IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
23 June 2020
École polytechnique, France
Job PostingDepending on her/his profile, the chosen candidate will become a member of the cryptography team («Grace», joint with INRIA) at the Department of Computer Science, or of the Department of Economics. Candidates must hold a Ph.D. in computer science or in Economics, and have demonstrated great ability in research and teaching. Candidates must present a scientific research project in relation to blockchains.
The mission of the accepted candidate will be to develop research, coordinate with PhD students and researchers, and also support the activities of the chair, by outreaching to the blockchain network in the Paris area, but also worldwide, and by supporting the communication and PR of the chair. If she/he wishes to, the candidate will be able to complement his or her activity by doing lectures, labs and student projects about blockchain platforms.
Through a fast and lightweight process the candidate will be hired from Winter 2020 for two years, which could be extended for two more years after a further review process. The complementary teaching activity, if any, may complement the base salary. Successful candidates will work at Ecole Polytechnique located in Palaiseau, Paris area, France.
Deadline for Application: July 23rd, 2020
Closing date for applications:
Contact: Daniel Augot, Senior researcher, INRIA and École polytechnique. Daniel.Augot@inria.fr
More information: https://blockchain-chair.io/
CryptoLux Group, University of Luxembourg
Job Posting- Design and cryptanalysis of symmetric cryptographic primitives
- Cryptocurrencies, blockchain
- Privacy enhancing technologies, Tor
- Side-channel attacks and countermeasures
- White-box cryptography
The University offers a two-year employment contract, which may be extended up to five years. The University of Luxembourg offers excellent working conditions and a highly competitive salary. Interested candidates are invited to send their application by email to Alex Biryukov before August 1, 2020. The application should contain a brief cover letter explaining the candidate's research interests, CV with photo, a list of publications and the names and contacts of 3 references.
Closing date for applications:
Contact: Prof. Alex Biryukov
More information: https://www.cryptolux.org/index.php/Vacancies
New Jersey Institute of Technology
Job PostingCandidates are expected to mainly teach courses under the umbrella of Cybersecurity in support of our graduate and undergraduate programs. The successful candidate will also be involved in creating course content and materials with a focus on experiential and project-based learning.
Interested applicants should submit their CV and the names of at least two references by applying as soon as possible at https://njit.csod.com/ats/careersite/JobDetails.aspx?site=1&id=1961. Applications will be reviewed on a rolling basis until the position is filled.
Work environment and location:
The Computer Science department, part of the Ying Wu College of Computing Sciences, is the largest at NJIT, comprising one tenth of the student population. It is also the largest computer science department among all research universities in the New York metropolitan area. Located in Northern New Jersey, within the greater New York Metropolitan area, NJIT is part of a vibrant ecosystem of research universities and corporate research centers.
Closing date for applications:
Contact: Reza Curtmola
More information: https://njit.csod.com/ats/careersite/JobDetails.aspx?site=1&id=1961
21 June 2020
University of Lübeck, Institute of IT-Security, Privacy & Security Group, Lübeck, Germany
Job Posting- enhancing or attacking training-data-privacy in machine learning algorithms
- ensuring or attacking the robustness of machine learning algorithms
- privacy-preserving health applications (including epidemiological applications)
- privacy-preserving Smart Grid, Smart City applications
- anonymous communication
- information security, differential privacy, or cryptography
- mathematical statistics and probability theory
- machine learning
Applications should include a curriculum vitae, a brief description of research interests, transcripts of grades, 2-3 letters of recommendation from teachers or employers, and, if possible, the Master's or Bachelor's thesis and publications.
- Application deadline: 30 August 2020 (later applications might also be considered)
- Starting date: 1 October 2020 (negotiable)
Closing date for applications:
Contact: Prof. Dr. Esfandiar Mohammadi
Privacy & Security group
University of Lübeck
https://mohammadi.eu
More information: https://www.its.uni-luebeck.de/fileadmin/files/jobs/privsec_open_positions.pdf
Chalmers University of Technology, Sweden
Job PostingClosing date for applications:
Contact: Prof. Katerina Mitrokotsa
More information: https://www.chalmers.se/en/about-chalmers/Working-at-Chalmers/Vacancies/Pages/default.aspx?rmpage=job&rmjob=p8404
Jia Xu, Yiwen Gao, Hoonwei Lim
ePrint ReportMichel Abdalla, Junqing Gong, Hoeteck Wee
ePrint Report(1) compact public parameters and key sizes that are independent of $N$ and the secret key can decrypt a ciphertext for any a-prior unbounded $N$;
(2) short ciphertexts that grow with $N$ and the size of $z_i$ but not $x_i$;
(3) simulation-based security against unbounded collusions;
(4) relies on the standard $k$-linear assumption in prime-order bilinear groups.
