International Association
for Cryptologic Research

With the emergence of decentralized systems, spearheaded by blockchains, threshold cryptography has seen unprecedented adoption. Just recently, the trustless distribution of threshold keys over an unreliable network has started to become practical. The next logical step is ensuring the security of these keys against persistent adversaries attacking the system over long periods of time.

In this work, we tackle this problem and give two practical constructions for Asynchronous Proactive Secret Sharing. Our first construction uses recent advances in asynchronous protocols and achieves a communication complexity of $O(n^3)$ where $n$ is the total number of nodes in the network. The second protocol builds upon the first and uses sortition to drive down the communication complexity to $O(c n^2)$. Here, $c$ is a tunable parameter that controls the expected size of the sharing committee chosen using the existing random coin.

Additionally, we identify security flaws in prior work and ensure that our protocols are secure by giving rigorous proofs. Moreover, we introduce a related notion which we term Asynchronous Refreshable Secret Sharing — a functionality that also re-randomizes the secret itself. Finally, we demonstrate the practicability of our constructions by implementing them in Rust and running large-scale, geo-distributed benchmarks.

User attributes can be authenticated by an attribute-based anonymous credential while keeping the anonymity of the user. Most attribute-based anonymous credential schemes are designed specifically for either multi-use or single-use. In this paper, we propose a unified attribute-based anonymous credential system, in which users always obtain the same format of credential from the issuer. The user can choose to use it for an efficient multi-use or single-use show proof. It is a more user-centric approach than the existing schemes. Technically, we propose an interactive approach to the credential issuance protocol using a two-party computation with an additive homomorphic encryption. At the same time, it keeps the security property of impersonation resilience, anonymity, and unlinkability. Apart from the interactive protocol, we further design the show proofs for efficient single-use credentials which maintain the user anonymity.

Radical Semiconductor is reinventing the credit card chip. With more powerful cryptography, custom apps, and ultra-high security, Radical silicon will power cryptocurrency hardware wallets, new financial technologies, and the entire banking ecosystem.

We are looking for highly-skilled, motivated, interdisciplinary, and diverse team members to help us build our very first custom OS, compiler stack, and cryptographic suite to run on our novel hardware. As an engineer in the earliest stages of Radical, your voice will be heard, and your decisions will impact the hardware that will one day end up in everyone’s wallet.

As an applied cryptographer, you will work directly with Radical’s VP of Information Security and CTO to develop a custom instruction set for implementing cryptographic algorithms, construct a compiler and simulator toolchain targeting this instruction set, and implement and optimize cryptographic algorithms using this toolchain. You will work closely with both the hardware and software design teams to create designs that offer high cryptographic agility with a small power and area footprint.

For full details, see our job posting under the "Jobs" tab at the link below.

Closing date for applications:

Contact: For applying, visit the link above. For any questions or hiring recommendations, reach out to katie@radicalsemiconductor.com.

More information: https://jobs.radicalsemiconductor.com

DIMACS, the Center for Discrete Mathematics and Theoretical Computer Science, based at Rutgers University in New Brunswick, New Jersey, USA, seeks a Deputy Director of the Center who would also serve as an Associate or Full Professor in a Rutgers department. Founded in 1989, DIMACS is a thriving consortium of seven universities and six companies. Its mission is to conduct research, catalyze research, and develop educational programs in the computational and mathematical sciences, including artificial intelligence, computing theory (algorithms, combinatorics, complexity), data science, discrete mathematics (geometry, graph theory), machine learning, modeling, optimization, and privacy. Activities often address applications in biology, cyber & physical security, economics, engineering, epidemiology, and sustainability, as well as topics in computer science and math education. The Deputy Director will co-lead the scientific, educational, financial, and administrative aspects of the Center; help guide its vision; further its interdisciplinary traditions; write grants and raise funds; and interact with initiatives across Rutgers and other partners, including DIMACS’s DHS center of excellence. DIMACS has excelled at catalyzing new research and adapting to its partners’ interests; the Deputy Director will contribute leadership in determining such new directions. The Deputy Director will serve a five-year (renewable) term at DIMACS and engage in research, teaching, and service in their home department. The candidate must have a Ph.D. and a strong record of research, academic service, and teaching ability suitable for a tenured faculty appointment in a field such as computer science, mathematics, operations research, or statistics. The ideal candidate’s research will connect to DIMACS’s roots in theoretical computer science and discrete mathematics, while branching to other areas, such as data science, AI, and machine learning. The candidate should have wide interests and demonstrated leadership abilities. A successful record of grant funding is preferred.

