International Association for Cryptologic Research

IACR News

25 February 2022

Hanyu Jia, Xiangxue Li
ePrint Report
We consider private function evaluation (PFE) in the malicious adversary model. The current state of the art in PFE from Valiant's universal circuits (Liu, Yu, et al., CRYPTO 2021) does not avoid the logarithmic factor in circuit size. In constructing linear active PFE, one essential building block is to prove the correctness of an extended permutation (EP, Mohassel and Sadeghian at EUROCRYPT 2013) by zero-knowledge protocols with linear complexity. The linear instantiation $\mathcal{ZK}_{EP}$ by Mohassel, Sadeghian, and Smart (ASIACRYPT 2014) is a three-phase protocol, and each phase (dummy placement, replication, and permutation) is of size $2g$. Its overhead thus seems really outrageous, reducing its practicability. We present in this paper a novel and efficient framework $\mathcal{ZK}_{DS}$ for proving the correct EP. We show that double shuffles (DS) suffice for EP (exponentiations and communication overheads are about 27% and 31% of $\mathcal{ZK}_{EP}$, respectively). The data owner(s) generate the randomness for the first shuffle, whose outputs determine the outgoing wires of the circuit defined by the function. The function owner reuses and extends the randomness in the second shuffle, whose outputs determine the incoming wires. From $\mathcal{ZK}_{DS}$, we build an online/offline PFE framework with linear active security. The online phase could be instantiated by any well-studied secure function evaluation (SFE) with linear active security (e.g., Tiny-OT at CRYPTO 2012). The offline phase depends only on the private function $f$ and uses $\mathcal{ZK}_{DS}$ to prove the EP relationship between outgoing wires and incoming wires in the circuit $\mathcal{C}_f$ derived from $f$.
Per Austrin, Hao Chung, Kai-Min Chung, Shiuan Fu, Yao-Ting Lin, Mohammad Mahmoody
ePrint Report
We study the following question, first publicly posed by Hosoyamada and Yamakawa in 2018. Can parties Alice and Bob with quantum computing power and classical communication rely only on a random oracle (that can be queried in quantum superposition) to agree on a key that is private from eavesdroppers? We make the first progress on the question above and prove the following.

When only one of the parties is classical and the other party is quantum powered, as long as they ask a total of $d$ oracle queries and agree on a key with probability $1$, then there is always a way to break the key agreement by asking $O(d^2)$ classical oracle queries. When both parties can make quantum queries to the random oracle, we introduce a natural conjecture, which if true would imply attacks with $\mathrm{poly}(d)$ classical queries to the random oracle. Our conjecture, roughly speaking, states that the multiplication of any two degree-$d$ real-valued polynomials over the Boolean hypercube of influence at most $1/\mathrm{poly}(d)$ is nonzero. We then prove our conjecture for exponentially small influences, which leads to an (unconditional) classical $2^{O(md)}$-query attack on any such key agreement protocol, where $m$ is the oracle's output length.

Since our attacks are classical, we then ask whether it is always possible to find classical attacks on key agreements with imperfect completeness in the quantum random oracle model. We prove a barrier for this approach, by showing that if the folklore "Simulation Conjecture" (first formally stated by Aaronson and Ambainis in 2009) about the possibility of simulating efficient-query quantum algorithms using efficient-query classical algorithms is false, then there is in fact such a secure key agreement in the quantum random oracle model that cannot be broken classically.
Luke Beckwith, Duc Tri Nguyen, Kris Gaj
ePrint Report
Many currently deployed public-key cryptosystems are based on the difficulty of the discrete logarithm and integer factorization problems. However, given an adequately sized quantum computer, these problems can be solved in polynomial time as a function of the key size. Due to the future threat of quantum computing to current cryptographic standards, alternative algorithms that remain secure under quantum computing are being evaluated for future use. As a part of this evaluation, high-performance implementations of these candidate algorithms must be investigated. This work presents a high-performance implementation of all operations of CRYSTALS-Dilithium and one operation of FALCON (signature verification) targeting FPGAs. In particular, we present a Dilithium design that achieves the best latency for an FPGA implementation to date and, to the best of our knowledge, the first FALCON hardware implementation to date. We compare our results with the hardware implementations of all viable NIST Round 3 post-quantum digital signature candidates.
Nishanth Chandran, Bhavana Kanukurthi, Sai Lakshmi Bhavana Obbattu, Sruthi Sekar
ePrint Report
Leakage resilient secret sharing (LRSS) allows a dealer to share a secret amongst $n$ parties such that any authorized subset of the parties can recover the secret from their shares, while an adversary that obtains shares of any unauthorized subset of parties along with bounded leakage from the other shares learns no information about the secret. Non-malleable secret sharing (NMSS) provides a guarantee that even shares that are tampered by an adversary will reconstruct to either the original message or something independent of it.

