International Association
for Cryptologic Research

In this article we present the BB84 quantum key distribution scheme from two perspectives. First, we provide a theoretical discussion of the steps Alice and Bob take to reach a shared secret using this protocol, while an eavesdropper Eve is either involved or not. Then, we offer and discuss two distinct implementations that simulate BB84 using IBM’s Qiskit framework, the first being an exercise solved during the “IBM Quantum Challenge” event in early May 2020, while the other was developed independently to showcase the intercept-resend attack strategy in detail. We note the latter’s scalability and increased output verbosity, which allow for a statistical analysis to determine the probability of detecting the act of eavesdropping.

The tight security bound of the Key-Alternating Cipher (KAC) construction whose round permutations are independent from each other has been well studied. Then a natural question is how the security bound will change when we use fewer permutations in a KAC construction. In CRYPTO 2014, Chen et al. proved that 2-round KAC with a single permutation (2KACSP) has the same security level as the classic one (i.e., 2-round KAC). But we still know little about the security bound of incompletely-independent KAC constructions with more than 2 rounds. In this paper,we will show that a similar result also holds for 3-round case. More concretely, we prove that 3-round KAC with a single permutation (3KACSP) is secure up to $\varTheta(2^{\frac{3n}{4}})$ queries, which also caps the security of 3-round KAC. To avoid the cumbersome graphical illustration used in Chen et al.'s work, a new representation is introduced to characterize the underlying combinatorial problem. Benefited from it, we can handle the knotty dependence in a modular way, and also show a plausible way to study the security of $r$KACSP. Technically, we abstract a type of problems capturing the intrinsic randomness of $r$KACSP construction, and then propose a high-level framework to handle such problems. Furthermore, our proof techniques show some evidence that for any $r$, $r$KACSP has the same security level as the classic $r$-round KAC in random permutation model.

In this paper we present an analysis of the SpoC cipher, a second round candidate of the NIST Lightweight Crypto Standardization process. First we present a differential analysis on the sLiSCP-light permutation, a core element of SpoC. Then we propose a series of attacks on both versions of SpoC, namely round-reduced differential tag forgery and message recovery attacks, as well as a time-memory trade-off key-recovery attack on the full round version of Spoc-64. Finally, we present an observation regarding the constants used in the sLiSCP-light permutation. To the best of our knowledge, this paper represents the first third-party analysis on both SpoC cipher and the sLiSCP-light permutation.

Studying the security and efficiency of blind signatures is an important goal for privacy sensitive applications. In particular, for large-scale settings (e.g. cryptocurrency tumblers), it is important for schemes to scale well with the number of users in the system. Unfortunately, all practical, group-based schemes either 1) rely on (very strong) number theoretic hardness assumptions and computationally expensive pairing operations over bilinear groups or 2) support only a polylogarithmic number of \emph{concurrent} (i.e., arbitrarily interleaved) signing sessions per public key. Following the recent work of Fuchsbauer et al. (EUROCRYPT `20), we revisit the security of two \emph{pairing-free} blind signature schemes in the algebraic group model (AGM) + Random Oracle Model (ROM). First, we prove that the popular blind Schnorr scheme is secure under the one-more discrete logarithm assumption if (polynomially many) signatures are issued \emph{sequentially}. This stands in stark contrast to the results of Fuchsbauer et al. and Benhamouda et al. (EPRINT `20). Under the same assumptions, their (combined) results imply security against a polynomial time attacker iff the signer opens at most polylogarithmically many \emph{concurrent} signing sessions. We then reconsider the security of Abe's scheme (EUROCRYPT `01), which is known to have a flawed proof in the plain ROM. We give a proof under the discrete logarithm assumption in the AGM+ROM, even for (polynomially many) \emph{concurrent} signing sessions. Finally, we demonstrate that these pairing-free signature schemes are immediately usable in a real-world setting. Using a cryptocurrency tumbling service as a model, we benchmark the Schnorr and Abe schemes under different workloads and degrees of parallelism and conclude that they can both handle large workloads at reasonable security levels, and have distinct optimal use cases.

