International Association
for Cryptologic Research

Seoul National University of Science and Technology is currently recruiting research professors and the application process ends on January 11. Applicants will be matched with advisors, so they must choose them in advance.
The Cryptography and Information Security Lab, led by Professor Changhoon Lee, is looking for a candidate who is interested in cryptography and information security. The successful candidate will work on research projects, attend lab seminars, and publish SCI(E) papers under the direction of advisor. We expect a successful candidate to be able to publish SCI (E) papers related to hash function and cryptocurrency security.
Required Qualifications:

Candidate must have recently received a Ph.D. degree (no more than 5 years from the date of obtaining the degree) or expect to receive it before March 1, 2022.

Candidate must have published 2 or more SCI(E) papers in the last 3 years.
Appointment term and salary:

Contract term: from appointment date (March 1, 2022) 1 year

Salary (gross): 39,6 million won per year

Closing date for applications:

Contact: Interested candidates should email professor Changhoon Lee (chlee@seoultech.ac.kr) before January, 9.

More information: https://cis.seoultech.ac.kr/

The Department of Computer Science at the University of Surrey is seeking to appoint a Reader or Senior Lecturer in Software Security to strengthen its research and ambitious strategic growth within the Surrey Centre for Cyber Security (SCCS). This appointment is on a full-time and permanent basis.

The Department of Computer Science has a world-class reputation in cyber security and regularly publishes at top-tier venues. The Department is home to Surrey Centre for Cyber Security (SCCS) and Surrey is only one of four institutions in the UK holding recognition from the National Cyber Security Centre as an Academic Centre of Excellence in both Cyber Security Research and in Cyber Security Education (Gold). SCCS delivers world-leading research expertise in applied cryptography, trusted computing, privacy and authentication, secure communications, blockchain and distributed ledger technologies, and security verification. The Centre includes 16 academics across two research groups: Secure Systems and Distributed and Networked Systems, with around 30 research associates and PhD students. SCCS is leading the recently established Surrey Security Network through which our cross-disciplinary research agenda in cyber security is delivered across the School of Computer Science and Electronic Engineering and across all Faculties of the University. SCCS maintains close links with leading industries, the public sector and governmental bodies, leading to a strong heritage of real-world impact. Our Computer Science BSc programme has been running successfully for many years and continues to attract strong students. The Department offers Information Security MSc and Data Science MSc programmes with growing student numbers. The Department has made significant investment in its facilities with a new 200-seater computer science teaching laboratory, a virtual cloud computing platform, a secure systems facility and an HPC cluster for research.

Research areas of particular interest include (but are not limited to) the following: software security, malware analysis, offensive security. Applicants in related applied areas of research are also invited to apply.

Closing date for applications:

Contact: Steve Schneider (s.schneider@surrey.ac.uk)

More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=085321

The Cybersecurity - Identity Management group at the Hasso-Plattner-Institute (HPI), University of Potsdam is looking for motivated PhD students and Postdocs in the area of cryptography and privacy.

Research Topics: Development and analysis of provably secure cryptographic protocols for real-world problems. Topics of interest include (but are not limited to): privacy-enhancing technologies, password-based cryptography, as well as foundations for real-world cryptography.

Requirements: Master’s degree (or PhD for postdoctoral position) in Computer Science, Mathematics, or a related area by the time of appointment. Profound knowledge and interest in the areas of cryptography and IT security. Fluency in English (written and spoken).

There are two types for the positions: One comes with a teaching obligation for which also sufficient German language skills are required. Review of applicants will start immediately until the position is filled. The starting date is flexible. The other is through the scholarship program of the HPI. Deadline for scholarship applications is February 1st, and the positions usually start around April.

We look forward to your application including a CV and motivation letter. Applications for the PhD position should also include a list of attended Master courses and grades, whereas applications for the Postdoc position should include contact information for two references. Please submit your application documents (only as PDF) via email, and indicate whether you are interested in a scholarship or teaching position.

Closing date for applications:

Contact: Anja Lehmann (firstname.lastname@hpi.de)

More information: https://hpi.de/lehmann/home.html

iTrust is a Cyber Security Research Center in SUTD and a National Satellite of Excellence in Singapore for securing critical infrastructure. iTrust hosts the world-class cyber-physical system (CPS) testbeds which are used for research, education, training, live-fire exercise, and technology validation.

