International Association
for Cryptologic Research

Mixed integer linear programming (MILP) based tools are used to estimate the strength of block ciphers against the cryptanalytic attacks. The existing tools use partial difference distribution table (p-DDT) approach to optimize the probability of differential characteristics for large (≥8-bit) S-box based ciphers. We propose to use the full difference distribution table (DDT) with the probability of each possible propagation for MILP modeling of large S-boxes. This requires more than 16 variables to represent the linear inequalities of each propagation and corresponding probabilities. The existing tools (viz. Logic Friday) cannot handle the linear inequalities in more than 16 variables. In this paper, we present a new tool (namely MILES) to minimize the linear inequalities in more than 16 variables. This tool reduces the number of inequalities by minimizing the truth table corresponding to the DDT of S-box. We use our tool to minimize the linear inequalities for 8-bit S-boxes (AES and SKINNY) and get better results than existing tools. We show the application of MILES on 8-bit S-box based lightweight block cipher PIPO. There are 20621 inequalities in 23 variables corresponding to the possible propagations in DDT and these are minimized to 6035 inequalities using MILES. MILP model based on these linear inequalities is used to optimizethe probability of differential characteristics for round-reduced PIPO. For the first time, the MILP problem consisting the inequalities of full DDT for 8-bit S-box is solved to optimize the probability of differential characteristics.

We define the class of triplicate functions as a generalization of 3-to-1 functions over the finite field F 2 n for even values of n. We investigate the properties and behavior of triplicate functions, and of 3-to-1 among triplicate functions, with particular attention to the conditions under which such functions can be APN. We compute the exact number of distinct differential sets of power APN functions, quadratic 3-to-1 functions, and quadratic APN permutations; we show that, in this sense, quadratic 3-to-1 functions are a generalization of quadratic power APN functions for even dimensions, while quadratic APN permutations are generalizations of quadratic power APN functions for odd dimensions. We survey all known infinite families of APN functions with respect to the presence of 3-to-1 functions among them, and conclude that for even n almost all of the known infinite families contain functions that are quadratic 3-to-1 or EA-equivalent to quadratic 3-to-1 functions. Using the developed framework, we give the first proof that the infinite APN families of Budaghyan, Helleseth and Kaleyski; of Gologlu; and of Zheng, Kan, Li, Peng, and Tang have a Gold-like Walsh spectrum. We also give a simpler univariate representation of the Gogloglu family for dimensions n = 2m with m odd than the ones currently available in the literature. We conduct a computational search for quadratic 3-to-1 functions in even dimensions n ≤ 12. We find one new APN instance for n = 8, six new APN instances for n = 10, and the first sporadic APN instance for n = 12 since 2006. We provide a list of all known 3-to-1 APN functions for n ≤ 12.

This paper proposes a threshold-optimal ECDSA scheme based on the first threshold signature scheme by Gennaro et al. with efficient non-interactive signing for any $t+1$ signers in the group, provided the total group size is more than twice the threshold $t$. The scheme does not require any homomorphic encryption or zero-knowledge proofs and is proven to be robust and unforgeable with identifiable aborts tolerating at most $t$ corrupted participants. The security of the scheme is proven in a simulation-based definition, assuming DDH and that ECDSA is existentially unforgeable under chosen message attack. To evaluate the performance of the protocol, it has been implemented in C++ and the results demonstrate the non-interactive signing phase takes 0.12ms on average meaning over 8000 signatures can be created per second. With pre-signing phase, it takes 3.35ms in total, which is over 144 times faster than the current state of the art.

An OR-proof is a protocol that enables a user to prove the possession of a witness for one of two (or more) statements, without revealing which one. Abe and Okamoto (CRYPTO 2000) used this technique to build a partially blind signature scheme whose security is based on the hardness of the discrete logarithm problem. Inspired by their approach, we present BlindOR, an efficient blind signature scheme from OR-proofs based on lattices over modules. Using OR-proofs allows us to reduce the security of our scheme from the MLWE and MSIS problems, yielding a much more efficient solution compared to previous works.

