International Association
for Cryptologic Research

Blockchain exposes all users’ transaction data to the public, including account balances, asset holdings, trading history, etc. Such data exposure leads to potential security and personal privacy risks that restrict blockchain from broader adoption. Although some existing projects focus on single-chain confidential payment, no existing cross-chain system supports private transactions yet, which is incompatible with privacy regulations such as GDPR. Also, current confidential payment systems require users to pay high extra fees. However, a private and anonymous protocol encrypting all transaction data raises concerns about malicious and illegal activities since the protocol is difficult to audit. We need to balance privacy and auditability in blockchain.

We propose an auditable and affordable protocol for cross-chain and single-chain transactions. This protocol leverages zero-knowledge proofs to encrypt transactions and perform validation without disclosing sensitive users' data. To meet regulations, each auditor from an auditing committee will have an encrypted secret share of the transaction data. Auditors may view the private transaction data only if a majority of the committee agrees to decrypt the data. We employ a ZK-rollup scheme by processing multiple transactions in batches, which reduces private transaction costs to 90\% lower compared with solutions without ZK-rollup. We implemented the proposed scheme using Zokrates and Solidity and evaluated the protocol on the Ethereum test network, and the total one-to-one private transactions cost only 5 seconds. We also proved the security of the protocol utilizing the standard real/ideal world paradigm.

Differential cryptanalysis is a block cipher analysis technology that infers a key by using the difference characteristics. Input differences can be distinguished using a good difference characteristic, and this distinguishing task can lead to key recovery. Artificial neural networks are a good solution for distinguishing tasks. For this reason, recently, neural distinguishers have been actively studied. We propose a distinguisher based on a quantum-classical hybrid neural network by utilizing the recently developed quantum neural network. To our knowledge, we are the first attempt to apply quantum neural networks for neural distinguisher. The target ciphers are simplified ciphers (S-DES, S-AES, S-PRESENT-[4]), and a quantum neural distinguisher that classifies the input difference from random data was constructed using the Pennylane library. Finally, we obtained quantum advantages in this work: improved accuracy and reduced number of parameters. Therefore, our work can be used as a quantum neural distinguisher with high reliability for simplified ciphers.

Facebook introduced message franking to enable users to report abusive content verifiably in end-to-end encrypted messaging. Grubbs et al. formalized the underlying primitive called compactly committing authenticated encryption with associated data (ccAEAD) and presented schemes with provable security. Dodis et al. proposed a core building block called encryptment and presented a generic construction of ccAEAD with encryptment and standard AEAD. This paper first proposes to use a tweakable block cipher instead of AEAD for the generic construction of Dodis et al. In the security analysis of the proposed construction, its ciphertext integrity is shown to require a new but feasible assumption on the ciphertext integrity of encryptment. Then, this paper formalizes remotely keyed ccAEAD (RK ccAEAD) and shows that the proposed construction works as RK ccAEAD. Finally, the confidentiality of the proposed construction as RK ccAEAD is shown to require a new variant of confidentiality for encryptment. The problem of remotely keyed encryption was posed by Blaze in 1996. It is now related to the problem of designing a cryptographic scheme using a trusted module and/or with leakage resiliency.

Digital Signature Schemes such as DSA, ECDSA, and RSA are widely deployed to protect the integrity of security protocols such as TLS, SSH, and IPSec. In TLS, for instance, RSA and (EC)DSA are used to sign the state of the agreed upon protocol parameters during the handshake phase. Naturally, RSA and (EC)DSA implementations have become the target of numerous attacks, including powerful side-channel attacks. Hence, cryptographic libraries were patched repeatedly over the years.

Here we introduce Jolt, a novel attack targeting signature scheme implementations. Our attack exploits faulty signatures gained by injecting faults during signature generation. By using the signature verification primitive, we correct faulty signatures and, in the process deduce bits of the secret signing key. Compared to recent attacks that exploit single bit biases in the nonce that require $2^{45}$ signatures, our attack requires less than a thousand faulty signatures for a $256$-bit (EC)DSA. The performance improvement is due to the fact that our attack targets the secret signing key, which does not change across signing sessions. We show that the proposed attack also works on Schnorr and RSA signatures with minor modifications.