We are looking for postdocs / research fellows with expertise on cybersecurity in general and CPS security in particular. The candidates should have track record of strong R&D capability, with publications at leading security conferences. The candidates familiar with shipboard OT systems or autonomous vehicles will be considered with the priority. Candidate working in the current position less than one year will not be considered (unless due to the end of contract). Fresh PhD graduates are welcome. Only short-listed candidates will be contacted for interview. Successful candidates will be offered internationally competitive remuneration.

Interested candidates please send your CV to Prof. Jianying Zhou. Email: jianying_zhou (at) sutd.edu.sg. Home: http://jianying.space/

Closing date for applications:

Contact: Prof. Jianying Zhou

More information: http://jianying.space/

We present a new construction for publicly verifiable anonymous tokens with private metadata. This primitive enables an issuer to generate an anonymous authentication token for a user while embedding a single private metadata bit. The token can be publicly verified, while the value of the private metadata is only accessible to the party holding the secret issuing key and remains hidden to any other party, even to the user. The security properties of this primitive also include unforgeability, which guarantees that only the user can generate new valid tokens, and unlinkability that guarantees that tokens issued with the same private metadata bit are indistinguishable. Our anonymous tokens scheme builds on the top of blind Schnorr signatures.

We analyze its security in the algebraic group model and prove its security under the modified ROS assumption, one-more discrete logarithm, and decisional Diffie-Hellman assumptions.

Blind signature schemes are one of the best and best-studied tools for privacy-preserving authentication. It has a blind signing protocol in which a signer learns nothing about the message being signed or the resulting signature; thus such a signature can serve as an anonymous authentication token. Thus, constructing efficient blind signatures secure under realistic cryptographic assumptions is an important goal.

A recent paper by Benhamouda, Lepoint, Loss, Orr\`u, and Raykova (Eurocrypt '21) showed that a large class of blind signature schemes secure in the stand-alone setting are no longer secure when multiple instances of the blind signing protocol are executed concurrently. The best known technique to salvage the security of such blind signatures was recently proposed by Katz, Loss, and Rosenberg (Asiacrypt '21). For the security parameter $\kappa$, their technique transforms blind signature schemes that are secure for $\mathcal{O}(\log \kappa)$ concurrent executions of the blind signing protocol into ones that are secure for any $N = \mathsf{poly}(\kappa)$ concurrent executions. The resulting, transformed blind signing protocol needs $\mathcal{O}(N)$ times more computation and communication than the original one.

In this paper, we give an improved transform for obtaining a secure blind signing protocol tolerating $N = \mathsf{poly}(\kappa)$ concurrent executions from one that is secure for $\mathcal{O}(\log \kappa)$ concurrent executions. Our technique still needs $\mathcal{O}(N)$ times more computation, but only $\mathcal{O}(\log N)$ more communication than the original blind signature.

This paper presents a key recovery attack on the cryptosystem proposed by Lau and Tan in a talk at ACISP 2018. The Lau-Tan cryptosystem uses Gabidulin codes as the underlying decodable code. To hide the algebraic structure of Gabidulin codes, the authors chose a matrix of column rank $n$ to mix with a generator matrix of the secret Gabidulin code. The other part of the public key, however, reveals crucial information about the private key. Our analysis shows that the problem of recovering the private key can be reduced to solving a multivariate linear system, rather than solving a multivariate quadratic system as claimed by the authors. Apparently, this attack costs polynomial time, and therefore completely breaks the cryptosystem.

We study the provable security claims of two NIST Lightweight Cryptography (LwC) finalists, GIFT-COFB and Photon-Beetle, and present several attacks whose complexities contradict their claimed bounds in their final round specification documents. For GIFT-COFB, we show an attack using $q_e$ encryption queries and no decryption query to break privacy (IND-CPA). The success probability is $O(q_e/2^{n/2})$ for $n$-bit block while the claimed bound contains $O(q^2_e/2^{n})$. This positively solves an open question posed in~[Khairallah, ePrint~2021/648]. For Photon-Beetle, we show attacks using $q_e$ encryption queries (using a small number of input blocks) followed by a single decryption query and no primitive query to break authenticity (INT-CTXT). The success probability is $O(q^2_e/2^{b})$ for $b$-bit block permutation, and it is significantly larger than what the claimed bound tells. We also analyze other (improved/modified) bounds of Photon-Beetle shown in the subsequent papers~[Chakraborty et al., ToSC 2020(2) and Chakraborty et al., ePrint~2019/1475].

We emphasize that our results do not contradict the claimed ``bit security'' in the LwC specification documents for any of the schemes that we studied. That is, we do not negate the claims that GIFT-COFB is $(n/2 - \log n)$-bit secure for $n=128$, and Photon-Beetle is $(b/2 - \log b/2)$-bit secure for $b=256$ and $r=128$, where $r$ is a rate.