Closing date for applications:

Contact: Christine Spassione

More information: https://go.rutgers.edu/dimacsdeputy

We are now seeking an Assistant Professor, Associate Professor or Professor in the field of Information Security. The position is located in the Faculty of Information Technology and Communication Sciences at Tampere University, more specifically in the unit of Computing Sciences. The Network and Information Security group in the unit of Computing Sciences is an active and vibrant research group consisting of 2 professors, 3 lecturers, 4 senior researchers, and around 20 researchers and research assistants made up of postgraduate and graduate students. The core research competencies of the group are hardware-assisted security, privacy, applied cryptography, IoT security, network security, and security usability. We invite applicants with expertise in one or more of the following areas: Hardware Security: Candidates in this area are expected to have a proven track record of excellence in security-focused electrical engineering, signal processing, System-on-Chip design, computer architecture (e.g., RISC-V), hardware-software codesign, and/or digital design research and development. Topics of interest include hardware aspects of system security, side-channel analysis, and/or trusted execution environments. Software Security: Candidates in this area are expected to have a proven track record of excellence in security, privacy, anonymity, and/or crypto-focused software engineering, software assurance, static and dynamic analysis, formal verification, and/or trusted computing research and development. Topics of interest include software architectures, software testing, software aspects of side-channel analysis, trusted application development, and/or application areas such as privacy, anonymity, and/or cryptography. Applied Cryptography: Candidates in this area are expected to have a proven track record of excellence in both practical and theoretical aspects of cryptography research and development. Topics of interest include provable security, differential privacy, functional encryption, privacy-preserving analytics, and/or protocols.

Closing date for applications:

Contact: For more information, please contact: Professor Timo Hämäläinen, Computing Sciences Unit, timo.hamalainen@tuni.fi, tel. +358408490777 With questions related to the recruitment process, please contact HR specialist Meri Pere, meri.pere@tuni.fi.

More information: https://bit.ly/3UG3A2k

Applications are being invited for outstanding early-career scientists (up to eight years after PhD), interested in building their independent research group in the field of Information and Communication Technology at TU Wien. The proposed research area should contribute to the scientific advancement of the ICT field and demonstrate relevance to industry with a strong potential for mid-term technological and societal impact.

The selection follows a two-stage process: In stage one applicants apply for a tenure-track professorship at TU Wien (deadline 15 December 2022). In stage two, applicants apply for a WWTF grant together with a proponent of the applicant’s choice from TU Wien (deadline 15 March 2023).

The 14th Vienna Research Groups for Young Investigators call 2023 (https://wwtf.at/funding/programmes/vrg/#VRG23) is issued for up to three group leader positions as part of the WWTF’s Information and Communication Technology programme. WWTF especially encourages female candidates and takes unconventional research careers into consideration.

The WWTF grant amounts up to EUR 1.6 million for a total of 6-8 years. Successful candidates will be offered an Assistant-Professor position with tenure track at TU Wien.

The new research group will be part of the Security and Privacy research unit (https://secpriv.wien).

The topics of interest include but are not limited

• intersection between machine learning and security & privacy
• usable security
• formal methods for security
• system and network security
• applied cryptography

Apply here: https://jobs.tuwien.ac.at/Job/196427

Closing date for applications:

Contact: Matteo Maffei (first.last@tuwien.ac.at)

More information: https://www.tuwien.at/forschung/vienna-research-group-leader#c18022

The Department of Computer Science at the University of Toronto invites applications for multiple positions with appointment commencing on July 1, 2023, or shortly thereafter. Individuals are encouraged to apply to any and all relevant positions. We are conducting a targeted search in computer security and cryptography, and also have several positions open to all areas of computer science, both at the assistant and at the associate levels. The deadline for applications is January 9, 2023.

Closing date for applications:

Contact: Eitan Grinspun (recruit@cs.toronto.edu)

More information: https://web.cs.toronto.edu/employment-opportunities

We are looking for bright and motivated students who are interested in a graduate degree in cryptography. Several fully funded positions are available.

The cryptography research group at Oregon State University is led by Professors Mike Rosulek & Jiayu Xu. We have research interests in secure multi-party computation, password-based authentication, key agreement, and privacy-enhancing technologies.