The most important parameter of LRSS and NMSS schemes is the size of each share. For LRSS, in the "local leakage model" (i.e., when the leakage functions on each share are independent of each other and bounded), Srinivasan and Vasudevan (CRYPTO 2019) gave a scheme for threshold access structures with a share size of approximately $(3 \cdot (\text{message length}) + \mu)$, where $\mu$ is the number of bits of leakage tolerated from every share. For the case of NMSS, the best known result (again due to the above work) has a share size of $(11 \cdot (\text{message length}))$.

In this work, we build LRSS and NMSS schemes with much improved share sizes. Additionally, our LRSS scheme obtains optimal share and leakage size. In particular, we get the following results:

- We build an information-theoretic LRSS scheme for threshold access structures with a share size of $((\text{message length}) + \mu)$.

- As an application of the above result, we obtain an NMSS with a share size of $(4 \cdot (\text{message length}))$. Further, for the special case of sharing random messages, we obtain a share size of $(2 \cdot (\text{message length}))$.
Ky Nguyen, Duong Hieu Phan, David Pointcheval
ePrint Report
Multi-Client Functional Encryption ($\mathsf{MCFE}$) has been considered an important primitive for making functional encryption useful in practice. It covers the ability to compute a joint function over data from multiple parties, similar to Multi-Input Functional Encryption ($\mathsf{MIFE}$), but it handles information leakage better than $\mathsf{MIFE}$. Both the $\mathsf{MCFE}$ and $\mathsf{MIFE}$ primitives are aimed at applications in multi-user settings where decryption can be correctly output for legitimate users only. In such a setting, the problem of dealing with access control in a fine-grained manner is particularly relevant. In this paper, we introduce a framework for $\mathsf{MCFE}$ with fine-grained access control and propose constructions for both single-client and multi-client settings, with selective and adaptive security. The only known work that combines functional encryption in the multi-user setting with access control was proposed by Abdalla et al. (Asiacrypt '20), which relies on a generic transformation from single-client schemes to obtain $\mathsf{MIFE}$ schemes that suffer a quadratic factor of $n$ (where $n$ denotes the number of clients) in the ciphertext size. We present a duplicate-and-compress technique to transform the single-client scheme and obtain an $\mathsf{MCFE}$ scheme with fine-grained access control with only a linear factor of $n$ in the ciphertext size. Our final scheme thus outperforms the Abdalla et al. scheme by a factor of $n$, while $\mathsf{MCFE}$ is more difficult to achieve than $\mathsf{MIFE}$ (one can obtain $\mathsf{MIFE}$ from $\mathsf{MCFE}$ by making all the labels in $\mathsf{MCFE}$ a fixed public constant).
Ward Beullens
ePrint Report
This work introduces new key recovery attacks against the Rainbow signature scheme, which is one of the three finalist signature schemes still in the NIST Post-Quantum Cryptography standardization project. The new attacks outperform previously known attacks for all the parameter sets submitted to NIST and make a key-recovery practical for the SL 1 parameters. Concretely, given a Rainbow public key for the SL 1 parameters of the second-round submission, our attack returns the corresponding secret key after on average 53 hours (one weekend) of computation time on a standard laptop.
Jan Bobolz, Fabian Eidens, Stephan Krenn, Sebastian Ramacher, Kai Samelin
ePrint Report
Attribute-based credential systems enable users to authenticate in a privacy-preserving manner. However, in such schemes verifying a user's credential requires knowledge of the issuer's public key, which by itself might already reveal private information about the user.

In this paper, we tackle this problem by introducing the notion of issuer-hiding attribute-based credential systems. In such a system, the verifier can define a set of acceptable issuers in an ad-hoc manner, and the user can then prove that her credential was issued by one of the accepted issuers -- without revealing which one.

