International Association
for Cryptologic Research

Over the past ten years, the statistical properties of random functions have been particularly fruitful for generic attacks. Initially, these attacks targeted iterated hash constructions and their combiners, developing a wide array of methods based on internal collisions and on the average behavior of iterated random functions. More recently, Gilbert et al. (EUROCRYPT 2023) introduced a forgery attack on so-called duplex-based Authenticated Encryption modes which was based on exceptional random functions, i.e., functions whose graph admits a large component with an exceptionally small cycle. In this paper, we expand the use of such functions in generic cryptanalysis with several new attacks. First, we improve the attack of Gilbert et al. from O(2^3c/4) to O(2^2c/3), where c is the capacity. This new attack uses a nested pair of functions with exceptional behavior, where the second function is defined over the cycle of the first one. Next, we introduce several new generic attacks against hash combiners, notably using small cycles to improve the complexities of the best existing attacks on the XOR combiner, Zipper Hash and Hash-Twice. Last but not least, we propose the first quantum second preimage attack against Hash-Twice, reaching a quantum complexity O(2^3n/7).

We explore a very simple distribution of unitaries: random (binary) phase -- Hadamard -- random (binary) phase -- random computational-basis permutation. We show that this distribution is statistically indistinguishable from random Haar unitaries for any polynomial set of orthogonal input states (in any basis) with polynomial multiplicity. This shows that even though real-valued unitaries cannot be completely pseudorandom (Haug, Bharti, Koh, arXiv:2306.11677), we can still obtain some pseudorandom properties without giving up on the simplicity of a real-valued unitary.

Our analysis shows that an even simpler construction: applying a random (binary) phase followed by a random computational-basis permutation, would suffice, assuming that the input is orthogonal and flat (that is, has high min-entropy when measured in the computational basis).

Using quantum-secure one-way functions (which imply quantum-secure pseudorandom functions and permutations), we obtain an efficient cryptographic instantiation of the above.

The elegant paradigm of Anamorphic Encryption (Persiano et al., Eurocrypt 2022) considers the question of establishing a private communication in a world controlled by a dictator. The challenge is to allow two users, sharing some secret anamorphic key, to exchange covert messages without the dictator noticing, even when the latter has full access to the regular secret keys. Over the last year several works considered this question and proposed constructions, novel extensions and strengthened definitions.

In this work we make progress on the study of this primitive in three main directions. First, we show that two general and well established encryption paradigms, namely hybrid encryption and the IBE-to-CCA transform, admit very simple and natural anamorphic extensions. Next, we show that anamorphism, far from being a phenomenon isolated to "basic" encryption schemes, extends also to homomorphic encryption. We show that some existing homomorphic schemes, (and most notably the fully homomorphic one by Gentry, Sahai and Waters) can be made anamorphic, while retaining their homomorphic properties both with respect to the regular and the covert message.

Finally we refine the notion of anamorphic encryption by envisioning the possibility of splitting the anamorphic key into an encryption component (that only allows to encrypt covert messages) and a decryption component. This makes possible for a receiver to set up several, independent, covert channels associated with a single covert key.

Pseudo-random generators are deterministic algorithms that take in input a random secret seed and output a flow of random-looking numbers. The Knapsack generator, presented by Rueppel and Massey in 1985 is one of the many attempt at designing a pseudo-random generator that is cryptographically secure. It is based on the subset-sum problem, a variant of the Knapsack optimization problem, which is considered computationally hard.

In 2011 Simon Knellwolf et Willi Meier found a way to go around this hard problem and exhibited a weakness of this generator. In addition to be able to distinguish the outputs from the uniform distribution, they designed an algorithm that retrieves a large portion of the secret. We present here an alternate version of the attack, with similar costs, that works on the same range of parameters but retrieves a larger portion of the secret.

Physically Unclonable Functions (PUFs) have been a potent choice for enabling low-cost, secure communication. However, in most applications, one party holds the PUF, and the other securely stores the challenge-response pairs (CRPs). It does not remove the need for secure storage entirely, which is one of the goals of PUFs. This paper proposes a PUF-based construction called Harmonizing PUFs ($\textsf{H_PUF}$s), allowing two independent PUFs to generate the same outcome without storing any confidential data. As an application of $\textsf{H_PUF}$ construction, we present $\textsf{H-AKE}$: a low-cost authenticated key exchange protocol for resource-constrained nodes that is secure against replay and impersonation attacks. The novelty of the protocol is that it achieves forward secrecy without requiring to perform asymmetric group operations like elliptic curve scalar multiplications underlying traditional key-exchange techniques.

