International Association
for Cryptologic Research

The FIDO2 protocol is a globally used standard for passwordless authentication, building on an alliance between major players in the online authentication space. While already widely deployed, the standard is still under active development. Since version 2.1 of its CTAP sub-protocol, FIDO2 can potentially be instantiated with post-quantum secure primitives. We provide the first formal security analysis of FIDO2 with the CTAP 2.1 and WebAuthn 2 sub-protocols. Our security models build on work by Barbosa et al. for their analysis of FIDO2 with CTAP 2.0 and WebAuthn 1, which we extend in several ways. First, we provide a more fine-grained security model that allows us to prove more relevant protocol properties, such as guarantees about token binding agreement, the None attestation mode, and user verification. Second, we can prove post-quantum security for FIDO2 under certain conditions and minor protocol extensions. Finally, we show that for some threat models, the downgrade resilience of FIDO2 can be improved, and show how to achieve this with a simple modification.

Verifiable Data Streaming (VDS) enables a resource-limited client to continuously outsource data to an untrusted server in a sequential manner while supporting public integrity verification and efficient update. However, most existing VDS schemes require the client to generate all proofs in advance and store them at the server, which leads to a heavy computational burden on the client. In addition, all the previous VDS schemes can perform batch query (i.e., retrieving multiple data entries at once), but are subject to linear communication cost $l$, where $l$ is the number of queried data. In this paper, we first introduce a new cryptographic primitive named Double-trapdoor Chameleon Vector Commitment (DCVC), and then present an unbounded VDS scheme $\mathsf{VDS_1}$ with optimal communication cost in the random oracle model from aggregatable cross-commitment variant of DCVC. Furthermore, we propose, to our best knowledge, the first unbounded VDS scheme $\mathsf{VDS}_2$ with optimal communication and storage overhead in the standard model by integrating Double-trapdoor Chameleon Hash Function (DCH) and Key-Value Commitment (KVC). Both of our schemes enjoy constant-size public key. Finally, we demonstrate the efficiency of our two VDS schemes with a comprehensive performance evaluation.

The School of Computer Science at the University of Birmingham seeks to recruit outstanding computer scientists for the role of Assistant Professor / Associate Professor, with a particular interest in the areas of Systems Security and/or Hardware Security.

The Birmingham Centre for Cyber Security and Privacy conducts internationally competitive research in all aspects of cyber security and privacy. The Centre is recognised by EPSRC/NCSC as an Academic Centre of Excellence in Cyber Security Research, and its MSc in Cyber Security is NSCS-accredited.

We encourage applications that either complement our existing strengths or open-up new areas with strong potential for collaboration. Candidates are welcome from both early career and established stages with an emphasis on a growing international reputation. We provide an inclusive environment and are committed to a recruitment process free from discrimination. We believe that supporting a variety of career trajectories is vital for world class computer science to flourish.

For further information and to apply (closing date 16 August 2022), use the following URL: https://bham.taleo.net/careersection/external/jobdetail.ftl?job=220001IU&tz=GMT%2B01%3A00&tzname=Europe%2FLondon

Closing date for applications:

Contact: For informal enquiries, contact David Oswald (d.f.oswald@bham.ac.uk) or Mark Ryan (m.d.ryan@bham.ac.uk)

More information: https://bham.taleo.net/careersection/external/jobdetail.ftl?job=220001IU&tz=GMT%2B01%3A00&tzname=Europe%2FLondon

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are looking for a cryptographer, or applied cryptographer, to join our growing crypto team based in Milan, Italy. Currently, the team is developing a protocol suite for SNARK-based proof-composition, but its duties reach beyond that, developing privacy-enhancing solutions for our sidechain ecosystem.

