IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
06 November 2021
Charanjit Jutla, Sikhar Patranabis
Saikrishna Badrinarayanan, Rex Fernando, Amit Sahai
This paper focuses on the assumptions necessary to construct secure computation protocols in two rounds without setup, focusing on the subcase of two-party functionalities. In this particular case, we show how to build a two-round, concurrent-secure, two-party computation (2PC) protocol based on a single, standard, post-quantum assumption, namely subexponential hardness of the learning-with-errors (LWE) problem.
We note that our protocol is the first two-round concurrent-secure 2PC protocol that does not require the existence of a one-round non-malleable commitment (NMC). Instead, we are able to use the two-round NMCs of [KS17a], which is instantiable from subexponential LWE.
Chun Guo, Tetsu Iwata, Kazuhiko Minematsu
Quentin L. Meunier, Etienne Pons, Karine Heydemann
Yuval Ishai, Dakshita Khurana, Amit Sahai, Akshayaram Srinivasan
When allowing a random oblivious transfer (OT) correlation setup, 2-round protocols making a black-box use of a pseudorandom generator were previously known. However, such protocols were obtained via a round-collapsing ``protocol garbling'' technique that has poor concrete efficiency and makes a non-black-box use of an underlying malicious-secure protocol.
We improve this state of affairs by presenting the following types of black-box protocols.
- 4-round ``pairwise MPC'' in the plain model.
This round-optimal protocol enables each ordered pair of parties to compute a function of both inputs whose output is delivered to the second party. The protocol makes black-box use of any public-key encryption (PKE) with pseudorandom public keys. As a special case, we get a black-box round-optimal realization of secure (copies of) OT between every ordered pair of parties.
- 2-round MPC from OT correlations.
This round-optimal protocol makes a black-box use of any general 2-round MPC protocol satisfying an augmented notion of {\em semi-honest} security. In the two-party case, this yields new kinds of 2-round black-box protocols.
- 5-round MPC in the plain model.
This protocol makes a black-box use of PKE with pseudorandom public keys, and 2-round oblivious transfer with ``semi-malicious'' security.
A key technical tool for the first result is a novel combination of split-state non-malleable codes (Dziembowski, Pietrzak and Wichs, JACM '18) with standalone secure two-party protocols. The second result is based on a new round-optimized variant of the ``IPS compiler'' (Ishai, Prabhakaran and Sahai, Crypto '08). The third result is obtained via a specialized combination of these two techniques.
V. Ustimenko
Mahimna Kelkar, Soubhik Deb, Sishan Long, Ari Juels, Sreeram Kannan
We show experimentally that Themis can be integrated into state-of-the-art consensus protocols with minimal modification or performance overhead. Additionally, we introduce a suite of experiments of general interest for evaluating the practical strength of various notions of fair ordering and the resilience of fair-ordering protocols to adversarial manipulation. We use this suite of experiments to show that the notion of fair ordering enforced by Themis is significantly stronger in theory and for realistic workloads than those of competing systems.
We believe Themis offers strong practical protection against many types of transaction-ordering attacks---such as front-running and back-running---that are currently impacting commonly used smart contract systems.
Omid Etesami, Ji Gao, Saeed Mahloujifar, Mohammad Mahmoody
Large messages: When the messages are allowed to be arbitrarily long, we show that polynomial-time $k$-replacing targeted attacks can achieve bias $\Omega(\mu k/\sqrt n)$ for any $k$ (and any protocol), which is optimal up to a constant factor for any $\mu = \Theta(1)$. Previously, it was known how to achieve such bias only for $k = \Omega(\sqrt n)$ (Komargodski-Raz [DISC'18], Mahloujifar-Mahmoody [ALT'19], and Etesami-Mahloujifar-Mahmoody [SODA'20]). This proves a computational variant of the isoperimetric inequality for product spaces under $k=o(\sqrt n)$ Hamming distance. As a corollary, we also obtain improved $poly(n)$-time targeted poisoning attacks on deterministic learners, in which the adversary can increase the probability of any efficiently testable bad event over the produced model from $\mu=1/poly(n)$ to $\mu + \Omega(\mu k /\sqrt n)$ by changing $k$ out of $n$ training examples.
Binary messages: When the messages $w_1,\dots,w_n$ are uniformly random bits, we show that if $\mu=\Pr[b=1]= \Pr[\sum w_i \geq t] = \beta^{(t)}_n$ for $t \in [n]$ is the probability of falling into a Hamming ball, then polynomial-time $k$-replacing targeted attacks can achieve $\mu'=\Pr[b'=1]=\beta^{(t-k)}_n $, which is optimal due to the simple majority protocol. Thus, as corollary we obtain an alternative proof of the Harper's celebrated vertex isoperimetric inequality in which the optimal adversary (that maps random points to a set of measure $\mu$ by changing at most $k$ bits) is limited to be online and run in polynomial time. Previously, Lichtenstein, Linial, and Saks [Combinatorica'89] showed how to achieve $\mu'=\Pr[b'=1] = \beta^{(t-k)}_{ n-k }$ (using computationally unbounded attacks), which is optimal for adaptive adversaries who decide on corrupting parties before seeing their messages.