The Advanced Encryption Standard (AES) is one of the most commonly used and analyzed encryption algorithms. In this work, we present new combinations of some prominent attacks on AES, achieving new records in data requirements among attacks, utilizing only $2^4$ and $2^{16}$ chosen plaintexts (CP) for 6-round and 7-round AES-192/256 respectively. One of our attacks is a combination of a meet-in-the-middle (MiTM) attack with a square attack mounted on 6-round AES-192/256 while another attack combines an MiTM attack and an integral attack, utilizing key space partitioning technique, on 7-round AES-192/256. Moreover, we illustrate that impossible differential (ID) attacks can be viewed as the dual of MiTM attacks in certain aspects which enables us to recover the correct key using the meet-in-the-middle (MiTM) technique instead of sieving through all potential wrong keys in our ID attack. Furthermore, we introduce the constant guessing technique in the inner rounds which significantly reduces the number of key bytes to be searched. The time and memory complexities of our attacks remain marginal.

Private Information Retrieval (PIR) is a two player protocol where the client, given some query $x \in [N]$ interacts with the server, which holds a $N$-bit string $\textsf{DB}$ in order to privately retrieve $\textsf{DB}[x]$. In this work, we focus on the single server client-preprocessing model, initially idealized by Corrigan-Gibbs and Kogan (EUROCRYPT 2020), where the client and server first run some joint preprocessing algorithm, after which the client can retrieve elements of the server's string $\textsf{DB}$ privately in time sublinear in $N$.

All known constructions of single server client-preprocessing PIR rely on one of the following two paradigms: (1) a linear-bandwidth offline phase where the client downloads the whole database from the server, or (2) a sublinear-bandwidth offline phase where however the server has to compute a large-depth ($O_\lambda (N)$) circuit under FHE in order to execute the preprocessing phase.

In this paper, we construct a single server client-preprocessing PIR scheme which achieves both sublinear offline bandwidth (the client does not have to download the whole database offline) and a low-depth (i.e. $O_\lambda(1)$), highly parallelizable preprocessing circuit. We estimate that on a single thread, our scheme's preprocessing time should be more than 350x times faster than in prior single server client-preprocessing PIR constructions. Moreover, with parallelization, the latency reduction would be even more drastic. In addition, this construction also allows for updates in $O_\lambda (1)$ time, something not achieved before in this model.

Event date: 12 May to 15 May 2025
Submission deadline: 16 October 2024
Notification: 5 February 2025

Event date: 4 May to 8 May 2025

Event date: 30 July to 2 August 2024

Ready to join the future of innovation in Crypto & Security at NXP?

Become part of a highly talented and dynamic international development team that develops state-of-the art secure cryptographic libraries which are protected against physical and logical attacks, which have applications across all different NXP domains and business lines (payment, identification, mobile, IoT, Automotive, Edge Processing, etc.).

When you join NXP you have the opportunity to broaden your technical knowledge in all of these areas.

Responsibilities

• You will develop crypto algorithms (incl. Post Quantum Crypto) based on specifications, being involved from the coding/programming, test, code review, release stages.
• You will align with our innovation team, architectural team, hardware teams and support teams to develop the algorithms which contribute to a complete security subsystem in all of NXP's business lines.

Your Profile

• Bachelor + 3-5 years of relevant experience Or​ You are a graduate with a Master or PhD Degree in Computer Science, Electronics Engineering, Mathematics, Information Technology, Cryptography
• You have a passion for technology, you bring ideas to the table and you are proud of your results.

We offer

• We offer you the opportunity to learn and build on your technical knowledge and experience in some of the following areas: algorithm development including post quantum cryptography (DES, AES, RSA, ECC, SHA and many more)
• embedded software development in C and Assembly
• work with ARM Cortex M and RISC V platforms
• Work on hardware and software countermeasures against side channel (SCA) and fault attacks, (FA).