Oregon State University is an R1 (high research activity) university, and its cryptography research group is highly rated on csrankings.org. Past graduates of the group have gone on to successful research positions in industry and academia. OSU is located in Corvallis, Oregon, a small college town (population 60k) located near Portland, the Pacific Ocean, and the Cascade Mountain range.

Students should have a BS degree in computer science or closely related technical discipline. A background in theoretical computer science and/or mathematics is preferred but not required.

Deadline for PhD applicants is December 1. Deadline for MS applicants is January 1. Interested students should select the CS degree program, and indicate an interest in the Cybersecurity research group.

For information on how to apply, see https://eecs.oregonstate.edu/academics/graduate/cs . For other questions, email rosulekm@eecs.oregonstate.edu or xujiay@oregonstate.edu

Closing date for applications:

Contact: Mike Rosulek & Jiayu Xu

More information: https://eecs.oregonstate.edu/academics/graduate/cs

Applications are invited for a Post-Doctoral Research Fellow position to conduct research into the design and implementation of practical, robust, and physically secure post-quantum cryptographic architectures. The research will be conducted as part of the collaborative UK Quantum Communications Hub project. Applicants must have at least a 2:1 Honours Degree in Electrical and Electronics Engineering, Computer Science, Mathematics or closely related discipline and a PhD, or expect, within 6 months, to obtain a PhD, in a relevant subject. At least 3 years relevant research experience in one or more of the following is essential: embedded systems design; FPGA or ASIC hardware design. Expertise in post-quantum cryptography and evidence of a strong publication record commensurate with career stage and experience is also essential.

Closing date for applications:

Contact: Dr Ciara Rafferty

More information: https://www.qub.ac.uk/sites/QUBJobVacancies/ResearchJobs/

Extending work leveraging program obfuscation to instantiate random-oracle-based transforms (e.g., Hohenberger et al., EUROCRYPT 2014, Kalai et al., CRYPTO 2017), we show that, using obfuscation and other assumptions, there exist standard-model hash functions that suffice to instantiate the classical RO-model encryption transforms OAEP (Bellare and Rogaway, EUROCRYPT 1994) and Fujisaki-Okamoto (CRYPTO 1999, J. Cryptology 2013) for specific public-key encryption (PKE) schemes to achieve IND-CCA security. Our result for Fujisaki-Okamoto employs a simple modification to the scheme. Our instantiations do not require much stronger assumptions on the base schemes compared to their corresponding RO-model proofs. For example, to instantiate low-exponent RSA-OAEP, the assumption we need on RSA is sub-exponential partial one-wayness, matching the assumption (partial one-wayness) on RSA needed by Fujisaki et al. (J. Cryptology 2004) in the RO model up to sub-exponentiality. For the part of Fujisaki-Okamoto that upgrades public-key encryption satisfying indistinguishability against plaintext checking attack to IND-CCA, we again do not require much stronger assumptions up to sub-exponentiality. We obtain our hash functions in a unified way, extending a technique of Brzuska and Mittelbach (ASIACRYPT 2014). We incorporate into their technique: (1) extremely lossy functions (ELFs), a notion by Zhandry (CRYPTO 2016), and (2) multi-bit auxiliary-input point function obfuscation (MB-AIPO). While MB-AIPO is impossible in general (Brzuska and Mittelbach, ASIACRYPT 2014), we give plausible constructions for the special cases we need, which may be of independent interest.

Multi-party quantum computation (MPQC) allows a set of parties to securely compute a quantum circuit over private quantum data. Current MPQC protocols rely on the fact that the network is synchronous, i.e., messages sent are guaranteed to be delivered within a known fixed delay upper bound, and unfortunately completely break down even when only a single message arrives late.

Motivated by real-world networks, the seminal work of Ben-Or, Canetti and Goldreich (STOC'93) initiated the study of multi-party computation for classical circuits over asynchronous networks, where the network delay can be arbitrary. In this work, we begin the study of asynchronous multi-party quantum computation (AMPQC) protocols, where the circuit to compute is quantum.

