International Association
for Cryptologic Research

Clearmatics is a protocol engineering company. We are building a new financial market architecture that is more open, fair, and resilient than the legacy systems that are in use today. We develop protocols and software that create new markets for risk and more efficient infrastructure for trading, backed by a robust and scalable blockchain network, and secured with modern cryptographic techniques and economic mechanism design.

The Research group at Clearmatics is dedicated to developing solutions to the hard problems needed to advance our mission. We are academics and protocol engineers collaborating with teams inside and outside the company to translate theoretical results into running software implementations.

RESPONSIBILITIES

- Assist in the design of cryptographic protocols

- Collaborate with your colleagues on the implementation of cryptographic primitives and protocols

- Produce technical design specifications

- Produce externally facing artefacts (e.g. blog posts, papers, documentation excerpts etc.)

- Support research colleagues in conducting their research

- Interface with the Engineering team to ease the transition of the research pieces of code into robust production software fully integrated with our stack

- Keep up with new research in the space

REQUIREMENTS​

- Fluency in English (written and spoken)

- Background in applied Computer Science

- Experience with system programming (C/C++/Rust)

- Strong applied cryptography skills (experience implementing robust elliptic curve cryptography)

- Outstanding algorithmic thinking

- Strong focus on code quality/documentation and simplicity

Nice to haves​

- Knowledge of Unix and bash

- Experience with constant time cryptography

- Experience with cryptography on embedded systems

- Experience with Ethereum or other blockchain projects

- Experience contributing to open-source cryptography libraries

- Experience with Python/SageMath

Closing date for applications:

Contact: https://boards.greenhouse.io/clearmatics/jobs/5326634002

More information: https://grnh.se/e40fe3cb2us

Cryptography and Information Security Laboratory is currently looking for a Post-doctoral researcher. Our laboratory is conducting the latest research on the development of cyber threat prediction and response technologies, lightweight cryptography for IoT environment, field-oriented digital forensic, design and development of encryption technologies, etc. We are highly recognized externally for excellent research results. The applicant will have the opportunity to work on our ongoing projects with a team of scientists in the lab and collaborators. We offer an excellent research environment and a highly competitive salary.

Current Research Directions:

Analysis of malware and malicious traffic based on machine learning

Cyber threat prediction and threat intelligence analysis

Design and cryptanalysis of symmetric-key cryptosystems

Fast and efficient implementation of ciphers

Mobile, memory, AI forensics

IoT and Convergence security
Current Research Directions:

Candidate must have recently received (or expect soon) PhD degree in or related to Information Security, Computer Science fields.

Good publication record and prior development experience are highly desirable.
Appointment term: 1 year commitment to postdoctoral training is expected (can be extended depending on performance).
Appointment start date: September 2021
Required Application Materials:

CV

Statement of research interests

Contact information

Closing date for applications:

Contact: Interested candidates should email their application materials to professor Changhoon Lee (chlee@seoultech.ac.kr).

More information: https://cis.seoultech.ac.kr/index.do

The successful candidate for this position will participate in developing cutting edge blockchain methods and tools to provide for world-class new product introduction (NPI), new-to-industry (NTI), and services/support capabilities throughout the company. You will work in a multi-disciplinary team contributing to the applications of designing new better blockchain-based systems, to improve existing designs, and to disseminate knowledge into the community to stand out as thought leaders in the space. Applications include web3, decentralized finance, layer 2 technology, cryptography, proof of work, distributed ledger technology, lending and borrowing, incentivization, with more.

Closing date for applications:

Contact: Martina Burghi (martina@advancedblockchain.com)

More information: https://incredulous.bamboohr.com/jobs/view.php?id=36

Computing the count of distinct elements in large data sets is a common task but naive approaches are memory-expensive. The HyperLogLog (HLL) algorithm (Flajolet et al., 2007) estimates a data set's cardinality while using significantly less memory than a naive approach, at the cost of some accuracy. This trade-off makes the HLL algorithm very attractive for a wide range of applications such as database management and network monitoring, where an exact count may not be needed. The HLL algorithm and variants of it are implemented in systems such as Redis and Google Big Query. Recently, the HLL algorithm has started to be proposed for use in scenarios where the inputs may be adversarially generated, for example counting social network users or detection of network scanning attacks. This prompts an examination of the performance of the HLL algorithm in the face of adversarial inputs. We show that in such a setting, the HLL algorithm's estimate of cardinality can be exponentially bad: when an adversary has access to the internals of the HLL algorithm and has some flexibility in choosing what inputs will be recorded, it can manipulate the cardinality estimate to be exponentially smaller than the true cardinality. We study both the original HLL algorithm and a more modern version of it (Ertl, 2017) that is used in Redis. We present experimental results confirming our theoretical analysis. Finally, we consider attack prevention: we show how to modify HLL in a simple way that provably prevents cardinality estimate manipulation attacks.

