International Association for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo and Facebook.

22 April 2022

Miguel Ambrona, Anne-Laure Schmitt, Raphael R. Toledo, Danny Willems
ePrint Report
PlonK is a universal and updatable zk-SNARK for general circuit satisfiability that allows a verifier to check the validity of a certain NP statement very efficiently, optionally in zero-knowledge. PlonK requires that the NP relation of interest be expressed as a system of so-called PlonK constraints. Such conversion is complex and can be implemented in various ways, having a great impact on the prover complexity (which is typically linearithmic in the number of PlonK constraints). We propose several general results for simplifying PlonK constraint systems, which produce more compact but equivalent systems and can lead to significant performance improvements. We also develop an automated optimizer of constraints, based on our techniques, that can be used to construct very compact and less error-prone constraint systems, favoring a more auditable circuit design. Finally, we demonstrate the potential of our techniques by implementing optimized constraint systems for the Poseidon hash, obtaining the most compact representations in the Turbo-PlonK model with minimal custom gates. En route, we devise a novel optimization idea for implementing Poseidon partial rounds and show that it can be applied to both simplifying SNARK circuits and achieving performance improvements in CPU implementations of the Poseidon hash.
Wei Cheng, Sylvain Guilley, Jean-Luc Danger
ePrint Report
Code-based masking is a recent line of research on masking schemes aiming at provably counteracting side-channel attacks. It generalizes and unifies many masking schemes within a coding-theoretic formalization. In code-based masking schemes, the tuning parameters are the underlying linear codes, whose choice significantly affects the side-channel resilience. In this paper, we investigate the exploitability of the information leakage in code-based masking and present attack-based evaluation results of higher-order optimal distinguisher (HOOD). Particularly, we consider two representative instances of code-based masking, namely inner product masking (IPM) and Shamir's secret sharing (SSS) based masking. Our results do confirm the state-of-the-art theoretical derivatives in an empirical manner with numerically simulated measurements. Specifically, theoretical results are based on quantifying information leakage; we further complete the panorama with attack-based evaluations by investigating the exploitability of the leakage. Moreover, we classify all possible candidates of linear codes in IPM with 2 and 3 shares and (3,1)-SSS based masking, and highlight both optimal and worst codes for them.

Relying on our empirical evaluations, we therefore recommend investigating the coding-theoretic properties to find the best linear codes in strengthening instances of code-based masking. As for applications, our attack-based evaluation directly empowers designers, by employing optimal linear codes, to enhance the protection of code-based masking. Our framework leverages simulated leakage traces, hence allowing for source code validation or patching in case it is found to be attackable.
Lin You, Qiang Zhu, Gengran Hu
ePrint Report
With the popularity of biometric-based identity authentication in the field of the Internet of Things, more and more attention has been paid to the privacy protection of biometric data. Gunasinghe et al. presented the PrivBioMTAuth which is the first authentication solution from mobile phones to protect user’s privacy by performing interactive zero-knowledge proof. However, PrivBioMTAuth still requires considerable storage overhead and communication overhead during the registration phase. Meanwhile, the user’s biometric images and password need to be revealed to the identity provider. In this paper, we present an authentication solution for Internet of Things with fully succinct verification, significantly lower storage overhead and communication overhead. Different from PrivBioMTAuth, we rely on the non-interactive zero knowledge arguments given in Groth’s work to reduce the proof size and simplify the verification complexity. In addition, we focus on multi-exponentiation arguments based on Bayer et al.’s work to ensure the truth of the operation results provided by the identity provider.

18 April 2022

University of Clermont Auvergne, France
Job Posting
The Network & Security team at the LIMOS lab offers a fully funded position as PhD student. The missions will be to perform exciting and challenging research in the domain of network security.

Topics:
  • Cryptographic algorithms and protocols
  • Computer networking
Tasks:
  • Research on secure Multi-Party Computation (MPC) and cutting-edge technologies to solve security issues in network routing.
  • Possible teaching.
Your profile:
  • Completion of a Master's degree (or equivalent) in computer science or applied mathematics
  • Knowledge in applied cryptography/security and computer networking
  • Analytical and problem solving skills.
To apply, please send your CV with degree certificates and academic transcripts to the contacts below.
Deadline: 3 May 2022

Contact: Kevin Atighehchi (kevin.atighehchi@uca.fr), Gérard Chalhoub (gerard.chalhoub@uca.fr)

Aalto University, Department of Mathematics and Systems Analysis, Espoo, Finland
Job Posting
We are looking for a post-doctoral researcher in the area of lattice-based cryptography. Possible research topics include:

  • Cryptanalysis of lattice problems
  • Side-channel analysis of implementations of lattice-based cryptography
  • Lattice-based cryptographic protocols
  • Construction of new candidate structures suitable for, e.g., the ring learning with errors (RLWE) problem and its variants.