Ready to create a smarter world? Join the future of Innovation. Join NXP. Apply online!

https://nxp.wd3.myworkdayjobs.com/fr-FR/careers/job/Gratkorn/Embedded-Crypto-Software-Developer--m-f-d-_R-10052127

Closing date for applications:

Contact: Veronika von Hepperger (veronika.vonhepperger@nxp.com)

More information: https://nxp.wd3.myworkdayjobs.com/fr-FR/careers/job/Gratkorn/Embedded-Crypto-Software-Developer--m-f-d-_R-10052127

I-2421 – POST DOC IN SOFTWARE AND DATA SECURITY Temporary contract | 24 months | Belval Are you passionate about research? So are we! Come and join us Do you want to know more about LIST? Check our website: https://www.list.lu/ Discover our IT for Innovative Services department: https://www.list.lu/en/informatics/ How will you contribute? Your specific mission includes, but is not limited to, participating into the following activities along the project partners: • to design and develop DevSecOps solutions and Data security solutions • to prototype ML-based anti-fuzzing, vulnerability detection, information sharing technologies for cybersecurity, and anomaly detection solutions • to develop open-source software • to validate the effectiveness of developed technologies You are in charge of disseminating and promoting the research activities that will be carried out, whether through publications, prototype development or technical reports. You’re highly motivated and have proven skills in machine learning & cybersecurity to address the security concerns in software development and data protection. You have already good experience in collaborative cyberthreat intelligence systems that use advanced analytics solutions as can offer significant advantages over the local systems by detecting cyberattacks early and promptly responding to them. And last, but not least, you’re a great practitioner of cybersecurity techniques such as vulnerability detection, information sharing, fuzzing, anti-fuzzing. Is Your profile described below? Are you our future colleague? Apply now! As to join us, you: • hold a PhD. degree in Computer Science or related disciplines • have good programming skills (particularly experience on Python and C++) • have good track record on applied ML for cybersecurity, such as fuzzing and ML-based vulner

Closing date for applications:

Contact: SCHWARTZ Cathy

More information: https://bit.ly/3xa6NAy

At the Chair of Quantum Information Systems at RWTH Aachen, Germany, we have several phd and postdoc positions available in the area of quantum formal verification, quantum programs, quantum crypto, connected to the ERC project "Certified Quantum Security".

Supervisor would be Dominique Unruh.

In particular, there are the following topics, but we accept phd and postdoc applications for other topics if they fit into the general direction of our group.

• PhD position “Verification of Quantum Key Distribution”
• PhD position “Functional quantum programs in F*”
• PhD position “Certified quantum compilation”

All positions are fully funded (German salary class TV-L E13).

Application deadline is April 15, 2024. See the webpage for application instructions.

Closing date for applications:

Contact: Dominique Unruh, email: job.igxkb0@rwth.unruh.de

More information: https://qis.rwth-aachen.de/positions/

The ZK-lab (zk-lab.org) and Blockchain Technology Laboratory (https://www.ed.ac.uk/informatics/blockchain) at Edinburgh University has several open Ph.D. and postdoc positions to work on zero-knowledge proofs, succinct arguments, and multi-party computation with applications to decentralization and privacy protection. You will work in a dynamic collaborative environment with a focus on conceptual and foundational problems of practical relevance. To express interest, send an email including a CV to markulf.kohlweiss@ed.ac.uk and jan.bobolz@ed.ac.uk. Positions are open until filled, but we give priority to applications received by May 31st. Female candidates and other underrepresented groups are strongly encouraged to apply.

Closing date for applications:

Contact: Markulf Kohlweiss (markulf.kohlweiss@ed.ac.uk), Jan Bobolz (jan.bobolz@ed.ac.uk)

More information: https://zk-lab.org

The Department of Computer Systems at Tallinn University of Technology invites PhD holders in Computer Science or relevant fields to apply for a post-doctoral researcher position in the NSF IMPRESS-U project titled "Hardware-Efficient Realization of UA Cryptographic Standards". Ukraine has its standardized cryptographic algorithms, namely Kalyna – block cipher and Kupyna – hash function, which are significantly dissimilar to other standardized solutions adopted by NIST in the US. For several reasons, including performance and security, hardware implementations of cryptographic algorithms are sought. In this project, the partners based in US, Estonia, and Ukraine will jointly investigate how to implement these algorithms in an Application Specific Integrated Circuit (ASIC) while disseminating knowledge in both directions. The Estonian partner is responsible for accomplishing three main tasks: (i) security-aware design exploration of cryptographic primitives in Kalyna and Kupyna, such as substitution and linear transformation operations; (ii) realization of design architectures targeting high performance and low power dissipation; (iii) secure design of Kalyna and Kupyna against well-known attacks, such as side-channel analysis and fault injection.

