International Association
for Cryptologic Research

CISPA is looking for candidates that hold a doctoral degree in computer science or related areas and have an outstanding research track record in all areas related to efficient algorithms and the foundations of theoretical computer science, including theory of cryptography, differential privacy, algorithmic fairness, computational complexity, data structures and the design of efficient algorithms.

CISPA offers two main types of faculty positions.

Tenure track: these positions are intended for candidates with excellent research credentials and the potential to pursue a program of innovative research. The positions are comparable to tenure-track positions at a leading university, and come with two full time research staff positions and generous support for other expenses.

Tenured: these positions are intended for established leading researchers with an outstanding scientific track record, and can be compared to an endowed chair at a leading university. All applicants are expected to build up a research team that pursues an internationally visible research agenda. Candidates for senior positions must be internationally renowned scientists.

All applicants are strongly encouraged to submit their complete application by November 30, 2020 for full consideration. However, applications will continue to be accepted until December 10, 2020.

CISPA values diversity and is committed to equality. We provide special support for dual-career couples. We highly encourage female researchers to apply. For more information about CISPA, see https://cispa.saarland

Closing date for applications:

Contact: scientific-recruiting@cispa.saarland

More information: https://jobs.cispa.saarland/jobs/department/faculty-14

CISPA is looking for candidates that hold a doctoral degree in computer science or related areas and have an outstanding research track record in all areas related to information security and privacy , especially in the fields of software security, security of critical infrastructure and embedded systems.

CISPA offers two main types of faculty positions.

Tenure track: these positions are intended for candidates with excellent research credentials and the potential to pursue a program of innovative research. The positions are comparable to tenure-track positions at a leading university, and come with two full time research staff positions and generous support for other expenses.

Tenured: these positions are intended for established leading researchers with an outstanding scientific track record, and can be compared to an endowed chair at a leading university. All applicants are expected to build up a research team that pursues an internationally visible research agenda. Candidates for senior positions must be internationally renowned scientists.

All applicants are strongly encouraged to submit their complete application by November 30, 2020 for full consideration. However, applications will continue to be accepted until December 10, 2020.

CISPA values diversity and is committed to equality. We provide special support for dual-career couples. We highly encourage female researchers to apply. For more information about CISPA, see https://cispa.saarland

Closing date for applications:

Contact: scientific-recruiting@cispa.saarland

More information: https://jobs.cispa.saarland/de_DE/jobs/department/faculty-14

Prof. Fan Zhang at the Dept. of Computer Science at Duke University, Durham, NC is looking for multiple PhD students to work on related topics in security, privacy, and applied cryptography, including:

• Blockchain and smart contract security
• Trusted hardware security
• Scalable and fair consensus protocols
• Privacy enhancing technology (e.g., anonymous communication)

The positions start in 2021 Fall. Visit http://fanzhang.me to learn more about Prof. Zhang and his research.

Closing date for applications:

Contact: Fan Zhang

More information: https://www.fanzhang.me/opening/ads.html

Symmetric Key and Lightweight Cryptography Lab (SyLLab) at Nanyang Technological University (Singapore) is looking for candidates for 2 Research Fellow / Post-Doc positions (from fresh Post-Docs to Senior Research Fellow, flexible contract duration) on various topics, such as symmetric-key design/cryptanalysis, lightweight cryptography, cryptography for automotive industry, side-channel analysis, machine learning aided cryptanalysis. Candidates are expected to have a proven record of publications in top cryptography/security venues. Salaries are competitive and are determined according to the successful applicants' accomplishments, experience and qualifications. Interested applicants should send their detailed CVs, cover letter and references to Prof. Thomas Peyrin (thomas.peyrin@ntu.edu.sg). Review of applications starts immediately and will continue until positions are filled.

Closing date for applications:

Contact: Thomas Peyrin: thomas.peyrin@ntu.edu.sg

Our Computational Privacy Group at Imperial College London is offering fully funded PhD positions for 2021 to study privacy, data protection, and the impact of algorithms on society.

