International Association
for Cryptologic Research

Reductions between problems, the mainstay of theoretical computer science, efficiently map an instance of one problem to an instance of another in such a way that solving the latter allows solving the former. The subject of this work is ``lossy'' reductions, where the reduction loses some information about the input instance. We show that such reductions, when they exist, have interesting and powerful consequences for lifting hardness into ``useful'' hardness, namely cryptography.

Our first, conceptual, contribution is a definition of lossy reductions in the language of mutual information. Roughly speaking, our definition says that a reduction $\mathsf{C}$ is $t$-lossy if, for any distribution $X$ over its inputs, the mutual information $I(X;\mathsf{C}(X)) \leq t$. Our treatment generalizes a variety of seemingly related but distinct notions such as worst-case to average-case reductions, randomized encodings (Ishai and Kushilevitz, FOCS 2000), homomorphic computations (Gentry, STOC 2009), and instance compression (Harnik and Naor, FOCS 2006).

We then proceed to show several consequences of lossy reductions:

1. We say that a language $L$ has an $f$-reduction to a language $L'$ for a Boolean function $f$ if there is a (randomized) polynomial-time algorithm $\mathsf{C}$ that takes an $m$-tuple of strings $X = (x_1,\ldots,x_m)$, with each $x_i\in\{0,1\}^n$, and outputs a string $z$ such that with high probability, \begin{align*} L'(z) = f(L(x_1),L(x_2),\ldots,L(x_m)) \end{align*} 2. Suppose a language $L$ has an $f$-reduction $\mathsf{C}$ to $L'$ that is $t$-lossy. Our first result is that one-way functions exist if $L$ is worst-case hard and one of the following conditions holds: - $f$ is the OR function, $t \leq m/100$, and $L'$ is the same as $L$ - $f$ is the Majority function, and $t \leq m/100$ - $f$ is the OR function, $t \leq O(m\log{n})$, and the reduction has no error

This improves on the implications that follow from combining (Drucker, FOCS 2012) with (Ostrovsky and Wigderson, ISTCS 1993) that result in {\em auxiliary-input} one-way functions.

3. Our second result is about the stronger notion of $t$-compressing $f$-reductions -- reductions that only output $t$ bits. We show that if there is an average-case hard language $L$ that has a $t$-compressing Majority reduction to some language for $t=m/100$, then there exist collision-resistant hash functions.

This improves on the result of (Harnik and Naor, STOC 2006), whose starting point is a cryptographic primitive (namely, one-way functions) rather than average-case hardness, and whose assumption is a compressing OR-reduction of SAT (which is now known to be false unless the polynomial hierarchy collapses).

Along the way, we define a non-standard one-sided notion of average-case hardness, which is the notion of hardness used in the second result above, that may be of independent interest.

We propose a new approach to construct general-purpose indistinguishability obfuscation (iO). Our construction is obtained via a new intermediate primitive that we call split fully-homomorphic encryption (split FHE), which we show to be sufficient for constructing iO. Specifically, split FHE is FHE where decryption takes the following two-step syntactic form: (i) A secret decryption step uses the secret key and produces a hint which is (asymptotically) shorter than the length of the encrypted message, and (ii) a public decryption step that only requires the ciphertext and the previously generated hint (and not the entire secret key), and recovers the encrypted message. In terms of security, the hints for a set of ciphertexts should not allow one to violate semantic security for any other ciphertexts.

Next, we show a generic candidate construction of split FHE based on three building blocks: (i) A standard FHE scheme with linear decrypt-and-multiply (which can be instantiated with essentially all LWE-based constructions), (ii) a linearly homomorphic encryption scheme with short decryption hints (such as the Damgard-Jurik encryption scheme, based on the DCR problem), and (iii) a cryptographic hash function (which can be based on a variety of standard assumptions). Our approach is heuristic in the sense that our construction is not provably secure and makes implicit assumptions about the interplay between these underlying primitives. We show evidence that this construction is secure by providing an argument in an appropriately defined oracle model.

We view our construction as a big departure from the state-of-the-art constructions, and it is in fact quite simple.