We demonstrate the viability of Jolt by running experiments targeting TLS handshakes in common cryptographic libraries such as WolfSSL, OpenSSL, Microsoft SymCrypt, LibreSSL, and Amazon s2n. On our target platform, the online phase takes less than 2 hours to recover $192$ bits of a $256$-bit ECDSA key, which is sufficient for full key recovery. We note that while RSA signatures are protected in popular cryptographic libraries, OpenSSL remains vulnerable to double fault injection. We have also reviewed their FIPS hardened versions which is slightly less efficient but still vulnerable to our attack. We found that (EC)DSA signatures remain largely unprotected against software-only faults, posing a threat to real-life deployments such as TLS, and potentially other security protocols such as SSH and IPSec. This highlights the need for a thorough review and implementation of faults checking in security protocol implementations.

Symbolic computations with usage of algebraic graphs A(n; F_q) and A(n;,F_q[x_1, x_2,..., x_n]) were used for the development of various cryptographic algorithms because the length of their minimal cycle (the girth) tends to infinity when n is growing. It was announced recently that for each commutative integrity ring the girth of A(n, K) is ≥ 2n. In this paper we present essentially shorter closed proof of this statement and evaluate the girth of some induced subgraphs of A(n; K[x_1, x_2, ..., x_n]).

This paper illustrates that masking the torsion point images does not guarantee Castryck-Decru attack does not apply. Our experiments over SIDH primes hint that any square root concerning the Weil pairing on the masked public key helps to recover Bob's private key via the Castryck-Decru attack.

Recently, F.Ivanov, E.Krouk and V.Zyablov proposed new cryptosystem based of Generalized Reed--Solomon (GRS) codes over field extensions. In their approach, the subfield images of GRS codes are masked by a special transform, so that the resulting public codes are not equivalent to subfield images of GRS code but burst errors still can be decoded. In this paper, we show that the complexity of message-recovery attack on this cryptosystem can be reduced due to using burst errors, and the secret key of Ivanov-Krouk-Zyablov cryptosystem can successfully recovered in polynomial time with a linear-algebra based attack and a square-based attack.

In 2009, Lyubashevsky proposed a lattice-based signature scheme by applying the Fiat-Shamir transformation and proved its security under the generalized compact knapsack (GCK) problem. This scheme has a simple structure but has large signature and key sizes due to the security requirement of their security reduction. Dilithium, which was submitted to the NIST Post-Quantum Cryptography standardization and selected as one of the final candidates, is an improvement of the Lyubashevsky's signature scheme and decreases key and signature sizes by modifying the form of a public key and including additional steps in key generation, signing, and verification algorithms. Thus, Dilithium has a more complex structure to implement compared to the Lyubashevsky's scheme. To combine the strength of both signature schemes, we modify the Lyubashevsky's signature scheme and present a new security proof that removes their security requirement. As a result, we propose a simple and practical GCKSign signature scheme based on the hardness of a new GCK assumption, called target-modified one-wayness of GCK function. The signature size of our signature scheme decreases 40 percent, the sum of signature and public key sizes decreases 25 percent, and the secret key size decreases 90 percent for the NIST security level III, compared to Dilithium. Furthermore, by the simplicity of our structure, the key generation, signing, and verification algorithms of our scheme run 2.4$\times$, 1.7$\times$, and 2.0$\times$ faster than those of Dilithium, respectively.

NTRU was the first practical public-key encryption scheme constructed on a lattice over a polynomial-based ring, and has been still considered secure against significant cryptanalytic attacks in a few decades. Despite such a long history, NTRU and its variants proposed to date suffer from several drawbacks, such as the difficulty of achieving worst-case correctness error in a moderate modulus, inconvenient sampling distributions for messages, and relatively slower algorithms than other lattice-based schemes.