Research experience in cryptography is essential. Additionally, a background in algebraic number theory, probability theory, complexity theory and/or machine learning is useful. For a cryptographer, we expect that the candidate has published in IACR conferences, established theoretical computer science venues (STOC/FOCS/APPROX-RANDOM/SODA/PODC) or IT security venues (CCS/S&P/Usenix). The applicant is expected to hold a PhD degree in mathematics or computer science. A research level proficiency in English, both writing and speaking, is expected.

We offer advising related to both algebraic lattices (Camilla Hollanti) and cryptography (Chris Brzuska). Our group offers a diverse, international, and open research environment with an interdisciplinary academic and industrial network. We expect the candidate to significantly shape the research questions which we investigate together as well as to pursue their own research within their existing research network.

The tentative duration of the position is September 2022 — December 2023 (16 months), but a shorter duration or an earlier starting date is negotiable. There is an option to renew the contract subject to acquiring funding (either by the candidate or by the hosts). The initial salary is €3700 and the contract includes occupational health care.

For details, see: https://www.aalto.fi/en/open-positions/postdoctoral-researcher-in-mathematics-or-computer-science-lattice-based

Contact: Camilla Hollanti and Chris Brzuska for scientific questions and Johanna Glader for questions on the application process. (eMail: firstname.lastname@aalto.fi)

More information: https://www.aalto.fi/en/open-positions/postdoctoral-researcher-in-mathematics-or-computer-science-lattice-based

University of Neuchatel, Switzerland
Job Posting

We are looking for a PhD student to join our group on reinforcement learning and decision making under uncertainty more generally, at the University of Neuchatel, Switzerland. We are looking for candidates with a strong research interest in the following fields:

  • Theory of differential privacy.
  • Algorithms for differentially private machine learning.
  • Algorithms for fairness in machine learning.
  • Interactions between machine learning and game theory.
  • Inference of human models of fairness or privacy.

The main supervisor will be Christos Dimitrakakis (https://sites.google.com/site/christosdimitrakakis). Past research of the group in differential privacy focused on the interaction between Bayesian inference and privacy, and on the derivation of regret bounds for privacy-constrained bandit problems. The student will also have the opportunity to visit and work with other group members at the University of Oslo, Norway and Chalmers University of Technology, Sweden.

Excellent technical skills in calculus, linear algebra, probability as well as competence in at least one programming language are expected. In addition, the doctoral student must have a strong background, as evidenced by their master thesis, in one of the following areas:

  • Privacy.
  • Theory of computation.
  • Statistics.
  • Game theory.
  • Economics.
  • Fairness.

Application Information
  • Starting date 1 September 2022 or soon afterwards.
  • Application deadline 31 May 2022.
  • The PhD is funded, for 4 years, with 25% of the time as teaching assistant.

An application must include:
  • A statement of research interests.
  • A CV with a list of references.
  • Your MSc thesis (or a draft) or another research work demonstrating your academic writing.
  • Degree transcripts.

Contact: Christos Dimitrakakis

More information: https://sites.google.com/site/christosdimitrakakis/positions

13 April 2022

Announcement
IACR Statement Condemning the Russian war in Ukraine
April 6, 2022

Statement from the International Association for Cryptologic Research (IACR) Condemning the Russian war in Ukraine

The IACR strongly condemns the unprovoked and unjust war that Russia is waging in Ukraine. We are outraged by the suffering and loss of life that this brutal aggression is inflicting on the Ukrainian People.

While this war continues, the IACR will not hold or plan to hold any conference in Russia, nor will it be affiliated with conferences in Russia.

The IACR fully endorses the following joint statement by the National Academies of G7 States which was published on 2 March 2022:

"The unprovoked attack against Ukraine, a democratic and independent country, is a blatant violation of international law and of core values of humanity. The Russian invasion is an assault on the fundamental principles of freedom, democracy and self-determination, which provide the basis for academic freedom and opportunities for scientific exchange and cooperation.