Topics of current interests include, for instance, individual privacy in large-scale behavioral datasets; re-identification attacks against privacy-preserving data systems or aggregates, privacy of machine learning models, privacy engineering solutions such as differential privacy and query-based systems, ethics and fairness in AI, and computational social science.

For full details, please consult https://cpg.doc.ic.ac.uk/openings/

Deadline: Nov 1th 2020 (first deadline)

Recommended prerequisites. MSc or MEng (4y BEng will be considered) in computer science, statistics, mathematics, physics, electrical engineering, or a related field. Experience in data science, statistics and/or machine learning is a plus.

We encourage all qualified candidates to apply, in particular women, disabled, BAME, and LGBTQIA+ candidates.

About Imperial. Imperial College London, ranked 9th globally, is one of the top universities in the world. A full-time PhD at the South Kensington Campus takes 3-4 years, is fully funded and usually starts in October or January.

Closing date for applications:

Contact:
demontjoye@imperial.ac.uk
- Using as subject: “PhD Application 2020: YOUR NAME”
- Including a link (e.g. Imperial’s Filedrop system or Dropbox) to your CV and transcripts for each degree

More information: https://cpg.doc.ic.ac.uk/openings/

We provide a formal proof for the indifferentiability of SKINNY-HASH internal function from a random oracle. SKINNY-HASH is a family of function-based sponge hash functions, and it was selected as one of the second round candidates of the NIST lightweight cryptography competition. Its internal function is constructed from the tweakable block cipher SKINNY. The construction of the internal function is very simple and the designers claim $n$-bit security, where $n$ is the block length of SKINNY. However, a formal security proof of this claim is not given in the original specification of SKINNY-HASH. In this paper, we formally prove that the internal function of SKINNY-HASH has $n$-bit security, i.e., it is indifferentiable from a random oracle up to $O(2^n)$ queries, substantiating the security claim of the designers.

The deadline for nominating IACR members for the 2021 IACR Fellows class is extended to December 1st for this year.

The IACR Fellows Program recognizes outstanding IACR members for technical and professional contributions to the field of cryptology.

Information about nominating a Fellow is available here.

The contributions of this paper are twofold. First, we simplify the description of the Unbalanced Oil and Vinegar scheme (UOV) and its Rainbow variant, which makes it easier to understand the scheme and the existing attacks. We hope that this will make UOV and Rainbow more approachable for cryptanalysts. Secondly, we give two new attacks against the UOV and Rainbow signature schemes; the intersection attack that applies to both UOV and Rainbow and the rectangular MinRank attack that applies only to Rainbow. Our attacks are more powerful than existing attacks. In particular, we estimate that compared to previously known attacks, our new attacks reduce the cost of a key recovery by a factor of $2^{17}$, $2^{53}$, and $2^{73}$ for the parameter sets submitted to the second round of the NIST PQC standardization project targeting the security levels I, III, and V respectively. For the third round parameters, the cost is reduced by a factor of $2^{20}$, $2^{40}$, and $2^{55}$ respectively. This means all these parameter sets fall short of the security requirements set out by NIST.

Dynamic searchable symmetric encryption (SSE) supports updates and keyword searches in tandem on outsourced symmetrically encrypted data, while aiming to minimize the information revealed to the (untrusted) host server. The literature on dynamic SSE has identified two crucial security properties in this regard - forward and backward privacy. Forward privacy makes it hard for the server to correlate an update operation with previously executed search operations. Backward privacy limits the amount of information learnt by the server about documents that have already been deleted from the database.

To date, work on forward and backward private SSE has focused mainly on single keyword search. However, for any SSE scheme to be truly practical, it should at least support conjunctive keyword search. In this setting, most prior SSE constructions with sub-linear search complexity do not support dynamic databases. The only exception is the scheme of Kamara and Moataz (EUROCRYPT'17); however it only achieves forward privacy. Achieving both forward and backward privacy, which is the most desirable security notion for any dynamic SSE scheme, has remained open in the setting of conjunctive keyword search.

