International Association
for Cryptologic Research

Cloud based storage-as-a-service is quickly gaining popularity due to its many advantages such as scalability and pay-as-you-use cost model. However, storing data in the clear on third-party servers creates vulnerabilities, especially pertaining to data privacy. Applications typically encrypt their data before off-loading it to cloud storage to ensure data privacy. To serve a client’s read or write requests, an application either reads or updates the encrypted data on the cloud, revealing the type of client access to the untrusted cloud. An adversary however can exploit this information leak to compromise a user’s privacy by tracking read/write access patterns. Existing approaches (used in Oblivious RAM (ORAM) and frequency smoothing datastores) hide the type of client access by always reading the data followed by writing it, sequentially, irrespective of a read or write request, rendering one of these rounds redundant with respect to a client request. To mitigate this redundancy, we propose ORTOA- a One Round Trip Oblivious Access protocol that reads or writes data stored on remote storage in one round without revealing the type of access. To our knowledge, ORTOA is the first generalized protocol to obfuscate the type of access in a single round, reducing the communication overhead in half. ORTOA hides the type of individual access as well as the read/write workload distribution of an application, and due to its generalized design, it can be integrated with many existing obliviousness techniques that hide access patterns such as ORAM or frequency smoothing. Our experimental evaluations show that ORTOA’s throughput is 2.8x that of a baseline that requires two rounds to hide the type of access; and the baseline incurs 1.9x higher latency than ORTOA.

Registration-based encryption (RBE) was recently introduced as an alternative to identity-based encryption (IBE), to resolve the key-escrow problem: In RBE, the trusted authority is substituted with a weaker entity, called the key curator, who has no knowledge of any secret key. Users generate keys on their own and then publicly "register" their identities and their corresponding public keys to the key curator. RBE is a promising alternative to IBE, retaining many of its advantages while removing the key-escrow problem, the major drawback of IBE. Unfortunately, all existing constructions of RBE use cryptographic schemes in a non black-box way, which makes them prohibitively expensive. It has been estimated that the size of an RBE ciphertext would be in the order of terabytes (though no RBE has even been implemented).

In this work, we propose a new approach to construct RBE, from well-studied assumptions in bilinear groups. Our scheme is black-box, and it is concretely highly efficient---a ciphertext is 866 bytes. To substantiate this claim, we implemented a prototype of our scheme, and we show that it scales to "millions of users". The public parameters of the scheme are in the order of kilobytes. The most expensive operation (registration) takes a handful of seconds, whereas the encryption and decryption runtimes are in the order of milliseconds. This is the first-ever implementation of an RBE scheme and demonstrates that the practical deployment of RBE is already possible with today's hardware.

A multiparty computation protocol is {\em perfectly secure} for some function $f$ if it perfectly emulates an ideal computation of $f$. Thus, perfect security is the strongest and most desirable notion of security, as it guarantees security in the face of any adversary and eliminates the dependency on any security parameter. Ben-Or et al. [STOC '88] and Chaum et al. [STOC '88] showed that any function can be computed with perfect security if strictly less than one-third of the parties can be corrupted. For two-party sender-receiver functionalities (where only one party receives an output), Ishai et al. [TCC '13] showed that any function can be computed with perfect security in the correlated randomness model. Unfortunately, they also showed that perfect security cannot be achieved in general for two-party functions that give outputs to both parties (even in the correlated randomness model).

We study the feasibility of obtaining perfect security for deterministic symmetric two-party functionalities (i.e., where both parties obtain the same output) in the face of malicious adversaries. We explore both the plain model as well as the correlated randomness model. We provide positive results in the plain model, and negative results in the correlated randomness model. As a corollary, we obtain the following results. \begin{enumerate} \item We provide a characterization of symmetric functionalities with (up to) four possible outputs that can be computed with perfect security. The characterization is further refined when restricted to three possible outputs and to Boolean functions. All characterizations are the same for both the plain model and the correlated randomness model. \item We show that if a functionality contains an embedded XOR or an embedded AND, then it cannot be computed with perfect security (even in the correlated randomness model). \end{enumerate}