Let $\mathbb{F}_{\!q}$ be a finite field and $E_b\!: y_0^2 = x_0^3 + b$ be an ordinary elliptic $\mathbb{F}_{\!q}$-curve of $j$-invariant $0$ such that $\sqrt{b} \in \mathbb{F}_{\!q}$. In particular, this condition is fulfilled for the curve BLS12-381 and for one of sextic twists of the curve BW6-761 (in both cases $b=4$). These curves are very popular in pairing-based cryptography. The article provides an efficient constant-time hashing $h\!: \mathbb{F}_{\!q} \to E_b(\mathbb{F}_{\!q})$ of an absolutely new type for which at worst $\#\mathrm{Im}(h) \approx q/6$. The main idea of our hashing consists in extracting in $\mathbb{F}_{\!q}$ a cubic root instead of a square root as in the well known (universal) SWU hashing and in its simplified analogue. Besides, the new hashing can be implemented without quadratic and cubic residuosity tests (as well as without inversions) in $\mathbb{F}_{\!q}$. Thus in addition to the protection against timing attacks, $h$ is much more efficient than the SWU hashing, which generally requires to perform two quadratic residuosity tests in $\mathbb{F}_{\!q}$. For instance, in the case of BW6-761 this allows to avoid at least approximately $2 \!\cdot\! 761 \approx 1500$ field multiplications.

We address the problem of constructing zkSNARKs whose SRS is $\mathit{universal}$ – valid for all relations within a size-bound – and $\mathit{updatable}$ – a dynamic set of participants can add secret randomness to it indefinitely thus increasing confidence in the setup. We investigate formal frameworks and techniques to design efficient universal updatable zkSNARKs with linear-size SRS and their commit-and-prove variants.

We achieve a collection of zkSNARKs with different tradeoffs. One of our constructions achieves the smallest proof size and proving time compared to the state of art for proofs for arithmetic circuits. The language supported by this scheme is a variant of R1CS, called R1CS-lite, introduced by this work. Another of our constructions supports directly standard R1CS and improves on previous work achieving the fastest proving time for this type of constraint systems.

We achieve this result via the combination of different contributions: (1) a new algebraically-flavored variant of IOPs that we call $\mathit{Polynomial}$ $\mathit{Holographic}$ $\mathit{IOPs}$ (PHPs), (2) a new compiler that combines our PHPs with $\mathit{commit}$-$\mathit{and}$-$\mathit{prove}$ $\mathit{\ zkSNARKs}$ for committed polynomials, (3) pairing-based realizations of these CP-SNARKs for polynomials, (4) constructions of PHPs for R1CS and R1CS-lite, (5) a variant of the compiler that yields a commit-and-prove universal zkSNARK.

Private Information Retrieval (PIR) is one of the promising techniques to preserve user privacy in the presence of trusted-but- curious servers. The information-theoretically private query construction assures the highest user privacy over curious and unbounded computation servers. Therefore, the need for information-theoretic private retrieval was fulfilled by various schemes in a variety of PIR settings. To augment previous work, we propose a combination of new bit connection methods called rail-shape and signal-shape and new quadratic residuosity assumption based family of trapdoor functions for generic single database Private Block Retrieval (PBR). The main goal of this work is to show that the possibility of mapping from computationally bounded privacy to information-theoretic privacy or vice-versa in a single database setting using newly constructed bit connection and trapdoor function combinations. The proposed bit connection and trapdoor function combinations have achieved the following results. • Single Database information-theoretic PBR (SitPBR): The proposed combinations are used to construct SitPBR in which the user privacy is preserved through the generation of information-theoretic queries and data privacy is preserved using quadratic residuosity assumption. • Single Database computationally bounded PBR (ScPBR): The proposed combinations are used to construct ScPBR in which both user privacy and data privacy are preserved using a well-known intractability assumption called quadratic residuosity assumption. • Map(SitPBR)→ScPBR: The proposed combinations can be used to transform (or map) SitPBR into ScPBR scheme by choosing appropriate function parameters. • Map(ScPBR)→SitPBR: The proposed combinations can be used to transform (or map) ScPBR into SitPBR scheme by choosing appropriate function parameters. All the proposed schemes are single round, memoryless and plain database schemes (at their basic constructions).