Our results completely characterize the optimal achievable corruption threshold: we present an $n$-party AMPQC protocol secure up to $t

Numerous security vulnerability assessment techniques urge precise and fast finite state machines (FSMs) extraction from the design under evaluation. Sequential logic locking, watermark insertion, fault-injection assessment of a System-ona- Chip (SoC) control flow, information leakage assessment, and reverse engineering at gate-level abstraction, to name a few, require precise FSM extraction from the synthesized netlist of the design. Unfortunately, no reliable solutions are currently available for fast and precise extraction of FSMs from the highly unstructured gate-level netlist for effective security evaluation. The major challenge in developing such a solution is precise recognition of FSM state flip-flops in a netlist having a massive collection of flip-flops. In this paper, we propose FSMx-Ultra, a framework for extracting FSMs from extremely unstructured gate-level netlists. FSMx-Ultra utilizes state-of-the-art graph theory concepts and algorithms to distinguish FSM state registers from other registers and then constructs gate-level state transition graphs (STGs) for each identified FSM state register using automatic test pattern generation (ATPG) techniques. The results of our experiments on 14 open-source benchmark designs illustrate that FSMx-Ultra can recover all FSMs quickly and precisely from synthesized gate-level netlists of diverse complexity and size utilizing various state encoding schemes.

We're presenting mining-based techniques to reduce the size of various cryptographic outputs without loss of security. Our approach can be generalized for multiple primitives, such as key generation, signing, hashing and encryption schemes, by introducing a brute-forcing step to provers/senders aiming at compressing submitted cryptographic material. As a result, in systems that we can tolerate sender's work to be more demanding and time-consuming, we manage to optimize on verification, payload size and storage cost, especially when: - receivers have limited resources (i.e. mobile, IoT); - storage or data-size is financially expensive (i.e. blockchains, cloud storage and ingress cost); - multiple recipients perform verification/decryption/lookup (i.e. blockchains, TLS certs, IPFS lookups).

Interestingly, mining can result in record-size cryptographic outputs, and we show that 5%-12% shorter hash digests and signatures are practically feasible even with commodity hardware. Obviously, the first thing that comes to mind is compressing addresses and transaction signatures in order to pay less gas fees in blockchain applications, but in fact even traditional TLS certificates and public keys, which are computed once and reused in every new connection, can be slightly compressed with this "mining" trick without compromising security. The effects of "compressing once - then reuse'' at mass scale can be economically profitable in the long run for both the Web2 and Web3 ecosystems. Our paradigm relies on a brute-force search operation in order to craft the primitive's output such that it fits into fewer bytes, while the "missing" fixed bytes are implied by the system parameters and omitted from the actual communication. While such compression requires computational effort depending on the level of compression, this cost is only paid at the source (typically in blockchains consisting of a single party) which is rewarded by lowered transaction fees, and the benefits of the compression are enjoyed by the whole ecosystem. As a starting point, we show how our paradigm applies to some basic primitives (commonly used in blockchain applications), and show how security is preserved using a bit security framework. Surprisingly, we also identified cases where wise mining strategies require proportionally less effort than naive brute-forcing, an example is WOTS (and inherently SPHINCS) post-quantum signatures where the target goal is to remove or compress the Winternitz checksum part. Moreover, we evaluate our approach for several primitives based on different levels of compression which concretely demonstrates the benefits (both in terms of financial cost and storage) if adopted by the community. Finally, as this work is inspired by the recent unfortunate buggy "gas golfing'' software in Ethereum, where weakly implemented functions incorrectly generated addresses (hashes) with "prefixed zeroes for gas optimization'', resulting in millions of losses, we expect our Truncator approach to be naturally applied in the blockchain space as a secure solution to more succinct transactions, addresses and states.

Typical lattice-based cryptosystems are commonly believed to resist multi-target attacks. For example, the New Hope proposal stated that it avoids "all-for-the-price-of-one attacks". An ACM CCS 2021 paper from Duman–Hövelmanns–Kiltz–Lyubashevsky–Seiler stated that "we can show that Adv_PKE^{IND-CPA} ≈ Adv_PKE^{(n,q_C)-IND-CPA} for "lattice-based schemes" such as Kyber, i.e. that one-out-of-many-target IND-CPA is as difficult to break as single-target IND-CPA, assuming "the hardness of MLWE as originally defined for the purpose of worst-case to average-case reductions". Meanwhile NIST expressed concern regarding multi-target attacks against non-lattice cryptosystems.

This paper quantifies the asymptotic impact of multiple ciphertexts per public key upon existing heuristic analyses of known lattice attacks. The qualitative conclusions are that typical lattice PKEs asymptotically degrade in heuristic multi-ciphertext IND-CPA security as the number of ciphertexts increases. These PKE attacks also imply multi-ciphertext IND-CCA2 attacks against typical constructions of lattice KEMs. This shows a contradiction between (1) the existing heuristics and (2) the idea that multi-target security matches single-target security.