Responsabilities

• Design privacy-enhancing technology built on SNARK-based protocols
• Perform collaborative research and assist technical colleagues in their development work
• Participate in standards-setting

Requirements

• Ph.D. in mathematics, computer science, or cryptography
• Solid foundations in zero-knowledge and cryptographic protocols
• Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols or PETs
• Strong problem-solving skills
• The ability to work in a team setting as well as autonomously
• Foundations in blockchain technology and experience in reading Rust are a plus

We offer

• A competitive salary plus pre-series A stock options
• Flexible working hours, including the possibility of remote working
• The opportunity to work with talented minds on challenging topics in this field, including the most recent advancements in zero-knowledge
• A nice and informal team setting to conduct research and development of high-quality open source solutions

If you are interested in this position, you might want to take a look at our recent publications (IACR eprints 2021/930, 2021/399, 2020/123) and our latest podcast on zeroknowledge.fm (Episode 178). For further questions, please contact the email below.

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

More information: https://horizenlabs.io/careers/job/?gh_jid=4116067004

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

We are looking for an engineer who will contribute in building the cryptographic infrastructure of our Web 3.0-enabled blockchain ecosystem. You will be involved in the design and implementation of our zero-knowledge Layer 2 scaling solution based on STARK-proven virtual machines. Our international team works in a stimulating and innovative environment, where people’s technical expertise and experience contribute to the development of cutting-edge blockchain technology.

Requirements

• Experience in implementing zero-knowledge proving systems or related cryptographic primitives;
• Comfortable in implementing low-level operations such as finite field arithmetics, hash functions, etc.;
• Enthusiastic about algorithmic improvements and code optimization.

Furthermore, any experience with

• Plonk, STARKs, AIR circuits,
• EVM, zk-VMs,
• C/C++/Rust programming language

though not mandatory, it is welcomed. We offer

• Competitive salary, yearly bonus, and stock options
• Flexible working hours, fully remote if preferred
• The opportunity to work with talented minds on innovative, high-quality open source solutions.

If you want to get more knowledge about our technology, read our Whitepapers at the website: https://www.horizen.io/research/

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

More information: https://horizenlabs.io/careers/job/?gh_jid=4534454004

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are working on cutting edge tech, including zkSNARKS, proof systems and zkVMs, to fundamentally change the way of building decentralized and scalable Web3 applications. We are looking for a Lead Zero-Knowledge Cryptographer for our cryptographic team distributed across the globe. Amongst other projects, the team is dedicated to the design of our Layer-2 scaling solution based on STARK-proven virtual machines. You will help our team grow, conduct research and lay out SNARK-based cryptographic protocols, working on related cutting-edge technologies such as zkVMs.

Requirements

You should be aware of state of the art proving systems such as Plonk and STARKs, and have a solid background in computational models and blockchain technologies. Additional requirements are represented by:

• Ph.D. in mathematics, computer science, or cryptography;
• Solid foundations in zero-knowledge and cryptographic protocols ;
• Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols, and PETs;
• Strong problem-solving skills;
• The ability to work in a team setting as well as autonomously

Experience in reading code (e.g. C++, Rust) though not mandatory, it is welcomed.

We offer:

• Competitive salary, yearly bonus, and stock options
• Flexible working hours, fully remote if preferred
• The opportunity to work with talented minds on innovative, high-quality open source solutions.

If you want to get more knowledge about our technology, read our Whitepapers at the website: https://www.horizen.io/research/

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

More information: https://horizenlabs.io/careers/job/?gh_jid=4536288004

The Department of software theory and mathematics at Dalian University of Technology (DUT) is home to a diverse community of leading international scientists, engineers, mathematicians, and researchers. In the current digital era, secure and reliable cryptography is the foundation of digital information security and data integrity. In our department, we address the world’s most pressing cryptographic questions. Our work covers post-quantum cryptography, blockchain, fully homomorphic encryption, lightweight cryptography, cloud encryption schemes, secure protocols, quantum cryptographic technologies, and cryptanalysis.
Open Positions: 03 Post-doctoral research fellows for three years contract. The salary is $50,000 -- $70,000 per year plus Superannuation. Housing/renting is covered.
Responsibilities:

• Conduct research on state-of-the-art cryptography and cyber-security research fields.
• Analyze project requirements and provide technical and functional recommendations.
• Implement cryptographic libraries and security frameworks.
• Propose new projects and research directions.