In this work, we develop the first forward and backward private SSE scheme for conjunctive keyword searches. Our proposed scheme, called Oblivious Dynamic Cross Tags (or ODXT in short) scales to very large arbitrarily-structured databases (including both attribute-value and free-text databases). ODXT provides a realistic trade-off between performance and security by efficiently supporting fast updates and conjunctive keyword searches over very large databases, while incurring only moderate access pattern leakages to the server that conform to existing notions of forward and backward privacy. We precisely define the leakage profile of ODXT, and present a detailed formal analysis of its security. We then demonstrate the practicality of ODXT by developing a prototype implementation and evaluating its performance on real world databases containing millions of documents.

We introduce a new primitive in information-theoretic cryptography, namely zero-communication reductions (ZCR), with different levels of security. We relate ZCR to several other important primitives, and obtain new results on upper and lower bounds. In particular, we obtain new upper bounds for PSM, CDS and OT complexity of functions, which are exponential in the information complexity of the functions. These upper bounds complement the results of Beimel et al. (2014) which broke the circuit-complexity barrier for ``high complexity'' functions; our results break the barrier of input size for ``low complexity'' functions. We also show that lower bounds on secure ZCR can be used to establish lower bounds for OT-complexity. We recover the known (linear) lower bounds on OT-complexity by Beimal and Malkin (2004) via this new route. We also formulate the lower bound problem for secure ZCR in purely linear-algebraic terms, by defining the invertible rank of a matrix. We present an Invertible Rank Conjecture, proving which will establish super-linear lower bounds for OT-complexity (and if accompanied by an explicit construction, will provide explicit functions with super-linear circuit lower bounds).

We report the homomorphic evaluation of the SM4 symmetric block-cipher based on BGV homomorphic encryption scheme. We implement bootstrapping and non-bootstrapping homomorphic evaluation of the 32-rounds SM4 based on HELib with about 128-bit security level. Our ways refer to and are similar as the AES homomorphic evaluation. The implementation uses packed ciphertexts and bytes in slots. The S-Box evaluation is similar as the AES evaluation method, and the Linear Transform layer uses the permutation of the bytes in states. Since the rounds are more than the AES and the SM4's feistel structer is different with the AES, the depths and levels of homomorphic evaluation of the SM4 are much more than AES, so need larger parameter(non-bootstrapping) and more bootstrapping. Our bootstrapping implementaion(3 ciphertexts, 360 blocks) runs about 1.5 hours on Macbook Pro(MacOS catalina 10.15, 16G), and the non-bootstrapping(1 ciphertext, 480 block) implementation runs about 6 hours on Macbook Pro(MacOS catalina 10.15, 16G).

Quantum copy protection uses the unclonability of quantum states to construct quantum software that provably cannot be pirated. Copy protection would be immensely useful, but unfortunately little is known about how to achieve it in general. In this work, we make progress on this goal, by giving the following results: –We show how to copy protect any program that cannot be learned from its input/output behavior, relative to a classical oracle. This improves on Aaronson [CCC’09], which achieves the same relative to a quantum oracle. By instantiating the oracle with post-quantum candidate obfuscation schemes, we obtain a heuristic construction of copy protection. –We show, roughly, that any program which can be watermarked can be copy detected, a weaker version of copy protection that does not prevent copying, but guarantees that any copying can be detected. Our scheme relies on the security of the assumed watermarking, plus the assumed existence of public key quantum money. Our construction is general, applicable to many recent watermarking schemes.