PhD candidate to work on Cryptography secured against physical attacks. The traditional application of cryptography is the protection of communication lines. In modern applications the attacker often has physical access to the device that is executing the cryptographic algorithm, and can measure side channels (execution time, power consumption, electro-magnetic radiation) or perform fault attacks. With the advent of the IOT, the interest in embedded cryptographic systems and side-channel/fault attacks on these systems is steadily increasing. Protection against side channel attacks (SCA) is usually done via masking, i.e. by randomizing any sensitive data manipulated during computations. Protection against fault injection attacks (FA)is typically done either by duplication or by using infection, i.e., ensuring that any induced fault results in a garbage output. The research direction of combined countermeasures -that is, countermeasures against both SCA and FA -is quite young and experimental. We are looking for a postdoc to work on: (1) formal security definitions and methods to defend implementations against combined attacks as well as new countermeasures against combined attacks which have improved performance and a more realistic adversary model. (2) the development of robust automated verification tools capable of handling entire and practical implementations. (3) defining metrics for combined security and to develop procedures for their evaluation using verification tools. Specific Skills Required: The candidates should hold a PhD degree with aproven research track record in any aspects of Cryptography or Embedded Security. We are especially looking for researchers with a broad research spectrum, going from mathematical aspects, to implementations on FPGA and physical attacks evaluation.

Closing date for applications:

Contact: jobs-cosic@esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

We are looking for a Post-Doc in post-quantum cryptography, including cryptanalysis, secure implementation, hardness of underlying problems, novel primitives and protocols. We are in particular interested in people who have hands on experience with the design, implementation and/or analysis of cryptosystems submitted to NIST's post-quantum standardization effort. Strong background in mathematics is an absolute must, together with computer science and cryptography. A proven research track record in any aspects of post-quantum cryptography is required. We are especially looking for researchers with a broad research spectrum, going from mathematical aspects, to very practical such as implementation aspects

Closing date for applications:

Contact: jobs-cosic@esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

PhD position on Cybersecurity Attacks on the Electric Supply System (CYPRESS project) We haven an open PhD position in the domain of cybersecurity of critical infrastructures –more particular of the electric energy supply system. The position is funded by the federal ETF project CYPRESS. This is a fundamental research project, in collaboration with other Belgian research groups, with the ambition to contribute to the cyber-physical reliability management of the electric transmission grid. The three goals of the projects are to: (i) improve modeling practice, (ii) perform cyber-physical risk assessment, and (iii) develop appropriate mitigation approaches. The cyber-physical risks considered in the projects range from simple bugs and configuration errors to malicious tampering and cybersecurity attacks. The security researcher that will be working on this project, will focus in particular on the security evaluation of critical (embedded) components in the electric energy supply system and corresponding countermeasures to mitigate these security threats. The security evaluation work in the CYPRESS project includes both risk and threat modeling as well as actual lab work (i.e. embedded security analysis –hacking–of the components in a lab setup). Candidates must hold a master’s degree in electronics engineering or computer science, have good grades and have a keen interest in cryptography and embedded security. The applicant should have a strong background in C and C++. Prior research experience in embedded security, reverse-engineering and/or hacking of IoT devices is an advantage.

Closing date for applications:

Contact: jobs-cosic@esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

HashCloak Inc is a R&D lab and consultancy focused on privacy, anonymity and scalability for blockchains and cryptocurrencies. Our team is well-known for working on state of the art Ethereum projects such as Ethereum 2.0, Shyft Network and Althea, for pioneering optimistic rollups and bringing forth the first empirical analysis of Ethereum's privacy guarantees and applications.

We are hiring our very first research engineer that will help us bring our internal research projects to the world. As a research engineer at HashCloak, you will have the opportunity to work on anonymous networking, private information retrieval, zero-knowledge proofs and many more exciting areas at the intersection pf cryptography, game theory and finance!

You will be working with a small, young and international team based in different time zones around the world. We are a remote-only company and have a very flexible and relaxed culture.