We study the problem of secure two-party computation of arithmetic circuits in the presence of active (``malicious'') parties. This problem is motivated by privacy-preserving numerical computations, such as ones arising in the context of machine learning training and classification, as well as in threshold cryptographic schemes.

In this work, we design, optimize, and implement an actively secure protocol for secure two-party arithmetic computation. A distinctive feature of our protocol is that it can make a fully modular black-box use of any passively secure implementation of oblivious linear function evaluation (OLE). OLE is a commonly used primitive for secure arithmetic computation, analogously to the role of oblivious transfer in secure computation for Boolean circuits.

For typical (large but not-too-narrow) circuits, our protocol requires roughly 4 invocations of passively secure OLE per multiplication gate. This significantly improves over the recent TinyOLE protocol (Dottling et al., ACM CCS 2017), which requires 22 invocations of actively secure OLE in general, or 44 invocations of a specific code-based passively secure OLE.

Our protocol follows the high level approach of the IPS compiler (Ishai et al., CRYPTO 2008, TCC 2009), optimizing it in several ways. In particular, we adapt optimization ideas that were used in the context of the practical zero-knowledge argument system Ligero (Ames et al., ACM CCS 2017) to the more general setting of secure computation, and explore the possibility of boosting efficiency by employing a ``leaky'' passively secure OLE protocol. The latter is motivated by recent (passively secure) lattice-based OLE implementations in which allowing such leakage enables better efficiency.

We showcase the performance of our protocol by applying its implementation to several useful instances of secure arithmetic computation. On ``wide'' circuits, such as ones computing a fixed function on many different inputs, our protocol is 5x faster and transmits 4x less data than the state-of-the-art Overdrive (Keller et al., Eurocrypt 2018). Our benchmarks include a general passive-to-active OLE compiler, authenticated generation of ``Beaver triples'', and a system for securely outsourcing neural network classification. The latter is the first actively secure implementation of its kind, strengthening the passive security provided by recent related works (Mohassel and Zhang, IEEE S&P 2017; Juvekar et al., USENIX 2018).

LRBC is a new lightweight block cipher that has been proposed for resource-constrained IoT devices. The cipher is claimed to be secure against differential cryptanalysis and linear cryptanalysis. However, beside short state length which is only 16-bits, the structures of the cipher only use the linear operations, the its s-boxes, and this is a reason why the cipher is completely insecure against the mentioned attacks. we present a few examples to show that. Also, we show that the round function of LRBC has some structural problem and even if we fix them the cipher does not provide complete diffusion. Hence, even with replacement of the cipher s-boxes with proper s-boxes, the problem will not be fixed and it is possible to provide deterministic distinguisher for any number of round of the cipher. In addition, we show that for any fixed key, it is possible to create a full code book for the cipher with the complexity of $2^{n/2}$, which should be compared with $2^{n}$ for any secure $n$-bit block cipher.

The implementation of isogeny-based cryptography mainly use Montgomery curves as they offer fast elliptic curve arithmetic and isogeny compuation. However, although Montgomery curves have efficient 3- and 4-isogenies, it becomes inefficient when recovering the coefficient of the image curve for large degree isogenies. This is the main bottleneck of using a Montgomery curve for CSIDH as it requires odd-degree isogenies up to at least 587. In this paper, we present a new optimization method for faster CSIDH protocols entirely on Montgomery curves. To this end, we present a new parameter for CSIDH in which the rational 2-torsion points are defined over $\mathbb{F}_p$. By using the proposed parameters the CSIDH moves around the surface. The curve coefficient of the image curve can be recovered by a 2-torsion point. We also proved that the CSIDH using the proposed parameter guarantees a free and transitive group action. Additionally, we present the implementation result using our method. We demonstrated that our method is 8.6% faster than the original CSIDH. Our works show that quite higher performance of CSIDH is achieved using only Montgomery curves.

The Franco-Prussian war (1870--1871) was the first major European conflict during which extensive telegraph use enabled fast communication across large distances. Field officers would therefore have to learn how to use secret codes. But training officers also raises the probability that defectors would reveal these codes to the enemy. Practically all known secret codes at the time could be broken if the enemy knew how they worked.

