International Association
for Cryptologic Research

A major challenge of any asynchronous MPC protocol is the need to reach agreement on the set of private inputs to be used as input for the MPC functionality. Ben-Or, Canetti and Goldreich [STOC 93] call this problem Agreement on a Core Set (ACS) and solve it by running $n$ parallel instances of asynchronous binary Byzantine agreements. To the best of our knowledge, all results in the perfect and statistical security setting used this same paradigm for solving ACS. This leads to a fundamental barrier of expected $\Omega(\log n)$ rounds for any asynchronous MPC protocol (even for constant depth circuits).

We provide a new solution for Agreement on a Core Set that runs in expected $O(1)$ rounds, is perfectly secure, and resilient to $t<\frac{n}{4}$ corruptions. Our solution is based on a new notion of Asynchronously Validated Asynchronous Byzantine Agreement (AVABA) and new information theoretic analogs to techniques used in the authenticated model. We show a similar result with statistical security for $t<\frac{n}{3}$.

Deploying cryptography on embedded systems requires security against physical attacks. At CHES 2019, M&M was proposed as a combined countermeasure applying masking against SCAs and information-theoretic MAC tags against FAs. In this paper, we show that one of the protected AES implementations in the M&M paper is vulnerable to a zero-value SIFA2-like attack. A practical attack is demonstrated on an ASIC board. We propose two versions of the attack: the first follows the SIFA approach to inject faults in the last round, while the second one is an extension of SIFA and FTA but applied to the first round with chosen plaintext. The two versions work at the byte level, but the latter version considerably improves the efficiency of the attack. Moreover, we show that this zero-value SIFA2 attack is specific to the AES tower-field decomposed S-box design. Hence, such attacks are applicable to any implementation featuring this AES S-box architecture.

Then, we propose a countermeasure that prevents these attacks. We extend M&M with a fine-grained detection-based feature capable of detecting the zero-value glitch attacks. In this effort, we also solve the problem of a combined attack on the ciphertext output check of M&M scheme by using Kronecker's delta function. We deploy the countermeasure on FPGA and verify its security against both fault and side-channel analysis with practical experiments.

Homomorphic encryption (HE) allows computing encrypted data in the ciphertext domain without knowing the encryption key. It is possible, however, to break fully homomorphic encryption (FHE) algorithms by using side channels. This article demonstrates side-channel leakages of the Microsoft SEAL HE library. The proposed attack can steal encryption keys during the key generation phase by abusing the leakage of ternary value assignments that occurs during the number theoretic transform (NTT) algorithm. We propose two attacks, one for -O0 flag non-optimized code implementation which targets addition and subtraction operations, and one for -O3 flag compiler optimization which targets guard and mul root operations. In particular, the attacks can steal the secret key coefficients from a single power/electromagnetic measurement trace of SEAL’s NTT implementation. To achieve high accuracy with a single-trace, we develop novel machine-learning side-channel profilers. On an ARM Cortex-M4F processor, our attacks are able to extract secret key coefficients with an accuracy of 98.3% when compiler optimization is disabled, and 98.6% when compiler optimization is enabled. We finally demonstrate that our attack can evade an application of the random delay insertion defense.

Mimblewimble is a cryptocurrency protocol with good privacy and scalability properties. A trade-off of Mimblewimble is the requirement that transactions are interactive between sender and receiver. TariScript is presented as an extension to Mimblewimble that adds scripting capabilities to the protocol. We describe the theoretical basis for TariScript and present the modifications required to make it secure. The trade-offs and use cases for TariScript are briefly covered.

The random oracle model (ROM), introduced by Bellare and Rogaway (CCS 1993), enables a formal security proof for many (efficient) cryptographic primitives and protocols, and has been quite impactful in practice. However, the security model also relies on some very strong and non-standard assumptions on how an adversary interacts with a cryptographic hash function, which might be unrealistic in a real world setting and thus could lead one to question the validity of the security analysis. For example, the ROM allows adaptively programming the hash function or observing the hash evaluations that an adversary makes.

We introduce a substantially weaker variant of the random oracle model in the post-quantum setting, which we call "non-observable quantum random oracle model" (NO QROM). Our model uses weaker heuristics than the quantum random oracle model by Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, and Zhandry (ASIACRYPT 2011), or the non-observable random oracle model proposed by Ananth and Bhaskar (ProvSec 2013). At the same time, we show that our model is a viable option for establishing the post-quantum security of many cryptographic schemes by proving the security of important primitives such as extractable non-malleable commitments, digital signatures, and chosen-ciphertext secure public-key encryption in the NO QROM.