Brett Hemenway Falk, Daniel Noble, Rafail Ostrovsky
Pavel Atnashev, George Woltman
Aikata, Ahmet Can Mert, David Jacquemin, Amitabh Das, Donald Matthews, Santosh Ghosh, Sujoy Sinha Roy
Itai Dinur, Nathan Keller, Ohad Klein
In this paper, assuming the average-case $k$-SUM conjecture, we prove that known algorithms are essentially optimal for $k= 3,4,5$. For $k>5$, we prove the optimality of the $k$-tree algorithm for a limited range of parameters. We also prove similar results for $k$-XOR, where the sum is replaced with exclusive or.
Our results are obtained by a self-reduction that, given an instance of $k$-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense $k$-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle's solutions, even though its inputs are highly correlated.
Jeonghyuk Lee, Jaekyung Choi, Hyunok Oh, Jihye Kim
Valentin Vasseur
Even though a negligible DFR is not needed for a KEM using ephemeral keys (e.g. TLS) which only requires IND-CPA security, it seems that IND-CCA security, relevant for reusable/static keys, has become a requirement. Therefore, a negligible DFR is needed both for the security reduction [FO99, HHK17] and to thwart existing attacks [GJS16].
Proving a DFR lower than $2^{-\lambda}$ where $\lambda$ is the security parameter (e.g. $\lambda=128$ or $256$) is hardly possible with mere simulation. Instead a methodology based on modelization, simulation, and extrapolation with confidence estimate was devised [V21]. Models are backed up by theoretical results [T18,SV19], but do not account for some combinatorial properties of the underlying error correcting code. Those combinatorial properties give rise to what is known in telecommunication as "error floors" [R03].
The statistical modeling predicts a fast decrease of the DFR as the block size grows, the waterfall region, whereas the combinatorial properties, weak keys [DGK19] or near-codewords [V21], predict a slower decrease, the error floor region. The issue here is to show that the error floor occurs in a region where the DFR is already below the security requirement. This would validate the extrapolation approach, and, as far as we can say, this appears to be the case for the QC-MDPC codes corresponding to BIKE parameters.
The impact of the QC-MDPC code combinatorial properties on decoding, as reported in this document, is better and better understood. In particular, it strongly relates with the spectrum of low weight vectors, as defined in [GJS16]. At this point, none of the results we are aware of and which are presented here contradict in any way the DFR claims made for BIKE. Admittedly those claims remain heuristic in part, but could be understood as an additional assumption, just like the computational assumptions made for all similar primitives, under which the BIKE scheme is IND-CCA secure.
Karthikeyan Bhargavan, Abhishek Bichhawat, Quoc Huy Do, Pedram Hosseyni, Ralf Kuesters, Guido Schmitz, Tim Wuertele
We present the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. We prove the security of this model using a recent symbolic protocol analysis framework called DY* , which in turn is based on the F* programming language. Our analysis accounts for all prior attacks on ACME in the literature, including both cryptographic attacks and low-level attacks on stateful protocol execution. To analyze ACME, we extend DY ★ with authenticated channels, key substitution attacks, and a concrete execution framework, which are of independent interest. Our security analysis of ACME totaling over 16,000 lines of code is one of the largest proof developments for a cryptographic protocol standard in the literature, and it serves to provide formal security assurances for a crucial component of web security.
Joël Alwen, Dominik Hartmann, Eike Kiltz, Marta Mularczyk
In this work, we introduce server-aided CGKA (saCGKA) to more precisely model how E2E protocols are usually deployed. saCGKA makes explicit the presence of an (untrusted) server mediating communication between honest parties (as opposed to mere insecure channels of some form or another). Next, we provide a simple and intuitive security model for saCGKA. We modify ITK accordingly to obtain SAIK; a practically efficient and easy to implement saCGKA designed to leverage the server to obtain greatly reduced communication and computational complexity (e.g. relative to ITK). Under the hood, SAIK uses a new type of signature called Reducible Signature which we construct from, so called, Weighted Accumulators. SAIK obtains further advantages by using Multi-Recipient Multi-Message PKE. Finally, we provide empirical data comparing the communication complexity for senders, receivers and the server in ITK vs. three saCGKAs including two instantiations of SAIK.
05 November 2021
University of Luxembourg
Your Role...
The successful candidate will join the CryptoLux research team led by Prof. Alex Biryukov. He or she will contribute to a research project on future directions in cryptography and IT security and is expected to perform the following tasks:
• Shaping research directions and producing results in one or more of the following topics: o Applied Cryptography (symmetric, lightweight, AE, White-box etc.); o Financial cryptography, cryptocurrencies, blockchain technologies; o Privacy enhancing technologies (Tor, zero-knowledge, eID, etc.); • Disseminating results through scientific publications; • Providing guidance to Ph.D. and M.Sc. students.Your Profile...