In this work, we suggest a new NTRU-based key encapsulation mechanism (KEM), called NTRU+, which overcomes almost all existing drawbacks. NTRU+ is constructed based on two new generic transformations called $\mathsf{ACWC}_{2}$ and $\overline{\mathsf{FO}}^{\perp}$. $\mathsf{ACWC}_{2}$ is used for easily achieving a worst-case correctness error, and $\overline{\mathsf{FO}}^{\perp}$ (as a variant of the Fujisaki-Okamoto transform) is used for achieving chosen-ciphertext security without re-encryption. $\mathsf{ACWC}_{2}$ and $\overline{\mathsf{FO}}^{\perp}$ are all defined using a randomness-recovery algorithm and an encoding method. Especially, our simple encoding method, called $\mathsf{SOTP}$, allows us to sample a message from a natural bit-sting space with an arbitrary distribution. We provide four parameter sets for NTRU+ and give implementation results, using NTT-friendly rings over cyclotomic trinomials.

We propose a REinforced modified Dual-Ouroboros based on Gabidulin codes, shortly called REDOG. This is a code-based cryptosystem based on the well-known rank metric codes, Gabidulin codes. The public key sizes of REDOG are 14KB, 33KB, 63KB at the security levels of 128, 192, 256 bits respectively. There is no decoding failure in decryption. REDOG is IND-CPA. As a new result, we give the performance results of implementing REDOG including the time for Key generation, encryption, and decryption for each security level.

A recent area of interest in cryptography is recursive composition of proof systems. One of the approaches to make recursive composition efficient involves cycles of pairing-friendly elliptic curves of prime order. However, known constructions have very low embedding degrees. This entails large parameter sizes, which makes the overall system inefficient.

In this paper, we explore $2$-cycles composed of curves from families parameterized by polynomials, and show that such cycles do not exist unless a strong condition holds. As a consequence, we prove that no $2$-cycles can arise from the known families, except for those cycles already known. Additionally, we show some general properties about cycles, and provide a detailed computation on the density of pairing-friendly cycles among all cycles.

Primal attack, BKW attack, and dual attack are three well-known attacks to LWE. To build efficient post-quantum cryptosystems in practice, the structured variants of LWE (i.e. MLWE/RLWE) are often used. Some efforts have been spent on addressing concerns about additional vulnerabilities introduced by algebraic structures and no effective attack method based on ideal lattices or module lattices has been proposed so far; these include refining primal attack and BKW attack to MLWE/RLWE. It is thus an interesting problem to consider how to enhance the dual attack against LWE with the rich algebraic structure of MLWE (including RLWE). In this paper, we present the first attempt to this problem by observing that each short vector found by BKZ generates another n − 1 vectors of the same length automatically and all of these short vectors can be used to distinguish. To this end, an interesting property which indicates the rotations are consistent with certain linear transformations is proved, and a new kind of intersection lattice is constructed with some tricks. Moreover, we notice that coefficient vectors of different rotations of the same polynomial are near-orthogonal in high-dimensional spaces. This is validated by extensive experiments and is treated as an extension to the assumption under the original dual attack against LWE. Taking Newhope512 as an example, we show that by our enhanced dual attack method, the required blocksize and time complexity (in both classical and quantum cases) all decrease. It is remarked that our improvement is not significant and its limitation is also touched on. Our results do not reveal a severe security problem for MLWE/RLWE compared to that of a general LWE, this is consistent with the findings by the previous work for using primal and BKW attacks to MLWE/RLWE.

On the Internet of Connected Vehicles, a vehicle has to communicate bi-directionally with several devices for establishing a shared network for inter-vehicle and intra-vehicle connectivity. These connection protocols are commonly structured to connect all the individual components with an implicit degree of trust, which is supposed to protect the whole system from unauthorized users. Technologies like Automotive Ethernet tend to increase security by reducing the implicit trust within the local network devices. However, the lack of individual security protocols in vehicle-to-vehicle communication still keeps the possession of vulnerability to hacks, external attacks, and further disruption. This is where Zero Trust Architecture can become a reliable technology for the exchange of information in between vehicles. Zero trust is a security system that means no one is trusted by default and verification is required from anyone or any device willing to get connected to the intra-vehicle network. In this paper, we have scoped the preliminary and most vital step of this system: verifying the owner identity of a vehicle with zero trust manner. Our approach involves recognizing vehicle license plates and utilizing the license information for retrieving the vehicle owner details to establish trust before allowing connection to the network. Our proposed methodology operates with 85\% to 99\% accuracy on the license recognition part within recognizable distances using PyTesseract OCR. Reliability to the zero trust solution is gained through necessary information retrieved using GET and POST requests to and from the corresponding driving license information databases.