Required Skills:

• Ph.D. degree in Cryptography, Applied Cryptography, Information Theory, or Mathematics.
• Knowledge of cryptography and cybersecurity.
• Familiar with C, C++, Python, or JAVA
• Self-motivated, reliable, creative, can work independently and want to do excellent research.

Closing date for applications:

Contact: kumar.abdal@protonmail.com

The Cryptology Group at CWI in Amsterdam invites applications for a 3-year postdoc position within the NWO NWA consortium project HAPKIDO. The successful candidate is expected to do cutting edge research on the topic of post-quantum cryptography, but ideally has also some interest in practical aspects of the migration to post-quantum secure schemes.

Candidates are required to hold a PhD in mathematics or computer science, with a specialization in cryptology, and they are expected to have a good knowledge of post-quantum cryptography and/or of quantum information science in general. Candidates must have a strong track record (ideally with publications at IACR conferences) and good academic writing and presentation skills.

The position is with a flexible starting date, available as of immediately. Applications will be reviewed continuously until the position is filled.

All applications should include a motivation letter, a detailed resume (including a list of publications), a research statement (max 2 pages) discussing prior, current and future research, and the names of at least three references.

Questions and applications should be sent to serge.fehr@cwi.nl.

Closing date for applications:

Contact: Serge Fehr

The Massive Parallel Computing (MPC) model gained wide adoption over the last decade. By now, it is widely accepted as the right model for capturing the commonly used programming paradigms (such as MapReduce, Hadoop, and Spark) that utilize parallel computation power to manipulate and analyze huge amounts of data.

Motivated by the need to perform large-scale data analytics in a privacy-preserving manner, several recent works have presented generic compilers that transform algorithms in the MPC model into secure counterparts, while preserving various efficiency parameters of the original algorithms. The first paper, due to Chan et al. (ITCS ’20), focused on the honest majority setting. Later, Fernando et al. (TCC ’20) considered the dishonest majority setting. The latter work presented a compiler that transforms generic MPC algorithms into ones which are secure against semi-honest attackers that may control all but one of the parties involved. The security of their resulting algorithm relied on the existence of a PKI and also on rather strong cryptographic assumptions: indistinguishability obfuscation and the circular security of certain LWE-based encryption systems.

In this work, we focus on the dishonest majority setting, following Fernando et al. In this setting, the known compilers do not achieve the standard security notion called malicious security, where attackers can arbitrarily deviate from the prescribed protocol. In fact, we show that unless very strong setup assumptions as made (such as a programmable random oracle), it is provably impossible to withstand malicious attackers due to the stringent requirements on space and round complexity.

As our main contribution, we complement the above negative result by designing the first general compiler for malicious attackers in the dishonest majority setting. The resulting protocols withstand all-but-one corruptions. Our compiler relies on a simple PKI and a (programmable) random oracle, and is proven secure assuming LWE and SNARKs. Interestingly, even with such strong assumptions, it is rather non-trivial to obtain a secure protocol.

We present an attack on SIDH which does not require any endomorphism information on the starting curve. Our attack is not polynomial-time, but significantly reduces the security of SIDH and SIKE; our analysis and preliminary implementation suggests that our algorithm will be feasible for the Microsoft challenge parameters $p = 2^{110}3^{67}-1$ on a regular computer. Our attack applies to any isogeny-based cryptosystem that publishes the images of points under the secret isogeny, for example Séta [26] and B-SIDH [9]. It does not apply to CSIDH [8], CSI-FiSh [3], or SQISign [11].

We present the first non-interactive delegation scheme for P with time-tight parallel prover efficiency based on standard hardness assumptions. More precisely, in a time-tight delegation scheme–which we refer to as a SPARG (succinct parallelizable argument)–the prover's parallel running time is t + polylog(t), while using only polylog(t) processors and where t is the length of the computation. (In other words, the proof is computed essentially in parallel with the computation, with only some minimal additive overhead in terms of time).

Our main results show the existence of a publicly-verifiable, non-interactive, SPARG for P assuming polynomial hardness of LWE. Our SPARG construction relies on the elegant recent delegation construction of Choudhuri, Jain, and Jin (FOCS'21) and combines it with techniques from Ephraim et al (EuroCrypt'20).