The classical (parallel) black pebbling game is a useful abstraction which allows us to analyze the resources (space, space-time, cumulative space) necessary to evaluate a function $f$ with a static data-dependency graph $G$. Of particular interest in the field of cryptography are data-independent memory-hard functions $f_{G,H}$ which are defined by a directed acyclic graph (DAG) $G$ and a cryptographic hash function $H$. The pebbling complexity of the graph $G$ characterizes the amortized cost of evaluating $f_{G,H}$ multiple times as well as the total cost to run a brute-force preimage attack over a fixed domain $\mathcal{X}$, i.e., given $y \in \{0,1\}^*$ find $x \in \mathcal{X}$ such that $f_{G,H}(x)=y$. While a classical attacker will need to evaluate the function $f_{G,H}$ at least $m=|\mathcal{X}|$ times a quantum attacker running Grover's algorithm only requires $\mathcal{O}(\sqrt{m})$ blackbox calls to a quantum circuit $C_{G,H}$ evaluating the function $f_{G,H}$. Thus, to analyze the cost of a quantum attack it is crucial to understand the space-time cost (equivalently width times depth) of the quantum circuit $C_{G,H}$. We first observe that a legal black pebbling strategy for the graph $G$ does not necessarily imply the existence of a quantum circuit with comparable complexity --- in contrast to the classical setting where any efficient pebbling strategy for $G$ corresponds to an algorithm with comparable complexity for evaluating $f_{G,H}$. Motivated by this observation we introduce a new parallel reversible pebbling game which captures additional restrictions imposed by the No-Deletion Theorem in Quantum Computing. We apply our new reversible pebbling game to analyze the reversible space-time complexity of several important graphs: Line Graphs, Argon2i-A, Argon2i-B, and DRSample. Specifically, (1) we show that a line graph of size $N$ has reversible space-time complexity at most $\mathcal{O}\left(N^{1+\frac{2}{\sqrt{\log N}}}\right)$. (2) We show that any $(e,d)$-reducible DAG has reversible space-time complexity at most $\mathcal{O}(Ne+dN2^d)$. In particular, this implies that the reversible space-time complexity of Argon2i-A and Argon2i-B are at most $\mathcal{O}(N^2 \log \log N/\sqrt{\log N})$ and $\mathcal{O}(N^2/\sqrt[3]{\log N})$, respectively. (3) We show that the reversible space-time complexity of DRSample is at most $\mathcal{O}(N^2 \log \log N/\log N)$. We also study the cumulative pebbling cost of reversible pebblings extending a (non-reversible) pebbling attack of Alwen and Blocki on depth-reducible graphs.

The generic-group model (GGM) has been very successful in making the analyses of many cryptographic assumptions and protocols tractable. It is, however, well known that the GGM is “uninstantiable,” i.e., there are protocols secure in the GGM that are insecure when using any real-world group. This motivates the study of standard-model notions formalizing that a real-world group in some sense “looks generic.”

We introduce a standard-model definition called pseudo-generic group (PGG), where we require exponentiations with base an (initially) unknown group generator to result in random-looking group elements. In essence, our framework delicately lifts the influential notion of Universal Computational Extractors of Bellare, Hoang, and Keelveedhi (BHK, CRYPTO 2013) to a setting where the underlying ideal reference object is a generic group. The definition we obtain simultaneously generalizes the Uber assumption family, as group exponents no longer need to be polynomially induced. At the core of our definitional contribution is a new notion of algebraic unpredictability, which reinterprets the standard Schwartz–Zippel lemma as a restriction on sources. We prove the soundness of our definition in the GGM with auxiliary-input (AI-GGM).

Our remaining results focus on applications of PGGs. We first show that PGGs are indeed a generalization of Uber. We then present a number of applications in settings where exponents are not polynomially induced. In particular we prove that simple variants of ElGamal meet several advanced security goals previously achieved only by complex and inefficient schemes. We also show that PGGs imply UCEs for split sources, which in turn are sufficient in several applications. As corollaries of our AI-GGM feasibility, we obtain the security of all these applications in the presence of preprocessing attacks.

Some of our implications utilize a novel type of hash function, which we call linear-dependence destroyers (LDDs) and use to convert standard into algebraic unpredictability. We give an LDD for low-degree sources, and establish their plausibility for all sources by showing, via a compression argument, that random functions meet this definition.