• A Ph.D. degree in Computer Science, Applied Mathematics, Electrical Engineering, or a related field; • Competitive research record in applied cryptography or information security (at least one paper in top 10 IT security conferences); • Strong mathematical and algorithmic CS background; • Good skills in C /or C++ or scripting languages; • Commitment, team working and a critical mind; • Fluent written and verbal communication skills in English are mandatory.Closing date for applications:
Contact: alex.biryukov@uni.lu
More information: http://emea3.mrted.ly/2v77v
Zama, Paris, France
- implementing state-of-the-art algorithms for homomorphic encryption
- continually improving their performance and reliability through timing optimisation and verification
- documenting and benchmarking the implemented cryptographic operations
- a PhD in cryptography, or a Master’s degree in Engineering with more than four (4) years of industry experience
- be well versed in VHDL and/or Verilog
- a strong knowledge of FPGA tool flows, familiarity with cutting-edge FPGA devices, and be comfortable with debugging and reaching timing closure
- a strong interest in cryptography and a passion for privacy
- good analytical skills
- good written and oral communication skills
- experience implementing lattice-based cryptography on FPGA/ASIC is a plus
Closing date for applications:
Contact: Thomas De Cnudde (thomas.decnudde(at)zama.ai)
More information: https://www.welcometothejungle.com/en/companies/zama/jobs
DingLab, Beijing Institute of Mathematical Sciences and Applications; Beijing, China
Multiple fully funded positions on the Ding Lab in Cryptography and its applications at the Yanqi Lake Beijing Institute of Mathematical Sciences and Applications (BIMSA).
Ding LabThe Ding Lab in Public Key Cryptography will be led by Prof. Jintai Ding. It is an international open laboratory with English as the working language. Anyone who works in related areas including (but not restricted to) computational algebra, computational algebraic geometry, number theory, mathematical optimization, quantum algorithms, post-quantum cryptography, multi-party computation, zero-knowledge proof, fully homomorphic encryption, privacy preserving algorithms, block chain, high performance computing, and algorithm implementations are welcome to apply.
Positions- Visiting Scholar : including short term(less than 3 months) and long term(6 months to 1 year) for persons who has been granted with PhD degree
- Post-Doc
- Senior Researcher
- Research Associate (master)
All positions require you having a master or PhD degree in Computer Science, Mathematics, Cryptography, or equivalent practical experience.
SalaryBIMSA offers internationally competitive salary packages and salary will be determined by applicant's qualification. Recent PhDs are especially encouraged to apply. A typical appointment for postdoc of BIMSA is for two-years, renewable for the third year with annual salary ranges from 300,000 RMB to 500,000 RMB depending on experience and qualifications.
BIMSAThe BIMSA is a Mathematics research institution co-sponsored by Beijing Municipal Government and Tsinghua University, and the director of BIMSA is the renowned mathematician, Prof. Shing-Tung Yau. The BIMSA is located in the Huairou District of Beijing, and is part of Beijing’s strategic plans to build world-class new-style research & development institutions and national innovation center for science and technology. The BIMSA aims to develop fundamental scientific research and build a bridge between mathematics and industry applications.
Closing date for applications:
Contact: Jintai Ding(DingLab@bimsa.cn)
CISPA Helmholtz Center for Information Security
The CISPA Helmholtz Center for Information Security provides a unique work environment that offers the advantages of a university department and a research laboratory alike. As the latest member of the Helmholtz Association, the largest research organization in Germany, CISPA has embarked on a mission: to rethink the digitalized world of the future from the ground up and make it safer through innovative, cutting-edge research. The center will grow to more than 800 employees in the medium term with not less than 60 Faculty and research group leaders.
CISPA maintains an open, international and diverse work environment. Every Ph.D. student is a member of a research group led by his or her supervisor. Admitted students are, as a rule, paid employees of CISPA with a full-time contract. The working language is English.
Job Description. The group of Kamil Kluczniak is looking for Ph.D. students broadly interested in theoretical and/or practical aspects of Cryptography. Although the group is currently focused on homomorphic encryption and public-key cryptography, candidates will be encouraged to find and pursue their own research interests.
How to apply: All applications have to be done through the Odoo system:
-
https://jobs.cispa.saarland/de_DE/jobs/detail/phd-students-1
>>> c = m**e % N
>>> print(str(c) + ", " + str(e) + ", " + str(N))
>>> 3016, 19, 10403
>>> m = str(c**d % N) + "@cispa.de"
Closing date for applications:
Contact:
-
https://jobs.cispa.saarland/de_DE/jobs/detail/phd-students-1
If you have any questions regarding your application please contact our Onboarding Team via otm@cispa.de.