International Association
for Cryptologic Research

Zero-Knowledge Proofs (ZKPs) are cryptographic primitives allowing a party to prove to another party that the former knows some information while keeping it secret. Such a premise can lead to the development of numerous privacy-preserving protocols in different scenarios, like proving knowledge of some credentials to a server without leaking the identity of the user. Even when the applications of ZKPs were endless, they were not exploited in the wild for a couple of decades due to the fact that computing and verifying proofs was too computationally expensive. However, the advent of efficient schemes (in particular, zk-SNARKs) made this primitive to break into the scene in fields like cryptocurrencies, smart-contracts, and more recently, self-sovereign scenarios: private-by-design identity management and authentication. Nevertheless, its adoption in environments like the Internet of Things (IoT) remains unexplored due to the computational limitations of embedded systems. In this paper, we introduce ZPiE, a C library intended to create ZKP applications to be executed in embedded systems. Its main feature is portability: it can be compiled, executed, and used out-of-the-box in a wide variety of devices. Moreover, our proof-of-concept has been proved to work smoothly in different devices with limited resources, which can execute state-of-the-art ZKP authentication protocols.

Attribute-Based Encryption (ABE) is a cryptographic primitive which supports fine-grained access control on encrypted data, making it an appealing building block for many applications. Multi-Authority Attribute-Based Encryption (MA-ABE) is a generalization of ABE where the central authority is distributed across several independent parties.

We provide the first MA-ABE scheme from prime-order pairings where no trusted setup is needed and where the attribute universe of each authority is unbounded. Our constructions rely on a common modular blueprint that uses an Identity-Based Functional Encryption scheme for inner products (ID-IPFE) as an underlying primitive. Our presentation leads to simple proofs of security and brings new insight into the algebraic design choices that seem common to existing schemes. In particular, the well-known MA-ABE construction by Lewko and Waters (EUROCRYPT 2011) can be seen as a specific instantiation of our modular construction.

Our schemes enjoy all of their advantageous features, and the improvements mentioned. Furthermore, different instantiations of the core ID-IPFE primitive lead to various security/efficiency trade-offs: we propose an adaptively secure construction proven in the generic group model and a selectively secure one that relies on SXDH. As in previous work, we rely on a hash function (to generate matching randomness for the same user across different authorities while preserving collusion resistance) that is modeled as a random oracle.

Sender-anonymous end-to-end encrypted messaging allows sending messages to a recipient without revealing the sender’s identity to the messaging platform. Signal recently introduced a sender anonymity feature that includes an abuse mitigation mechanism meant to allow the platform to block malicious senders on behalf of a recipient. We explore the tension between sender anonymity and abuse mitigation. We start by showing limitations of Signal’s deployed mechanism, observing that it results in relatively weak anonymity properties and showing a new griefing attack that allows a malicious sender to drain a victim’s battery. We therefore design a new protocol, called Orca, that allows recipients to register a privacy-preserving blocklist with the platform. Without learning the sender’s identity, the platform can check that the sender is not on the blocklist and that the sender can be identified by the recipient. We construct Orca using a new type of group signature scheme, for which we give formal security notions. Our prototype implementation showcases Orca’s practicality.

Minimizing the energy cost and carbon footprint of the Bitcoin blockchain and related protocols is one of the most widely identified open questions in the cryptocurrency space. Substituting the proof-of-work (PoW) primitive in Nakamoto's longest chain protocol with a {\em proof of useful work} (PoUW) has been long theorized as an ideal solution in many respects but, to this day, the concept still lacks a convincingly secure realization.

In this work we put forth Ofelimos, a novel PoUW-based block\-chain protocol whose consensus mechanism simultaneously realizes a decentralized optimization-problem solver. Our protocol is built around a novel local search algorithm, which we call Doubly Parallel Local Search (DPLS), that is especially crafted to suit implementation as the PoUW component of our blockchain protocol. We provide a thorough security analysis of our protocol and additionally present metrics that reflect the usefulness of the system. As an illustrative example we show how DPLS can implement a variant of WalkSAT and experimentally demonstrate its competitiveness with respect to a vanilla WalkSAT implementation. In this way, our work paves the way for safely using blockchain systems as generic optimization engines for a variety of hard optimization problems for which a publicly verifiable solution is desired.

This work introduces second-order masked implementations of LED, Midori, SKINNY, and PRINCE ciphers which do not require fresh masks to be updated at every clock cycle. The main idea lies on a combination of the constructions given by Shahmirzadi and Moradi at CHES~2021, and the theory presented by Beyne et al. at Asiacrypt~2020. The presented masked designs only use a minimal number of shares, i.e., three to achieve second-order security, and we make use of a trick to pair a couple of S-boxes to reduce their latency. The theoretical security analyses of our constructions are based on the linear-cryptanalytic properties of the underlying masked primitive as well as SILVER, the leakage verification tool presented at Asiacrypt~2020. To improve this cryptanalytic analysis, we use the \emph{noisy probing model} which allows for the inclusion of noise in the framework of Beyne et al. We further provide FPGA-based experimental security analysis confirming second-order protection of our masked implementations.

