IACR News
30 May 2021
National Sun Yat-sen University, Department of Computer Science and Engineering; Kaohsiung, Taiwan
Job Posting
Responsibilities: Apart from academic work, students must take part in several activities, in a group or individually, such as (but not limited to):
Requirements: Apart from the university's basic admission policies (https://cse.nsysu.edu.tw/?Lang=en), students are expected to meet the following key requirements:
Scholarship:
What students can expect:
What the supervisor can expect: Apart from academic and research work, students are expected to have
Closing date for applications:
Contact: Arijit Karati (arijit.karati@mail.cse.nsysu.edu.tw)
More information: https://cse.nsysu.edu.tw/?Lang=en
NXP Semiconductors (Gratkorn, Hamburg, Leuven or Eindhoven)
Job Posting
• Specification of innovative and disruptive crypto & security solutions
• Definition of crypto & security algorithms and related IP architectures
• Definition of advanced crypto protocols
• Definition of crypto & security mechanisms in hardware, firmware, etc.
• Specification and review of crypto & security architectures
• Detailed attack modeling and security mechanism specification for hardware and software blocks
• Advising and training the product and IP teams on design, implementation and test
• Root cause analysis of security defects
• Technical interface to customers, evaluation labs and to the product development team
• Certification support and technical interface with evaluator and certifier
Your Profile:
• Have a PhD/Master in Cryptography, Security or Mathematics
• Very good knowledge of cryptography (incl. symmetric and asymmetric crypto)
• Very good knowledge of discrete mathematics, algebra and number theory
• Good knowledge of SoCs and/or Secure Element products
• Good knowledge of crypto hardware implementation
• Strong security background
• Have >5 years of experience in embedded security
• Used to an independent working style
• Be willing to listen and to adapt
• Very good communication skills
• Be willing to travel
Closing date for applications:
Contact: Sebastian Stappert (sebastian.stappert@nxp.com) or Joppe Bos (joppe.bos@nxp.com)
IMDEA Software Institute, Madrid, Spain
Job Posting
The IMDEA Software Institute invites applications for a Software Engineer with a specialization in Cryptography. The successful candidate will collaborate closely with researchers on implementing and experimenting with novel cryptographic protocols, including zkSNARKs, verifiable computation and homomorphic encryption schemes, and randomness generation protocols.
The ideal candidate should have:
- MS or PhD in computer science, mathematics, or a related discipline
- In-depth knowledge of cryptography (e.g., has taken university courses)
- Solid background in math (number theory, abstract algebra) and algorithms
- Programming experience in one or more of the following languages: C, C++, Rust
- Prior experience with implementation of cryptographic protocols
- Familiarity with the UNIX command line and developer tools (e.g., git, svn)
- Familiarity with reading cryptography research papers will be considered positively
How to apply? The application requires a CV and possibly the names of 2-3 persons who can provide references about you and your work. Applicants interested in the position should submit their application at https://careers.software.imdea.org/. Review of applications will start immediately and close when the positions are filled or on July 2nd, 2021. We encourage applicants to submit their applications as early as possible.
Closing date for applications:
Contact: Ignacio Cascudo (ignacio.cascudo (at) imdea.org), Dario Fiore (dario.fiore (at) imdea.org)
More information: https://software.imdea.org//open_positions/2021-05-programmer-zk.html
28 May 2021
Anubhab Baksi, Shivam Bhasin, Jakub Breier, Mustafa Khairallah, Thomas Peyrin, Sumanta Sarkar, Siang Meng Sim
ePrint Report
Joppe W. Bos, Maximilian Ofner, Joost Renes, Tobias Schneider, Christine van Vredendaal
ePrint Report
Yuncong Zhang, Ren Zhang, Geng Wang, Dawu Gu
ePrint Report
We apply our methodology to construct three zkSNARKs, each targeting a constraint system: the Rank-1 Constraint System (R1CS), the Hadamard Product Relation (HPR), and a modified PLONK circuit. All three zkSNARKs achieve shorter proofs and/or smaller verification costs compared to the state-of-the-art constructions targeting the same constraint systems. Specifically, VCProof/R1CS defeats Marlin in proof size, with a slightly higher verification cost; VCProof/HPR and VCProof/POV outperform Sonic and PLONK, respectively, in both proof size and verification cost. In particular, the proof of VCProof/POV has only two field elements and six group elements, thus becoming the shortest among all existing universal-setup zkSNARKs.