Event date: 26 March 2023

A candidate will work in the area of post-quantum cryptography. The candidate will conduct research on analysis of post-quantum cryptography; the emphasis is on quantum analysis on symmetric cipher and PQC. The work requires to carry out some simulations.

Applicants are expected to have a PhD degree in Mathematics/Physics/Computer Science and a strong background in quantum algorithm, algebra, linear algebra or algebraic number theory.

Preferred candidates are expected to be proficient in Magma software or SAGEMATH software; or have knowledge on quantum software (eg. Qiskit, etc), a team worker and able to conduct independent research.

Interested candidates will kindly include their full CV and transcripts in their applications and send to Dr Chik How Tan, tsltch@nus.edu.sg. Deadline for applications is January 31st, 2023. We encourage early applications and review of applications will begin immediately. Only shortlisted applications will be notified.

Closing date for applications:

Contact: Dr Chik How Tan (tsltch@nus.edu.sg)

The Department of Mathematical Sciences at Florida Atlantic University has availability for PhD student positions to work in various areas of mathematical cryptology, including but not limited to:

• post-quantum cryptography
• lattice-based cryptography
• code-based cryptography
• cryptanalysis
• elliptic curves and isogenies
• zero-knowledge proofs
• ...

Earliest start date is in the Spring 2023, or thereafter. For more information about the department, its members, and the areas of research, visit http://www.math.fau.edu/mathdepartment/crypto.php

Closing date for applications:

Contact: Edoardo Persichetti (epersichetti@fau.edu); Shi Bai (sbai@fau.edu); Francesco Sica (sicaf@fau.edu)

Blockchains are not private enough for safe use by citizens, corporations, or dissidents. Heliax is looking for a research cryptographer interested in fully-homomorphic encryption protocols and their application to distributed ledger technology to work with us to design, evaluate, and implement FHE constructions, then put this cryptography into practice in order to realise privacy and scalability capabilities required by the next generation of blockchain networks. This role offers the chance to work closely with a small team on compelling cross-disciplinary problems in theoretical computer science, cryptography, game theory, economics, and systems design, and enjoy a high degree of independence in working conditions and task prioritization.

Closing date for applications:

Contact: Christopher Goes

More information: https://heliax.dev/jobs/research-cryptographer-FHE/

Event date: 22 April to 23 April 2023
Submission deadline: 5 January 2023
Notification: 9 February 2023

Event date: 26 June to 29 June 2023
Submission deadline: 18 November 2022
Notification: 20 January 2023

Event date: 28 December to 31 December 2022
Submission deadline: 30 October 2022
Notification: 30 November 2022

Event date: 28 December to 31 December 2022
Submission deadline: 30 October 2022
Notification: 30 November 2022

Up to three PhD positions are available. The PhD research project is in the area of cryptology and includes an investigation into one of the following research topics:

Security and design of primitives in cryptology adapted for use in 5G/6G mobile communication systems with special focus on low latency and high reliability algorithms and protocols.

Analysis of cryptographic primitives through side-channel attacks that exploit measurement of power consumption and/or time delays to determine protected information.

Study of digital signatures in the field of post-quantum encryption. The work aims to investigate the security of proposed digital signatures, based on the hard problem "Learning-With-Errors" (LWE) or related problems.

Third cycle studies at Lund University consist of full-time studies for 4 years. A doctoral studentship is a fixed-term employment of a maximum of 5 years (including 20% departmental duties). Starting salary is around 3100Euro per month. For further information and information on how to apply, see https://lu.varbi.com/en/what:job/jobID:557529/

Closing date for applications:

Contact: Thomas Johansson: thomas (at) eit.lth.se

More information: https://lu.varbi.com/en/what:job/jobID:557529/

PhD position available at the AtlanTTic Research Center (https://atlanttic.uvigo.es/en/), Universidade de Vigo, Spain. Start in early 2023, covering full PhD duration (3-4 years), and including travel budget for conferences and summer schools.

The workplace is in the city of Vigo, being ranked by OCU as the Spanish city with the highest life quality (https://www.idealista.com/en/news/lifestyle-in-spain/2021/06/02/13426-quality-of-life-in-spain-spanish-cities-with-the-best-and-worst-quality-of-life).