This paper explores the good-case latency of synchronous Byzantine Fault Tolerant (BFT) consensus protocols in the rotating leader setting. We first present a lower bound that relates the latency of a broadcast when the sender is honest and the latency of switching to the next sender. We then present a matching upper bound with a latency of $2\Delta$ ($\Delta$ is the pessimistic synchronous delay) with an optimistically responsive change to the next sender. The results imply that both our lower and upper bounds are tight. We implement and evaluate our protocol and show that our protocol obtains similar latency compared to state-of-the-art stable-leader protocol Sync~HotStuff while allowing optimistically responsive leader rotation.

Due to the advent of quantum computers, the security of existing public-key cryptography is threatened since quantum computers are expected to be able to solve the underlying mathematical problems efficiently. Hence, quantum resistant alternatives are required. Consequently, about 70 post-quantum scheme candidates were submitted to the National Institute of Standards and Technology (NIST) standardization effort. One candidate is the qTESLA signature scheme. We present an efficient shared-memory parallelization of qTESLA’s core routines, analyze the speedup in-depth and show that it can compete with the two most commonly used signature schemes RSA and ECDSA which are quantum-vulnerable. The speed is further increased by semi-automatic tuning of qTESLA’s configuration parameters based on results of multi-parameter performance models. We show how to considerably increase qTESLA’s usability through the Java Native Interface (JNI) without performance penalty. The analysis on x86 and ARM architecture employing three operating systems demonstrates the achieved portability. The enhanced performance, its straight forward usability and the high portability of our implementation make it a quantum-safe replacement for the state-of-the-art schemes.

Since quantum computers will be able to break all public-key encryption schemes employed today efficiently, quantum-safe cryptographic alternatives are required. One group of candidates are lattice-based schemes since they are efficient and versatile. To make them practical, their security level must be assessed on classical HPC systems in order to determine efficient but secure parameterization. In this paper, we propose a novel parallelization strategy for the open source framework p3Enum which is designed to solve the important lattice problem of finding the shortest non-zero vector in a lattice (SVP). We also present the p3Enum extreme pruning function generator (p3Enum-epfg) which generates optimized extreme pruning functions for p3Enum’s pruned lattice enumeration by employing a parallelized simulated annealing approach. We demonstrate the quality of the pruning functions delivered. Combining the new parallelization with optimized pruning functions speeds up p3Enum by a factor up to 3 compared to the previous version. Additionally, we compare the required runtime to solve the SVPs with state-of-the art tools and, for the first time, also visualize the statistical effects in the runtime of the algorithms under consideration. This allows a considerably better understanding of the behavior of the implementations than previous average-value considerations and demonstrates the relative stability of p3Enum’s parallel runtimes which improve reproducibility and predictability. All these advancements make it the fastest SVP solver for lattice dimensions 66 to 92 and a suitable building block as SVP-oracle in lattice basis reduction.

Computation on ciphertexts of all known fully homomorphic encryption (FHE) schemes induces some noise, which, if too large, will destroy the plaintext. Therefore, the bootstrapping technique that re-encrypts a ciphertext and reduces the noise level remains the only known way of building FHE schemes for arbitrary unbounded computations. The bootstrapping step is also the major efficiency bottleneck in current FHE schemes. A promising direction towards improving concrete efficiency is to exploit the bootstrapping process to perform useful computation while reducing the noise at the same time. We show a bootstrapping algorithm, which embeds a lookup table and evaluates arbitrary functions of the plaintext while reducing the noise. Depending on the choice of parameters, the resulting homomorphic encryption scheme may be either an exact FHE or homomorphic encryption for approximate arithmetic. Since we can evaluate arbitrary functions over the plaintext space, we can use the natural homomorphism of Regev encryption to compute affine functions without bootstrapping almost for free. Consequently, our algorithms are particularly suitable for circuits with many additions and scalar multiplication gates. We achieve record speeds for such circuits. For example, in the exact FHE setting, we achieve a speedup of a factor of over 3000x over state-of-the-art methods. Effectively, we bring the evaluation time from weeks or days down to a few hours or minutes. Furthermore, we note that the speedup gets more significant with the size of the affine function. We provide a tight error analysis and show several parameter sets for our bootstrapping. Finally, we implement our algorithm and provide extensive tests. We demonstrate our algorithms by evaluating different neural networks in several parameter and accuracy settings.

