International Association
for Cryptologic Research

We introduce a generalization of substitution permutation networks using quasigroups. Then, we prove that for quasigroups isotopic with a group $\mathbb{G}$, the complexity of mounting a differential attack against our generalization is the same as attacking a substitution permutation network based on $\mathbb{G}$. Although the result is negative, we believe that the design can be instructional for teaching students that failure is a natural part of research. Also, we hope to prevent others from making the same mistake by showing where such a path leads.

Over the past 20 years, the efficiency of secure multi-party protocols has been greatly improved. While the seminal protocols from the late 80's require a communication of $\Omega(n^6)$ field elements per multiplication among $n$ parties, recent protocols offer linear communication complexity. This means that each party needs to communicate a constant number of field elements per multiplication, independent of $n$.

However, these efficient protocols only offer active security, which implies that at most $t<n/3$ (perfect security), respectively $t<n/2$ (statistical or computational security) parties may be corrupted. Higher corruption thresholds (i.e., $t\geq n/2$) can only be achieved with degraded security (unfair abort), where one single corrupted party can prevent honest parties from learning their outputs.

The aforementioned upper bounds ($t<n/3$ and $t<n/2$) have been circumvented by considering mixed adversaries (Fitzi et al., Crypto' 98), i.e., adversaries that corrupt, at the same time, some parties actively, some parties passively, and some parties in the fail-stop manner. It is possible, for example, to achieve perfect security even if $2/3$ of the parties are faulty (three quarters of which may abort in the middle of the protocol, and a quarter may even arbitrarily misbehave). This setting is much better suited to many applications, where the crash of a party is more likely than a coordinated active attack.

Surprisingly, since the presentation of the feasibility result for the mixed setting, no progress has been made in terms of efficiency: the state-of-the-art protocol still requires a communication of $\Omega(n^6)$ field elements per multiplication.

In this paper, we present a perfectly-secure MPC protocol for the mixed setting with essentially the same efficiency as the best MPC protocols for the active-only setting. For the first time, this allows to tolerate faulty majorities, while still providing optimal efficiency. As a special case, this also results in the first fully-secure MPC protocol secure against any number of crashing parties, with optimal (i.e., linear in $n$) communication. We provide simulation-based proofs of our construction.

This is a fully-funded Ph.D. position for a UK/EU/International student (tuition fees plus stipend) to pursue a Ph.D. research degree in the Department of Computer Science, University of Warwick. Note that for international students, the overseas tuition gap will be covered as well.

The project is in the area of security and cryptography, in particular, investigating next-generation cryptocurrency that is more scalable, privacy-preserving, and usable than what we have today.

An ideal candidate should have excellent undergraduate and master degrees (equivalent to at least a UK 2.1) in Computer Science or relevant disciplines such as Mathematics and Engineering; a solid mathematical background as well as strong programming skills; experience in security research.

The closing date for application is 30 April 2020.

Interested candidates are encouraged to apply as early as possible. First, express your interest by sending your CV to Prof Feng Hao (feng.hao@warwick.ac.uk). If your background is found suitable, you will be directed to make a formal application. All formal applications will need to be made online through https://warwick.ac.uk/study/postgraduate/apply/research/.

Further information about the research environment: The Department of Computer Science, University of Warwick is one of the leading CS departments in the UK. In the latest 2014 REF (Research Excellence Framework) assessment participated by all UK universities, Warwick Computer Science is ranked the 1st for research output, 2nd for research impact, and 2nd overall among 89 CS departments in the UK. The University of Warwick is consistently ranked among the top 10 universities in the UK. It is also known for its beautiful campus, friendly social environment, vivid student lives, and easy transport links to all major cities in the UK including London.

Closing date for applications:

Contact: Professor Feng Hao

More information: https://warwick.ac.uk/fac/sci/dcs/research/doctoralstudies/fundingadvice/researchstudentships/?newsItem=8a17841b70e3f5d8

We are looking for candidates for 1 Research Fellow / postdoc position (from fresh post-docs to senior research fellows, flexible contract duration) on symmetric-key cryptography and/or side-channel analysis. Candidates are expected to have a proven record of publications in top cryptography/security venues. Salaries are competitive and are determined according to the successful applicants accomplishments, experience and qualifications. Interested applicants should send their detailed CVs, cover letter and references to Prof. Thomas Peyrin (thomas.peyrin@ntu.edu.sg). Review of applications starts immediately and will continue until positions are filled.