In 2020, Bernard and Roux-Langlois introduced the Twisted-PHS algorithm to solve Approx-SVP for ideal lattices on any number field, based on the PHS algorithm by Pellet-Mary, Hanrot and Stehlé in 2019. They performed experiments for prime conductors cyclotomic fields of degrees at most 70, reporting approximation factors reached in practice. The main obstacle for these experiments is the computation of a log-$\mathcal{S}$-unit lattice, which requires classical subexponential time.

In this paper, our main contribution is to extend these experiments to 192 cyclotomic fields of any conductor $m$ and of degree up to $190$. Building upon new results from Bernard and Kucera on the Stickelberger ideal, we construct a maximal set of independent $\mathcal{S}$-units lifted from the maximal real subfield using explicit Stickelberger generators obtained via Jacobi sums. Hence, we obtain full-rank log-$\mathcal{S}$-unit sublattices fulfilling the role of approximating the full Tw-PHS lattice. Notably, our obtained approximation factors match those from Bernard and Roux-Langlois using the original log-$\mathcal{S}$-unit lattice in small dimensions.

As a side result, we use the knowledge of these explicit Stickelberger elements to remove almost all quantum steps in the CDW algorithm, by Cramer, Ducas and Wesolowski in 2021, under the mild restriction that the plus part of the class number verifies $h^{+}_{m}\leq O(\sqrt{m})$.

We propose a multi-party computation (MPC) protocol over $\mathbb{Z}_{2^k}$ secure against actively corrupted majority from somewhat homomorphic encryption. The main technical contributions are: (i) a new efficient packing method for $\mathbb{Z}_{2^k}$-messages in lattice-based somewhat homomorphic encryption schemes, (ii) a simpler reshare protocol for level-dependent packings, (iii) a more efficient zero-knowledge proof of plaintext knowledge on cyclotomic rings $\mathbb{Z}[X]/\Phi_M(X)$ with $M$ being a prime. Integrating them, our protocol shows from 2.2x upto 4.8x improvements in amortized communication costs compared to the previous best results. Our techniques not only improve the efficiency of MPC over $\mathbb{Z}_{2^k}$ considerably, but also provide a toolkit that can be leveraged when designing other cryptographic primitives over $\mathbb{Z}_{2^k}$.

Zero-Knowledge Proofs (ZKPs) are cryptographic primitives allowing a party to prove to another party that the former knows some information while keeping it secret. Such a premise can lead to the development of numerous privacy-preserving protocols in different scenarios, like proving knowledge of some credentials to a server without leaking the identity of the user. Even when the applications of ZKPs were endless, they were not exploited in the wild for a couple of decades due to the fact that computing and verifying proofs was too computationally expensive. However, the advent of efficient schemes (in particular, zk-SNARKs) made this primitive to break into the scene in fields like cryptocurrencies, smart-contracts, and more recently, self-sovereign scenarios: private-by-design identity management and authentication. Nevertheless, its adoption in environments like the Internet of Things (IoT) remains unexplored due to the computational limitations of embedded systems. In this paper, we introduce ZPiE, a C library intended to create ZKP applications to be executed in embedded systems. Its main feature is portability: it can be compiled, executed, and used out-of-the-box in a wide variety of devices. Moreover, our proof-of-concept has been proved to work smoothly in different devices with limited resources, which can execute state-of-the-art ZKP authentication protocols.

Attribute-Based Encryption (ABE) is a cryptographic primitive which supports fine-grained access control on encrypted data, making it an appealing building block for many applications. Multi-Authority Attribute-Based Encryption (MA-ABE) is a generalization of ABE where the central authority is distributed across several independent parties.

We provide the first MA-ABE scheme from prime-order pairings where no trusted setup is needed and where the attribute universe of each authority is unbounded. Our constructions rely on a common modular blueprint that uses an Identity-Based Functional Encryption scheme for inner products (ID-IPFE) as an underlying primitive. Our presentation leads to simple proofs of security and brings new insight into the algebraic design choices that seem common to existing schemes. In particular, the well-known MA-ABE construction by Lewko and Waters (EUROCRYPT 2011) can be seen as a specific instantiation of our modular construction.

Our schemes enjoy all of their advantageous features, and the improvements mentioned. Furthermore, different instantiations of the core ID-IPFE primitive lead to various security/efficiency trade-offs: we propose an adaptively secure construction proven in the generic group model and a selectively secure one that relies on SXDH. As in previous work, we rely on a hash function (to generate matching randomness for the same user across different authorities while preserving collusion resistance) that is modeled as a random oracle.