The position will be part-time in two projects related to privacy and intellectual property protection for federated machine learning: 1) TRUMPET, an European project on privacy enhancing methods and privacy metrics for federated learning (FL); 2) FELDSPAR, a Spanish project to use DNN watermarking for protecting the intellectual property of FL models.

PhD candidates will carry out research on: 1) identifying threat models and measuring privacy leaks in FL; 2) develop novel DNN watermarking algorithms in FL robust to collusion attacks.

Intended tasks:

Research on methods and metrics to measure the privacy leakage in FL models without and with crypto/differential privacy protection.

Develop tools for automatic measurement/learning of privacy leaks.

Research and implementation of methods for watermarking-based fingerprinting of federated models robust to collusion attacks.

Simulation of realistic conditions to test performance.

Publications in journals and/or conference proceedings.

Your profile:

Master’s degree or equivalent in Electrical/Telecommunications Engineering, Computer Science, Mathematics or similar. Strong background in machine learning (theory and implementations) required. Knowledge of privacy enhancing technologies and of information theory will be positively evaluated.

Good communication/writing skills in English.

Good programming skills and experience working with machine learning libraries.

Closing date for applications:

Contact: For more details, send an email to Prof. Fernando Pérez-González (fperez@gts.uvigo.es).

The Department of Mathematical Sciences at Florida Atlantic University invites applications for a tenure-track position at the assistant professor level in the area of cryptology, starting in August 2023. We will consider applicants knowledgeable in the general area of cryptology. Preference will be given to candidates with several broad areas of interest including, but not limited to, mathematical foundations of public-key cryptography, post-quantum cryptography (e.g., based on error-correcting codes, lattice problems, or polynomial systems of equations), and algorithmic number theory. In general, we will give higher priority to the overall originality and promise of the candidate’s work rather than to the sub-area specialization. Responsibilities for this position will be research, teaching, and professional service. The successful candidate is expected to apply for and secure external research funding, and actively participate in interdisciplinary programs. The Department of Mathematical Sciences is a collegial and research-active department demonstrating excellence in teaching, research, and service. We are home to 27 tenure-track or tenured faculty members, 15 faculty members in non-tenure-track positions, and more than 40 graduate teaching/research assistants from diverse backgrounds. Our department has an established national and international reputation for research innovation through our Center for Cryptology and Information Security. FAU is also recognized as a National Center of Academic Excellence in Information Assurance/Cyber Defense Research (CAE-R) for academic years 2019-2024. More information about the department can be found at: http://www.math.fau.edu/ Diversity and Inclusion are core values of the Department of Mathematical Sciences. We believe that the educational environment is enhanced when diverse groups of people with diverse ideas come together to learn. Applicants whose work incorporates a global perspective and a demonstrated commitment to diversity of thought in higher education are particularly encouraged to apply. Review of applications will begin January 15, 2023 and will continue until the position is filled.

Closing date for applications:

Contact: Informal inquiries can be addressed to: Dr. Edoardo Persichetti, Chair of the Search Committee, (epersichetti@fau.edu). Apply at https://fau.wd1.myworkdayjobs.com/FAU/job/Boca-Raton/Assistant-Professor--Cryptology_REQ14641

More information: https://fau.wd1.myworkdayjobs.com/FAU/job/Boca-Raton/Assistant-Professor--Cryptology_REQ14641

NYU Shanghai is currently inviting applications for Tenured or Tenure-Track positions in Computer Science. The search is not restricted to any rank and outstanding candidates at all levels are encouraged to apply. We seek candidates who have completed a Ph.D. in Computer Science, or a closely related discipline. We seek candidates in all sub-fields of Computer Science, with particular interest in Systems, Computer Science Theory, Quantum Computing, Artificial Intelligence and Deep Learning. Review of applications will begin on January 1, 2023 and will continue until the position is filled. To find more information about NYU Shanghai and apply, please follow this link https://apply.interfolio.com/116511. If you have any questions, please email the NYU Shanghai NY Office of Faculty Recruitment shanghai.faculty.recruitment@nyu.edu. Terms of employment at NYU Shanghai are comparable to NYU New York and other U.S. institutions with respect to research start-up funds and compensation, and they include housing subsidies and educational subsidies for children. Faculty may in certain cases have the opportunity to spend time at NYU New York and other sites of the NYU Global Network, engaging in both research and teaching.

