International Association
for Cryptologic Research

We examine the use of Trivium and Kreyvium as transciphering mechanisms for use with the TFHE FHE scheme. Originally these two ciphers were investigated for FHE transciphering only in the context of the BGV/BFV FHE schemes; this is despite Trivium and Kreyvium being particarly suited to TFHE. Recent work by Dobraunig et al. gave some initial experimental results using TFHE. We show that these two symmetric ciphers have excellent performance when homomorphically evaluated using TFHE. Indeed we improve upon the results of Dobraunig et al. by at least two orders of magnitude in terms of latency. This shows that, for TFHE at least, one can transcipher using a standardized symmetric cipher (Trivium), without the need for special FHE-friendly ciphers being employed. For applications wanting extra security, but without the benefit of relying on a standardized cipher, our work shows that Kreyvium is a good candidate.

GLWE secret keys come with some associated public information, like their size or the distribution probability of their coefficients. Those information have an impact on the FHE algorithms, their computational cost, their noise growth, and the overall security level. In this paper, we identify two limitations with (T)FHE: there is no fine-grained control over the size of a GLWE secret key, and there is a minimal noise variance which leads to an unnecessary increment of the level of security with large GLWE secret keys. We introduce two (non exclusive) new types of secret keys for GLWE-based cryptosystems, that are designed to overcome the aforementioned limitations. We explain why these are as secure as the traditional ones, and detail all the improvements that they brought to the FHE algorithms. We provide many comparisons with state-of-the-art TFHE techniques, and benchmarks showing computational speed-ups between $1.3$ and $2.4$ while keeping the same level of security and failure probability. Furthermore, the size of the public material (i.e., key switching and bootstrapping keys) is also reduced by factors from $1.5$ and $2.7$.

Four recent trends have emerged in the evolution of authenticated encryption schemes: (1) Regarding simplicity, the adoption of public permutations as primitives allows for sparing a key schedule and the need for storing round keys; (2) using the sums of permutation outputs, inputs, or outputs has been a well-studied means to achieve higher security beyond the birthday bound; (3) concerning robustness, schemes should provide graceful security degradation if a limited amount of nonces repeats during the lifetime of a key, and (4) Andreeva et al.'s ForkCipher approach can increase the efficiency of a scheme since they can use fewer rounds per output branch compared to full-round primitives.

In this work, we improve on the state of the art by combining those aspects for efficient authenticated encryption. We propose $\textsf{PAE}$, an efficient nonce-based AE scheme that employs a public permutation and one call to an XOR-universal hash function. $\textsf{PAE}$ provides $O(2n/3)$-bit security and high throughput by combining forked public-permutation-based variants of $\textsf{nEHtM}$ and an Encrypted Davies-Meyer. Thus, it can use a single, in part round-reduced, public permutation for most operations, spare a key schedule, and guarantee security beyond the birthday bound even under limited nonce reuse.

Timed commitments (Boneh and Naor, CRYPTO 2000) are a variant of standard commitments which incorporates a forced opening mechanism that allows anyone to reveal the committed message, but not before a certain prescribed date. Timed commitments have a wide-range of applications such as contract signing, fair multi-party computation, sealed bid auctions or new blockchain applications such as preventing front-running or unbiased randomness generation.

We revisit the notion of timed commitments and propose an alternative simplified definition. We also provide two new constructions of timed commitments with different trade-offs.

With applications in secure messaging, Updatable Public Key Encryption (UPKE) was proposed by Jost et al. (EUROCRYPT '19) and Alwen et al. (CRYPTO '20). It is a natural relaxation of forward-secure public-key encryption. In UPKE, we can update secret keys by using update ciphertexts which any sender can generate. The UPKE schemes proposed so far that satisfy the strong CCA security are Haidar et al.'s concrete construction (CCS '22) and Dodis et al's generic construction that use Non-Interactive Zero-Knowledge (NIZK) arguments. Yet, even despite the aid of random oracles, their concrete efficiency is quite far from the most efficient CPA-secure scheme. In this paper, we first demonstrate a simple and efficient attack against Dodis et al.'s strongly CCA-secure scheme, and show how to fix it. Then, based on the observation from the attack and fix, we propose a new strongly CCA-secure generic construction for a UPKE scheme with random oracles and show that its instantiation is almost as concretely efficient as the most efficient CPA-secure one.

