International Association
for Cryptologic Research

Applications are invited for the MS and Ph.D. positions in Information Security at the Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan. The successful candidate will work under the guidance of Dr. Arijit Karati on diverse topics in Applied Cryptology.

Responsibilities: Apart from academic work, the student must involve in several activities in a group or individually, such as (not limited to):

Design and implementation of security protocol.

Assessment of the security and performance metric.

Meeting with the supervisor.

Requirements: Apart from the university's basic admission policies (https://cse.nsysu.edu.tw/?Lang=en), students are desired to have the following key requirements:

Strong motivation on information security.

Knowledge of modern technology.

Knowledge of Basic mathematics for cryptography.

Knowledge of at least two programming languages, such as Python/Java/C/C++.

Scholarship:

Under the university policy.

Project funding (based on availability for master students).

What students can expect:

Cooperation from the supervisor and lab mates.

The rich culture in research and related activities.

Flexibility in communication, e.g., English.

What the supervisor can expect: Apart from academic and research works, students are expected to have

Good moral character.

Hardworking and dedication.

Closing date for applications:

Contact: Dr. Arijit Karati (arijit.karati@mail.cse.nsysu.edu.tw)

Applications are invited for the Postdoc position in applied cryptography at the Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung, Taiwan. Applicants with experience in at least one of the following areas are preferred: automotive security, lightweight security, quantum-resistant cryptography, developing novel cryptographic primitives and protocols, side-channel analysis, digital design on FPGA, and machine learning attacks for safety applications. Applicants require knowledge of formal security analysis, secure coding, and practical application domain security integration.

Essential Qualifications:

PhD degree in CSE/Mathematics/IT/electrical engineering with a specialization in Information/Network Security from a reputable Institution.

Outstanding track record of publications in Journals (preferably JCR-Q1 or prestigious IEEE journals) and security-related conferences.

Closing date for applications:

Contact: Dr. Arijit Karati (arijit.karati@mail.cse.nsysu.edu.tw)

Monash cybersecurity group has several openings for PhD positions. The topics of interest are

1. Post-quantum cryptography (based on lattices and/or hash) and its applications
2. Privacy-enhancing technologies (e.g. zero-knowledge proofs) and their applications

We provide

1. highly competitive tuition fee and stipend scholarships
2. opportunities to collaborate with leading academic and industry experts in the related areas
3. opportunities to participate in international grant-funded projects
4. collaborative and friendly research environment
5. an opportunity to live/study in one of the most liveable and safest cities in the world

The positions will be filled as soon as suitable candidates are found.

Requirements. A strong mathematical and cryptography background is required. Some knowledge/experience in coding (for example, Python, C/C++, SageMath) is a plus. Candidates must have completed (or be about to complete within the next 6 months) a significant research component either as part of their undergraduate (honours) degree or masters degree. They should have excellent English verbal and written communication skills.

How to apply. Please fill in the following form (also clickable from the advertisement title): https://docs.google.com/forms/d/e/1FAIpQLSetFZLvDNug5SzzE-iH97P9TGzFGkZB-ly_EBGOrAYe3zUYBw/viewform?usp=sf_link

Closing date for applications:

Contact: Ron Steinfeld

More information: https://docs.google.com/forms/d/e/1FAIpQLSetFZLvDNug5SzzE-iH97P9TGzFGkZB-ly_EBGOrAYe3zUYBw/viewform?usp=sf_link

A scholarship is available for a strong candidate interested in doing a PhD in privacy-preserving machine learning at Monash University in Melbourne (frequently ranked among the most liveable cities in the world).

