that surpass all previously known PCPs and IOPs. Specifically, we construct an IOP with perfect completeness, soundness error $1/n$, round complexity $O(\log \log n)$, proof length $poly(n)$ over an alphabet of size $O(n)$, and query complexity $O(\log \log n)$. This is a step forward in the quest to establish the sliding-scale conjecture for IOPs (which would additionally require query complexity $O(1)$).

Our main technical contribution is a high-soundness small-query proximity test for the Reed-Solomon code. We construct an IOP of proximity for Reed-Solomon codes, over a field $\mathbb{F}$ with evaluation domain $L$ and degree $d$, with perfect completeness, soundness error (roughly) $\max\{1-\delta , O(\rho^{1/4})\}$ for $\delta$-far functions, round complexity $O(\log \log d)$, proof length $O(|L|/\rho)$ over $\mathbb{F}$, and query complexity $O(\log \log d)$; here $\rho = (d+1)/|L|$ is the code rate. En route, we obtain a new high-soundness proximity test for bivariate Reed-Muller codes.

The IOP for NP is then obtained via a high-soundness reduction from NP to Reed-Solomon proximity testing with rate $\rho = 1/poly(n)$ and distance $\delta = 1-1/poly(n)$ (and applying our proximity test). Our constructions are direct and efficient, and hold the potential for practical realizations that would improve the state-of-the-art in real-world applications of IOPs.