As our first research engineer, you will have many of the following qualifications:

• Master's degree or above in cryptography, computer science, mathematics or related fields
• 3+ years programming experience in a systems programming language such as C/C++, Go (Preferred), Rust (Preferred).
• Knowledge of one or more of the following: anonymous networking, zero-knowledge proofs, PIR, MPC
• Knowledge of secure software practices
• Experience in deploying production-ready applications

At HashCloak, you will have the following responsibilities:

• Implement PoCs and prototypes for our internal research projects
• Conducting research in one of the previously mentioned fields
• Collaborate with our clients and research partners
• Write papers targeted at top conferences as well as blog posts targeted at general audiences
• Contribute to open source projects that we use in our research
• Stay up to date on research and development in the blockchain and cryptography ecosystems

For consideration, please send a CV/Resume with a link to Github or any other website that showcases code you have written to careers@hashcloak.com with the subject line "Rese

Closing date for applications:

Contact: Mikerah Quintyne-Collins - CEO and Founder

Multiple positions are available. Candidates should have the expertise on applied crypto, ML, IoT/CPS security and programming skill.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou. Only short-listed candidates will be contacted for interview.

Closing date for applications:

Contact: Prof. Jianying Zhou (jianying_zhou@sutd.edu.sg)

More information: http://jianying.space/

(COVID-19 may slow down the process, but our hiring is not disrupted) The Cryptanalysis Taskforce at Nanyang Technological University in Singapore led by Prof. Jian Guo is seeking for candidates to fill 3 post-doctoral research fellow positions on symmetric-key cryptography, including but not limited to the following sub-areas:

• tool aided cryptanalysis, such as MILP, CP, STP, and SAT
• machine learning aided cryptanalysis and designs
• privacy-preserving friendly symmetric-key designs
• quantum cryptanalysis
• theory and Proof
• cryptanalysis against SHA-3 and AES

Established in 2014, the Cryptanalysis Taskforce is a group dedicated for research in symmetric-key cryptography. Since then, the team has been active in both publications in and services for IACR. It has done quite some cryptanalysis work on various important targets such as SHA-3, and is expanding its interests to the areas mentioned above, with strong funding support from the university and government agencies in Singapore. We offer competitive salary package with extremely low tax, as well as excellent environment dedicating for research in Singapore. The contract will be initially for 2 years, and has the possibility to be extended. Candidates are expected to have proven record of publications in IACR conferences. Interested candidates are to send their CV and 2 reference letters to Jian Guo. Review of applicants will start immediately until the positions are filled. More information about the Cryptanalysis Taskforce research group can be found via http://team.crypto.sg

Closing date for applications:

Contact: Asst Prof. Jian Guo, guojian@ntu.edu.sg

More information: http://team.crypto.sg

This paper presents a constant time hardware implementation of the NIST round 2 post-quantum cryptographic algorithm Streamlined NTRU Prime. We implement the entire KEM algorithm, including all steps for key generation, encapsulation and decapsulation, and all en- and decoding. We focus on optimizing the resources used, as well as applying optimization and parallelism available due to the hardware design. We show the core en- and decapsulation requires only a fraction of the total FPGA fabric resource cost, which is dominated by that of the hash function, and the en- and decoding algorithm. For the NIST Security Level 3, our implementation uses a total of 1841 slices on a Xilinx Zynq Ultrascale+ FPGA, together with 14 BRAMs and 19 DSPs. The maximum achieved frequency is 271 MHz, at which the key generation, encapsulation and decapsulation take 4808 μs, 524 μs and 958 μs respectively. To our knowledge, this work is the first full hardware implementation where the entire algorithm is implemented.

In this work, we propose different techniques that can be used to implement the ROLLO, and partially RQC, family of algorithms in a standalone, efficient and constant time library. For simplicity, we focus our attention on one specific instance of this family, ROLLO-I-128. For each of these techniques, we present explicit code (with intrinsics when required), or pseudo-code and performance measures to show their impact. More precisely, we use a combination of original and known results and describe procedures for Gaussian reduction of binary matrices, generation of vectors of given rank, multiplication with lazy reduction and inversion of polynomials in a composite Galois field. We also carry out a global performance analysis to show the impact of these improvements on ROLLO-I-128. Through the SUPERCOP framework, we compare it to other 128-bit secure KEMs in the NIST competition. To our knowledge, this is the first optimized full constant time implementation of ROLLO-I-128.