Closing date for applications:

Contact: Thomas Peyrin (thomas.peyrin@ntu.edu.sg)

The Security and Networking Lab (SECAN-Lab, https://secan-lab.uni.lu/) at the University of Luxembourg offers a full-time position for a PhD candidate (3 years, with a possible extension of 1 year) in the area of Application-Driven Cryptographic Protocols, in particular Privacy-Preserving Protocols. Potential application domains include Mobile Payments, Vehicular Networks, Autonomous Driving, etc. We are looking for an ambitious candidate with an excellent Master’s degree (top 10%) in Computer Science, Mathematics, Physics, or Electrical Engineering and a specialization in IT-Security and Cryptography. The position is embedded in an excellent international working environment comprising domain as well as cryptography experts, and comes with a competitive salary.

Closing date for applications:

Contact: Thomas Engel (thomas.engel@uni.lu), Andy Rupp (andy.rupp@uni.lu)

Nakamoto’s Bitcoin protocol inspired interest in the permissionless regime of distributed computing, in which participants may join and leave an internet-scale protocol execution at will, without needing to register with any authority. The permissionless regime poses challenges to the classical techniques used for consensus protocols, in which participants attempt to agree on a function of their inputs. Crucially, classical consensus techniques require honest participants to remain online and active, and to know an upperbound on the number of participants. Bitcoin addresses this issue by requiring Proof of Work in order to send a message in protocol, and other Bitcoin-inspired works have developed Proof of X variants to remediate the shortcomings of Proof of Work. We propose an abstraction for Proof of X called resources, inspired by how many variants are used in practice. We then show that given few additional assumptions, resources are sufficient to achieve consensus in the permissionless regime. In particular, with appropriate assumptions about resources, it is not necessary to know a bound on the network delay, participants do not need clocks, and participants can join and leave the execution arbitrarily. The core idea is to shift focus from the proportion of honest parties in an execution to the proportion of messages sent by honest parties. We formally model consensus protocols in the permissionless regime, and show how to parameterize a permissionless execution using only the long-term proportion of resources acquired by honest participants and an upperbound on the rate at which resources enter the system, relative to the maximum network delay (without needing to know the network delay). Along the way, we provide a generalized definition of blockchains which we call graph consensus. We present a protocol in the permissionless regime that achieves graph consensus, even when resources enter the system at high rates, but the required honest majority increases with the rate. We show how the protocol can be modified slightly to achieve one-bit consensus. Finally, we show that for every graph consensus protocol that outputs a majority of honest vertices there exists a one-bit consensus protocol.

The ElGamal cryptosystem is one of the most widely used public-key cryptosystems that depends on the difficulty of computing the discrete logarithms over finite fields. Over the years, the original system has been modified and altered in order to achieve a higher security and efficiency. In this paper, a generalization for the original ElGamal system is proposed which also relies on the discrete logarithm problem. The encryption process of the scheme is improved such that it depends on the prime factorization of the plaintext. Modular exponentiation is taken twice during the encryption; once with the number of distinct prime factors of the plaintext and then with the secret encryption key. If the plaintext consists of only one distinct prime factor, then the new method is similar to that of the basic ElGamal algorithm. The proposed system preserves the immunity against the Chosen Plaintext Attack (CPA).

Using a novel class of single bit one-way trapdoor functions we construct a theoretical probabilistic public key encryption scheme that has many interesting properties. These functions are constructed from binary quadratic forms and rational quartic reciprocity laws. They are not based on class group operations nor on universal one-way hash functions. Inverting these functions appears to be as difficult as factoring, and other than factoring, we know of no reductions between this new number theory problem and the standard number theoretic problems used cryptographically.

By using quartic reciprocity properties there is less information leakage than with quadratic reciprocity based schemes and consequently this encryption scheme appears to be completely non-malleable as defined by M. Fischlin (2005) and strongly plaintext aware and secret-key aware as well as defined by M. Barbosa and P. Farshim (2009). Assuming that our one-way trapdoor function is computationally hard to invert, then this encryption scheme is provably secure against adaptive chosen ciphertext attacks ($IND-CCA2$).