GoUncle is a blockchain for permissionless participation by modest computers. As in GHOST (Greedy Heaviest Observed SubTree, in successful implementation and use by the Ethereum blockchain's Proofs-of-Work version), GoUncle blocks also record the public-key IDs of some temporary forking blocks finders who are dearly called ``uncles'' (poorly named ``orphans'' in Bitcoin). While GHOST uncles are for saving PoW computations, GoUncle assigns jobs for its uncles to do. In a payload distillation job, uncles choose from block payloads only the logs which comply with the blockchain database (DB) policy to announce for to survive the blockchain gossip protocol. With uncles distillations, the blockchain address, aka height, for a no-longer-need-to-trust block, is deterministic right upon the block extending the blockchain. The deterministic blockchain addresses can index partition the distributed DB into small files to store in nowadays over provisioned external storage even for a low-cost computer. The index partitioned DB files can be fast operable for input, output, lookup, insert, update, manage, ..., etc., as a standard DB management system (DBMS) can. It is the fast operable property of the DBMS, even by a modest computer, that secures the blockchain DBMS by a hop-by-hop firewall among vast semantics gossipers who each looks up the local DBMS to judge either writing to the DB correct uncles distillations and forwarding them on, or discarding incorrect ones, both operations being quick. Since the hop-by-hop firewall works exactly as correctness probability amplification by repeated execution of a randomized probabilistic (RP) algorithm, the GoUncle work establishes:

$$\mbox{Blockchains} \subset \mbox{RP}.$$

Also to be manifested in the present work are more general blockchain consensus layer computations that uncles can and should execute and disseminate the execution output as No-Spam and No-Single-Point-of-Failure (No-SPOF) set of blockchain servers.

Verifiable encryption (VE) is a protocol where one can provide assurance that an encrypted plaintext satisfies certain properties. It is an important buiding block in cryptography with many useful applications, such as key escrow, group signatures, optimistic fair exchange, etc. However, a majority of previous VE schemes are restricted to instantiation with specific public-key encryption schemes or relations.

In this work, we propose a novel framework that realizes VE protocols using the MPC-in-the-head zero-knowledge proof systems (Ishai et al. STOC 2007). Our generic compiler can turn a large class of MPC-in-the-head ZK proofs into secure VE protocols for any CPA secure public-key encryption (PKE) schemes with the undeniability property, a notion that essentially guarantees binding of encryption when used as a commitment scheme.

Our framework is versatile: because the circuit proven by the MPC-in-the-head prover is decoupled from a complex encryption function, the prover’s work can be focused on proving properties (i.e. relation) about the encrypted data, not the proof of plaintext knowledge. Hence, our approach allows for instantiation with various combinations of properties about encrypted data and encryption functions. As concrete applications we describe new approaches to verifiably encrypting discrete logarithms in any prime order group and AES private keys.

In this paper we propose the linear hull construction for block ciphers with quadratic Maiorana-McFarland structure round functions. The search for linear trails with high squared correlations from our Maiorana-McFarland structure based constructive linear cryptanalysis is linear algebraic. Hence from this linear algebraic essence, the space of all linear trails has the structure such that good linear hulls can be constructed. We apply our method to construct better linear hulls for the Simon and Simeck block cipher family. Then for Simon2n and its variants, the linear hull with the fixed input and output masks at arbitrary long rounds, and with the potential bigger than $\frac{1}{2^{2n}}$ can be constructed.

On the other hand we propose the Maiorana-McFarland structure based constructive differential cryptanalysis for symmetric-key primitives. The new search for good differential trails for Simon variants is linear algebraic. The problem of real existent differential trails is reduced to the finding of a solution of algebraic equations. We apply our method to the Simon2n variants with arbitrary long rounds and prove that the expected differential probability is bigger than $\frac{1}{2^{\frac{n}{2}}}$ under the independence assumptions. It seems that at least theoretically Simon2n is insecure for the key-recovery attack based on our new constructed linear hulls and key-recovery attack based on our constructed differential trails.