Side-channel attacks based on machine learning have recently been introduced to recover the secret information from software and hardware implementations of mathematically secure algorithms. Convolutional Neural Networks (CNNs) have proven to outperform the template attacks due to their ability of handling misalignment in the symmetric algorithms leakage data traces. However, one of the limitations of deep learning algorithms is the requirement of huge datasets for model training. For evaluation scenarios, where limited leakage trace instances are available, simple machine learning with the selection of proper feature engineering, data splitting, and validation techniques, can be more effective. Moreover, limited analysis exists for public-key algorithms, especially on non-traditional implementations like those using Residue Number System (RNS). Template attacks are successful on RNS-based Elliptic Curve Cryptography (ECC), only if the aligned portion is used in templates. In this study, we present a systematic methodology for the evaluation of ECC cryptosystems with and without countermeasures against machine learning side-channel attacks using two attack models. RNS-based ECC datasets have been evaluated using four machine learning classifiers and comparison is provided with existing state-of-the-art template attacks. Moreover, we analyze the impact of raw features and advanced hybrid feature engineering techniques, along with the effect of splitting ratio. We discuss the metrics and procedures that can be used for accurate classification on the imbalance datasets. The experimental results demonstrate that, for ECC RNS datasets, the efficiency of simple machine learning algorithms is better than the complex deep learning techniques when such datasets are not so huge.

I describe a non-interactive transaction scheme for Mimblewimble protocol, so as to overcome the usability issue of the Mimblewimble wallet. With the Diffie–Hellman, we can use an Ephemeral Key shared between the sender and the receiver, a public nonce R is added to the output for that, removing the interactive cooperation procedure. And an additional one-time public key P' is used to lock the output to make it only spendable for the receiver, i.e. the owner of P'. The new data R and P' can be committed into the bulletproof to avoid the miner’s modification. Furtherly, to keep Mimblewimble privacy character, the Stealth Address is used in this new transaction scheme. All the cost of these new features is 66-bytes additional data (the public nonce R and the one-time public key P') in each output, and 64-bytes additional signature data in each input. That is about 12% payload size increasing in a typical single input double outputs Mimblewimble transaction.

This paper constructs unbounded simulation sound proofs for boolean circuit satisfiability under standard assumptions with proof size O(n+d) bilinear group elements, where d is the depth and n is the input size of the circuit. Our technical contribution is to add unbounded simulation soundness to a recent NIZK of González and Ràfols (ASIACRYPT'19) with very small overhead. We give two different constructions: the first one is more efficient but not tight, and the second one is tight. Our new scheme can be used to construct Signatures of Knowledge based on standard assumptions that also can be composed universally with other cryptographic protocols/primitives.

As an independent contribution we also detail a simple formula to encode Boolean circuits as Quadratic Arithmetic Programs.

We present the implementation of Grover's algorithm in a quantum simulator to perform a quantum search for preimages of two scaled hash functions, whose design only uses modular addition, word rotation, and bitwise exclusive or. Our implementation provides the means to assess with precision the scaling of the number of gates and depth of a full-fledged quantum circuit designed to find the preimages of a given hash digest. The detailed construction of the quantum oracle shows that the presence of AND gates, OR gates, shifts of bits and the reuse of the initial state along the computation, require extra quantum resources as compared with other hash functions based on modular additions, XOR gates and rotations. We also track the entanglement entropy present in the quantum register at every step along the computation, showing that it becomes maximal at the inner core of the first action of the quantum oracle, which implies that no classical simulation based on Tensor Networks would be of relevance. Finally, we show that strategies that suggest a shortcut based on sampling the quantum register after a few steps of Grover's algorithm can only provide some marginal practical advantage in terms of error mitigation.

In the conference “Fast Software Encryption 2015”, a new line of research was proposed by introducing the first small-state stream cipher (SSC). The goal was to design lightweight stream ciphers for hardware application by going beyond the rule that the internal state size must be at least twice the intended security level. Time-memory-data trade-off (TMDTO) attacks and fast correlation attacks (FCA) were successfully applied to all proposed SSCs which can be implemented by less than 1000 gate equivalents in hardware. It is possible to increase the security of stream ciphers against FCA by exploiting more complicated functions for the nonlinear feedback shift register and the output function, but we use lightweight functions to design the lightest SSC in the world while providing more security against FCA. Our proposed cipher provides 80-bit security against TMDTO distinguishing attacks, while Lizard and Plantlet provide only 60-bit and 58-bit security against distinguishing attacks, respectively. Our main contribution is to propose a lightweight round key function with a very long period that increases the security of SSCs against FCA.