Under Kerckhoffs' impulsion, the French military thus developed new codes, meant to resist even if the adversary knew the encoding and decoding algorithms, but simple enough to be explained and taught to military personnel.

Many of these codes were lost to history. One of the designs however, due to Major H. D. Josse, has been recovered and this article describes the features, history, and role of this particular construction. Josse's code was considered for field deployment and underwent some experimental tests in the late 1800s, the result of which were condensed in a short handwritten report. During World War II, German forces got hold of documents describing Josse's work, and brought them to Berlin to be analyzed. A few years later these documents moved to Russia, where they have resided since.

Encoding an arbitrary bit string, by parceling it out to randomized size subsections, encoding each subsection through a unary alphabet, thereby expressing the original string via a much larger one, which upon transposition projects up to perfect mathematical secrecy. The attraction of TEAM (Transposition Encryption Alphabet Method) is in the fact that it replaces common floating-point complex computational ciphers with the utter simplicity and speed of nothing more than one round of transposition. Also enabling decoy bits, which are recognized as noise by the intended recipient, while presenting a cryptanalytic burden on the attacker. Implemented in hardware TEAM is very battery-friendly, fitting for Internet of Things application. TEAM security is based on equivocation, which classifies it as post quantum cryptography. TEAM’s efficacy may be upgraded unilaterally by the transmitter through increased use of ad-hoc, not pre-shared randomness.

This paper introduces 4 way vectorization of Montgomery ladder on any Montgomery form elliptic curve. Our algorithm takes 2M^4+1S^4 (M^4: A vector of four field multiplications, S^4: A vector of four field squarings) per ladder step for variable-scalar variable-point multiplication. This paper also introduces new formulas for doing arithmetic over GF(2^255-19).

Noisy measurements of a physical unclonable function (PUF) are used to store secret keys with reliability, security, privacy, and complexity constraints. A new set of low-complexity and orthogonal transforms with no multiplication is proposed to obtain bit-error probability results significantly better than all methods previously proposed for key binding with PUFs. The uniqueness and security performance of a transform selected from the proposed set is shown to be close to optimal. An error-correction code with a low-complexity decoder and a high code rate is shown to provide a block-error probability significantly smaller than provided by previously proposed codes with the same or smaller code rates.

While accountability is a well-known concept in distributed systems and cryptography, in the literature on blockchains (and, more generally, distributed ledgers) the formal treatment of accountability has been a blind spot: there does not exist a formalization let alone a formal proof of accountability for any blockchain yet.

Therefore, in this work we put forward and propose a formal treatment of accountability in this domain. Our goal is to formally state and prove that if in a run of a blockchain a central security property, such as consistency, is not satisfied, then misbehaving parties can be identified and held accountable. Accountability is particularly useful for permissioned blockchains where all parties know each other, and hence, accountability incentivizes all parties to behave honestly.

We exemplify our approach for one of the most prominent permissioned blockchains: Hyperledger Fabric in its most common instantiation.

Private intersection-sum with cardinality allows two parties, where each party holds a private set and one of the parties additionally holds a private integer value associated with each element in her set, to jointly compute the cardinality of the intersection of the two sets as well as the sum of the associated integer values for all the elements in the intersection, and nothing beyond that.

We present a new construction for private intersection sum with cardinality that provides malicious security with abort and guarantees that both parties receive the output upon successful completion of the protocol. A central building block for our constructions is a primitive called shuffled distributed oblivious PRF (DOPRF), which is a PRF that offers oblivious evaluation using a secret key shared between two parties, and in addition to this allows obliviously permuting the PRF outputs of several parallel oblivious evaluations. We present the first construction for shuffled DOPRF with malicious security. We further present several new sigma proof protocols for relations across Pedersen commitments, ElGamal encryptions, and Camenisch-Shoup encryptions that we use in our main construction, for which we develop new batching techniques to reduce communication.