In this dark hour, our thoughts and deepest sympathy are with the people of Ukraine. We are determined to support the National Academy of Sciences of Ukraine. We stand in solidarity with the scientific community and the scientists in Ukraine.

We acknowledge the Russian scientists and citizens who are ashamed of this attack and speak out against the war.

We call on the Russian leadership to immediately cease all military action against Ukraine and put an end to this war."

Approved by the IACR board of directors, April 6, 2022

12 April 2022

New Jersey Institute of Technology
Job Posting
The Department of Computer Science at New Jersey Institute of Technology (NJIT) seeks candidates to fill a University Lecturer/Senior University Lecturer position starting in Fall 2022. Candidates are expected to teach courses under the umbrella of Cybersecurity, in support of our graduate and undergraduate programs. Applicants must have at least an MS degree in Computer Science or in a related computing area. A PhD degree and prior university teaching experience are an advantage.

Successful candidates must have an expert grasp of knowledge of Cybersecurity at all levels, with an emphasis on hands-on applied cybersecurity skills, either through a demonstrated record of teaching excellence, or through industrial experience. The successful candidate will also be involved in creating course content and materials with a focus on hands-on experiential and project-based learning. Strong written, oral and interpersonal skills are required in order to communicate effectively with students in person and online. The formal education and experience prerequisites may be waived at the university's discretion if the candidate can demonstrate to the satisfaction of the university an equivalent combination of education and experience specifically preparing the candidate for success in the position.

Interested applicants should submit their CV by applying as soon as possible at: https://njit.csod.com/ux/ats/careersite/1/home/requisition/3493?c=njit

Work environment and location:

The Computer Science department, part of the Ying Wu College of Computing, is the largest at NJIT, comprising one-tenth of the student population. It is also the largest computer science department among all research universities in the New York metropolitan area. Located in Northern New Jersey, within the greater New York Metropolitan area, NJIT is part of a vibrant ecosystem of research universities and corporate research centers.

Diversity is a core value of NJIT and we are committed to making diversity, equity and inclusion part of everything we do.

Contact: Reza Curtmola (reza.curtmola@njit.edu)

More information: https://njit.csod.com/ux/ats/careersite/1/home/requisition/3493?c=njit

Subspace Labs
Job Posting

Who We Are

Subspace Network is building a radically decentralized, next-generation blockchain which allows developers to easily run Web3 apps at Internet scale. Subspace is based on original research funded by the US National Science Foundation and is planning to launch its Network later this year. Subspace Labs is an early-stage, venture-backed startup with a remote-first, globally distributed team. To learn more, visit our website and read the technical whitepaper.

We are seeking a Protocol Research Intern to join our rapidly growing team of Blockchain and Cryptocurrency enthusiasts and engineers. As a Research Intern you will be responsible for assisting in analyzing the security claims of the Subspace Network. Your goal is to work on proving these claims or suggesting improvements to the protocol as needed to support them.

Other Areas for Contribution: Research and review our solutions to some of the hardest problems in the blockchain space, as they relate to Nakamoto consensus, decentralized storage, decoupled execution, crypto-economic incentives, and the blockchain scalability trilemma; collaborate with our Research team to transform findings into peer-review quality specifications, publications, and presentations; work with our university partners, academic advisors, and third party engineering security partners on formal security analyses and audits.

Key Requirements: Currently enrolled in a graduate program in computer science, cryptography, or a related field, with the ability to dedicate at least 8 weeks to the internship; completed graduate level coursework in cryptography, distributed systems, peer-to-peer networking, or crypto-economic game theory; excellent written and verbal communication skills, and the ability to collaborate across our protocol and research teams; passion and curiosity for decentralized, peer-to-peer systems and Web3 technologies.

What We Offer: Competitive compensation and flexibility to work from anywhere in the world; a unique opportunity to shape the future of the Subspace Network and play a critical role in building the world's most scalable blockchain.