In the seminal work published by Gohr in CRYPTO 2019, neural networks were successfully exploited to perform differential attacks on Speck32/64, the smallest member in the block cipher family Speck. The deep learning aided key-recovery attack by Gohr achieves considerable improvement in terms of time complexity upon the state-of-the-art result from the conventional cryptanalysis method. A further question is whether the advantage of deep learning aided attacks can be kept on large-state members of Speck and other primitives. Since there are several key points in Gohr’s key-recovery frameworks that seem not fit for large-state ciphers, this question stays open for years.

This work provides an answer to this question by proposing a deep learning aided multi-stage key-recovery framework. To apply this key-recovery framework on large-state members of Speck, multiple neural distinguishers (NDs) are trained and carefully combined into groups. Employing the groups of NDs under the multi-stage key-recovery framework, practical attacks are designed and trialed. Experimental results show the effectiveness of the framework. The practical attacks are then extended into theoretical attacks that cover more rounds. To do that, multi-round classical differentials (CDs) are used together with the NDs. To find the CDs’ neutral bits to boost signals from the distinguishers, an efficient algorithm is proposed.

As a result, considerable improvement in terms of both time and data complexity of differential key-recovery attacks on round-reduced Speck with the largest, i.e., the 128-bit state, is obtained. Besides, efficient differential attacks are achieved on round-reduced Speck with 96-bit and 64-bit states. Since most real-world block ciphers have a state size of no less than 64 bits, this work paves the way for performing cryptanalysis using deep learning on more block ciphers. The code is available at https://github.com/AI-Lab-Y/NAAF.

Digital Identities are playing an essential role in our digital lives. Today, most Digital Identities are based on central architectures. Central Digital Identity providers control and know our data and thereby our Identity. Self Sovereign Identities are based on decentralized data storage and data exchange architecture, where the user is in sole control of his data and identity. Most of the issued credentials need the possibility of revocation. For a centrally managed Digital Identity system, revocation is not a problem. In decentral architectures, revocation is more challenging. Revocation can be done with different methods e.g. list based, cryptographic accumulators and with credential updates. A revocation method must be privacy preserving and must scale. This paper gives an overview of the available revocation methods, including a survey to define requirements, assess revocation groups against the requirements, highlights shortcomings of the methods and introduces a new revocation method called Linked Validity Verifiable Credentials.

The Cryptography, Security, and Privacy research group at Microsoft Research, Redmond, is looking for interns to work on multiple topics, including privacy-preserving protocols, post-quantum cryptography, privacy in AI, digital identities, and usable security and privacy. The scope of our work is broad, so even if you are unsure of whether your skills are relevant, we recommend applying in any case.

Please apply as soon as possible at https://careers.microsoft.com/us/en/job/1483268/Research-Intern-Privacy-and-Cryptography.

Closing date for applications:

Contact: Kim Laine

More information: https://careers.microsoft.com/us/en/job/1483268/Research-Intern-Privacy-and-Cryptography

The CIS Lab continually seeks the top minds and rising stars in cryptography research, with internship, postdoctoral, and fulltime scientist research positions available starting in 2023. All positions will be in-person at our Sunnyvale office. Applications should be submitted by December 20 to guarantee full consideration.

Internships. Internships typically are for about 12 weeks during the summer. For the duration of their internship, interns will be matched with one of our research scientists as a mentor. Summer housing assistance is available. Interested individuals should have demonstrated strong mathematical ability and be enrolled in a PhD program with a focus on cryptography, computer security, or theoretical computer science.