Tassos Dimitriou
ePrint ReportIn this work, we develop a privacy-preserving reputation scheme for collaborative systems such as P2P networks in which peers can represent themselves with different pseudonyms when interacting with others. All these pseudonyms, however, are bound to the same reputation token. This allows honest peers maintain their good record even when switching to a new pseudonym, while preventing malicious peers from making a fresh start. Apart from an initial offline setup phase which is only needed to ensure reputation soundness but not privacy, our system is truly decentralized. Using an append-only distributed ledger such as Bitcoins blockchain, we show how participants can make anonymous yet verifiable assertions about their own reputation. Thus the system maintains soundness, peer-pseudonym unlinkability as well as unlinkability among pseudonyms of the same peer. We formally prove these properties, we discuss ways to eliminate the setup phase and we evaluate the efficiency of the various operations.
Rémi Clarisse, Sylvain Duquesne, Olivier Sanders
ePrint ReportBecause a randomly picked elliptic curve will not support an efficient pairing (the embedding degree will usually be too large to make any computation practical), a pairing-friendly curve has to be carefully constructed. This has led to famous curves, e.g. Barreto-Naehrig curves.
However, the computation of the discrete logarithm problem on the finite-field side has received much interest and its complexity has recently decreased. Hence the need to propose new curves has emerged.
In this work, we give one new curve that is specifically tailored to be fast over the first pairing-group, which is well suited for several cryptographic schemes, such as group signatures and their variants (EPID, anonymous attestation, etc) or accumulators.
Susan Hohenberger, Venkata Koppula, Brent Waters
ePrint ReportSrinath Setty, Sebastian Angel, Jonathan Lee
ePrint ReportGabriel Zaid, Lilian Bossuet, Amaury Habrard, Alexandre Venelli
ePrint ReportShan Chen, Manuel Barbosa, Alexandra Boldyreva, Bogdan Warinschi
ePrint ReportOur analysis is modular. For CTAP2 and WebAuthn, in turn, we propose appropriate security models that aim to capture their intended security goals and use the models to analyze security. We identify a series of shortcomings and propose stronger protocols designed to withstand stronger yet realistic adversaries. Next, we prove the security guarantees FIDO2 provides based on the security of its components.
We expect that our models and provable security results will help clarify the security guarantees of the FIDO2 protocols. In addition, our proposed constructions should pave the way towards the design and deployment of more secure passwordless user authentication protocols.
Samuel Jaques, Hart Montgomery, Arnab Roy
ePrint ReportWe systematically address these drawbacks. We define formal notions of sequential functions, the building blocks of time-release cryptography. The new definitions are robust against change of machine models, making them more amenable to complexity theoretic treatment. We demonstrate the equivalence of various types of sequential functions under standard cryptographic assumptions. The time-release primitives in the literature (such as those defined by Bitansky et al. (ITCS '16)) imply that these primitives exist, as well as the converse.
However, showing that a given construction is a sequential function is a hard circuit lower bound problem. To our knowledge, no results show that standard cryptographic assumptions imply any sequentiality. For example, repeated squaring over RSA groups is assumed to be sequential, but nothing connects this conjecture to standard hardness assumptions. To circumvent this, we construct a function that we prove is sequential if there exists any sequential function, without needing any specific knowledge of this hypothetical function. Our techniques use universal circuits and fully homomorphic encryption and generalize some of the elegant techniques of the recent work on lattice NIZKs (Canetti et al., STOC '19).
Using our reductions and sequential function constructions, we build VDFs and sequential proofs of work from fully homomorphic encryption, incremental verifiable computation, and the existence of a sequential function. Though our constructions are theoretical in nature and not competitive with existing techniques, they are built from much weaker assumptions than known constructions.
Arka Rai Choudhuri, Aarushi Goel, Matthew Green, Abhishek Jain, Gabriel Kaptchuk
ePrint ReportIn this work, we initiate the study of ``fluid MPC'', where parties can dynamically join and leave the computation. The minimum commitment required from each participant is referred to as ``fluidity'', measured in the number of rounds of communication that it must stay online. Our contributions are threefold:
1) We provide a formal treatment of fluid MPC, exploring various possible modeling choices.
2) We construct information-theoretic fluid MPC protocols in the honest-majority setting. Our protocols achieve ``maximal fluidity'', meaning that a party can exit the computation after receiving and sending messages in one round.
3) We implement our protocol and test it in multiple network settings.