Closing date for applications:

Contact: Rafael Dowsley Email: rafael.dowsley@monash.edu

Industrial control systems (ICS) operate critical infrastructures, such as railway networks, gas and electricity grids. Although these systems perform critical functions, many still use legacy embedded systems to perform their tasks. An ICS operator can connect commercial off-the-shelf (COTS) devices to the ICS network directly through USB or serial connection or remotely through a virtual private network. For example, an electricity utility company may depend on its staff to use their hand-held devices to install or maintain (e.g. troubleshooting) smart meters. COTS devices are usually internet connected devices and hence, can be compromised by an attacker. Such compromised COTS device can be used to launch attacks on legacy embedded systems and its ecosystem. In this project, we will use existing Trusted Execution Environment (TEE) on COTS devices and implement a framework which will allow the use of the COTS devices without any compromise on trust. In this case, the ICS operator will issue the applications for the COTS operator that will be able to communicate with the ICS devices using the required protocol and perform the necessary maintenance tasks. The project work will involve proposing novel architectural solution and/or novel operating system-based solution.

Closing date for applications:

Contact: Arnab Kumar Biswas

More information: https://www.qub.ac.uk/courses/postgraduate-research/phd-opportunities/a-trusted-execution-environment-based-framework-for-securing-legacy-embedded-systems.html

Traditional satellite communication network involves mainly two or three segments – the satellite, ground station and possible ground users. This method of communication has several disadvantages from resource usage point of view. As a solution, federated satellite system concept is introduced. Under this concept, several satellites from different organisations can cooperate to increase resource utilization under a profitable business agreement (e.g., usage-based pricing). This cooperation model is further extended by multi-tenant spacecraft concept where several users can reuse the resources of same spacecraft. But all these scenarios also require robust security solutions so that malicious actors cannot profit from any existing vulnerabilities in the whole system for example during routing, network access, and handover. This project aims to solve this security problem and to help the sector to grow further. In this project, the student will develop novel computer architecture required to support the security protocols proposed and/or standardized by CCSDS and will also propose new protocols. The student will also work on Software defined Satellite networking to enable programmability and reconfigurability of the system. The work will involve design of novel computer architecture and/or novel operating system and/or novel multiparty security protocol.

Closing date for applications:

Contact: Arnab Kumar Biswas

More information: https://www.qub.ac.uk/courses/postgraduate-research/phd-opportunities/secure-multitenant-and-federated-satellite-system.html

Event date: 11 October to 13 October 2023

Event date: 10 December to 13 December 2023
Submission deadline: 7 September 2023
Notification: 15 October 2023

The question of whether public-key encryption (PKE) can be constructed from the assumption that one-way functions (OWF) exist remains a central open problem. In this paper we give two constructions of bit PKE scheme derived from any NP language L, along with a polynomial-time instance-witness sampling algorithm. Furthermore, we prove that if L is average hard NP language, the the presented schemes is CPA secure. Our results give a positive answer to this longstanding problem, as the existence of OWF implies the existence of average hard NP language with a polynomial-time instance-witness sampling algorithm.

Additionally, we obtain a witness encryption (WE) scheme for NP language based on the presented PKE scheme. This result highlights that WE scheme can also be established based on the existence of OWF.

Recently, the FinTracer algorithm was introduced as a versatile framework for detecting economic crime typologies in a privacy-preserving fashion. Under the hood, FinTracer stores its data in a structure known as the ``FinTracer tag’’. One limitation of FinTracer tags, however, is that because their underlying cryptographic implementation relies on additive semi-homomorphic encryption, all the system's oblivious computations on tag data are linear in their input ciphertexts. This allows a FinTracer user to combine information from multiple tags in some ways, but not generically. In this paper, we describe an efficient method to perform general nonlinear computations on FinTracer tags, and show how this ability can be used to detect a wide range of complex crime typologies, as well as to extract many new types of information, while retaining all of FinTracer's original privacy guarantees.