Contact: Sky McWilliams, Director of People

More information: https://jobs.lever.co/subspacelabs/3594920a-d99c-40c0-9ca3-66c7eaf639da?lever-origin=applied&lever-source%5B%5D=IACR

Nasour Bagheri, Sadegh Sadeghi, Prasanna Ravi, Shivam Bhasin, Hadi Soleimany
ePrint Report
Persistent Fault Analysis (PFA) is an innovative and powerful analysis technique in which the fault persists throughout the execution. The prior prominent results on PFA were on SPN block ciphers, and the security of Feistel ciphers against this attack has received less attention. In this paper, we introduce a framework to utilize Statistical Ineffective Fault Analysis (SIFA) in the persistent fault setting by proposing Statistical Ineffective Persistent Faults Analysis (SIPFA) that can be efficiently applied to Feistel ciphers in a variety of scenarios. To demonstrate the effectiveness of our technique, we apply SIPFA to three widely used Feistel schemes, DES, 3DES, and Camellia. Our analysis reveals that the secret key of these block ciphers can be extracted with a complexity of at most $2^{50}$ utilizing a single unknown fault. Furthermore, we demonstrate that the secret can be recovered in a fraction of a second by increasing the adversary's control over the injected faults. To evaluate SIPFA in a variety of scenarios, we conducted both simulations and real experiments utilizing electromagnetic fault injection on DES and 3DES.
Benedikt Bünz, Ben Fisch
ePrint Report
We derive a tight upper bound on the probability over $\mathbf{x}=(x_1,\dots,x_\mu) \in \mathbb{Z}^\mu$ uniformly distributed in $ [0,m)^\mu$ that $f(\mathbf{x}) = 0 \bmod N$ for any $\mu$-linear polynomial $f \in \mathbb{Z}[X_1,\dots,X_\mu]$ co-prime to $N$. We show that for $N=p_1^{r_1},...,p_\ell^{r_\ell}$ this probability is bounded by $\frac{\mu}{m} + \prod_{i=1}^\ell I_{\frac{1}{p_i}}(r_i,\mu)$ where $I$ is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter $\lambda$ bounds the minimum size of $N$ for which the probability that $f(\mathbf{x}) \equiv 0 \bmod N$ is at most $2^{-\lambda} + \frac{\mu}{m}$. For $\mu =1$ this is simply $N \geq 2^\lambda$. For $\mu \geq 2$, $\log_2(N) \geq 8 \mu^{2}+ \log_2(2 \mu)\cdot \lambda$ the probability that $f(\mathbf{x}) \equiv 0 \bmod N$ is bounded by $2^{-\lambda} +\frac{\mu}{m}$. We also present a computational method that derives tighter bounds for specific values of $\mu$ and $\lambda$. For example, our analysis shows that for $\mu=20$, $\lambda = 120$ (values typical in cryptography applications), and $\log_2(N)\geq 416$ the probability is bounded by $ 2^{-120}+\frac{20}{m}$. We provide a table of computational bounds for a large set of $\mu$ and $\lambda$ values.
Liu zhang, Zilong Wang
ePrint Report
In CRYPTO'19, Gohr proposed a new cryptanalysis strategy using machine learning algorithms. Combining the differential-neural distinguisher with a differential path and integrating the advanced key recovery procedure, Gohr achieved a 12-round key recovery attack on Speck32/64. Chen and Yu improved the prediction accuracy of the differential-neural distinguisher by considering derived features from multiple-ciphertext pairs instead of single-ciphertext pairs. By modifying the kernel size of the initial convolutional layer to capture more dimensional information, the prediction accuracy of the differential-neural distinguisher can be improved for three reduced symmetric ciphers. For DES, we improve the prediction accuracy of the (5-6)-round differential-neural distinguisher and train a new 7-round differential-neural distinguisher. For Chaskey, we improve the prediction accuracy of the (3-4)-round differential-neural distinguisher. For PRESENT, we improve the prediction accuracy of the (6-7)-round differential-neural distinguisher. The source codes are available at https://drive.google.com/drive/folders/1i0RciZlGZsEpCyW-wQAy7zzJeOLJNWqL?usp=sharing.
Anis Bkakria
ePrint Report
Attribute based encryption (ABE) is a cryptographic technique allowing fine-grained access control by enabling one-to-many encryption. Existing ABE constructions suffer from at least one of the following limitations. First, a single point of failure on security, meaning that, once an authority is compromised, an adversary can either easily break the confidentiality of the encrypted data or effortlessly prevent legitimate users from accessing data; second, the lack of a user and/or attribute revocation mechanism achieving forward secrecy; third, a heavy computation workload is placed on the data user; last but not least, the lack of adaptive security in standard models.