The asymptotic heuristic security degradation is exponential in Θ(n) for decrypting many ciphertexts, cutting a constant fraction out of the total number of bits of security, and exponential in Θ(n/log n) for decrypting one out of many ciphertexts, for conservative cryptosystem parameters. Furthermore, whether or not the existing heuristics are correct, (1) there are flaws in the claim of provable multi-target security based on MLWE, and (2) there is a 2^88-guess attack breaking one out of 2^40 ciphertexts for a FrodoKEM-640 public key.

The double boomerang connectivity table (DBCT) is a new table proposed recently to capture the behavior of two consecutive S-boxes in boomerang attacks. In this paper, we observe an interesting property of DBCT of S-box that the ladder switch and the S-box switch happen in most cases for two continuous S-boxes, and for some S-boxes only S-box switch and ladder switch are possible. This property implies an additional criterion for S-boxes to resist the boomerang attacks and provides as well a new evaluation direction for an S-box. Using an extension of the DBCT, we verify that some boomerang distinguishers of TweAES and Deoxys are flawed. On the other hand, inspired by the property, we put forward a formula for estimating boomerang cluster probabilities. Furthermore, we introduce the first model to search for boomerang distinguishers with good cluster probabilities. Applying the model to CRAFT, we obtain 9-round and 10-round boomerang distinguishers with a higher probability than that of previous works.

Secret-sharing allows splitting a piece of secret information among a group of shareholders, so that it takes a large enough subset of them to recover it. In weighted secret-sharing, each shareholder has an integer weight and it takes a subset of large-enough weight to recover the secret. Schemes in the literature for weighted threshold secret sharing either have share sizes that grow linearly with the total weight, or ones that depend on huge public information (essentially a garbled circuit) of size (quasi)polynomial in the number of parties.

To do better, we investigate a relaxation, $(\alpha, \beta)$-ramp weighted secret sharing, where subsets of weight $\beta W$ can recover the secret (with $W$ the total weight), but subsets of weight $\alpha W$ or less cannot learn anything about it. We give two distinct types of constructions. The first is based on simple rounding, and has a share size which is linear in the number of parties and in $1/\epsilon$ (where $\epsilon=\beta-\alpha$).

The second type of schemes is based on a novel connection between weighted secret sharing and wiretap channels. We observe that for certain additive-noise $(\mathcal{R},\mathcal{A})$ wiretap channels, any semantically secure scheme can be naturally transformed into an $(\alpha,\beta)$-ramp weighted secret-sharing, where $\alpha,\beta$ are essentially the respective capacities of the channels $\mathcal{A},\mathcal{R}$. These constructions eliminate or reduce the dependence on the number of parties, at the price of increased dependence on $1/\epsilon$. We present two instantiations of this type of construction, one using Binary Symmetric wiretap Channels, and the other using additive Gaussian Wiretap Channels.

This note specifies two instances of a hash function obtained from applying the Marvellous design strategy to a specific context. The context in question is native hashing in a STARKVirtual Machine such as Miden.

In settings such as delegation of computation where a prover is doing computation as a service for many verifiers, it is important to amortize the prover’s costs without increasing those of the verifier. We introduce folding schemes with selective verification. Such a scheme allows a prover to aggregate m NP statements $x_i\in \mathcal{L}$ in a single statement $x\in\mathcal{L}$. Knowledge of a witness for $x$ implies knowledge of witnesses for all $m$ statements. Furthermore, each statement can be individually verified by asserting the validity of the aggregated statement and an individual proof $\pi$ with size sublinear in the number of aggregated statements. In particular, verification of statement $x_i$ does not require reading (or even knowing) all the statements aggregated. We demonstrate natural folding schemes for various languages: inner product relations, vector and polynomial commitment openings and relaxed R1CS of NOVA. All these constructions incur a minimal overhead for the prover, comparable to simply reading the statements.

In this paper we study linearization proposed on ePrint 2021/583, that's addressed to entropic quasigroups cryptography. We show how this attack can be avoided and actually linearization can be used to build valid cryptosystems.

Using a novel circuit design, we investigate if the modeling-resistance of delay-based, CMOS-compatible strong PUFs can be increased by the usage of multiple delay lines. Studying a circuit inspired by the Arbiter PUF, but using four instead of merely two delay lines, we obtain evidence showing that the usage of many delay lines does not significantly increase the security of the strong PUF circuit. Based on our findings, we suggest future research directions.