Oblivious sorting is arguably the most important building block in the design of efficient oblivious algorithms. We propose new oblivious sorting algorithms for hardware enclaves. Our algorithms achieve asymptotic optimality in terms of both computational overhead and the number of page swaps the enclave has to make to fetch data from insecure memory or disk. We also aim to minimize the concrete constants inside the big-O. One of our algorithms achieve bounds tight to the constant in terms of the number of page swaps. We have implemented our algorithms and made them publicly available through open source. In comparison with (an unoptimized version of) bitonic sort, which is asymptotically non-optimal but the de facto algorithm used in practice, we achieve a speedup of 2000 times for 12 GB inputs.

Vector Oblivious Linear Evaluation (VOLE) supports fast and scalable interactive Zero-Knowledge (ZK) proofs. Despite recent improvements to VOLE-based ZK, compiling proof statements to a control-flow oblivious form (e.g., a circuit) continues to lead to expensive proofs. One useful setting where this inefficiency stands out is when the statement is a disjunction of clauses L1 ∨ · · · ∨ LB. Typically, ZK requires paying the price to handle all B branches. Prior works have shown how to avoid this price in communication, but not in computation.

Our main result, Batchman, is asymptotically and concretely efficient VOLE-based ZK for batched disjunctions, i.e. statements containing R repetitions of the same disjunction. This is crucial for, e.g., emulating CPU steps in ZK. Our prover and verifier complexity is only O(RB + R|C| + B|C|), where |C| is the maximum circuit size of the B branches. Prior works’ computation scales in RB|C|.

For non-batched disjunctions, we also construct a VOLE-based ZK protocol, Robin, which is (only) communication efficient. For small fields and for statistical security parameter λ, this protocol’s communication improves over the previous state of the art (Mac′n′Cheese, Baum et al., CRYPTO’21) by up to factor λ.

Our implementation outperforms prior state of the art. E.g., we achieve up to $6×$ improvement over Mac′n′Cheese (Boolean, single disjunction), and for arithmetic batched disjunctions our experiments show we improve over QuickSilver (Yang et al., CCS’21) by up to $70×$ and over AntMan (Weng et al., CCS’22) by up to $36×$.

Interactive oracle proofs (IOPs) (Ben-Sasson et al., TCC 2016) have emerged as a powerful model for proof systems which generalizes both Interactive Proofs (IPs) and Probabilistically Checkable Proofs (PCPs). While IOPs are not any more powerful than PCPs from a complexity theory perspective, their potential to create succinct proofs and arguments has been demonstrated by many recent constructions achieving better parameters such as total proof length, alphabet size, and query complexity. In this work, we establish new results on the relationship between various notions of soundness for IOPs. First, we formally generalize the notion of round-by-round soundness (Canetti et al., STOC 2019) and round-by-round knowledge soundness (Chiesa et al., TCC 2019). Given this generalization, we then examine its relationship to the notions of generalized special soundness (Attema et al., CRYPTO 2021) and generalized special unsoundness (Attema et al., TCC 2022). We show that: 1. generalized special soundness implies generalized round-by-round soundness; 2. generalized round-by-round knowledge soundness implies generalized special soundness; 3. generalized special soundness does not imply generalized round-by-round knowledge soundness; 4. generalized round-by-round soundness (resp., special unsoundness) is an upper bound (resp., a lower bound) on standard soundness, and that this relationship is tight when the round-by-round soundness and special unsoundness errors are equal; and 5. any special sound IOP can be transformed via (a variant of) the Fiat-Shamir transformation into a non-interactive proof that is adaptively sound in the Quantum Random Oracle Model.

We describe a pairing-based Snark with a universal updateable CRS that can be instantiated with any pairing-friendly curve endowed with a sufficiently large prime scalar field. We use the monomial basis, thus sidestepping the need for large smooth order subgroups in the scalar field. In particular, the scheme can be instantiated with outer curves to widely used curves such as Ed25519, secp256k1, BN254 and BLS12-381. This allows us to largely circumvent the overhead of non-native field arithmetic for succinct proofs of valid signatures in Ed25519 and secp256k1 and one layer recursion with BN254 or BLS12-381.