We present cryptanalysis of the inhomogenous short integer solution (ISIS) problem for anomalously small moduli \(q\) by exploiting the geometry of BKZ reduced bases of $q$-ary lattices.

We apply this cryptanalysis to examples from the literature where taking such small moduli has been suggested. A recent work [Espitau–Tibouchi–Wallet–Yu, CRYPTO 2022] suggests small \(q\) versions of the lattice signature scheme FALCON and its variant MITAKA.

For one small \(q\) parametrisation of FALCON we reduce the estimated security against signature forgery by approximately 26 bits. For one small \(q\) parametrisation of MITAKA we successfully forge a signature in $15$ seconds.

Column Parity Mixers, or CPMs in short, are a particular type of linear maps, used as the mixing layer in permutation-based cryptographic primitives like Keccak-f (SHA3) and Xoodoo. Although being successfully applied, not much is known regarding their algebraic properties. They are limited to invertibility of CCPMs, and that the set of invertible CCPMs forms a group. A possible explanation is due to the complexity of describing CPMs in terms of linear algebra. In this paper, we introduce a new approach to studying CPMs using module theory from commutative algebra. We show that many interesting algebraic properties can be deduced using this approach, and that known results regarding CPMs turn out to be trivial consequences of module theoretic concepts. We also show how this approach can be used to study the linear layer of Xoodoo, and other linear maps with a similar structure which we call DCD-compositions. Using this approach, we prove that every DCD-composition where the underlying vector space with the same dimension as that of Xoodoo has a low order. This provides a solid mathematical explanation for the low order of the linear layer of Xoodoo, which equals 32. We design a DCD-composition using this module theoretic approach, but with a higher order using a different dimension.

Continuous Group-Key Agreement (CGKA) allows a group of users to maintain a shared key. It is the fundamental cryptographic primitive underlying group messaging schemes and related protocols, most notably TreeKEM, the underlying key agreement protocol of the Messaging Layer Security (MLS) protocol, a standard for group messaging by the IETF. CKGA works in an asynchronous setting where parties only occasionally must come online, and their messages are relayed by an untrusted server. The most expensive operation provided by CKGA is that which allows for a user to refresh their key material in order to achieve forward secrecy (old messages are secure when a user is compromised) and post-compromise security (users can heal from compromise). One caveat of early CGKA protocols is that these update operations had to be performed sequentially, with any user wanting to update their key material having had to receive and process all previous updates. Late versions of TreeKEM do allow for concurrent updates at the cost of a communication overhead per update message that is linear in the number of updating parties. This was shown to be indeed necessary when achieving PCS in just two rounds of communication by [Bienstock et al. TCC'20].

The recently proposed protocol CoCoA [Alwen et al. Eurocrypt'22], however, shows that this overhead can be reduced if PCS requirements are relaxed, and only a logarithmic number of rounds is required. The natural question, thus, is whether CoCoA is optimal in this setting.

In this work we answer this question, providing a lower bound on the cost (concretely, the amount of data to be uploaded to the server) for CGKA protocols that heal in an arbitrary $k$ number of rounds, that shows that CoCoA is very close to optimal. Additionally, we extend CoCoA to heal in an arbitrary number of rounds, and propose a modification of it, with a reduced communication cost for certain $k$.

We prove our bound in a combinatorial setting where the state of the protocol progresses in rounds, and the state of the protocol in each round is captured by a set system, each set specifying a set of users who share a secret key. We show this combinatorial model is equivalent to a symbolic model capturing building blocks including PRFs and public-key encryption, related to the one used by Bienstock et al.

Our lower bound is of order $k\cdot n^{1+1/(k-1)}/\log(k)$, where $2\le k\le \log(n)$ is the number of updates per user the protocol requires to heal. This generalizes the $n^2$ bound for $k=2$ from Bienstock et al. This bound almost matches the $k\cdot n^{1+2/(k-1)}$ or $k^2\cdot n^{1+1/(k-1)}$ efficiency we get for the variants of the CoCoA protocol also introduced in this paper.