In this paper, we propose the first single-point-of-failure free multi-authority ciphertext-policy ABE that simultaneously (1) ensures robustness for both decryption key issuing and access revocation while achieving forward secrecy; (2) enables outsourced decryption to reduce the decryption overhead for data users that have limited computational resources; and (3) achieves adaptive (full) security in standard models. The provided theoretical complexity comparison shows that our construction introduces linear storage and computation overheads that occur only once during its setup phase, which we believe to be a reasonable price to pay to achieve all previous features.
Guy Goren, Lefteris Kokoris-Kogias, Alberto Sonnino, Shir Cohen, Alexander Spiegelman
ePrint Report
This paper explores a modular design architecture aimed at helping blockchains (and other SMR implementations) to scale to a very large number of processes. This comes in contrast to existing monolithic architectures that interleave transaction dissemination, ordering, and execution in a single functionality. To achieve this we first split the monolith into multiple layers which can use existing distributed computing primitives. The exact specification of the data dissemination is formally defined by the Proof of Availability & Retrieval (PoA&R) abstraction. Solutions to the PoA&R problem contain two related sub-protocols: one that ``pushes'' information into the network and another that ``pulls'' this information. Regarding the latter, there is a dearth of research literature which is rectified in this paper. We present a family of pulling sub-protocols and rigorously analyze them. Extensive simulations support the theoretical claims of efficiency and robustness in the case of a very large number of players. Finally, actual implementation and deployment on a small number of machines (roughly the size of several industrial systems) demonstrates the viability of the architecture's paradigm.
Thomas Attema, Vincent Dunning, Maarten Everts, Peter Langenkamp
ePrint Report
We present a novel compiler for transforming arbitrary, passively secure MPC protocols into efficient protocols with covert security and public verifiability in the honest majority setting. Our compiler works for protocols with any number of parties > 2 and treats the passively secure protocol in a black-box manner.

In multi-party computation (MPC), covert security provides an attractive trade-off between the security of actively secure protocols and the efficiency of passively secure protocols. In this security notion, honest parties are only required to detect an active attack with some constant probability, referred to as the deterrence rate. Extending covert security with public verifiability additionally ensures that any party, even an external one not participating in the protocol, is able to identify the cheaters if an active attack has been detected.

Recently, Faust et al. (EUROCRYPT 2021) and Scholl et al. (Pre-print 2021) introduced similar covert security compilers based on computationally expensive time-lock puzzles. At the cost of requiring an honest majority, our work avoids the use of time-lock puzzles completely. Instead, we adopt a much more efficient publicly verifiable secret sharing scheme to achieve a similar functionality. This obviates the need for a trusted setup and a general-purpose actively secure MPC protocol. We show that our computation and communication costs are orders of magnitude lower while achieving the same deterrence rate.
Sk. Tanzir Mehedi, Adnan Anwar, Ziaur Rahman, Kawsar Ahmed, Rafiqul Islam
ePrint Report
Security concerns for IoT applications have been alarming because of their widespread use in different enterprise systems. The potential threats to these applications are constantly emerging and changing, and therefore, sophisticated and dependable defense solutions are necessary against such threats. With the rapid development of IoT networks and evolving threat types, the traditional machine learning-based IDS must update to cope with the security requirements of the current sustainable IoT environment. In recent years, deep learning and deep transfer learning have progressed and experienced great success in different fields and have emerged as a potential solution for dependable network intrusion detection. However, new and emerging challenges have arisen related to the accuracy, efficiency, scalability, and dependability of the traditional IDS in a heterogeneous IoT setup. This manuscript proposes a deep transfer learning-based dependable IDS model that outperforms several existing approaches. The unique contributions include effective attribute selection, which is best suited to identify normal and attack scenarios for a small amount of labeled data, designing a dependable deep transfer learning-based ResNet model, and evaluating considering real-world data. To this end, a comprehensive experimental performance evaluation has been conducted. Extensive analysis and performance evaluation show that the proposed model is robust, more efficient, and has demonstrated better performance, ensuring dependability.
Alin Tomescu, Adithya Bhat, Benny Applebaum, Ittai Abraham, Guy Gueta, Benny Pinkas, Avishay Yanai
ePrint Report
We present UnTraceable Transactions (UTT), a system for decentralized ecash with accountable privacy. UTT is the first ecash system that obtains three critical properties: (1) it provides decentralized trust by implementing the ledger, bank, auditor, and registration authorities via threshold cryptography and Byzantine Fault Tolerant infrastructure; (2) it balances accountability and privacy by implementing anonymity budgets: users can anonymously send payments, but only up to a limited amount of currency per month. Past this point, transactions can either be made public or subjected to customizable auditing rules; (3) by carefully choosing cryptographic building blocks and co-designing the cryptography and decentralization, UTT is tailored for high throughput and low latency. With a combination of optimized cryptographic building blocks and vertical scaling (optimistic concurrency control), UTT can provide almost 1,000 payments with accountable privacy per second, with latencies of around 100 milliseconds and less. Through horizontal scaling (multiple shards), UTT can scale to tens of thousands of such transactions per second. With 60 shards we measure over 10,000 transactions with accountable privacy per second.