The Max Planck Institute for Security and Privacy (MPI-SP) is looking for motivated students to apply for a research internship on lattice-based cryptography. In particular, we are looking for students eager to build vector commitments and related primitives from lattices.

Topic: Lattice-based Vector Commitments

Requirements:

• Have working knowledge in constructing and analysing public-key cryptographic primitives
• Are familiar with mathematical proofs
• Are fluent in spoken and written English

Greatly Valued but not Mandatory Attributes:

• Have basic understanding of lattice-based cryptography
• Have basic understanding of vector commitments
• Have experience in prototyping cryptographic primitives

Funding: The position is funded as part of a project in collaboration with Protocol Labs (https://protocol.ai).

Start Date: As soon as possible

Duration: 3 to 6 months

Application Deadline: December 31, 2021, or when a suitable candidate has been found

To apply for the position, send an email to Giulio Malavolta (address below) including the following documents:

• A curriculum vitae
• A brief cover letter (half page at most), e.g. describing your research interests

If you have any question, don’t hesitate to get in touch.

Closing date for applications:

Contact: Giulio Malavolta (giulio.malavolta@mpi-sp.org)

The ENS Lyon crypto group is opening several post-doc positions. Duration and starting dates are flexible. Salary takes seniority into account.

Topics of interest:
Applicants should have expertise in at least one of the following topics:

• Cryptographic protocols
• Lattice-based cryptography
• Lattice algorithms or hardness of lattice problems (quantum/classical)
• Foundational aspects of cryptography
• Computing on encrypted data
• Implementation of cryptographic primitives

Applicants are expected to have already published in top-tier venues in the relevant areas.

How to apply:

Interested applicants should provide a detailed resume and two references. Applications should be sent directly to {benoit.libert,alain.passelegue, damien.stehle}@ens-lyon.fr by Dec. 31, 2021.

Closing date for applications:

Contact: Benoît Libert, Alain Passelègue, and Damien Stehlé
{benoit.libert, alain.passelegue, damien.stehle}@ens-lyon.fr

More information: https://www.ens-lyon.fr/LIP/AriC/crypto

Overview Blockchains are not private enough for safe use by citizens, corporations, or dissidents. Heliax is looking for a research cryptographer interested in fully-homomorphic encryption protocols and their application to distributed ledger technology to work with us to design, evaluate, and implement FHE constructions, then put this cryptography into practice in order to realise privacy and scalability capabilities required by the next generation of blockchain networks. This role offers the chance to work closely with a small team on compelling cross-disciplinary problems in theoretical computer science, cryptography, game theory, economics, and systems design, and enjoy a high degree of independence in working conditions and task prioritization. Responsibilities Evaluate and analyze existing FHE protocols for security, expressivity, and performance, monitor the state of the research field for compelling new theoretical advances, and conduct original exploratory research into new constructions Update & alter existing protocols and implementations (such as nuFHE), customize them for specific proof-of-concept and production use-cases Produce technical specifications for designs & instantiations of said protocols and assist with implementation in coordination with team members Qualifications Academic research background in mathematics, computer science, or cryptography Prior experience with fully-homomorphic encryption in a research context Self-motivated & self-organized Bonus Qualifications Experience with (fully) homomorphic encryption libraries (e.g. SEAL, HElib) Prior experience in low-level systems programming, ideally in Rust Prior experience with distributed ledger (blockchain) technology Misc Remote or local (Zürich/Zug, Berlin). When remote, preferred if mostly located within (+/- 7 hours) Central European time zones. North America is fine. Ideally someone who enjoys travel, nature and hiking. Often we find that protocols are best designed not in a meeting room but rather on a trail ????️.

Closing date for applications:

Contact: jobs@heliax.dev

More information: https://heliax.dev/

Several PhD student openings in the domains of cryptography, computer security, privacy, and blockchain-based systems, are available at the University of Connecticut (UConn), CSE dept., led by Prof. Ghada Almashaqbeh. Start date can be as early as Spring 2022 or later for Fall 2022.

The positions provide a great opportunity for students with interest in interdisciplinary projects that combine knowledge from various fields towards the design of secure systems and protocols. We target real-world timely problems and aim to provide secure and practical solutions backed by rigorous foundations and efficient implementations/thorough performance testing. We are also interested in conceptual projects that contribute in bridging the gap between theory and practice of Cryptography.

For more information about our current and previous projects please check https://ghadaalmashaqbeh.github.io/research/. For interested students, please send your CV to ghada@uconn.edu and provide any relevant information about the topics you want to work on and the skills/related background you have.