Closing date for applications:

Contact: Levent Aksoy (levent.aksoy@taltech.ee)

More information: https://candidate.recrur.com/public/jobad/en/b98a4a29-7

We are looking for a bright and ambitious Postdoc to join PQShield's R&D team, focusing on advancing post-quantum secure messaging. This 2-year position, preferably starting before July 1st, 2024 , offers the opportunity to contribute to exciting research in Tokyo, Japan or Paris, France. While physical presence in these locations is preferred for collaboration with our researchers, remote work arrangements can be negotiated.

What you’ll be doing: The primary responsibility of this position will be to advance the state of post-quantum secure messaging such as Signal and Message Layer Security (MLS). While the main focus is to conduct groundbreaking research, we encourage and support translating academic research into tangible contributions, such as proposals to the Internet Engineering Task Force (IETF) for standardisation.

Qualifications: While you will mostly collaborate with a group, it is preferred that you have some of the following backgrounds to ensure a smooth start into the project:

Previous involvement with secure protocols are helpful to better understand the open problems posed by post-quantum secure messaging.

Ability to conduct formal security proofs and to propose new security models are important to handle a complex protocol such as secure messaging.

A general knowledge of lattice-based cryptography is preferred to understanding the pros/cons compared to classical cryptography.

In addition to cryptographic expertise, we seek candidates with:

Previous experience working with diverse teams on projects that cover various cryptographic fields.

PhD qualified in Cryptography.

Strong communication and presentation skills.

The ability to work both independently and collaboratively within a diverse team.

Closing date for applications:

Contact: Please apply to the job through the PQShield's Careers page or through the link below:

PQShield Career page: https://pqshield.com/careers/apply/?gh_jid=4309579101

More information: https://pqshield.com/careers/apply/?gh_jid=4309579101

The Research Training Group "Cybercrime and Forensic Computing" aims to systematically analyse research questions arising from the interaction between computer science and criminal law. The following research areas are particularly relevant to the PhD position: Cryptography, Provable Security, and Secure Messaging. PhD students from computer science (especially applied cryptography and information security) and law collaborate and are supervised by a large group of PIs. The particular research project supervised by Paul Rösler focuses on stronger privacy and anonymity in secure messaging protocols. More information about the project can be found at https://cybercrime.fau.de

Necessary qualifications: Applicants should have an excellent academic record and hold an MSc or an equivalent university degree in computer science or related disciplines, and have the goal to finish a PhD degree within three years.

Supplementary description: The positions will commence on October 1, 2024. FAU aims to increase the number of women in scientific positions. Female candidates are therefore particularly encouraged to apply. In case of equal qualifications, candidates with disabilities will take precedence. Please submit your complete application documents by April 10, 2024 to cybercrime-applications@fau.de. Please mention in your application at least one research area from the above list which you are specifically interested in. Interviews will commence between 13. and 17.05.2024 in Erlangen.

Founded in 1743 and situated at the heart of the Nuremberg Metropolitan Region, FAU is a strong research university with an international perspective and one of the largest universities in Germany. FAU’s outstanding research and teaching is reflected in top positions in both national and international rankings, as well as the high amount of DFG funding which its researchers are able to secure.

Closing date for applications:

Contact: Paul Rösler (paul.roesler@fau.de)

More information: https://www.jobs.fau.de/jobs/2-phd-positions-m-f-d-salary-level-13-tv-l-in-computer-science-full-time-and-1-phd-position-m-f-d-salary-level-13-tv-l-in-law-part-time-75-91270455/

A verifiable delay function $\texttt{VDF}(x,T)\rightarrow (y,\pi)$ maps an input $x$ and time parameter $T$ to an output $y$ together with an efficiently verifiable proof $\pi$ certifying that $y$ was correctly computed. The function runs in $T$ sequential steps, and it should not be possible to compute $y$ much faster than that. The only known practical VDFs use sequential squaring in groups of unknown order as the sequential function, i.e., $y=x^{2^T}$. There are two constructions for the proof of exponentiation (PoE) certifying that $y=x^{2^T}$, with Wesolowski (Eurocrypt'19) having very short proofs, but they are more expensive to compute and the soundness relies on stronger assumptions than the PoE proposed by Pietrzak (ITCS'19).

A recent application of VDFs by Arun, Bonneau and Clark (Asiacrypt'22) are short-lived proofs and signatures, which are proofs and signatures which are only sound for some time $t$, but after that can be forged by anyone. For this they rely on "watermarkable VDFs", where the proof embeds a prover chosen watermark. To achieve stronger notions of proofs/signatures with reusable forgeability, they rely on "zero-knowledge VDFs", where instead of the output $y$, one just proves knowledge of this output. The existing proposals for watermarkable and zero-knowledge VDFs all build on Wesolowski's PoE, for the watermarkable VDFs there's currently no security proof.