Sender-anonymous end-to-end encrypted messaging allows sending messages to a recipient without revealing the sender’s identity to the messaging platform. Signal recently introduced a sender anonymity feature that includes an abuse mitigation mechanism meant to allow the platform to block malicious senders on behalf of a recipient. We explore the tension between sender anonymity and abuse mitigation. We start by showing limitations of Signal’s deployed mechanism, observing that it results in relatively weak anonymity properties and showing a new griefing attack that allows a malicious sender to drain a victim’s battery. We therefore design a new protocol, called Orca, that allows recipients to register a privacy-preserving blocklist with the platform. Without learning the sender’s identity, the platform can check that the sender is not on the blocklist and that the sender can be identified by the recipient. We construct Orca using a new type of group signature scheme, for which we give formal security notions. Our prototype implementation showcases Orca’s practicality.

Minimizing the energy cost and carbon footprint of the Bitcoin blockchain and related protocols is one of the most widely identified open questions in the cryptocurrency space. Substituting the proof-of-work (PoW) primitive in Nakamoto's longest chain protocol with a {\em proof of useful work} (PoUW) has been long theorized as an ideal solution in many respects but, to this day, the concept still lacks a convincingly secure realization.

In this work we put forth Ofelimos, a novel PoUW-based block\-chain protocol whose consensus mechanism simultaneously realizes a decentralized optimization-problem solver. Our protocol is built around a novel local search algorithm, which we call Doubly Parallel Local Search (DPLS), that is especially crafted to suit implementation as the PoUW component of our blockchain protocol. We provide a thorough security analysis of our protocol and additionally present metrics that reflect the usefulness of the system. As an illustrative example we show how DPLS can implement a variant of WalkSAT and experimentally demonstrate its competitiveness with respect to a vanilla WalkSAT implementation. In this way, our work paves the way for safely using blockchain systems as generic optimization engines for a variety of hard optimization problems for which a publicly verifiable solution is desired.

This work introduces second-order masked implementations of LED, Midori, SKINNY, and PRINCE ciphers which do not require fresh masks to be updated at every clock cycle. The main idea lies on a combination of the constructions given by Shahmirzadi and Moradi at CHES~2021, and the theory presented by Beyne et al. at Asiacrypt~2020. The presented masked designs only use a minimal number of shares, i.e., three to achieve second-order security, and we make use of a trick to pair a couple of S-boxes to reduce their latency. The theoretical security analyses of our constructions are based on the linear-cryptanalytic properties of the underlying masked primitive as well as SILVER, the leakage verification tool presented at Asiacrypt~2020. To improve this cryptanalytic analysis, we use the \emph{noisy probing model} which allows for the inclusion of noise in the framework of Beyne et al. We further provide FPGA-based experimental security analysis confirming second-order protection of our masked implementations.

The Max Planck Institute for Security and Privacy (MPI-SP) is looking for motivated students to apply for a research internship on lattice-based cryptography. In particular, we are looking for students eager to build vector commitments and related primitives from lattices.

Topic: Lattice-based Vector Commitments

Requirements:

• Have working knowledge in constructing and analysing public-key cryptographic primitives
• Are familiar with mathematical proofs
• Are fluent in spoken and written English

Greatly Valued but not Mandatory Attributes:

• Have basic understanding of lattice-based cryptography
• Have basic understanding of vector commitments
• Have experience in prototyping cryptographic primitives

Funding: The position is funded as part of a project in collaboration with Protocol Labs (https://protocol.ai).

Start Date: As soon as possible

Duration: 3 to 6 months

Application Deadline: December 31, 2021, or when a suitable candidate has been found

To apply for the position, send an email to Giulio Malavolta (address below) including the following documents:

• A curriculum vitae
• A brief cover letter (half page at most), e.g. describing your research interests

If you have any question, don’t hesitate to get in touch.

Closing date for applications:

Contact: Giulio Malavolta (giulio.malavolta@mpi-sp.org)

The ENS Lyon crypto group is opening several post-doc positions. Duration and starting dates are flexible. Salary takes seniority into account.