Rishab Goyal, Ridwan Syed, Brent Waters
ePrint Report
Paul Grubbs, Varun Maram, Kenneth G. Paterson
ePrint Report
This paper offers a systematic study of anonymity and robustness for post-quantum PKE schemes. We focus on two theoretical aspects. Firstly, we study the crucial role of implicit/explicit rejection for the KEM used in the standard KEM-DEM paradigm and how it affects the anonymity and robustness of the resulting PKE scheme. Secondly, we examine how the Fujisaki-Okamoto (FO) transforms (Fujisaki and Okamoto, Journal of Cryptology 2013) confer robustness and enhance weak anonymity of a base PKE scheme to strong anonymity for the resulting KEM.
We then leverage our theoretical results to study the anonymity and robustness of the four NIST finalists: Classic McEliece, Kyber, NTRU and Saber. We exhibit a striking property of the PKE scheme obtained from the Classic McEliece KEM using the standard KEM-DEM construction: for any message 'm', we can construct a single hybrid ciphertext 'c' which decrypts to the chosen 'm' under any Classic McEliece private key. This highlights that Classic McEliece does not lead to a robust PKE scheme and presents a barrier to using our proof techniques to establish the anonymity of Classic McEliece. As a side-result of our treatment, we identify (and repair) technical gaps in the IND-CCA security claims for Saber; we also provide positive anonymity and robustness results for Saber. Similarly, we identify issues with the IND-CCA security claims for Kyber; these also act as a barrier to proving its anonymity. Finally, we describe technical barriers to applying our techniques to NTRU.
Our work, as well as being of theoretical interest, directly contributes to the broad-spectrum evaluation of NIST candidate algorithms.
Gabrielle De Micheli, Pierrick Gaudry, Cécile Pierrot
ePrint Report
Andrea Basso, Péter Kutas, Simon-Philipp Merz, Christophe Petit, Antonio Sanso
ePrint Report
Yi Chen, Hongbo Yu
ePrint Report
In this paper, we fill in the three research gaps: (1) we first propose the Extended Differential-Linear Connectivity Table (EDLCT), which is a generic tool describing a cipher. Features corresponding to the EDLCT are designed to describe a ciphertext pair. Based on these features, various machine learning-based distinguishers, including the ND, are built. To explore various NDs from the EDLCT view, we propose a Feature Set Sensitivity Test (FSST) to identify which features may have a significant influence on NDs. Features identified by FSST share the same characteristic related to the cipher's round function. Surrogate models of NDs are also built based on identified features. Experiments on Speck32/64 and DES confirm that features corresponding to the EDLCT are learned by NDs. (2) We explain phenomena related to NDs via the EDLCT. (3) We show how to use machine learning to search for differential-linear propagations ∆ → λ with a high correlation, which is a tough task in the differential-linear attack. Applications to Chaskey and DES demonstrate the advantages of machine learning. Furthermore, we provide some optional inputs to improve ND
Elli Androulaki, Ilie Circiumaru, Jesus Diaz Vico, Miguel Prada, Alessandro Sorniotti, Marc Stoecklin, Marko Vukolic, Marie Wallace
ePrint Report
In a nutshell, IBM Digital Health Pass technology enables issuers, i.e., authorised healthcare providers onboarded to the system by the health authorities of a given country or jurisdiction, to produce digital attestations about individuals' health status. These attestations, called Health Certificates, are issued to individuals, called subjects or holders, and are stored on a piece of paper or within the subjects' mobile phone wallets. Subjects can then demonstrate the authenticity of one or more of their Health Certificates to third parties of their choice, called verifiers, when the need to demonstrate COVID-19-related health status arises. Subjects can also demonstrate their association with each of their Health Certificates.