We implement and evaluate the efficiency of our protocol and show that we can achieve communication cost that is only 4-5 times greater than the most efficient semi-honest protocol. When measuring monetary cost of executing the protocol in the cloud, our protocol is 25 times more expensive than the semi-honest protocol. Our construction also allows for different parameter regimes that enable trade-offs between communication and computation.

This article discusses a fixed critical security bug in Google Tink's Ed25519 Java implementation. The bug allows remote attackers to extract the private key with only two Ed25519 signatures. The vulnerability comes from the misunderstanding of what "final" in Java programming language means. The bug was discovered during security review before Google Tink was officially released. It reinforces the challenge in writing safe cryptographic code and the importance of the security review process even for the code written by professional cryptographers.

Mines Saint-Etienne, an IMT graduate school under the supervision of the French Ministry of Economy and Finance, is recruiting an assistant professor in Electronics and Embedded Systems at the Centre of Microelectronics in Provence.

The Centre of Microelectronics in Provence (CMP) is one of the 5 research centres and it is located in Gardanne (France, Bouches-du-Rhône). It is composed of 4 research departments including the Secure Architectures and Systems (SAS) department. The SAS department applies research to guarantee the integrity of electronic components and their contents against physical attacks by developing hardware and/or software protection schemes. The SAS department is a common research team with CEA-Tech. This team is composed of 27 persons (14 associate professors or research engineers and 13 PhD students).

The candidate must hold a PhD degree with knowledge of security and/or embedded system design. You must have a track record of research publications and/or industrial experience to contribute to the development of research interests of the SAS department. You will also demonstrate substantial proven experience of delivering teaching, learning and student support at University level.

Complete application including a cover letter, a CV with the most significant teaching and research experience, a list of publications (10 pages maximum), reference letters, a copy of your PhD degree and a copy of your passport ID should be sent to Elodie EXBRAYAT by mail : elodie.exbrayat@emse.fr before the April 30th 2020.

Closing date for applications:

Contact: Jean-Max DUTERTRE by phone + 33 (0)4 42 61 67 36 or Mail : dutertre@emse.fr for further information on the research department project

More information: https://www.mines-stetienne.fr/en/jobs-opportunities/

The Department of Computer Science at the University of Copenhagen is seeking candidates for a full professorship in Theoretical Computer Science (TCS). More specifically, we are inviting exceptional candidates from the broad fields of algorithms, complexity, and cryptography including privacy.

We are looking for an outstanding, experienced researcher with an innovative mind-set and intellectual curiosity to strengthen and complement the research profile of the Algorithms and Complexity Section, headed by Professor Mikkel Thorup. The Algorithms and Complexity Section is part of an exciting environment including the Basic Algorithms Research Copenhagen (BARC) centre, joint with the IT University of Copenhagen, and involving extensive collaborations with the Technical University of Denmark (DTU) and Lund University on the Swedish side of the Oresund Bridge. We aim to attract top talent from around the world to an ambitious, creative, collaborative, and fun environment. Using the power of mathematics, we strive to create fundamental breakthroughs in algorithms and complexity theory, but we also have a track record of start-ups and surprising algorithmic discoveries leading to major industrial applications.

The University of Copenhagen was founded in 1479 and is the oldest and largest university in Denmark. It is often ranked as the best university in Scandinavia and consistently as one of the top places in Europe. Within computer science, it is ranked number 1 in the European Union (post-Brexit) by the Shanghai Ranking.

The department offers a friendly and thriving international research and working environment with opportunities to build up internationally competitive research groups. Working conditions at the University of Copenhagen support a healthy work-life balance and Copenhagen is a family-friendly capital city.

The application deadline is May 24, 2020.

For more information, see https://candidate.hr-manager.net/ApplicationInit.aspx/?cid=1307&departmentId=18971&ProjectId=151668

Closing date for applications:

Contact: Head of Section, Professor Mikkel Thorup (mthorup@di.ku.dk; cell phone +45 2117 9123) and Head of Department, Professor Mads Nielsen (madsn@di.ku.dk; cell phone +45 2460 0599).