Order-preserving encryption (OPE) allows efficient comparison operations over encrypted data and thus is popular in encrypted databases. However, most existing OPE schemes are vulnerable to inference attacks as they leak plaintext frequency. To this end, some frequency-hiding order-preserving encryption (FH-OPE) schemes are proposed and claim to prevent the leakage of frequency. FH-OPE schemes are considered an important step towards mitigating inference attacks.

Unfortunately, there are still vulnerabilities in all existing FH-OPE schemes. In this work, we revisit the security of all existing FH-OPE schemes. We are the first to demonstrate that plaintext frequency hidden by them is recoverable. We present three ciphertext-only attacks named frequency-revealing attacks to recover plaintext frequency. We evaluate our attacks in three real-world datasets. They recover over 90% of plaintext frequency hidden by any existing FH-OPE scheme. With frequency revealed, we also show the potentiality to apply inference attacks on existing FH-OPE schemes.

Our findings highlight the limitations of current FH-OPE schemes. Our attacks demonstrate that achieving frequency-hiding requires addressing the leakages of both non-uniform ciphertext distribution and insertion orders of ciphertexts, even though the leakage of insertion orders is always ignored in OPE.

Public randomness is a fundamental component in many cryptographic protocols and distributed systems and often plays a crucial role in ensuring their security, fairness, and transparency properties. Driven by the surge of interest in blockchain and cryptocurrency platforms and the usefulness of such component in those areas, designing secure protocols to generate public randomness in a distributed manner has received considerable attention in recent years. This paper presents a systematization of knowledge on the topic of public randomness with a focus on cryptographic tools providing public verifiability and key themes underlying these systems. We provide concrete insights on how state-of-the-art protocols achieve this task efficiently in an adversarial setting and present various research gaps that may be suitable for future research.

We present TVA, a multi-party computation (MPC) system for secure analytics on secret-shared time series data. TVA achieves strong security guarantees in the semi-honest and malicious settings, and high expressivity by enabling complex analytics on inputs with unordered and irregular timestamps. TVA is the first system to support arbitrary composition of oblivious window operators, keyed aggregations, and multiple filter predicates, while keeping all data attributes private, including record timestamps and user-defined values in query predicates. At the core of the TVA system lie novel protocols for secure window assignment: (i) a tumbling window protocol that groups records into fixed-length time buckets and (ii) two session window protocols that identify periods of activity followed by periods of inactivity. We also contribute a new protocol for secure division with a public divisor, which may be of independent interest. We evaluate TVA on real LAN and WAN environments and show that it can efficiently compute complex window-based analytics on inputs of $2^{22}$ records with modest use of resources. When compared to the state-of-the-art, TVA achieves up to $5.8\times$ lower latency in queries with multiple filters and two orders of magnitude better performance in window aggregation.

We have several open positions for PhD students and Postdocs to join our group at the Hasso-Plattner-Institute (HPI) in the area of cryptography and privacy. The HPI is academically structured as the independent Faculty of Digital Engineering at the University of Potsdam, and unites excellent research and teaching with the advantages of a privately financed institute.

Your tasks

• Development and analysis of provably secure cryptographic protocols for real-world problems. Topics of interest include (but are not limited to):
  • Privacy-preserving protocols
  • Hardware-based cryptography
  • User- and privacy-friendly identity management
  • Foundations for real-world protocols
• Publish and present results at top-tier international conferences
• Participate in teaching activities

Your skills

• Master's degree (or PhD for postdoctoral position) in Computer Science, Mathematics, or a related area by the time of appointment
• Strong algorithmic or mathematical background and good knowledge in the area of cryptography (for postdoctoral candidates proven in the form of publications)
• Fluent in English

We look forward to your application including a CV and motivation letter. Applications for the PhD position should also include a list of attended Master courses and grades, whereas applications for the Postdoc position should include contact information for two references.

Closing date for applications:

Contact: Anja Lehmann; anja.lehmann [at] hpi.de

More information: https://hpi.de/lehmann/home.html

The Cryptography Research Group at University College Cork (UCC) is looking for a highly motivated Post-Doctoral or Senior Post-Doctoral Researcher in homomorphic encryption. The researcher will be employed on the Horizon Europe project “SECURED”, aimed at scaling up the secure processing of health data, and will focus on homomorphic encryption and secure multi-party computation, and how they can be efficiently used in the e-health context. The Principal Investigator of the project in UCC is Dr. Paolo Palmieri.