IBM Digital Health Pass is built around preserving individuals' privacy as a first-class requirement, based on established public key cryptography concepts in a way that can easily scale to millions of Health Certificates.
Zhenzhen Bao, Jian Guo, Shun Li, Phuong Pham
ePrint Report
Colin Boyd, Gareth T. Davies, Bor de Kock, Kai Gellert, Tibor Jager, Lise Millerjord
ePrint Report
Samir Bouftass
ePrint Report
Robi Pedersen
ePrint Report
Hiroshi Onuki, Tomoki Moriya
ePrint Report
Masahito Ishizaka, Shinsaku Kiyomoto
ePrint Report
As a generalized primitive of TSS, we propose multi-dimensional \textit{sub}-range signatures (MDSBRS). As a related primitive, we also propose multi-dimensional \textit{super}-range signatures (MDSPRS). In MDSBRS (resp. MDSPRS) with $D\in\mathbb{N}$ dimensions, each secret-key is associated with a set of $D$ ranges $\{[l_i,r_i]\mid i\in[1,D]\}$ s.t. $0 \leq l_i\leq r_i\leq T_i-1$ and a threshold value $d\in[1,D]$, and it correctly produces a signature on any message under a set of $D$ ranges $\{[L_i,R_i]\mid i\in[1,D]\}$ s.t. $0 \leq L_i\leq R_i\leq T_i-1$ if and only if the number of key-ranges $[l_i,r_i]$ that are \textit{sub}-ranges (resp. \textit{super}-ranges) of the corresponding signature-range $[L_i,R_i]$, i.e., $L_i\leq l_i\leq r_i\leq R_i$ (resp. $l_i\leq L_i\leq R_i\leq r_i$), is more than $d-1$. We show that, by extending (or generalizing) an existing TSS scheme, we obtain MDSBRS and MDSPRS schemes, each of which is secure, i.e., existentially unforgeable and perfectly (signer-)private, under standard assumptions and asymptotically efficient.
Deepak Maram, Iddo Bentov, Mahimna Kelkar, Ari Juels
ePrint Report
However, a PoRep actually offers limited robustness. Indeed, if all the file replicas are stored on a single hard disk, a single catastrophic event is enough to lose the file.
We introduce a new primitive, Proof of Geo-Retrievability or in short "GeoPoRet", that enables proving that a file is located within a strict geographic boundary. Using GeoPoRet, one can trivially construct a PoRep by proving that a file is in several distinct geographic regions. We define what it means for a GeoPoRet scheme to be complete and sound, in the process making important extensions to prior formalism.
We propose GoAT, a practical GeoPoRet scheme to prove file geolocation. Unlike previous geolocation systems that rely on trusted verifiers, GoAT bootstraps using public timestamping servers on the internet that serve as geolocation anchors, tolerating a local threshold of dishonest anchors. GoAT internally uses a communication-efficient Proof-of-Retrievability (PoRet) scheme in a novel way to achieve a constant-size PoRet component in its proofs.
We validate GoAT's practicality by conducting an initial measurement study to find usable anchors and also perform a real-world experiment. The results show that a significant fraction of the internet can be used as GoAT anchors. Furthermore, GoAT achieves geolocation radii as small as 1000 km.
Edward Eaton, Douglas Stebila
ePrint Report
In this paper, we make the first steps towards formalizing the quantum-annoying property. We consider a classical adversary in an extension of the generic group model in which the adversary has access to an oracle that solves discrete logarithms. While this idealized model does not fully capture the range of operations available to an adversary with a general-purpose quantum computer, this model does allow us to quantify security in terms of the number of discrete logarithms solved. We apply this approach to the CPace protocol, a balanced PAKE advancing through the CFRG standardization process, and show that the CPaceBase variant is secure in the generic group model with a discrete logarithm oracle.