In this short paper we find an efficient binary approximation of the FSM of ZUC-256 with high correlation around $2^{-21.1}$ between the keystream words and the LFSR. Thereafter, we make a conjecture on a theoretical complexity of a hypothetical correlation attack on ZUC-256.

We argue that for all integers $N \geq 2$ and $g \geq 1$ there exist "multiradical" isogeny formulae, that can be iteratively applied to compute $(N^k, \ldots, N^k)$-isogenies between principally polarized $g$-dimensional abelian varieties, for any value of $k \geq 2$. The formulae are complete: each iteration involves the extraction of $g(g+1)/2$ different $N$th roots (whence the epithet multiradical) and by varying which roots are chosen one computes all $N^{g(g+1)/2}$ extensions to an $(N^k, \ldots, N^k)$-isogeny of the incoming $(N^{k-1}, \ldots, N^{k-1})$-isogeny. Our argumentation is heuristic, but we provide concrete formulae for several prominent families. As our main application, we illustrate the use of multiradical isogenies by implementing a hash function from $(3,3)$-isogenies between Jacobians of superspecial genus-$2$ curves, showing that it outperforms its $(2,2)$-counterpart by an asymptotic factor $\approx 9$ in terms of speed.

The isogeny-based post-quantum schemes SIKE (NIST PQC round 3 alternate candidate) and CSIDH (Asiacrypt 2018) have received only little attention with respect to their fault attack resilience so far. We aim to fill this gap and provide a better understanding of their vulnerability by analyzing their resistance towards safe-error attacks. We present four safe-error attacks, two against SIKE and two against a constant-time implementation of CSIDH that uses dummy isogenies. The attacks use targeted bitflips during the respective isogeny-graph traversals. All four attacks lead to full key recovery. By using voltage and clock glitching, we physically carried out two of the attacks - one against each scheme -, thus demonstrate that full key recovery is also possible in practice.

The 2021 election is being held to fill the three IACR Director positions currently held by Mark Fischlin, Nadia Heninger and Anna Lysyanskaya, whose 3-year terms are ending.

Nominations are due by October 1st, 2021.
Information about nomination is available at https://iacr.org/elections/2021/announcement.html.

Multi-Key fully homomorphic encryption (MKFHE) allows computation on data encrypted under different and independent keys. The previous researches show that the ciphertext size of MKFHE scheme usually increases linearly or squarely with the number of parties, which restricts the application of the MKFHE scheme. In this paper, we propose a general construction of MKFHE scheme with compact ciphertext. Firstly, we construct the accumulated public key of the parties set with compact by accumulating every party’s public key under the CRS model. Secondly, all parties provide the ciphertext of their secret keys key which is encrypted by the accumulated public-key as the accumulated evaluation key. Thirdly, we run the bootstrapping process (or key switching process) on each party's ciphertext and accumulated evaluation key to refresh the ciphertext. Finally, We homomorphically calculate the refreshed ciphertext and decrypt it by the joint secret key. Furthermore, according to the advantages of TFHE-type scheme’s efficient bootstrapping and CKKS scheme supporting approximate data homomorphic computation, we improve the bootstrapping in our general scheme and specifically propose two efficient MKFHE schemes with compact ciphertext. Our work has two advantages. The one is that the ciphertext size of the proposed general scheme is independent of the number of parties, and the homomorphic computation is as efficient as the single-party full homomorphic encryption scheme. When the parties' set is updated, the ciphertext of the original set can continue to be used for homomorphic computation of the new parties' set after refreshed. Another advantage is that only by authorization can a party’s data be used in the homomorphic operation of a set, i.e., all parties need to regenerate their accumulated evaluation key with the set. Compared with the fully dynamic MKFHE scheme, the authorized MKFHE scheme we proposed supports parties to effectively control which set their data.

Here we consider a method for quickly testing for group membership in the groups $\G_1$, $\G_2$ and $\G_T$ (all of prime order $r$) as they arise on a type-3 pairing-friendly curve. As is well known endomorphisms exist for each of these groups which allows for faster point multiplication for elements of order $r$. The endomorphism applies if an element is of order $r$. Here we show that, under relatively mild conditions, the endomorphism applies {\bf if and only if} an element is of order $r$. This results in a faster method of confirming group membership. In particular we show that the conditions are met for the popular BLS family of curves.