We next demonstrate how to make our SPARG time-independent–where the prover and verifier do not need to known the running-time t in advance; as far as we know, this yields the first construction of a time-tight delegation scheme with time-independence based on any hardness assumption.

We finally present applications of SPARGs to the constructions of VDFs (Boneh et al, Crypto'18), resulting in the first VDF construction from standard polynomial hardness assumptions (namely LWE and the minimal assumption of a sequentially hard function).

Motivated by several new and natural applications, we initiate the study of multi-input predicate encryption (${\sf miPE}$) and further develop multi-input attribute based encryption (${\sf miABE}$). Our contributions are:

1. Formalizing Security: We provide definitions for ${\sf miABE}$ and ${\sf miPE}$ in the {symmetric} key setting and formalize security in the standard indistinguishability (IND) paradigm, against unbounded collusions.

2. Two-input ${\sf ABE}$ for ${\sf NC}_1$ from ${\sf LWE}$ and Pairings: We provide the first constructions for two-input key-policy ${\sf ABE}$ for ${\sf NC}_1$ from ${\sf LWE}$ and pairings. Our construction leverages a surprising connection between techniques recently developed by Agrawal and Yamada (Eurocrypt, 2020) in the context of succinct single-input ciphertext-policy ${\sf ABE}$, to the seemingly unrelated problem of two-input key-policy ${\sf ABE}$. Similarly to Agrawal-Yamada, our construction is proven secure in the bilinear generic group model. By leveraging inner product functional encryption and using (a variant of) the KOALA knowledge assumption, we obtain a construction in the standard model analogously to Agrawal, Wichs and Yamada (TCC, 2020).

3. Heuristic two-input ${\sf ABE}$ for ${\sf P}$ from Lattices: We show that techniques developed for succinct single-input ciphertext-policy ${\sf ABE}$ by Brakerski and Vaikuntanathan (ITCS 2022) can also be seen from the lens of ${\sf miABE}$ and obtain the first two-input key-policy ${\sf ABE}$ from lattices for ${\sf P}$.

4. Heuristic three-input ${\sf ABE}$ and ${\sf PE}$ for ${\sf NC}_1$ from Pairings and Lattices: We obtain the first three-input ${\sf ABE}$ for ${\sf NC}_1$ by harnessing the powers of both the Agrawal-Yamada and the Brakerski-Vaikuntanathan constructions.

5. Multi-input ${\sf ABE}$ to multi-input ${\sf PE}$ via Lockable Obfuscation: We provide a generic compiler that lifts multi-input ${\sf ABE}$ to multi-input ${\sf PE}$ by relying on the hiding properties of Lockable Obfuscation (${\sf LO}$) by Wichs-Zirdelis and Goyal-Koppula-Waters (FOCS 2018), which can be based on ${\sf LWE}$. Our compiler generalizes such a compiler for single-input setting to the much more challenging setting of multiple inputs. By instantiating our compiler with our new two and three-input ${\sf ABE}$ schemes, we obtain the first constructions of two and three-input ${\sf PE}$ schemes.

Our constructions of multi-input ${\sf ABE}$ provide the first improvement to the compression factor of non-trivially exponentially efficient Witness Encryption defined by Brakerski et al. (SCN 2018) without relying on compact functional encryption or indistinguishability obfuscation. We believe that the unexpected connection between succinct single-input ciphertext-policy ${\sf ABE}$ and multi-input key-policy ${\sf ABE}$ may lead to a new pathway for witness encryption.

The offline-online model is a leading paradigm for practical secure multi-party computation (MPC) protocol design that has successfully reduced the overhead for several prevalent privacy-preserving computation functionalities common to diverse application domains. However, the prohibitive overheads associated with secure comparison -- one of these vital functionalities -- often bottlenecks current and envisioned MPC solutions. Indeed, an efficient secure comparison solution has the potential for significant real-world impact through its broad applications.