Recently, a number of attacks have been demonstrated (like key reinstallation attack, called KRACK) on WPA2 protocol suite in Wi-Fi WLAN. As the firmware of the WLAN devices in the context of IoT, industrial systems, and medical devices is often not patched, detecting and preventing such attacks is challenging. In this paper, we design and implement a system, called CheckShake, to passively detect anomalies in the handshake of Wi-Fi security protocols, in particular WPA2, between a client and an access point using COTS radios. Our proposed system works without decrypting any traffic. It passively monitors multiple wireless channels in parallel in the neighborhood and uses a state machine model to characterize and detect the attacks. In particular, we develop a state machine model for grouping Wi-Fi handshake packets and then perform deep packet inspection to identify the symptoms of the anomaly in specific stages of a handshake session. Our implementation of CheckShake does not require any modification to the firmware of the client or the access point or the COTS devices, it only requires to be physically placed within the range of the access point and its clients. We use both the publicly available dataset and our own data set for performance analysis of CheckShake. Using gradient boosting-based supervised machine learning models, we show that an accuracy around 93.39% and a false positive rate of 5.08% can be achieved using CheckShake

The hidden discrete logarithm problem(HDLP) over non-commutative associative algebras (FNAAs) in [1] was broken in [8] by reducing to discrete logarithm problem(DLP) in a finite field through analyzing the eigenvalues of the representation matrix. A generalized form of HDLP(GHDLP) was proposed in [11], which is claimed to be computationally hard under quantum computers. Based on this, several schemes are proposed. In this paper, we will show that GHDLP can also be reduced to DLP in a finite field by algebraic representation. With all the instruments in hand, we will show how some schemes based on GHDLP can be broken. Thus we conclude that these schemes are not secure under quantum attack. So constructing schemes based on GHDLP is fundamentally wrong.

We propose a general framework for non-universal SNARKs. It contains (1) knowledge-sound and non-black-box any-simulation-extractable (ASE), (2) zero-knowledge and subversion-zero knowledge SNARKs for the well-known QAP, SAP, QSP, and QSP constraint languages that all by design have \emph{relatively} simple security proofs. The knowledge-sound zero-knowledge SNARK is similar to Groth's SNARK from EUROCRYPT 2016, except having fewer trapdoors, while the ASE subversion-zero knowledge SNARK relies on few additional conditions. We prove security in a weaker, more realistic version of the algebraic group model. We characterize SAP, SSP, and QSP in terms of QAP; this allows one to use a SNARK for QAP directly for other languages. Our results allow us to construct a family of SNARKs for different languages and with different security properties following the same proof template. Some of the new SNARKs are more efficient than prior ones. In other cases, the new SNARKs cover gaps in the landscape, e.g., there was no previous ASE or Sub-ZK SNARK for SSP or QSP.

We propose a lattice-based digital signature scheme MLWRSign by modifying Dilithium, which is one of the third-Round finalists of NIST’s call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of MLWRSign is comparable to that of Dilithium.

We describe and analyze a simple protocol for $n$ parties that implements a randomness beacon: a sequence of high entropy values, continuously emitted at regular intervals, with sub-linear communication per value. The algorithm can tolerate a $(1 - \epsilon)/2$ fraction of the $n$ players to be controlled by an adaptive adversary that may deviate arbitrarily from the protocol. The randomness mechanism relies on verifiable random functions (VRF), modeled as random functions, and effectively stretches an initial $\lambda$-bit seed to an arbitrarily long public sequence so that (i) with overwhelming probability in $k$--the security parameter--each beacon value has high min-entropy conditioned on the full history of the algorithm, and (ii) the total work and communication required per value is $O(k)$ cryptographic operations.

The protocol can be directly applied to provide a qualitative improvement in the security of several proof-of-stake blockchain algorithms, rendering them safe from ``grinding'' attacks.

Secure communication often require both encryption and digital signatures to guarantee the confidentiality of the message and the authenticity of the parties. However, post-quantum cryptographic protocols are often studied independently. In this work, we identify a powerful synergy between two finalist protocols in the NIST standardization process. In particular, we propose a technique that enables SABER and Dilithium to share the exact same polynomial multiplier. Since polynomial multiplication plays a key role in each protocol, this has a significant impact on hardware implementations that support both SABER and Dilithium. We estimate that existing Dilithium implementations can add support for SABER with only a 4% increase in LUT count. A minor trade-off of the proposed multiplier is that it can produce inexact results with some limited inputs. We thus carry out a thorough analysis of such cases, where we prove that the probability of these events occurring is near zero, and we show that this characteristic does not affect the security of the implementation. We then implement the proposed multiplier in hardware to obtain a design that offers competitive performance/area trade-offs. Our NTT implementation achieves a latency of 519 cycles while consuming 2,012 LUTs and only 331 flip-flops when implemented on an Artix-7 FPGA. We also propose a shuffling-based method to provide side-channel protection with low overhead during polynomial multiplication. Finally, we evaluate the side-channel security of the proposed design on a Sakura-X FPGA board.