We formally define and prove the security of UTT using an MPC-style ideal functionality. Along the way, we define a new MPC framework that captures the security of reactive functionalities in a stand-alone setting, thus filling an important gap in the MPC literature. Our new framework is compatible with practical instantiations of cryptographic primitives and provides a trade-off between concrete efficiency and provable security that may be also useful for future work.
Charanjit S. Jutla, Barry Mishra
ePrint Report
The stock markets have two primary functions, that of providing liquidity and price discovery. While the market micro-structure was mostly ignored or assumed to function ideally for the purpose of asset pricing, O'Hara (Journal of Finance, 2003) has established that both liquidity and price discovery affect asset pricing, and in particular asset returns. Easley and O'Hara (Journal of Finance 2004) have demonstrated that informed investors' private information is not reflected efficiently in price discovery. We argue that the periodic price discovery has both positive and negative consequences for asset returns. In particular, the inefficient reflection of investors' information during price discovery incentivizes them to conduct research. However, this requires that the auctioneer be ideal or fully trusted. In this work we propose using cryptography, and in particular multi-party secure computation, to set up a novel stock market structure that, to a large extent, removes the negative consequences of liquidity costs and periodic price discovery, as well as incentivizes investors to conduct research. Interestingly, the proposed market structure takes us back to the early days of stock markets, i.e. periodic call markets, but with the not so ``trusted'' auctioneer replaced by a decentralized set of parties where no individual party (or small coalition) gets to know the order book.
Yuhao Dong, Ian Goldberg, Sergey Gorbunov, Raouf Boutaba
ePrint Report
The increasing use of blockchain-based cryptocurrencies like Bitcoin has run into inherent scalability limitations of blockchains. Payment channel networks, or PCNs, promise to greatly increase scalability by conducting the vast majority of transactions outside the blockchain while leveraging it as a final settlement protocol. Unfortunately, first-generation PCNs have significant privacy flaws. In particular, even though transactions are conducted off-chain, anonymity guarantees are very weak.

In this work, we present Astrape, a novel PCN construction that achieves strong security and anonymity guarantees with simple, black-box cryptography, given a blockchain with flexible scripting. Existing anonymous PCN constructions often integrate with specific, often custom-designed, cryptographic constructions. But at a slight cost to asymptotic performance, Astrape can use any generic public-key signature scheme and any secure hash function, modeled as a random oracle, to achieve strong anonymity, by using a unique construction reminiscent of onion routing. This allows Astrape to achieve provable security that is "generic" over the computational hardness assumptions of the underlying primitives. Astrape's simple cryptography also lends itself to more straightforward security proofs compared to existing systems. Furthermore, we evaluate Astrape's performance, including that of a concrete implementation on the Bitcoin Cash blockchain. We show that despite worse theoretical time complexity compared to state-of-the-art systems that use custom cryptography, Astrape operations on average have a very competitive performance of less than 10 milliseconds of computation and 1 KB of communication on commodity hardware. Astrape explores a new avenue to secure and anonymous PCNs that achieves similar or better performance compared to existing solutions.
Britta Hale, Chelsea Komlo
ePrint Report
End-to-end encryption (E2EE) is vitally important to security and privacy online, yet currently under-defined. In this note, we map intuitive notions of end-to-end encryption to existing notions of encryption. In particular, we introduce the notion of endness as a notion which end-to-end systems must achieve in addition to traditional security notions associated with encryption, and provide formalizations to capture practical requirements. We demonstrate how the notion of encryption plus endness relates to a variety of case studies that either meet normative security understanding of E2EE or are considered normative failures. Finally, we extend these observations to authentication, and real-world authenticated channel use variants, including authenticated encryption with associated data and message franking.