Thomas Attema, Ronald Cramer, Serge Fehr
ePrint ReportIn this paper we focus on the discrete logarithms (DL) setting; the prover's claim pertains to knowledge of discrete logarithms of $k$-out-of-$n$ given elements from a group supporting DL-based cryptography. Groth and Kohlweiss (EUROCRYPT 2015) have shown how to solve the special case $k=1$ and general $n$ with logarithmic communication instead of linear. However, their method, which is original, takes explicit advantage of $k=1$ and does not generalize to $k>1$ without losing all advantage over prior work.
Our contributions are as follows. We show a solution with logarithmic communication for general $k,n$ instead of just $k=1$ and general $n$ from prior work. Applying the Fiat-Shamir transform renders a non-interactive logarithmic-size zero-knowledge proof. Our approach deploys a novel twist on a basic primitive from Compressed $\Sigma$-Protocol Theory (CRYPTO 2020) that we then utilize to compress a carefully chosen adaptation of the CRYPTO 1994 approach down to logarithmic size. Interestingly, even for $k=1$ and general $n$ our approach improves prior work as it reduces communication up to almost a factor $1/2$.
We also generalize this to proofs of partial knowledge about compact commitments of long vectors. Optionally, the prover may at the same time demonstrate his secret to satisfy some arbitrary given constraint. Finally, we also generalize from threshold to arbitrary access structures.
Joël Alwen, Sandro Coretti, Daniel Jost, Marta Mularczyk
ePrint ReportThe work of Alwen et al. (CRYPTO'20), introduced the CGKA primitive and identified it as a crucial component for constructing end-to-end secure group messaging protocols (SGM) (though we believe there are certainly more applications given the fundamental nature of key agreement). The authors analyzed the TreeKEM CGKA, which lies at the heart of the SGM protocol under development by the IETF working group on Messaging Layer Security (MLS).
In this work, we continue the study of CGKA as a stand-alone cryptographic primitive. We present $3$ new security notions with increasingly powerful adversaries. Even the weakest of the 3 (passive security) already permits attacks to which all prior constructions (including all variants of TreeKEM) are vulnerable.
Going further, the 2 stronger (active security) notions additionally allow the adversary to use parties' exposed states (and full network control) to mount attacks. These are closely related to so-called insider attacks, which involve malicious group members actively deviating from the protocol. Insider attacks present a significant challenge in the study of CGKA (and SGM). Indeed, we believe ours to be the first security notions (and constructions) to formulate meaningful guarantees (e.g. PCFS) against such powerful adversaries. They are also the first composable security notions for CGKA of any type at all.
In terms of constructions, for each of the 3 security notions we provide a new CGKA scheme enjoying sub-linear (potentially even logarithmic) communication complexity in the number of group members. We prove each scheme optimally secure, in the sense that the only security violations possible are those necessarily implied by correctness.
Nils Albartus, Max Hoffmann, Sebastian Temme, Leonid Azriel, Christof Paar
ePrint ReportThis work presents DANA, a generic, technology-agnostic, and fully automated dataflow analysis methodology for flattened gate-level netlists. By analyzing the flow of data between individual FFs, DANA recovers high-level registers. The key idea behind DANA is to combine independent metrics based on structural and control information with a powerful automated architecture. Notably, DANA works without any thresholds, scenario-dependent parameters, or other "magic" values that the user must choose. We evaluate DANA on nine modern hardware designs, ranging from cryptographic co-processors, over CPUs, to the OpenTitan, a state-of-the-art SOC, which is maintained by the lowRISC initiative with supporting industry partners like Google and Western Digital. Our results demonstrate almost perfect recovery of registers for all case studies, regardless whether they were synthesized as FPGA or ASIC netlists. Furthermore, we explore two applications for dataflow analysis: we show that the raw output of DANA often already allows to identify crucial components and high-level architecture features and also demonstrate its applicability for detecting simple hardware Trojans.
Hence, DANA can be applied universally as the first step when investigating unknown netlists and provides major guidance for human analysts by structuring and condensing the otherwise incomprehensible sea of gates. The implementation of DANA, synthesized netlists, and detailed results will be released as open source.
Max Hoffmann, Christof Paar
ePrint ReportIn this work, we present Doppelganger, the first generic design-level obfuscation technique that is based on low-level camouflaging. Doppelganger obstructs central control modules of digital designs, e.g., FSMs or bus controllers, resulting in two different design functionalities: an apparent one that is recovered during reverse engineering and the actual one that is executed during operation. Notably, both functionalities are under the designer's control.
In two case studies, we apply Doppelganger to a universal cryptographic coprocessor. First, we show the defensive capabilities by presenting the reverse engineer with a different mode of operation than the one that is actually executed at an area overhead of less than 0.6%. Then, for the first time, we demonstrate the considerable threat potential through low-level obfuscation. We show how an invisible, remotely exploitable key-leakage Trojan can be injected into the same cryptographic coprocessor just through obfuscation at an area overhead of mere 0.01%.