Closing date for applications:

Contact: Ghada Almashaqbeh

More information: https://ghadaalmashaqbeh.github.io/

Job role: One year-Post-doctoral position as a product Security Engineer

Department:
R&D – Product Security Location / Working place Meyreuil, France
SAS Campus George Charpak Provence, Gardanne, France

Mission:
Participate in security certifications: hardware and software platforms
Porting post-quantum cryptographic libraries to Wisekey’s components
Implement side channel / deep learning attacks in Wisekey’s security lab
Maintain Wisekey’s attack benches

Main responsabilities:
Standardization follow-up on post-quantum algorithms
Implement an attack bench on component using post-quantum cryptographic libraries
Keep abreast of new attacks (conferences, fairs, scientific articles)

Requirements:
Educational background / diplomas: PhD
Skills: Cryptography, Safety of embedded systems, Security certifications (CC, EMVCo, FIPS), Development on embedded systems
Starting date: ASAP
To apply please send your CV, a cover letter, and contact information of 2 references

Closing date for applications:

Contact: Nadia EL Mrabet (EMSE Gardanne), nadia.el-mrabet@emse.fr
Jean-Pierre Enguent (VP-R&D Wisekey), jpenguent@WISEKEY.COM

The University of Luxembourg invites applications from M.Sc. holders in the general area of applied cryptography. Cryptolux.org is a team of cryptographers and security researchers interested in applied cryptography, cryptanalysis, privacy, network security, cryptographic blockchains and is led by Prof. Alex Biryukov. We are affiliated to the Department of Computer Science (DCS) and to the interdisciplinary Security and Trust center (SnT).

Area (potential topics of the thesis)

• Cryptanalysis and design of cryptographic primitives, ex. Lightweight block ciphers, hash functions, authenticated encryption schemes
• Privacy Enhancing Technology (Tor-like networks, privacy for cryptocurrencies)
• Cryptography for blockchains
• White-box cryptography

The University offers a Ph.D. study program with an initial contract of 36 months, with a further possible 1-year extension if required. The University offers highly competitive salaries and is an equal opportunity employer. You will work in one of the most international universities in the world and will participate in the development of a large information security research center.

Starting date 1-Jan-2022 or later upon agreement. Early submission is encouraged; applications will be processed upon receipt.

Closing date for applications:

Contact: Prof. Alex Biryukov

More information: https://cryptolux.org

The celebrated Fiat-Shamir transformation turns any public-coin interactive proof into an non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called $\Sigma$-protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a $(2\mu + 1)$-move protocol is, in general, $Q^\mu$, where $Q$ is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the $\mu$-fold sequential repetition of $\Sigma$-protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss.

In this work, we give positive and negative results on this question. On the positive side, we show that for $(k_1, \ldots, k_\mu)$-special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in $Q$ (instead of $Q^\mu$). On the negative side, we show that for $t$-fold parallel repetitions of typical $(k_1, \ldots, k_\mu)$-special-sound protocols, there is an attack which results in a security loss of about $(Q/\mu)^\mu \mu^{-t}$, assuming for simplicity that $t$ is an integer multiple of $\mu$.

We consider the task of designing secure computation protocols in an unstable network where honest parties can drop out at any time, according to a schedule provided by the adversary. This type of setting, where even honest parties are prone to failures, is more realistic than traditional models, and has therefore gained a lot of attention recently. Unlike previous works in the literature, we allow parties to return to the computation according to an adversarially chosen schedule and, moreover, we do not assume that these parties receive the messages that were sent to them while being offline. However, we do assume an upper bound on the number of rounds that an honest party can be off-line---otherwise protocols in this setting cannot guarantee termination within a bounded number of rounds.

We study the settings of perfect, statistical and computational security and design MPC protocols in each of these scenarios. We assume that the intersection of online-and-honest parties from one round to the next is at least $2t+1$, $t+1$ and $1$ respectively, where $t$ is the number of (actively) corrupt parties. We show the intersection requirements to be optimal. Our (positive) results are obtained in a way that may be of independent interest: we implement a traditional stable network on top of the unstable one, which allows us to plug in \textit{any} MPC protocol on top. This approach adds a necessary overhead to the round count of the protocols, which is related to the maximal number of rounds an honest party can be offline. We also present a novel, perfectly secure MPC protocol that avoids this overhead by following a more ``direct'' approach rather than building a stable network on top. We introduce our network model in the UC-framework and prove the security of our protocols within this setting.

In this paper, we present new techniques for proving the security of multi- and threshold signature schemes under discrete logarithm assumptions in the random oracle model. The purpose is to provide a simple framework for analyzing the relatively complex interactions of these schemes in a concurrent model, thereby reducing the risk of attacks. We make use of proofs of possession and prove that a Schnorr signature suffices as a proof of possession in the algebraic group model without any tightness loss. We introduce and prove the security of a simple, three-round multisignature $\mathsf{SimpleMuSig}$.