Decryption is fast, requiring just one modular multiplication and one Jacobi symbol evaluation. The encryption step is polynomial time, but slow, and there is a great deal of message expansion. The encryption step is amenable to parallelization, both across bits, as well as at the level of encrypting a single bit. The computational cost to break an encrypted bit can be optionally adjusted down on a per bit basis.

With no additional keys, multiple senders can individually join secret information to each encrypted bit without changing the parity of the encrypted bit. (Recovering this secret information is harder than recovering the private key.) Each sender can separately and publicly reveal their secret information without revealing the plaintext bit. The senders of the encrypted message bit can also individually authenticate they are senders without the use of a message authentication code and without revealing the plaintext bit.

We introduce the notion of a succinct blockchain, a replicated state machine in which each state transition (block) can be efficiently verified in constant time regardless of the number of prior transitions in the system. Traditional blockchains require verification time linear in the number of transitions. We show how to construct a succinct blockchain using recursively composed succinct non-interactive arguments of knowledge (SNARKs). Finally, we instantiate this construction to implement Coda, a payment system (cryptocurrency) using a succinct blockchain. Coda offers payment functionality similar to Bitcoin, with a dramatically faster verification time of 200ms making it practical for lightweight clients and mobile devices to perform full verification of the system’s history.

A zero-knowledge proof is a method by which one can prove knowledge of general non-deterministic polynomial (NP) statements. SNARKs are in addition non-interactive, short and cheap to verify. This property makes them suitable for recursive proof composition, that is proofs attesting to the validity of other proofs. Recursive proof composi- tion has been empirically demonstrated for pairing-based SNARKs via tailored constructions of expensive elliptic curves. We thus construct on top of the curve BLS12-377 a new pairing-friendly elliptic curve which is STNFS-secure and optimized for one layer composition. We show that it is at least five times faster to verify a composed SNARK proof on this curve compared to the previous state-of-the-art. We propose to name the new curve BW6-761.

The stream cipher ChaCha is an ARX type algorithm developed by Daniel Bernstein in 2008. Since its development, ChaCha has received a lot of attention and is currently being used in several systems. The most powerful cryptanalysis of reduced versions of this cipher was presented by Choudhuri and Maitra on FSE 2017 by using differential-linear cryptanalysis. In their work they show that is possible to obtain linear relations between bits from different rounds with high probability and use the proposed equations to create multi-bit differentials and improve previous attacks. In this work, we provide new linear approximations that can be used in a similar fashion but with increased efficiency. Therefore, we show that using these new equations is possible to improve the attacks against 6 and 7 rounds of ChaCha.

Differential power analysis (DPA) is a statistical analysis of the power traces of cryptographic computations. DPA has many applications including key-recovery on linear feedback shift register based stream ciphers. In 2017, Dobraunig et. al. presented a DPA on Keymill to uncover the bit relations of neighbouring bits in the shift registers, effectively reduces the internal state guessing space to 4-bit. In this work, we generalise the analysis methodology to uncover more bit relations on both linear feedback shift registers (LFSRs) and non-linear feedback shift registers (NLFSRs) and with application to fresh re-keying scheme --- LR-Keymill. In addition, we improve the DPA on Keymill by halving the data resources needed for the attack.

Groups of hidden order have gained a surging interest in recent years due to applications to cryptographic commitments, verifiable delay functions and zero knowledge proofs. Recently, Dobson and Galbraith ([DG20]) proposed Jacobians of genus three hyperelliptic curves as a suitable candidate for such a group. While this looks like a promising idea, certain Jacobians are less secure than others and hence, the curve has to be chosen with caution. In this short note, we explore the types of Jacobians that would be suitable for this purpose.

The efficiency of zero-knowledge protocols is measured by the round complexity. The construction of low round zero-knowledge protocols for any NP language has been a classical and open question.