The candidate should hold a PhD degree in cryptography or related area, with a good track record of publications. Ideally, they will have experience in homomorphic encryption, or related areas such as lattice-based or other post-quantum cryptography, secure multiparty computation etc. Candidates with a background in other areas of cryptography, but with a strong interest in homomorphic encryption will also be considered. A strong mathematical background is expected, complemented with programming skills. Experience with relevant libraries such as SEAL, HElib etc. is an asset.

The position is for 2 years, with a possibility of extension subject to availability of funding. The successful candidate will be appointed at Post-Doctoral or Senior Post-Doctoral level depending on their experience and qualifications. A budget for travel, equipment, publications and other research expenses is available as part of the project.

The Cryptography Research Group is led by Dr. Paolo Palmieri and consists of 8 researchers at doctoral and post-doctoral level. The hired researcher will be encouraged to collaborate with other members of the group, and to take a mentoring role with some of the more junior researchers. There will also be ample opportunities to work with other partners in the SECURED project (including some of the top research groups in cryptography, both in industry and academia), as well as with the group’s extensive network of international collaborations.

Closing date for applications:

Contact: Informal inquiries can be made by e-mail to Paolo Palmieri at p.palmieri@cs.ucc.ie but applications must be made online at http://ore.ucc.ie/ (reference number 069532) before 12:00 (noon), August 10, 2023.

More information: https://security.ucc.ie/vacancies.html

We are seeking a PhD candidate interested in interdisciplinary research on the development, efficient implementation (hardware and software), use, orchestration, and improvement of privacy-preserving and data anonymization techniques.


What are you going to do?

Carry out original research in the field of implementation and applications of privacy preserving technologies for data analytics in healthcare

Be active in the fundamental and/or applied research area, publishing in high level international journals and presenting at leading conferences

Take part in ongoing educational activities, such as assisting in a course and guiding student thesis projects, at the BSc or MSc level

Collaborate with other groups, institutes and/or companies by contributing expertise to joint research projects

Contribute to activities and deliverables of the SECURED Horizon Europe Project


What do you have to offer?

An MSc degree in Computer Science, Computer Engineering, or Electrical Engineering (or a related discipline)

Strong analytical and technical skills, good problem-solving skills

An interdisciplinary mindset and an open and proactive personality in interacting with researchers from different disciplines

A strong scientific interest in security and privacy, in particular in at least one of the following fields: efficient implementation of cryptographic and privacy preserving primitives, both in hardware and in software application, orchestration, and improvement of privacy-preserving techniques to achieve given data protection objectives

The willingness to work in a highly international research team

Fluency in oral and written English and good presentation skills

Closing date for applications:

Contact: Francesco Regazzoni

More information: https://vacatures.uva.nl/UvA/job/PhD-Position-on-Efficient-Privacy-preserving-Techniques-for-Data-Analysis-and-Machine-Learning/760571702/

As an experiment to manage the problem of growing program committee sizes, the PC chairs of Crypto 2024 are soliciting nominations (including self-nominations) for program committee service. The bulk of the work will take place from mid-February to the first week of May. Each PC member will be expected to review approximately 15 papers.

Please submit nominations via this form by July 31: https://forms.gle/wwvx4SkAoooX5SEA9

As a multi-receiver variants of public key encryption with keyword search (PEKS), broadcast encryption with keyword search (BEKS) has been proposed (Attrapadung et al. at ASIACRYPT 2006/Chatterjee-Mukherjee at INDOCRYPT 2018). Unlike broadcast encryption, no receiver anonymity is considered because the test algorithm takes a set of receivers as input and thus a set of receivers needs to be contained in a ciphertext. In this paper, we propose a generic construction of BEKS from anonymous and weakly robust 3-level hierarchical identity-based encryption (HIBE). The proposed generic construction provides outsider anonymity, where an adversary is allowed to obtain secret keys of outsiders who do not belong to the challenge sets, and provides sublinear-size ciphertext in terms of the number of receivers. Moreover, the proposed construction considers security against chosen-ciphertext attack (CCA) where an adversary is allowed to access a test oracle in the searchable encryption context. The proposed generic construction can be seen as an extension to the Fazio-Perera generic construction of anonymous broadcast encryption (PKC 2012) from anonymous and weakly robust identity-based encryption (IBE) and the Boneh et al. generic construction of PEKS (EUROCRYPT 2004) from anonymous IBE. We run the Fazio-Perera construction employs on the first-level identity and run the Boneh et al. generic construction on the second-level identity, i.e., a keyword is regarded as a second-level identity. The third-level identity is used for providing CCA security by employing one-time signatures. We also introduce weak robustness in the HIBE setting, and demonstrate that the Abdalla et al. generic transformation (TCC 2010/JoC 2018) for providing weak robustness to IBE works for HIBE with an appropriate parameter setting. We also explicitly introduce attractive concrete instantiations of the proposed generic construction from pairings and lattices, respectively.