Postoctoral research positions. Postdoctoral research positions are available with an initial duration of one year, and the possibility of extension to two years. Postdocs will be matched with a host from the lab, but are welcome to collaborate with any of our world-class scientists. Applicants should have or expect to have a PhD degree relating to cryptography, computer security, or theoretical computer science by summer 2023.

Fulltime Scientist. We are looking to hire Scientists in both foundational and applied cryptography to join our permanent team. For further information, please visit https://careers.ntt-research.com/cis

Closing date for applications: Dec 20, 2022.

Closing date for applications:

Contact: cis.careers@ntt-research.com

More information: https://careers.ntt-research.com/cis

The main duties of doctoral students are to devote themselves to their research studies which includes participating in research projects and third cycle courses. Especially, the doctral student shall perform research on attacks of resource allocation functions in dynamic networks such as 5G/6G. This means to investigate how machine learning based resource allocation functions might be influence by different types of attacks. In the next step, the stuent will investigate how to detect and/or prevent such attaks. The research method will be a combination of system studies, simulations and experiemental research. The research project is funded by ELLIT and a research project which is a collaboration between Lund and Linköping universities. The main duties of doctoral students are to devote themselves to their research studies which includes participating in research projects and third cycle courses. The work duties will also include teaching and other departmental duties (no more than 20%).

Closing date for applications:

Contact: Christian Gehrmann

More information: https://lu.varbi.com/what:job/jobID:569632/

Copper is transforming how institutional investors engage with digital assets, providing market-leading infrastructure in addition to custody, trading and prime brokerage services.

Our award-winning custody application leverages the genius of multi-party computation (MPC) and can be configured to support cold, warm, and hot wallet solutions.

Our culture is based on innovation, enthusiasm and above all else collaboration.

Key Responsibilities:

Conduct cryptography literature review, select relevant papers, and produce a specification and pseudocode from the paper(s).

Implement cryptography specifications into secure, production-level code.

Interact with auditors and academia, as well as client-side cryptographers.

Provide cryptography support for other Copper development teams.

Integrate cryptography primitives into Copper’s internal MPC framework.

Participate in the design and implementation of Copper’s next generation MPC framework.

Your Experience Skills and Knowledge:

Essential

5+ years engineering experience in the implementation of cryptography primitives, preferably in MPC, Threshold cryptography, Zero Knowledge Proofs or similar.

3+ years R&D experience specializing in MPC and Threshold cryptography, gained within academia or industry.

Proficiency in programming with Rust, or significant programming experience using C, C++ or Golang

Deep knowledge of common signature schemes of blockchains e.g., ECDSA, EdDSA, BLS

Experience with containerisation and DevOps practices.

Desirable

Masters/PhD in Cryptography/Mathematics

Prior experience with HSMs, Intel SGX, iPhone secure enclaves etc.

Prior experience with Scala, Kotlin or Java.

Prior experience working on a cryptocurrency wallet, or a similar system engineering problem

Familiarity with the digital asset custody space

Closing date for applications:

Contact: Alan Brophy (alan.brophy@copper.co)

More information: https://grnh.se/da97a862teu

The Systems and Software Security group (S3) at the University of Manchester is looking for a PhD student interested in the topics of cryptographic protocols, blockchains, subversion-resilient cryptography, multi-party computation, or a mix of these. We are seeking a highly motivated person with a MS.c. degree in computer science or related areas. Excellent final year BS.c. students are also welcome to apply. Interested candidates should enquire about the position to Bernardo Magri (email below). The official application typically requires a CV, cover letter, transcripts, and references (more information about the official application process can be found at https://www.manchester.ac.uk/study/postgraduate-research/admissions/how-to-apply/). The PhD studentship comes with a stipend of around £17.5K per annum plus tuition fees covered for the duration of 3.5 years. The starting date is flexible and can be for January, May or September 2023.

Closing date for applications:

Contact: Bernardo Magri (bernardo dot magri at manchester.ac.uk)