More information: https://candidate.hr-manager.net/ApplicationInit.aspx/?cid=1307&departmentId=18971&ProjectId=151668

Event date: 12 November to 13 November 2020
Submission deadline: 26 July 2020
Notification: 16 August 2020

Event date: to
Submission deadline: 30 July 2020

The Institute of Cybersecurity and Cryptology (iC2) at the School of Computing and Information Technology (SCIT), University of Wollongong, Australia, is looking to recruit a new Associate Research Fellow (Level A) who will work on the ARC DP200100144 project titled “Securing Public Cloud Storage with Protection against Malicious Senders”. The Associate Research Fellow will perform the research tasks specified by the project, which include the design of advanced Attribute-Based Encryption and Zero-Knowledge proof systems and their implementations in the cloud platform. The candidate must have solid background and research experience in cryptographic scheme design and implementation. It is expected that the candidate will complete all the research tasks required by the project within the specified timeframe and make significant contributions to the research activities within iC2. The candidate will be mentored by the iC2 Director Professor Willy Susilo to develop novel security solutions for achieving the goals aimed by the ARC DP200100144 project. You will be prompted to respond to a selection criteria questionnaire as part of the application process. Please make sure that you address the selection criteria in addition to submitting your CV. For further information about the position please contact Professor Willy Susilo. Women are underrepresented in this discipline and are encouraged to apply.

Closing date for applications:

Contact: Prof. Willy Susilo (wsusilo at uow dot edu dot au)

More information: https://uowjobs.taleo.net/careersection/in/jobdetail.ftl?job=200507&tz=GMT%2B10%3A00&tzname=Australia%2FSydney

We are proud to announce the winners of the 2020 IACR Test-of-Time Award. This award honors papers published at the 3 IACR flagship conferences 15 years ago which have had a lasting impact on the field.

The Test-of-Time award for Eurocrypt 2005 is awarded to "Fuzzy Identity-Based Encryption " (Amit Sahai and Brent Waters), for laying the foundations of attribute-based encryption and other advanced notions of encryption.

The Test-of-Time award for Crypto 2005 is awarded to "Finding collisions in the full SHA-1 " (Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu), for a breakthrough in the cryptanalysis of hash functions.

The Test-of-Time award for Asiacrypt 2005 is awarded to "Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log" (Pascal Paillier and Damien Vergnaud), developing a new meta-reduction approach in the security proof of cryptosystems.

For more information, see https://www.iacr.org/testoftime.

We present novel strategies and concrete algorithms for the parallel computation of the Supersingular Isogeny-based Diffie-Hellman key exchange (SIDH) protocol when executed on multi-core platforms. The most relevant design idea exploited by our approach is that of concurrently computing scalar multiplication operations along with a parallelized version of the strategies required for constructing and evaluating large smooth degree isogenies. We report experimental results showing that a three-core implementation of our parallel approach achieves an acceleration factor of 1.57 compared against a sequential implementation of the SIKE protocol.

Incentive systems (such as customer loyalty systems) are omnipresent nowadays and deployed in several areas such as retail, travel, and financial services. Despite the benefits for customers and companies, this involves large amounts of sensitive data being transferred and analyzed. These concerns initiated research on privacy-preserving incentive systems, where users register with a provider and are then able to privately earn and spend incentive points.

In this paper we construct an incentive system that improves upon the state-of-the-art in several ways: – We improve efficiency of the Earn protocol by replacing costly zero-knowledge proofs with a short structure-preserving signature on equivalence classes. – We enable tracing of remainder tokens from double-spending transactions without losing backward unlinkability. – We allow for secure recovery of failed Spend protocol runs (where usually, any retries would be counted as double-spending attempts). – We guarantee that corrupt users cannot falsely blame other corrupt users for their double-spending.

We propose an extended formal model of incentive systems and a concrete instantiation using homomorphic Pedersen commitments, ElGamal encryption, structure-preserving signatures on equivalence classes (SPS-EQ), and zero-knowledge proofs of knowledge. We formally prove our construction secure and present benchmarks showing its practical efficiency.