Topics of interest:
Applicants should have expertise in at least one of the following topics:

• Cryptographic protocols
• Lattice-based cryptography
• Lattice algorithms or hardness of lattice problems (quantum/classical)
• Foundational aspects of cryptography
• Computing on encrypted data
• Implementation of cryptographic primitives

Applicants are expected to have already published in top-tier venues in the relevant areas.

How to apply:

Interested applicants should provide a detailed resume and two references. Applications should be sent directly to {benoit.libert,alain.passelegue, damien.stehle}@ens-lyon.fr by Dec. 31, 2021.

Closing date for applications:

Contact: Benoît Libert, Alain Passelègue, and Damien Stehlé
{benoit.libert, alain.passelegue, damien.stehle}@ens-lyon.fr

More information: https://www.ens-lyon.fr/LIP/AriC/crypto

Overview Blockchains are not private enough for safe use by citizens, corporations, or dissidents. Heliax is looking for a research cryptographer interested in fully-homomorphic encryption protocols and their application to distributed ledger technology to work with us to design, evaluate, and implement FHE constructions, then put this cryptography into practice in order to realise privacy and scalability capabilities required by the next generation of blockchain networks. This role offers the chance to work closely with a small team on compelling cross-disciplinary problems in theoretical computer science, cryptography, game theory, economics, and systems design, and enjoy a high degree of independence in working conditions and task prioritization. Responsibilities Evaluate and analyze existing FHE protocols for security, expressivity, and performance, monitor the state of the research field for compelling new theoretical advances, and conduct original exploratory research into new constructions Update & alter existing protocols and implementations (such as nuFHE), customize them for specific proof-of-concept and production use-cases Produce technical specifications for designs & instantiations of said protocols and assist with implementation in coordination with team members Qualifications Academic research background in mathematics, computer science, or cryptography Prior experience with fully-homomorphic encryption in a research context Self-motivated & self-organized Bonus Qualifications Experience with (fully) homomorphic encryption libraries (e.g. SEAL, HElib) Prior experience in low-level systems programming, ideally in Rust Prior experience with distributed ledger (blockchain) technology Misc Remote or local (Zürich/Zug, Berlin). When remote, preferred if mostly located within (+/- 7 hours) Central European time zones. North America is fine. Ideally someone who enjoys travel, nature and hiking. Often we find that protocols are best designed not in a meeting room but rather on a trail ????️.

Closing date for applications:

Contact: jobs@heliax.dev

More information: https://heliax.dev/

Several PhD student openings in the domains of cryptography, computer security, privacy, and blockchain-based systems, are available at the University of Connecticut (UConn), CSE dept., led by Prof. Ghada Almashaqbeh. Start date can be as early as Spring 2022 or later for Fall 2022.

The positions provide a great opportunity for students with interest in interdisciplinary projects that combine knowledge from various fields towards the design of secure systems and protocols. We target real-world timely problems and aim to provide secure and practical solutions backed by rigorous foundations and efficient implementations/thorough performance testing. We are also interested in conceptual projects that contribute in bridging the gap between theory and practice of Cryptography.

For more information about our current and previous projects please check https://ghadaalmashaqbeh.github.io/research/. For interested students, please send your CV to ghada@uconn.edu and provide any relevant information about the topics you want to work on and the skills/related background you have.

Closing date for applications:

Contact: Ghada Almashaqbeh

More information: https://ghadaalmashaqbeh.github.io/

Job role: One year-Post-doctoral position as a product Security Engineer

Department:
R&D – Product Security Location / Working place Meyreuil, France
SAS Campus George Charpak Provence, Gardanne, France

Mission:
Participate in security certifications: hardware and software platforms
Porting post-quantum cryptographic libraries to Wisekey’s components
Implement side channel / deep learning attacks in Wisekey’s security lab
Maintain Wisekey’s attack benches

Main responsabilities:
Standardization follow-up on post-quantum algorithms
Implement an attack bench on component using post-quantum cryptographic libraries
Keep abreast of new attacks (conferences, fairs, scientific articles)

Requirements:
Educational background / diplomas: PhD
Skills: Cryptography, Safety of embedded systems, Security certifications (CC, EMVCo, FIPS), Development on embedded systems
Starting date: ASAP
To apply please send your CV, a cover letter, and contact information of 2 references

Closing date for applications:

Contact: Nadia EL Mrabet (EMSE Gardanne), nadia.el-mrabet@emse.fr
Jean-Pierre Enguent (VP-R&D Wisekey), jpenguent@WISEKEY.COM

The University of Luxembourg invites applications from M.Sc. holders in the general area of applied cryptography. Cryptolux.org is a team of cryptographers and security researchers interested in applied cryptography, cryptanalysis, privacy, network security, cryptographic blockchains and is led by Prof. Alex Biryukov. We are affiliated to the Department of Computer Science (DCS) and to the interdisciplinary Security and Trust center (SnT).