Closing date for applications:

Contact: NYU Shanghai NY Office of Faculty Recruitment: shanghai.faculty.recruitment@nyu.edu

More information: https://apply.interfolio.com/116511

Multiple fully funded Ph.D. positions are available at the Vernam Lab (http://vernam.wpi.edu). Thanks to the rolling admission, prospective Ph.D. students can join us in January 2023 at the earliest. The hiring process runs until suitable candidates have been selected. The students are expected to work on a wide variety of topics that are mainly related to hardware security, including: (1) side-channel analysis and fault analysis, (2) application of artificial intelligence in hardware security, (3) security of deep learning hardware accelerators, (4) electronic design automation and verification, (5) cryptographic implementation in hardware as well as software, and (6) physical security of cryptographic hardware.
Requirements

• A degree in ECE or CS
• Strong background in mathematics and computer engineering
• Prior experience in one or more of the following is a plus:

o Cryptography
o Machine learning
o Programming languages: Python (open to work with new libraries), VHDL/Verilog
o FPGA prototyping, lab equipment (hands-on experience)

What does Vernam Lab offer? A competitive salary and an international cutting-edge research program in an attractive working environment.
WPI is a highly-ranked research university in the Boston area and has been recently recognized by the 2020 HEED Award for its outstanding commitment to diversity and inclusion. In accordance with this mission and to broaden participation in STEM, we encourage all students, especially minority students, to apply. Interested students should contact us by sending an email with a CV to vernam.labs@gmail.com.

Closing date for applications:

Contact: vernam.labs@gmail.com

In recent years, many digital signature scheme proposals have been built from the so-called MPC-in-the-head paradigm. This has shown to be an outstanding way to design efficient signatures with security based on hard problems.

MinRank is an NP-complete problem extensively studied due to its applications to cryptanalysis since its introduction in 1999. However, only a few schemes base their security on its intractability, and their signature size is large compared with other proposals based on NP problems. This paper introduces the first MinRank-based digital signature scheme that uses the MPC-in-the-head, enabling it to achieve small signature sizes and running times. For NIST's category I parameter set, we obtain signatures of 6.5KB, which is competitive with the shortest proposals in the literature that are based on non-structured problems.

Attribute-based encryption (ABE) generalizes public-key encryption and enables fine-grained control to encrypted data. However, ABE upends the traditional trust model of public-key encryption by requiring a single trusted authority to issue decryption keys. A compromised central authority has the ability to decrypt every ciphertext in the system.

This work introduces registered ABE, a primitive that allows users to generate secret keys on their own and then register the associated public key with a "key curator" along with their attributes. The key curator aggregates the public keys from the different users into a single compact master public key. To decrypt, users occasionally need to obtain helper decryption keys from the key curator which they combine with their own secret keys. We require that the size of the aggregated public key, the helper decryption keys, the ciphertexts, as well as the encryption/decryption times to be polylogarithmic in the number of registered users. Moreover, the key curator is entirely transparent and maintains no secrets. Registered ABE generalizes the notion of registration-based encryption (RBE) introduced by Garg et al. (TCC 2018), who focused on the simpler setting of identity-based encryption.

We construct a registered ABE scheme that supports an a priori bounded number of users and policies that can be described by a linear secret sharing scheme (e.g., monotone Boolean formulas) from assumptions on composite-order pairing groups (the same pairing-based assumptions previously used to construct vanilla ABE). Notably, our approach deviates sharply from previous techniques for constructing RBE and only makes black-box use of cryptography. All existing RBE constructions (a weaker notion than registered ABE) rely on heavy non-black-box techniques. In fact, the encryption and decryption costs of our construction are comparable to those of vanilla pairing-based ABE. Finally, as a feasibility result, we show how to construct a registered ABE scheme that supports general policies and an arbitrary number of users from indistinguishability obfuscation and somewhere statistically binding hash functions.