A growing number of lightweight block ciphers are proposed for environments such as the Internet of Things. An important contribution to the reduced implementation cost is a block length n of 64 or 96 bits rather than 128 bits. As a consequence, encryption modes and message authentication code (MAC) algorithms require security beyond the 2^{n/2} birthday bound. This paper provides an extensive treatment of MAC algorithms that offer beyond birthday bound PRF security for both nonce-respecting and nonce-misusing adversaries. We study constructions that use two block cipher calls, one universal hash function call and an arbitrary number of XOR operations.

We start with the separate problem of generically identifying all possible secure n-to-n-bit pseudorandom functions (PRFs) based on two block cipher calls. The analysis shows that the existing constructions EDM, SoP, and EDMD are the only constructions of this kind that achieve beyond birthday bound security.

Subsequently we deliver an exhaustive treatment of MAC algorithms, where the outcome of a universal hash function evaluation on the message may be entered at any point in the computation of the PRF. We conclude that there are a total amount of nine schemes that achieve beyond birthday bound security, and a tenth construction that cannot be proven using currently known proof techniques. For these former nine MAC algorithms, three constructions achieve optimal n-bit security in the nonce-respecting setting, but are completely insecure if the nonce is reused. The remaining six constructions have 3n/4-bit security in the nonce-respecting setting, and only four out of these six constructions still achieve beyond the birthday bound security in the case of nonce misuse.

Motivated by new applications such as secure Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE), and Zero-Knowledge proofs (ZK), many MPC-, FHE- and ZK-friendly symmetric-key primitives that minimize the number of multiplications over $\mathbb F_p$ for a large prime $p$ have been recently proposed in the literature. This goal is often achieved by instantiating the non-linear layer via power maps $x\mapsto x^d$. In this paper, we start an analysis of new non-linear permutation functions over $\mathbb F_p^n$ that can be used as building blocks in such symmetric-key primitives. Given a local map $F:\mathbb F_p^m \rightarrow \mathbb F_p$, we limit ourselves to focus on S-Boxes over $\mathbb F_p^n$ for $n\ge m$ defined as $\mathcal S(x_0, x_1, \ldots, x_{n-1}) = y_0\| y_1\| \ldots \| y_{n-1}$ where $y_i := F(x_i, x_{i+1}, \ldots, x_{i+m-1} )$. As main results, we prove that

- given any quadratic function $F:\mathbb F_p^2 \rightarrow \mathbb F_p$, the corresponding S-Box $\mathcal S$ over $\mathbb F_p^n$ for $n\ge 3$ is never invertible;

- similarly, given any quadratic function $F:\mathbb F_p^3 \rightarrow \mathbb F_p$, the corresponding S-Box $\mathcal S$ over $\mathbb F_p^n$ for $n\ge 5$ is never invertible.

Moreover, for each $p\ge 3$, we present (1st) generalizations of the Lai-Massey construction over $\mathbb F_p^n$ defined as before via functions $F:\mathbb F_p^m \rightarrow \mathbb F_p$ for each $n=m\ge 2$ and (2nd) (non-trivial) quadratic functions $F:\mathbb F_p^3 \rightarrow \mathbb F_p$ such that $\mathcal S$ over $\mathbb F_p^n$ for $n\in \{3,4\}$ is invertible. As an open problem for future work, we conjecture that for each $m\ge 1$ there exists a finite integer $n_{max}(m)$ such that $\mathcal S$ over $\mathbb F_p^n$ defined as before via a quadratic function $F:\mathbb F_p^m \rightarrow \mathbb F_p$ is not invertible for each $n\ge n_{max}(m)$.

Finally, as a concrete application, we propose Neptune, a variant of the sponge hash function Poseidon, whose non-linear layer is designed by taking into account the results presented in this paper. We show that this variant leads to a concrete multiplication reduction with respect to Poseidon.

Ever since the appearance of quantum computers, prime factoring and discrete logarithm based cryptography has been put in question, giving birth to the so called post-quantum cryptography. The most prominent field in post-quantum cryptography is lattice-based cryptography, protocols that are proved to be as difficult to break as certain difficult lattice problems like Learning With Errors (LWE) or Ring Learning With Errors (RLWE). Furthermore, the application of cryptographic techniques to different areas, like electronic voting, has also seen to a great interest in distributed cryptography. In this work we will give two original threshold protocols based in the lattice problem RLWE: one for key generation and one for decryption. We will prove them both correct and secure under the assumption of hardness of some well-known lattice problems and we will give a rough implementation of the protocols in C to give some tentative results about their viability.