Abstract. In this paper, we present different implementations of point multiplication over Curve448. Curve448 has recently been recommended by NIST to provide 224-bit security over elliptic curve cryptography. Although implementing high-security cryptosystems should be considered due to recent improvements in cryptanalysis, hardware implementation of Curve488 has been investigated in a few studies. Hence, in this study, we propose three variable-base-point FPGA-based Curve448 implementations, i.e., lightweight, area-time efficient, and high-performance architectures, which aim to be used for different applications. Synthesized on a Xilinx Zynq 7020 FPGA, our proposed high-performance design increases 12% throughput with executing 1,219 point multiplication per second and increases 40% efficiency in terms of required clock cycles\timesutilized area compared to the best previous work. Furthermore, the proposed lightweight architecture works in 250 MHz and saves 96% of resources with the same performance. Additionally, our area-time efficient design considers a trade-off between time and required resources, which shows a 48% efficiency improvement with 52% fewer resources. Finally, effective side-channel countermeasures are added to our proposed designs, which also outperform previous works.

An extensive research of MPC protocols in different adversarial settings over the past few years has led to various improvements in this domain. Goyal et al(2019) in their paper addressed the issue of an efficient MPC protocol in active adversarial setting by removing the dependency on multiplication depth $D_m$ in the arithmetic circuit. This development was followed by Hirt et al.(2020) which proposed an efficient MPC protocol tolerating mixed adversary with communication complexity of $O((c_i + c_m + c_o)nk + c_iBA(k) + D_m(n^3k + nBA(k)))$ bits, where $D_m$ is the multiplicative depth of the circuit. Additionally, Hirt et al., proposed an open problem to construct a protocol for the mixed adversarial setting, independent of the multiplicative depth $D_m$, with linear communication complexity. In this paper, we resolve this problem in the affirmative by providing an efficient MPC protocol in the mixed adversarial setting independent of the multiplicative depth of the circuit.

Efficient computation of polynomial multiplication for characteristic three fields, $\mathbb{F}_{3^{n}}$ for $n\geq1$, is an important attribute for many cryptographic protocols. In this paper, we propose three new polynomial multiplication algorithms over $\mathbb{F}_{3}[x]$ and show that they are more efficient than the current state-of-the-art algorithms. We first examine through the well-known multiplication algorithms in $\mathbb{F}_{3}[x]$ including Karatsuba-2-way and 3-way split formulas along with the recent enhancements. Then, we propose a new 4-way split polynomial multiplication algorithm and an improved version of it which are both derived by using interpolation in $\mathbb{F}_{9}$. Moreover, we propose a 5-way split multiplication algorithm, and then compare the efficiencies of these algorithms altogether. We apply the proposed algorithms to the NTRU Prime protocol, a post-quantum key encapsulation mechanism (KEM), submitted to the NIST PQC Competition by Bernstein et al., performing polynomial multiplication in characteristic three fields in its decapsulation phase. We observe that the new hybrid algorithms provide a $12.9\%$ reduction in the arithmetic complexity. Furthermore, we implement these new hybrid methods on Intel (R) Core (TM) i7-9750H architecture using C and obtain a $37.3\%$ reduction in the implementation cycle count.

Homomorphic encryption (HE) is a promising cryptographic primitive that enables computation over encrypted data, with various applications to medical, genomic, and financial tasks. In such applications, data typically contain some errors from their true values. The CKKS encryption scheme proposed by Cheon et al. (Asiacrypt 2017) supports approximate computation over encrypted data. However, HE schemes including CKKS commonly suffer from slow encryption speed and large ciphertext expansion compared to symmetric cryptography.

To address these problems, in particular, focusing on the client-side online computational overload and the ciphertext expansion, we propose a novel hybrid framework that supports CKKS. Since it seems to be infeasible to design a stream cipher operating on real numbers, we combine the CKKS and the FV homomorphic encryption schemes, and use a stream cipher using modular arithmetic in between. The proposed framework is thus dubbed the CKKS-FV transciphering framework. As a result, real numbers can be encrypted without significant ciphertext expansion or computational overload on the client side.