This work identifies and presents SIM, a secure protocol for the functionality of interval membership testing. This security functionality, in particular, facilitates secure less-than-zero testing and, in turn, secure comparison. A key technical challenge is to support a fast online protocol for testing in large rings while keeping the precomputation tractable. Motivated by the map-reduce paradigm, this work introduces the innovation of (1) computing a sequence of intermediate functionalities on a partition of the input into input blocks and (2) securely aggregating the output from these intermediate outputs. This innovation allows controlling the size of the precomputation through a granularity parameter representing these input blocks' size -- enabling application-specific automated compiler optimizations.

To demonstrate our protocols' efficiency, we implement and test their performance in a high-demand application: privacy-preserving machine learning. The benchmark results show that switching to our protocols yields significant performance improvement, which indicates that using our protocol in a plug-and-play fashion can improve the performance of various security applications. Our new paradigm of protocol design may be of independent interest because of its potential for extensions to other functionalities of practical interest.

The security of the post-quantum signature scheme Picnic is highly related to the difficulty of recovering the secret key of LowMC from a single plaintext-ciphertext pair. Since Picnic is one of the alternate third-round candidates in NIST post-quantum cryptography standardization process, it has become urgent and important to evaluate the security of LowMC in the Picnic setting. The best attacks on LowMC with full S-box layers used in Picnic3 were achieved with Dinur's algorithm. For LowMC with partial nonlinear layers, e.g. 10 S-boxes per round adopted in Picnic2, the best attacks on LowMC were published by Banik et al. with the meet-in-the-middle (MITM) method.

In this paper, we improve the attacks on LowMC in a model where memory consumption is costly. First, a new attack on 3-round LowMC with full S-box layers with negligible memory complexity is found, which can outperform Bouillaguet et al.'s fast exhaustive search attack and can achieve better time-memory tradeoffs than Dinur's algorithm. Second, we extend the 3-round attack to 4 rounds to significantly reduce the memory complexity of Dinur's algorithm at the sacrifice of a small factor of time complexity. For LowMC instances with 1 S-box per round, our attacks are shown to be much faster than the MITM attacks. For LowMC instances with 10 S-boxes per round, we can reduce the memory complexity from 32GB ($2^{38}$ bits) to only 256KB ($2^{21}$ bits) using our new algebraic attacks rather than the MITM attacks, while the time complexity of our attacks is about $2^{3.2}\sim 2^{5}$ times higher than that of the MITM attacks. A notable feature of our new attacks (apart from the 4-round attack) is their simplicity. Specifically, only some basic linear algebra is required to understand them and they can be easily implemented.

For a group $\mathbb{G}$ of unknown order, a *Proof of Exponentiation* (PoE) allows a prover to convince a verifier that a tuple $(y,x,q,T)\in \mathbb{G}^2\times\mathbb{N}^2$ satisfies $y=x^{q^T}$. PoEs have recently found exciting applications in constructions of verifiable delay functions and succinct arguments of knowledge. The current PoEs that are practical in terms of proof-size only provide restricted soundness guarantees: Wesolowski's protocol (Journal of Cryptology 2020) is only computationally-sound (i.e., it is an argument), whereas Pietrzak's protocol (ITCS 2019) is statistically-sound only in groups that come with the promise of not having any small subgroups. On the other hand, the only statistically-sound PoE in *arbitrary* groups of unknown order is due to Block et al. (CRYPTO 2021), and it can be seen as an elaborate parallel repetition of Pietrzak's PoE. Therefore, to achieve $\lambda$ bits of security, say $\lambda=80$, the number of repetitions required -- and hence the (multiplicative) overhead incurred in proof-size -- is as large as $\lambda$.

In this work, we propose a statistically-sound PoE for arbitrary groups for the case where the exponent $q$ is the product of all primes up to some bound $B$. For such a structured exponent, we show that it suffices to run only $\lambda/\log(B)$ parallel instances of Pietrzak's PoE. This reduces the concrete proof-size compared to Block et al. by an order of magnitude. Furthermore, we show that in the known applications where PoEs are used as a building block such structured exponents are viable. Finally, we also discuss batching of our PoE, showing that many proofs (for the same $\mathbb{G}$ and $q$ but different $x$ and $T$) can be batched by adding only a single element to the proof per additional statement.