The proof size is constant ($10$ $\mathbb{G}_1$, $20$ $\mathbb{F}_p$), as is the verification time, which is dominated by a single pairing check (i.e. two pairings). The Prover time is dominated by the $10$ multi-scalar multiplications in $\mathbb{G}_1$ - with a combined MSM length of $22\cdot |\mathrm{Circuit}|$- and, to a lesser extent, the computation of a single sum of polynomial products over the prime scalar field via multimodular FFTs.

The scheme supports succinct lookup arguments for subsets as well as subsequences. Our construction relies on homomorphic table commitments, which makes them amenable to vector lookups. The Prover algorithm runs in runtime $O(M\cdot \log(M))$, where $M = \max \{|\text{Circuit}| , \;|\text{Table}|\}.$

Furthermore, the scheme supports custom gates, albeit at the cost of a larger proof size. As an application of the techniques in this paper, we describe a protocol that supports multiple *univariate* custom gates $\mathcal{G}_i$ of high degree that are sparsely distributed in the sense that $$\sum_{i} \deg(\mathcal{G}_i)\cdot \#(\mathcal{G}_i\;\text{gates}) \; = \; O(|\text{Circuit}|). $$ This comes at the cost of three additional $\mathbb{G}_1$ elements and does not blow up the proof generation time, i.e. it does not entail MSMs or FFTs of length larger than the circuit size.

We initiate the study of lattice-based pseudo-random functions (PRFs) for use in multi-party computation protocols, motivated by their application to distributed key management. We show that the LWE-based PRF of Boneh et al. (CRYPTO'13) can be turned into a distributed PRF protocol that runs in only 8 online rounds, improving over the state-of-the-art by an order of magnitude. The resulting protocol can be used as a method for distributed key derivation and reduces the amount of managed key material in distributed key management systems from linear in the number of users to constant. Finally, we support our findings by implementing and evaluating our protocol using the MP-SPDZ framework (CCS'20).

An important consideration in the context of distributed ledger protocols is fairness in terms of transaction ordering. Recent work [Crypto 2020] revealed a deep connection of (receiver) order fairness to social choice theory and related impossibility results arising from the Condorcet paradox. As a result of the impossibility, various relaxations of order fairness were investigated in prior works. Given that distributed ledger protocols, especially those processing smart contracts, must serialize the input transactions, a natural objective is to minimize the distance (in terms of injected number of transactions) between any pair of unfairly ordered transactions in the output ledger — a concept we call bounded unfairness. In state machine replication (SMR) parlance this asks for minimizing the number of unfair state updates occurring before the processing of any transaction. This unfairness minimization objective gives rise to a natural class of parametric order fairness definitions that has not been studied before. As we observe, previous realizable relaxations of order fairness do not yield good unfairness bounds.

Achieving optimal order fairness in the sense of bounded unfairness turns out to be connected to the graph theoretic properties of the underlying transaction dependency graph and specifically the bandwidth metric of strongly connected components in this graph. This gives rise to a specific instance of the definition that we call ``directed bandwidth order-fairness'' which we show that it captures the best possible that any protocol can achieve in terms of bounding unfairness. We prove ordering transactions in this fashion is NP-hard and non-approximable for any constant ratio. Towards realizing the property, we put forth a new distributed ledger protocol called Taxis that achieves directed bandwidth order-fairness in the permissionless setting. We present two variants of our protocol, one that matches the property perfectly but (necessarily) lacks in performance and liveness, and a second variant that achieves liveness and better complexity while offering a slightly relaxed version of the directed bandwidth definition. Finally, we comment on applications of our work to social choice theory, a direction which we believe to be of independent interest.