As a stream cipher to instantiate the CKKS-FV framework, we propose a new HE-friendly cipher, dubbed HERA, and analyze its security and efficiency. HERA is a stream cipher that features a simple randomized key schedule (RKS). Compared to recent HE-friendly ciphers such as FLIP and Rasta using randomized linear layers, HERA needs smaller number of random bits, leading to efficiency improvement on both the client and the server sides.

Our implementation shows that the CKKS-FV framework using HERA is $3.634$ to $398$ times faster on the client-side, compared to the environment where CKKS is only used, in terms of encryption time. Our framework also enjoys $2.4$ to $436.7$ times smaller ciphertext expansion according to the plaintext length.

The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti {\it et al.} (STOC'19) and Peikert-Shiehian (Crypto'19) showed that, under the Learning-With-Errors ($\LWE{}$) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to so-called trapdoor $\Sigma$-protocols. In order to be compatible with CI hash functions based on standard LWE assumptions with polynomial approximation factors, all known such protocols have been obtained via parallel repetitions of a basic protocol with binary challenges. In this paper, we consider languages related to Paillier's composite residuosity assumption (DCR) for which we give the first trapdoor $\Sigma$-protocols providing soundness in one shot, via exponentially large challenge spaces. This improvement is analogous to the one enabled by Schnorr over the original Fiat-Shamir protocol in the random oracle model. Using the correlation-intractable hash function paradigm, we then obtain simulation-sound NIZK arguments showing that an element of $\mathbb{Z}_{N^2}^\ast$ is a composite residue. As a main application, we build logarithmic-size ring signatures (assuming a common reference string) which yield the shortest signature length among schemes based on standard assumptions in the standard model. We prove security under the DCR and LWE assumptions, while keeping the signature size comparable with that of random-oracle-based schemes.

We propose an improvement for the inner product argument of Bootle et al. (EUROCRYPT’16). The new argument replaces the unstructured common reference string (the commitment key) by a structured one. We give two instantiations of this argument, for two different distributions of the CRS. In the designated verifier setting, this structure can be used to reduce verification from linear to logarithmic in the circuit size. The argument can be compiled to the publicly verifiable setting in asymmetric bilinear groups. The new common reference string can easily be updateable. The argument can be directly used to improve verification of Bulletproofs range proofs (IEEE SP’18). On the other hand, to use the improved argument to prove circuit satisfiability with logarithmic verification, we adapt recent techniques from Sonic (ACM CCS’19) to work with the new common reference string. The resulting argument is secure under standard assumptions (in the Random Oracle Model), in contrast with Sonic and recent works that improve its efficiency (Plonk, Marlin, AuroraLight), which, apart from the Random Oracle Model, need either the Algebraic Group Model or Knowledge Type assumptions.

Protecting the privacy of voters is a basic requirement of any electronic voting scheme, and formal definitions can be used to prove that a scheme satisfies privacy. In this work, we provide new game-based definitions of ballot secrecy for electronic voting schemes. First, we propose an intuitive definition in the honest model, i.e., a model in which all election officials are honest. Then, we show that this definition can be easily extended to the malicious ballot box setting and a setting that allows for a distributed tallier. In fact, to the best of our knowledge, we provide the first game-based definition of ballot secrecy that models both a malicious ballot box and a malicious subset of talliers. We demonstrate that our definitions of ballot secrecy are satisfiable, defining electronic voting scheme constructions which we prove satisfy our definitions. Finally, we revisit existing definitions, exploring their limitations and contextualising our contributions to the field.

TCC 2020 will take place virtually on Nov 16-19 2020.

The registration to TCC 2020 and its virtual affiliated event is open: https://tcc.iacr.org/2020/registration.php

The affiliated event "Matches made in heaven: Cryptography and Theoretical Computer Science" will focus on the tight relationship between these areas (check out the speakers at https://tcc.iacr.org/2020/program.php, a web page with abstract and title is coming soon) and will take place before and after TCC talks.