Event date: 4 December to
Submission deadline: 31 August 2022
Notification: 7 October 2022

A PhD position to work on privacy-preserving machine learning is available at Monash University, Australia. Interested candidates please send your CV/information to Rafael Dowsley rafael.dowsley@monash.edu

More information about Monash's cybersecurity group can be found at https://www.monash.edu/it/ssc/cybersecurity, and about our PPML work on https://dowsley.net

Monash is one of the leading universities in Australia and is located in Melbourne (which is consistently ranked as one of the top cities in the world to live in).

Closing date for applications:

Contact: Rafael Dowsley

We present an attack on Ethereum's consensus mechanism which can be used by miners to obtain consistently higher mining rewards compared to the honest protocol. This attack is novel in that it does not entail withholding blocks or any behavior which has a non-zero probability of earning less than mining honestly, in contrast with the existing literature. This risk-less attack relies instead on manipulating block timestamps, and carefully choosing whether and when to do so. We present this attack as an algorithm, which we then analyze to evaluate the revenue a miner obtains from it, and its effect on a miner's absolute and relative share of the main-chain blocks. The attack allows an attacker to replace competitors' main-chain blocks after the fact with a block of its own, thus causing the replaced block's miner to lose all transactions fees for the transactions contained within the block, which will be demoted from the main-chain. This block, although ``kicked-out'' of the main-chain, will still be eligible to be referred to by other main-chain blocks, thus becoming what is commonly called in Ethereum an uncle. We proceed by defining multiple variants of this attack, and assessing whether any of these attacks has been performed in the wild. Surprisingly, we find that this is indeed true, making this the first case of a confirmed consensus-level manipulation performed on a major cryptocurrency. Additionally, we implement a variant of this attack as a patch for geth, Ethereum's most popular client, making it the first consensus-level attack on Ethereum which is implemented as a patch. Finally, we suggest concrete fixes for Ethereum's protocol and implemented them as a patch for geth which can be adopted quickly and mitigate the attack and its variants.

Isogeny-based cryptography is one of the candidates for post-quantum cryptography. SIDH is a compact and efficient isogeny-based key exchange, and SIKE, which is the SIDH-based key encapsulation mechanism, remains the NIST PQC Round 4. However, by the brilliant attack provided by Castryck and Decru, the original SIDH is broken in polynomial time (with heuristics). To break the original SIDH, there are three important pieces of information in the public key: information about the endomorphism ring of a starting curve, some image points under a cyclic hidden isogeny, and the degree of the isogeny.

In this paper, we proposed the new isogeny-based scheme named \textit{masked-degree SIDH}. This scheme is the variant of SIDH that masks most information about degrees of hidden isogenies, and the first trial against Castryck--Decru attack. The main idea to cover degrees is to use many primes to compute isogenies that allow the degree to be more flexible. Though the size of the prime $p$ for this scheme is slightly larger than that of SIDH, this scheme resists current attacks using degrees of isogenies like the attack of Castryck and Decru. The most effective attack for masked-degree SIDH has $\tilde{O}(p^{1/(8\log_2{(\log_2{p})})})$ time complexity with classical computers and $\tilde{O}(p^{1/(16\log_2{(\log_2{p})})})$ time complexity with quantum computers in our analysis.

In this work we propose time-deniable signatures (TDS), a new primitive that facilitates deniable authentication in protocols such as DKIM-signed email. As with traditional signatures, TDS provide strong authenticity for message content, at least for a sender-chosen period of time. Once this time period has elapsed, however, time-deniable signatures can be forged by any party who obtains a signature. This forgery property ensures that signatures serve a useful authentication purpose for a bounded time period, while also allowing signers to plausibly disavow the creation of older signed content. Most critically, and unlike many past proposals for deniable authentication, TDS do not require interaction with the receiver or the deployment of any persistent cryptographic infrastructure or services beyond the signing process (e.g., APIs to publish secrets or author timestamp certificates.)

We first investigate the security definitions for time-deniability, demonstrating that past definitional attempts are insufficient (and indeed, allow for broken signature schemes.) We then propose an efficient construction of TDS based on well-studied assumptions.