We then provide a generic construction, as well as a concrete instantiation based on Groth's structure preserving signature scheme (ASIACRYPT'15) and simulation-sound extractable NIZK, for which we also provide concrete benchmarks in order to prove its practicability.

The online complexity of all constructions is independent of the number of acceptable issuers, which also makes them suitable for highly federated scenarios.
Boyue Fang, Weize Wang, Yunlei Zhao
ePrint Report
Kyber is a candidate in the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) Standardization. However, because of the protocol's independence assumption, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work, we give a rigorous mathematical analysis of the actual failure probability calculation, and provide a Kyber security estimate for concrete instances rather than only in a statistical sense. Our analysis does not make independence assumptions on errors, and is with respect to concrete public keys. Through sampling tests and experiments, we also illustrate the difference between the actual failure probability and the result given in the Kyber proposal. The experiments show that, for Kyber-512 and Kyber-768, the failure probability resulting from the original paper is relatively conservative, but for Kyber-1024, the failure probability of some public keys is worse than claimed. This failure probability calculation for concrete public keys can also guide the selection of public keys in actual application scenarios. Furthermore, we measure the gap between the upper bound of the failure probability and the actual failure probability, and then give a tight estimate. Our work can also re-evaluate the traditional $1-\delta$ correctness in the literature, which will help re-evaluate the security of some candidates in the NIST post-quantum cryptographic standardization.
Gweonho Jeong, Nuri Lee, Jihye Kim, Hyunok Oh
ePrint Report
With the rapid growth of the blockchain market, privacy and security issues for digital assets are becoming more and more important. In the most widely used public blockchains, such as Bitcoin and Ethereum, all activities on user accounts are publicly disclosed, which also violates privacy regulations such as the EU GDPR. Encryption of accounts and transactions may protect privacy, but it also raises issues of validity and transparency: encrypted information alone cannot verify the validity of a transaction and makes it difficult to meet anti-money laundering requirements, i.e. auditability.

To solve the above problem, we propose an auditable zero-knowledge transfer framework called Azeroth. Azeroth attaches a zero-knowledge proof to an encrypted transaction, enabling its validity to be checked while protecting its privacy. Azeroth also allows authorized auditors to audit transactions. Azeroth is designed as a smart contract for flexible deployment on top of an existing blockchain. According to the results of our experiments, the additional time required to generate a proof is about 901 ms. The security of Azeroth is formally proven under the cryptographic assumptions.
Vienna, Austria, 23 August - 26 August 2022
Event Calendar
Event date: 23 August to 26 August 2022
Submission deadline: 6 March 2022
Notification: 16 May 2022
Norwegian University of Science and Technology (NTNU)
Job Posting
We have a vacancy for a Postdoctoral Fellow in Fully Homomorphic Encryption (FHE) at IIK. The first year of the position is funded by Intel and we will work in collaboration with our partners there, our main point of contact being Flavio Bergamaschi. The project leader on the NTNU side is Dr. Anamaria Costache. The project has two main deliverable goals. The first one is cryptanalysis of existing schemes, and the second one is developing a framework to assess the threat model when deploying an HE solution.

Contact: Anamaria Costache

More information: https://www.jobbnorge.no/en/available-jobs/job/221390/postdoctoral-fellow-in-fully-homomorphic-encryption#?p=1

Panther Protocol
Job Posting
Panther Protocol is building an end-to-end privacy protocol for digital assets (zAssets), which can be deployed in a compliant way on any public blockchain. We have ambitious plans to provide financial privacy and give economic freedom to people and institutions, in a compliant way. We are looking to expand our team with extraordinary individuals who share our core values in financial privacy and freedom. Successful applicants will join an experienced and dynamic international team with a cumulative experience of 46 years in the Blockchain industry, 66 years in Finance, and 40+ years in Cryptography. You can read more about the project on our website: https://pantherprotocol.io/ We are recruiting an Applied Mathematician who will work closely with our CTO, Game Theorist and the larger team consisting of Researchers and Software Developers. You will work with the team on interesting problems and implement solutions from published papers in the areas that we work on (DeFi, Game Theory and Blockchain) using C/Rust or another programming language.