Jitsi Meet is an open-source video conferencing system, and a popular alternative to proprietary services such as Zoom and Google Meet. The Jitsi project makes strong privacy and security claims in its advertising, but there is no published research into the merits of these claims. Moreover, Jitsi announced end-to-end encryption (E2EE) support in April 2020, and prominently features this in its marketing.

We present an in-depth analysis of the design of Jitsi and its use of cryptography. Based on our analysis, we demonstrate two practical attacks that compromised server components can mount against the E2EE layer: we show how the bridge can break integrity by injecting inauthentic media into E2EE conferences, whilst the signaling server can defeat the encryption entirely. On top of its susceptibility to these attacks, the E2EE feature does not apply to text-based communications. This is not made apparent to users and would be a reasonable expectation given how Jitsi is marketed. Further, we identify critical issues with Jitsi's poll feature, which allow any meeting participant to arbitrarily manipulate voting results. Our findings are backed by proof-of-concept implementations and were verified to be exploitable in practice.

We communicated our findings to Jitsi via a coordinated disclosure process. Jitsi has addressed the vulnerabilities via a mix of technical improvements and documentation changes.

Masking is a well-studied method for achieving provable security against side-channel attacks. In masking, each sensitive variable is split into $d$ randomized shares, and computations are performed with those shares. In addition to the computational overhead of masked arithmetic, masking also has a storage cost, increasing the requirements for working memory and secret key storage proportionally with $d$.

In this work, we introduce mask compression. This conceptually simple technique is based on standard, non-masked symmetric cryptography. Mask compression allows an implementation to dynamically replace individual shares of large arithmetic objects (such as polynomial rings) with $\kappa$-bit cryptographic seeds (or temporary keys) when they are not in computational use. Since $\kappa$ does not need to be larger than the security parameter (e.g., $\kappa=256$ bits) and each polynomial share may be several kilobytes in size, this radically reduces the memory requirement of high-order masking. Overall provable security properties can be maintained by using appropriate gadgets to manage the compressed shares. We describe gadgets with Non-Inteference (NI) and composable Strong-Non Interference (SNI) security arguments.

Mask compression can be applied in various settings, including symmetric cryptography, code-based cryptography, and lattice-based cryptography. It is especially useful for cryptographic primitives that allow quasilinear-complexity masking and hence are practically capable of very high masking orders. We illustrate this with a $d=32$ (Order-31) implementation of the recently introduced lattice-based signature scheme Raccoon on an FPGA platform with limited memory resources.

This paper explores the use of a system of equations to factor semiprime numbers. Semiprime numbers are a special type of omposite number that are the product of two prime numbers. Factoring semiprime numbers is important in cryptography and number theory. In this study, we present a method that applies a system of polynomial equations to factor semiprime number $M$. Where $M$ can be any semiprime number. In fact, we build a family of systems where each system compose from three polynomial equations with three variables. The results of this study show that a solution for one system results with a complete factorization for a semiprime number. It may be possible to apply well known algorithms, such as Grobner method to solve one of those systems for a particular semiprime number $M$.

We optimize Zero Knowledge (ZK) proofs of statements expressed as RAM programs over arithmetic values. Our arithmetic-circuit-based read/write memory uses only 4 input gates and 6 multiplication gates per memory access. This is an almost 3× total gate improvement over prior state of the art (Delpech de Saint Guilhem et al., SCN’22).

We implemented our memory in the context of ZK proofs based on vector oblivious linear evaluation (VOLE), and we further optimize based on techniques available in the VOLE setting. Our experiments show that (1) our total runtime improves over that of the prior best VOLE-ZK RAM (Franzese et al., CCS’21) by up to 20× and (2) on a typical hardware setup, we can achieve ≈ 600K RAM accesses per second.

We also develop improved read-only memory and set ZK data structures. These are used internally in our read/write memory and improve over prior work.