Using our new techniques, we prove the concurrent security of a variant of the $\mathsf{MuSig2}$ multisignature scheme that includes proofs of possession as well as the $\mathsf{FROST}$ threshold signature scheme. These are currently the most efficient schemes in the literature for generating Schnorr signatures in a multiparty setting. Our variant of $\mathsf{MuSig2}$, which we call $\mathsf{SpeedyMuSig}$, has faster key aggregation due to the proofs of possession.

Differential fault analysis (DFA) is a very powerful attack vector on implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of $2^{64}$ is impractical.

In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT's strong key schedule to recover the key using less than 100 faulty computation and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys.

We present a new OT-based two-party multiplication protocol that is almost as efficient as Gilboa's semi-honest protocol (Crypto '99), but has a high-level of security against malicious adversaries without further compilation. The achieved security suffices for many applications, and, assuming DDH, can be cheaply compiled into full security.

Drone-based applications continue to garner a lot of attention due to their significant potential in both commercial and non-commercial use. Owing to this increasing popularity, researchers have begun to pay attention to the communication security requirements involved in deploying drone-based applications and services on a large scale, with particular emphasis on group communication. The majority of existing works in this field focus on the use of symmetric key cryptographic schemes or group key agreement schemes. However, in this paper, we propose a pairing-free certificateless group authenticated key distribution protocol for drone-based applications which takes into consideration drones with varying computational resources. The proposed scheme ensures key freshness, group key secrecy, forward secrecy, and backward secrecy while ensuring that the scheme is lightweight enough to be implemented on very resource-constrained drones or smart devices. We extensively prove the security of our scheme and demonstrate its real-world applicability by evaluating its performance on three different kinds of drone boards (UP Xtreme i7 board, SamL11-Xpro board, and a Zolertia Re-mote Revb board).

Attribute-based encryption with equality test ($\mathsf{ABEET}$) is an extension of the ordinary attribute-based encryption ($\mathsf{ABE}$), where trapdoors enable us to check whether two ciphertexts are encryptions of the same message. Thus far, several CCA-secure $\mathsf{ABEET}$ schemes have been proposed for monotone span programs satisfying selective security under $q$-type assumptions. In this paper, we propose a generic construction of CCA-secure $\mathsf{ABEET}$ from delegatable $\mathsf{ABE}$. Specifically, our construction is an attribute-based extension of Lee et al.'s generic construction of identity-based encryption with equality test from hierarchical identity-based encryption. Even as far as we know, there are various delegatable $\mathsf{ABE}$ schemes. Therefore, we obtain various $\mathsf{ABEET}$ schemes with new properties that have not been achieved before such as various predicates, adaptive security, standard assumptions, compact ciphertexts/secret keys, and lattice-based constructions.

In crowd-sourced data aggregation, participants share their data points with curators. However, the lack of privacy guarantees may discourage participation, which motivates the need for privacy-preserving aggregation protocols. Unfortunately, existing solutions do not support public auditing without revealing the participants' data. In real-world applications, there is a need for public verifiability (i.e., verifying the protocol correctness) while preserving the privacy of the participants' inputs since the participants do not always trust the data curator. Likewise, public distributed ledgers (e.g., blockchains) provide public auditing but may reveal sensitive information.

We present Masquerade, a novel protocol for computing private statistics, such as sum, average, and histograms without revealing anything about participants' data. We propose a tailored multiplicative commitment scheme to ensure the integrity of data aggregations and publish all the participants' commitments on a ledger to provide public verifiability. We complement our methodology with two zero-knowledge proof protocols that detect potentially untrusted participants who attempt to poison the aggregation results. Thus, Masquerade ensures the validity of shared data points before being aggregated, enabling a broad range of numerical and categorical. In our experiments, we evaluate our protocol's runtime and communication overhead using homomorphic ciphertexts and commitments for a variable number of participants.

In the third round of the NIST PQC standardization process, the only isogeny-based candidate, SIKE, suffers from slow performance when compared to other contenders. The large-degree isogeny computation performs a series of isogenous mappings between curves, to account for about 80% of SIKE’s latency. Here, we propose, implement, and evaluate a new method for computing large-degree isogenies of an odd power. Our new strategy for this computation avoids expensive recomputation of temporary isogeny results.We modified open-source libraries targeting x86, ARM64, and ARM32 platforms. Across each of these implementations, our new method achieves 10% and 5% speedups in SIKE’s key encapsulation and decapsulation operations, respectively. Additionally, these implementations use 3% less stack space at only a 48 byte increase in code size. Given the benefit and simplicity of our approach, we recommend this method for current and emerging SIKE implementations.