In this work we give the first constructions that transform any PoEs in hidden order groups into watermarkable VDFs and into zkVDFs, solving an open question by Arun et al.. Unlike our watermarkable VDF, the zkVDF (required for reusable forgeability) is not very practical as the number of group elements in the proof is a security parameter. To address this, we introduce the notion of zero-knowledge proofs of sequential work (zkPoSW), a notion that relaxes zkVDFs by not requiring that the output is unique. We show that zkPoSW are sufficient to construct proofs or signatures with reusable forgeability, and construct efficient zkPoSW from any PoE, ultimately achieving short lived proofs and signatures that improve upon Arun et al's construction in several dimensions (faster forging times, weaker assumptions).

A key idea underlying our constructions is to not directly construct a (watermarked or zk) proof for $y=x^{2^T}$, but instead give a (watermarked or zk) proof for the more basic statement that $x',y'$ satisfy $x'=x^r,y'=y^r$ for some $r$, together with a normal PoE for $y'=(x')^{2^T}$.

This paper introduces a new approach to construct zero-knowledge large language models (zkLLM) based on the Folding technique. We first review the concept of Incrementally Verifiable Computation (IVC) and compare the IVC constructions based on SNARK and Folding. Then we discuss the necessity of Non-uniform IVC (NIVC) and present several Folding schemes that support more expressive circuits, such as SuperNova, Sangria, Origami, HyperNova, and Protostar. Based on these techniques, we propose a zkLLM design that uses a RAM machine architecture with a set of opcodes. We define corresponding constraint circuits for each opcode and describe the workflows of the prover and verifier. Finally, we provide examples of opcodes to demonstrate the circuit construction methods. Our zkLLM design achieves high efficiency and expressiveness, showing great potential for practical applications.

Multi-valued Validated Asynchronous Byzantine Agreement ($\mathsf{MVBA}$) is one essential primitive for many distributed protocols, such as asynchronous Byzantine fault-tolerant scenarios like atomic broadcast ($\mathsf{ABC}$), asynchronous distributed key generation, and many others. Recent surge of efforts have pushed the communication complexity of such protocols from $O(\ell n^2 + \lambda n^2 + n^3)$ (Cachin et al, CRYPTO'00), to $O(\ell n^2 + \lambda n^2)$ (Abbraham et al, PODC'19) and finally to optimal $O(\ell n + \lambda n^2)$ (Lu et al, PODC' 20), for $\ell$-bit inputs across a network of $n$ nodes, with security parameter $\lambda$.

However, those constructions of $\mathsf{MVBA}$ heavily rely on ``heavyweight'' cryptographic tools, such as non-interactive threshold signatures. The computational cost of algebraic operations, the susceptibility to quantum attacks, and the necessity of a trusted setup associated with threshold signatures present significant remaining challenges. There is a growing interest in information-theoretic or hash-based constructions (historically called signature-free constructions). Unfortunately, the state-of-the-art hash-based $\mathsf{MVBA}$ (Duan et al., CCS'23) incurs a large $O(\ell n^2 + \lambda n^3)$-bits communication, which in turn makes the hash-based $\mathsf{MVBA}$ inferior performance-wise comparing with the ``classical'' ones. Indeed, this was clearly demonstrated in our experimental evaluations.

To make hash-based $\mathsf{MVBA}$ actually realize its full potential, in this paper, we introduce an $\mathsf{MVBA}$ with adaptive security, and $\widetilde{O}(\ell n + \lambda n^2)$ communication, exclusively leveraging conventional hash functions. Our new $\mathsf{MVBA}$ achieves nearly optimal communication, devoid of heavy operations, surpassing both threshold signature-based schemes and the hash-based scheme in many practical settings, as demonstrated in our experiments. For example, in scenarios with a network size of $n = 201$ and an input size of $1.75$ MB, our $\mathsf{MVBA}$ exhibits a latency that is 81\% lower than that of the existing hash-based $\mathsf{MVBA}$ and 47\% lower than the threshold signature-based $\mathsf{MVBA}$. Our new construction also achieves optimal parameters in other metrics such as $O(1)$ rounds and $O(n^2)$ message complexity, except with a sub-optimal resilience, tolerating up to $20\%$ Byzantine corruptions (instead of $33\%$). Given its practical performance advantages, our new hash-based $\mathsf{MVBA}$ naturally leads to better asynchronous distributed protocols, by simply plugging it into existing frameworks.