In this paper, we focus on zero-knowledge protocols for NP with low round complexity under the augmented black-box simulation technique, in which the simulator has access to the verifier's secret information, and obtain positive results on 3-round zero-knowledge proofs and 2-round zero-knowledge arguments and proofs. More precisely, our contributions are five-fold: (i) we propose the notion of generalized claw-free function and the notion of trapdoor generalized claw-free function, and then we show a construction of trapdoor generalized claw-free function under the discrete logarithm assumption and the knowledge of exponent assumption, (ii) we propose the notion of completely extractable bit-commitment and give a construction of it from trapdoor generalized claw-free functions, (iii) we present a 3-round zero-knowledge proof for NP based on the completely extractable bit-commitment schemes and Yao's garbling circuit technique, (iv) we show a 2-round zero-knowledge argument for NP based on indistinguishable obfuscator, (v) we transform the basic 2-round honest verifier zero-knowledge proof protocol for quadratic non-residue into a 2-round zero-knowledge proof protocol.

Since Keccak was selected as the SHA-3 standard, both its hash mode and keyed mode have attracted lots of third-party cryptanalysis. Especially in recent years, there is progress in analyzing the collision resistance and preimage resistance of round-reduced Keccak. However, for the preimage attacks on round-reduced Keccak-384/512, we found that the linear relations leaked by the hash value are not well exploited when utilizing the current linear structures. To make full use of the $320+64\times2=448$ and 320 linear relations leaked by the hash value of Keccak-512 and Keccak-384, respectively, we propose a dedicated algebraic attack by expressing the output as a quadratic Boolean equation system in terms of the input. Such a quadratic Boolean equation system can be efficiently solved with linearization techniques. Consequently, we successfully improved the preimage attacks on 2/3/4 rounds of Keccak-384 and 2/3 rounds of Keccak-512. Since similar $\theta$ and $\chi$ operations exist in the round function of Xoodoo, which has been selected by NIST for the second round in the Lightweight Cryptography Standardization process, we make a study of the permutation and construct a practical zero-sum distinguisher for full Xoodoo.

In early nineties Carlet [1] introduced two new classes of bent functions, both derived from the Maiorana-McFarland ($\mathcal{M}$) class, and named them $\cC$ and $ \cD$ class, respectively. Apart from a subclass of $\cD$, denoted by $\cD_0$ by Carlet, which is provably outside two main (completed) primary classes of bent functions, little is known about their efficient constructions. More importantly, both classes may easily remain in the underlying $\mathcal{M}$ class which has already been remarked in [21]. Assuming the possibility of specifying a bent function $f$ that belongs to one of these two classes (apart from $\cD_0$), the most important issue is then to determine whether $f$ is still contained in the known primary classes or lies outside their completed versions. In this article, we further elaborate on the analysis of the set of sufficient conditions given in \cite{OutsideMM} concerning the specification of bent functions in $\cC$ and $ \cD$ which are provably outside $\cM$. It is shown that these conditions, related to bent functions in class $\cD$, can be relaxed so that even those permutations whose component functions admit linear structures still can be used in the design. It is also shown that monomial permutations of the form $x^{2^r+1}$ have inverses which are never quadratic for $n >4$, which gives rise to an infinite class of bent functions in $\cC$ but outside $\cM$. Similarly, using a relaxed set of sufficient conditions for bent functions in $\cD$ and outside $\cM$, one explicit infinite class of such bent functions is identified. We also extend the inclusion property of certain subclasses of bent functions in $ \cC$ and $ \cD$, as addressed initially in [1,21], that are ultimately within the completed $\mathcal{M}$ class. Most notably, we specify {\em another generic and explicit subclass} of $\cD$, which we call $\cD_2^\star$, whose members are bent functions provably outside the completed $\mathcal{M}$ class.

A decade long thrive of cryptocurrency has shown its potential as a source of alternative-finance and the security and the robustness of the underpinning blockchain technology.

However, most cryptocurrencies fail to show inimitability and their meanings in the real world. As a result, they usually start off as favourites but quickly become the outcasts of the digital asset market.

The blockchain society attempts to anchor the value of cryptocurrency with real values by employing smart contracts and link it with computation resources and the digital-productivity that have value and demands in the real world. But their attempts have some undesirable effects due to a limited number of practical applications. This limitation is caused by the dilemma between high performance and decentralisation (universal joinability). The emerging of blockchain sharding models, however, has offered a possible solution to address this dilemma.

In this paper, we explore a financial model for blockchain sharding that will build an active link between the value of cryptocurrency and computation resources as well as the market and labour behaviours. Our model can adjust the price of resources and the compensation for maintaining a system based on those behaviours. We anchor the value of cryptocurrency by the amount of computation resources participated in and give the cryptocurrency a meaning as the exchange between computation resources globally. Finally, we present a working example which, through financial regularities, regulates the behaviour of anonymous participants, also incents/discourages participation dynamically.