In this paper, the authors construct a new type of cryptographic sequence which is named an extra-super increasing sequence, and give the definitions of the minimal super increasing sequence {a[1], a[2], ..., a[n]} and minimal extra-super increasing sequence {z[1], z[2], ..., z[n]}. Prove that the minimal extra-super increasing sequence is the odd-positioned subsequence of the Fibonacci sequence, namely {z[1], z[2], ..., z[n], ...} = {F[1], F[3], ..., F[2n-1], ...}, which indicates that the approach to the golden ratio phi through the difference (z[n+1] / z[n] - 1]) is more smooth and expeditious than through the ratio (F[n+1] / F[n]). Further prove that the limit of the term ratio difference between the two cryptographic sequences equals the golden ratio conjugate PHI, namely lim (n to infinity) (z[n+1] / z[n] - a[n+1] / a[n]) = PHI, which reveals the beauty of cryptography.

We study non-malleable secret sharing against joint leakage and joint tampering attacks. Our main result is the first threshold secret sharing scheme in the plain model achieving resilience to noisy-leakage and continuous tampering. The above holds under (necessary) minimal computational assumptions (i.e., the existence of one-to-one one-way functions), and in a model where the adversary commits to a fixed partition of all the shares into non-overlapping subsets of at most $t-1$ shares (where $t$ is the reconstruction threshold), and subsequently jointly leaks from and tampers with the shares within each partition.

We also study the capacity (i.e., the maximum achievable asymptotic information rate) of continuously non-malleable secret sharing against joint continuous tampering attacks. In particular, we prove that whenever the attacker can tamper jointly with $k > t/2$ shares, the capacity is at most $t - k$. The rate of our construction matches this upper bound.

An important corollary of our results is the first non-malleable secret sharing scheme against independent tampering attacks breaking the rate-one barrier (under the same computational assumptions as above).

Authenticated Key Exchange (AKE) protocols, by definition, guarantee both session key secrecy and entity authentication. Informally, session key secrecy means that only the legitimate parties learn the established key and mutual authentication means that one party can assure itself the session key is actually established with the other party. Today, an important application area for AKE is Internet of Things (IoT) systems, where an IoT device runs the protocol to establish a session key with a remote server. In this paper, we identify two additional security requirements for IoT-oriented AKE, namely Key Compromise Impersonation (KCI) resilience and Server Compromise Impersonation (SCI) resilience. These properties provide an additional layer of security when the IoT device and the server get compromised respectively. Inspired by Chan et al.'s bigdata-based unilateral authentication protocol, we propose a novel AKE protocol which achieves mutual authentication, session key secrecy (including perfect forward secrecy), and the above two resilience properties. To demonstrate its practicality, we implement our protocol and show that one execution costs about 15.19 ms (or, 84.73 ms) for the IoT device and 2.44 ms (or, 12.51 ms) for the server for security parameter λ =128 (or, λ =256). We finally propose an enhanced protocol to reduce the computational complexity on the end of IoT by outsourcing an exponentiation computation to the server. By instantiating the signature scheme with NIST's round three alternate candidate Picnic, we show that one protocol execution costs about 14.44 ms (or, 58.45 ms) for the IoT device and 12.78 ms (or, 46.34 ms) for the server for security parameter λ =128 (or, λ =256).

We introduce the concept of turn-based communication channel between two mutually distrustful parties with communication consistency, i.e. both parties have the same message history, and happens in sets of exchanged messages across a limited number of turns. Our construction leverages on timed primitives. Namely, we introduce a novel Delta-delay hash function definition in order to establish turns in the channel. Concretely, we introduce the one-way turn-based communication scheme and the two-way turn-based communication protocol and provide a concrete instantiation that achieves communication consistency.

Differential privacy is a concept to quantify the disclosure of private information that is controlled by the privacy parameter~$\varepsilon$. However, an intuitive interpretation of $\varepsilon$ is needed to explain the privacy loss to data engineers and data subjects. In this paper, we conduct a worst-case study of differential privacy risks. We generalize an existing model and reduce complexity to provide more understandable statements on the privacy loss. To this end, we analyze the impact of parameters and introduce the notion of a global privacy risk and global privacy leak.

Fault attacks have gained particular attention in recent years as they present a severe threat to security in rapidly rising Internet-of-Things (IoT) devices. IoT devices are generally security-critical and resource-constrained. Therefore, any security protocol deployed in these devices has to satisfy several constraints such as small area footprint, low power, and memory consumption. Combinational circuit implementation of S-box is preferable over look-up table (LUT) in terms of memory consumption as the memory operations are usually the costliest part of lightweight cipher implementations. In this work, we analyze the S-box of AES against a novel fault analysis technique, Semi-Permanent Stuck-At (SPSA) fault analysis. We pinpoint hotspots in an optimized implementation of AES S-box that weaken the cryptographic properties of the S-box, leading to key recovery attacks. Our work investigates new vulnerabilities towards fault analysis in combinational circuit implementation.