Contact: Martin Raeburn

More information: https://apply.workable.com/panther-protocol/j/8C5930FE61/

University of Stuttgart, Institute of Information Security
Job Posting
The Institute of Information Security at University of Stuttgart offers

fully-funded Postdoc and PhD positions in formal verification.

Successful candidates are expected to carry out research on tool-supported formal verification methods for security-critical systems and security protocols in our new REPROSEC initiative (https://reprosec.org/). See, e.g., our work at ACM CCS 2021 and EuroS&P 2021 on DY*.

The positions are available immediately with an internationally competitive salary, ranging from about 4.000 Euro to 6.200 Euro monthly gross salary. The employment periods are between one and six years, following the German Wissenschaftszeitvertragsgesetz (WissZeitVg).

The Institute of Information Security offers a creative international environment for top-level international research in Germany's high-tech region.

You should have a Master's degree or a Ph.D. (or should be very close to completion thereof) in Computer Science, Mathematics, Cyber Security, or a related field. We value excellent analytical skills and

  • solid knowledge of logic, proofs and/or formal verification techniques (Theorem Proving, Type Checking, etc.), and
  • solid programming experience.
Knowledge in cryptography/security is not required, but a plus. Knowledge of German is not required.

See https://www.sec.uni-stuttgart.de/institute/job-openings/ for the official job announcement and details of how to apply.

The deadline for applications is

March 13th, 2022.

Late applications will be considered until the positions are filled.

Contact: Prof. Ralf Küsters

University of Stuttgart, Institute of Information Security, ralf.kuesters@sec.uni-stuttgart.de

More information: https://sec.uni-stuttgart.de

Villanova University, Department of Electrical and Computer Engineering, Villanova, PA, USA
Job Posting
One Ph.D. position opening, focusing on homomorphic encryption and related neural network accelerator design, at Dr. Jiafeng Harvest Xie's Security and Cryptography (SAC) Lab (https://www.ece.villanova.edu/~jxie02/lab/) in Department of Electrical and Computer Engineering, Villanova University, Villanova, PA, USA.

Villanova University ranks #49 among National Universities in the USA. The campus is located in Villanova, Pennsylvania (a western suburb of Philadelphia). Famous alumni include the current First Lady of the USA!

The neighborhood around campus is quiet and safe and is regarded as the most comfortable area in Philadelphia. Currently, all our students are working from home with on-campus optional.

Requirements: A major in CE/CS/EE is preferred. Applied Mathematics/Cryptography related majors are also good!

Proficiency in both speaking and writing of English.

Skilled in programming languages such as VHDL/Verilog, C/C++, Python. FPGA-based experience is a desirable plus. Great enthusiasm for doing research-oriented tasks. Excellent team member.

Degree: both BS and MS graduates are welcome to apply.

Deadline: better to start in Fall 2022 (Summer 2022 is also ok). The position is open until it is filled.

The lab atmosphere is peaceful and harmonious. Advisor and senior Ph.D. student will guide you to get started and you will not be fighting alone!!!

Email: jiafeng.xie@villanova.edu

Contact: Jiafeng Harvest Xie

More information: https://www.ece.villanova.edu/~jxie02/lab/

Paderborn University, Department of Computer Science, Paderborn, Germany
Job Posting
At the Department of Computer Science, which is part of the Faculty of Computer Science, Electrical Engineering and Mathematics, this PostDoc position is to be filled in the working group Codes and Cryptography. It is a full-time position in the field of post-quantum cryptography, available immediately and with a flexible start date.

The position is limited to a period of 3 years.

Your tasks:

• Research in the field of post-quantum cryptography

• Teaching to the extent of 4 hours a week

• Participation in the Department of Computer Science

Your profile:

• Doctorate degree in the field of cryptography

• Expertise in one of these areas: post-quantum cryptography, lattice-based cryptography

• Experience in the field of quantum algorithms or quantum complexity is an advantage

If you are interested, please send an email including your detailed CV and a list of publications to bloemer@upb.de. Applications will be reviewed continuously until the position is filled.

Contact: Prof. Dr. Johannes Blömer (bloemer@upb.de)

More information: https://cs.uni-paderborn.de/en/cuk-1/research