Area (potential topics of the thesis)

• Cryptanalysis and design of cryptographic primitives, ex. Lightweight block ciphers, hash functions, authenticated encryption schemes
• Privacy Enhancing Technology (Tor-like networks, privacy for cryptocurrencies)
• Cryptography for blockchains
• White-box cryptography

The University offers a Ph.D. study program with an initial contract of 36 months, with a further possible 1-year extension if required. The University offers highly competitive salaries and is an equal opportunity employer. You will work in one of the most international universities in the world and will participate in the development of a large information security research center.

Starting date 1-Jan-2022 or later upon agreement. Early submission is encouraged; applications will be processed upon receipt.

Closing date for applications:

Contact: Prof. Alex Biryukov

More information: https://cryptolux.org

The celebrated Fiat-Shamir transformation turns any public-coin interactive proof into an non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called $\Sigma$-protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a $(2\mu + 1)$-move protocol is, in general, $Q^\mu$, where $Q$ is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the $\mu$-fold sequential repetition of $\Sigma$-protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss.

In this work, we give positive and negative results on this question. On the positive side, we show that for $(k_1, \ldots, k_\mu)$-special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in $Q$ (instead of $Q^\mu$). On the negative side, we show that for $t$-fold parallel repetitions of typical $(k_1, \ldots, k_\mu)$-special-sound protocols, there is an attack which results in a security loss of about $(Q/\mu)^\mu \mu^{-t}$, assuming for simplicity that $t$ is an integer multiple of $\mu$.

We consider the task of designing secure computation protocols in an unstable network where honest parties can drop out at any time, according to a schedule provided by the adversary. This type of setting, where even honest parties are prone to failures, is more realistic than traditional models, and has therefore gained a lot of attention recently. Unlike previous works in the literature, we allow parties to return to the computation according to an adversarially chosen schedule and, moreover, we do not assume that these parties receive the messages that were sent to them while being offline. However, we do assume an upper bound on the number of rounds that an honest party can be off-line---otherwise protocols in this setting cannot guarantee termination within a bounded number of rounds.

We study the settings of perfect, statistical and computational security and design MPC protocols in each of these scenarios. We assume that the intersection of online-and-honest parties from one round to the next is at least $2t+1$, $t+1$ and $1$ respectively, where $t$ is the number of (actively) corrupt parties. We show the intersection requirements to be optimal. Our (positive) results are obtained in a way that may be of independent interest: we implement a traditional stable network on top of the unstable one, which allows us to plug in \textit{any} MPC protocol on top. This approach adds a necessary overhead to the round count of the protocols, which is related to the maximal number of rounds an honest party can be offline. We also present a novel, perfectly secure MPC protocol that avoids this overhead by following a more ``direct'' approach rather than building a stable network on top. We introduce our network model in the UC-framework and prove the security of our protocols within this setting.

In this paper, we present new techniques for proving the security of multi- and threshold signature schemes under discrete logarithm assumptions in the random oracle model. The purpose is to provide a simple framework for analyzing the relatively complex interactions of these schemes in a concurrent model, thereby reducing the risk of attacks. We make use of proofs of possession and prove that a Schnorr signature suffices as a proof of possession in the algebraic group model without any tightness loss. We introduce and prove the security of a simple, three-round multisignature $\mathsf{SimpleMuSig}$.

Using our new techniques, we prove the concurrent security of a variant of the $\mathsf{MuSig2}$ multisignature scheme that includes proofs of possession as well as the $\mathsf{FROST}$ threshold signature scheme. These are currently the most efficient schemes in the literature for generating Schnorr signatures in a multiparty setting. Our variant of $\mathsf{MuSig2}$, which we call $\mathsf{SpeedyMuSig}$, has faster key aggregation due to the proofs of possession.