We propose BSC, a Bitcoin Smart Contract implementation. It integrates the functionality of smart contracts into the Bitcoin system, giving developers the ability to build decentralized applications on Bitcoin. BSC will require a new hard fork, on which Bitcoin holders can use their existing funds directly. BSC combines the unlimited creative space of smart contracts and the vast network effect of Bitcoin, which will bring even more possibilities to the cryptocurrency world.

In the context of the Cluster of Excellence CASA (Cyber-Security in the Age of Large-Scale Adversaries), the Department of Electrical Engineering and Information Sciences at Ruhr-Universität Bochum invites applications for the position of a Full Professor (W3) for Data-Driven Security to start as soon as possible. The candidate is expected to establish an excellent research program, to conduct and publish innovative research, be an effective lecturer and mentor of both undergraduate and graduate students, and participate in institutional and professional processes. We are looking for scientists with an internationally visible research profile in Quantum Information, in at least one of the following subfields:

Computer security and machine learning

Security in distributed systems

Secure and dependable software systems

Privacy Enhancing Technologies

The successful applicant is expected to cooperate with the Horst Görtz IT Security Research Department (HGI) and especially with the recently granted Cluster of Excellence CASA. The recently founded Max Planck Institute for Cybersecurity and Privacy offers additional possibilities for collaboration.

International visibility through publications and projects and above-average third-party funding are expected, as well as the willingness and ability to lead and participate in large collaborative projects. Positive evaluation as a junior professor or equivalent academic achievement (e.g. Habilitation) or significant post-doctoral research contributions and teaching experience is as much required as the willingness to participate in the self-governing bodies of the RUB. Furthermore, a strong commitment to academic teaching, the readiness to participate in interdisciplinary research and the proven experience in successful acquisition of third-party funds are expected. Ruhr-Universität Bochum is an equal opportunity employer and offers a dual career program (see https://www.dcnruhr.de/en for details).

Closing date for applications:

Contact: Applications including a CV, copies of academic certificates, list of publications, list of self-raised third-party funds, teaching record, and a statement of research interests should be sent by email to Prof. Dr.-Ing. Thomas Musch
Bewerbung-dds@ei.rub.de

More information: https://casa.rub.de/ and https://www.ei.rub.de/

Ruhr-Universität Bochum (RUB) is one of Germany’s leading research universities.
In the context of the Cluster of Excellence CASA (Cyber-Security in the Age of Large-ScaleAdversaries), the Department of Electrical Engineering and Information Sciences at Ruhr-Universität Bochum invites applications for the position of an Assistant Professor (W1) for Software Security with Tenure Track to start as soon as possible.
The candidate is expected to establish an excellent research program, to conduct and publish innovative research, be an effective lecturer and mentor of both undergraduate and graduate students, and have an interest to participate in institutional and professional processes. We are looking for scientists with an internationally visible research profile in computer security, in at least one of the following subfields:

Software-based side channel and micro-architectural attacks

Software aspects of network and Internet security

Security and Privacy

Security in new application domains

The successful applicant is expected to cooperate with the Horst Görtz IT Security Research Department (HGI) and especially with the recently granted Cluster of Excellence CASA. The recently founded Max Planck Institute for Cybersecurity and Privacy offers additional possibilities for collaboration.

We expect:

Excellent scientific qualifications, usually proven by a Ph.D. thesis of outstanding quality and first-class international publications

strong commitment to academic teaching at graduate and undergraduate level

willingness to participate in interdisciplinary research

willingness and ability to attract external funding

readiness to contribute to joint research projects

The position includes a tenure track option, after a positive evaluation the position will be turned into a tenured professorship (W2). Complete applications including CV, copies of academic certificates, list of publications, list of self-raised third-party funds, teaching record, and a statement of research interests should be sent by email to the

Closing date for applications:

Contact: Dean of the Faculty of Electrical Engineering and Information Technology Prof. Dr.-Ing. Thomas Musch
Bewerbung-sosi@ei.rub.de

More information: https://www.stellenwerk-bochum.de/jobboerse/professuren-w1-assistant-professor-software-security-tenure-track-bo-2020-03