Side-channel analysis certification is a process designed to certify the resilience of cryptographic hardware and software implementations against side-channel attacks. In certain cases, third-party evaluations by external companies or departments are necessary due to limited budget, time, or even expertise with the penalty of a significant exchange of sensitive information during the evaluation process. In this work, we investigate the potential of Homomorphic Encryption (HE) in performing side-channel analysis on HE-encrypted measurements. With HE applied to side-channel analysis (SCA), a third party can perform SCA on encrypted measurement data and provide the outcome of the analysis without gaining insights about the actual cryptographic implementation under test. To this end, we evaluate its feasibility by analyzing the impact of AI-based side-channel analysis using HE (private SCA) on accuracy and execution time and compare the results with an ordinary AI-based side-channel analysis (plain SCA). Our work suggests that both unprotected and protected cryptographic implementations can be successfully attacked already today with standard server equipment and modern HE protocols/libraries, while the traces are HE-encrypted.

In this paper, we introduce the family $\mathsf{DeuringVRF}_{y,z}$ of Verifiable Random Function (VRF) protocols. Based on isogenies between supersingular curves, the random function at the heart of our scheme is the one that computes the codomain of an isogeny of big prime degree from its kernel.

In $\mathsf{DeuringVRF}_{y,z}$, the evaluation is done with algorithms for the Deuring correspondence that make use of isogenies in dimension $z$, and the verification is based on the isogeny representation obtained from isogenies in dimension $y$.

The main advantage of the $\mathsf{DeuringVRF}_{y,z}$ family is its compactness, with proof sizes of a few hundred bytes, which is orders of magnitude smaller than other generic purpose post-quantum VRF constructions.

We describe four variants of our scheme with $(y,z) \in \lbrace (2,1),(2,2),(4,1), (4,2) \rbrace$ each offering different tradeoffs between compactness, evaluation efficiency and verification efficiency.

In the process, we introduce several new algorithms that might be of independent interest. In particular, for the variants with $z=2$, we introduce the first algorithm to translate an ideal into the corresponding isogeny of dimension $1$ using isogenies between abelian variety of dimension $2$ as a tool. The main advantage of this new algorithm compared to existing solution is the relaxation of the constraints on the prime characteristic: our new algorithm can run efficiently with ``SIDH primes" that are very easy to generate unlike ``SQIsign primes" that are currently required by the state of the art appoach. We believe that this algorithm opens a promising research direction to speed-up other schemes based on the Deuring correspondence such as the SQIsign signature scheme.

A revealable functional commitment allows a prover to commit to a secret polynomial size function $f$. Later, the prover has the ability to (1) prove that $y = f(x)$ for public $x, y$ and (2) open a small window into $f$'s machinery, via an encoded set of constraints - all without divulging any other information about $f$. In this way, revealable functional commitments allow the operator of a proprietary function to prove desired predicate about the function. For example, a government can commit to a bail decision algorithm, and prove that the same algorithm is being used for all defendants. They can also quell concerns about bias, and increase transparency processes by revealing windows into what their function does - while keeping most of their function secret to prevent exploitation. To build a revealable functional commitment, we introduce a 'proof of reveal', to show that a set of constraints, combined with a set of guarantees about those constraints, is consistent with a committed secret function. We show that combining a algebraic holomorphic proof (AHP), a 'proof of function relation' (PFR), and a proof of reveal yields a secure revealable functional commitment scheme. Additionally, we construct proof of reveals for two popular PFR-equipped AHPs, and obtain two instantiations of revealable functional commitments. Towards that end, we also develop interactive protocols that prove properties of committed polynomials, which may have independent value.

From the work by Laguillaumie and Vergnaud in ICICS'04, it has been widely believed that multi-designated verifier signature schemes (MDVS) can be constructed from ring signature schemes in general. However in this paper, somewhat surprisingly, we prove that it is impossible to construct an MDVS scheme from a ring signature scheme in a black-box sense (in the standard model). The impossibility stems from the difference between the definitions of unforgeability. To the best of our knowledge, existing works demonstrating the constructions do not provide formal reduction from an MDVS scheme to a ring signature scheme, and thus the impossibility has been overlooked for a long time.