Event date: 28 August to 1 September 2023
Submission deadline: 31 July 2023
Notification: 7 August 2023

Event date: 19 August to 20 August 2023
Submission deadline: 10 July 2023

Many to many data sharing in the group setting in a cloud environment is a challenging problem that is crucial for numerous schemes. To our best knowledge, there is no generic study to allow sharing of confidential information in many to many pattern between different groups. Thus we propose a novel data sharing scheme enabling many to many sharing of encrypted data between different groups with using cryptographic techniques such as traceable ring signatures, multiple receiver key encapsulation, etc. We give a comprehensive security analysis showing our scheme is indistinguishable under user encapsulation keys and chosen plaintext attack secure under discrete logarithm assumption. We propose the implementation of our scheme, and the experimental results show that the proposed scheme is applicable for decentralized data sharing.

Proofs for machine computation allow for proving the correct execution of arbitrary programs that operate over fixed instruction sets (e.g., RISC-V, EVM, Wasm). A standard approach for proving machine computation is to prove a universal set of constraints that encode the full instruction set at each step of program execution. This approach incurs prover cost per execution step on the order of the sum of instruction constraints for instructions in the set despite only a single instruction being executed. Existing approaches that avoid the universal cost per step (and incur only the cost of a single instruction’s constraints per step) either fail to provide zero-knowledge of program execution or rely on recursive proof composition techniques where security derives from heuristic non-black-box random oracle instantiation.

We present a new protocol for proving machine execution that resolves the above limitations, allowing for prover efficiency on the order of executed instructions while achieving zero-knowledge and avoiding the use of proof recursion. Our core technical contribution is a new primitive that we call a tuple lookup argument which is used to allow a prover to build up a machine execution “on-the-fly”. Our tuple lookup argument relies on univariate polynomial commitments in which tuples are encoded as evaluations on cosets of a multiplicative subgroup. We instantiate our protocol by combining our tuple lookup with the popular Marlin succinct non-interactive proof system.

Uniswap is currently the most liquid Decentralized Exchange (DEX) on Ethereum. In May 2021, it upgraded to the third protocol edition named Uniswap V3. The key feature update is concentrated liquidity, which allows Liquidity Providers (LPs) to provide liquidity in custom price ranges. However, this design introduces a new type of Miner Extractable Value (MEV) source called Just-in-Time (JIT) liquidity attack, where the adversary mints and burns a position right before and after a sizable swap. In this paper, we first formally define the JIT liquidity attack and then conduct empirical measurements on Ethereum. We detect that the JIT liquidity attack is indeed a whales' game dominated by few bots, where the most active bot 0xa57...6CF siphons 92% of the attack profit. We observe that the attack presents extremely high barriers to entry, since it requires the adversary to add liquidity that is on average 269 times higher than the swap volume. In addition, we detect that the attack demonstrates poor profitability, with an average Return On Investment (ROI) ratio of only 0.007%. Furthermore, we find the attack detrimental to existing LPs in the pool, whose liquidity shares are diluted by an average of 85%. However, it is beneficial to liquidity takers, who obtain execution prices 0.139% better than before. We further dissect top MEV bots' behaviors and evaluate their strategies via local simulation. We find that the top first bot 0xa57...6CF issued 27% non-optimal attacks, thus failing to capture at least 7,766 ETH (16.1M USD) of the attack profit.

In a hybrid key establishment system, multiple independent key establishment schemes are combined in a manner that also combines their security properties. Such constructions can combine systems that are secure in different settings and achieve the combined security of all systems. For example, classical and post-quantum systems can be combined in order to secure communication against current threats as well as future quantum adversaries. This paper describes machine-checked proofs of security for a commonly-used hybrid key establishment system that concatenates the secrets produced by other key establishment systems. Practical interpretation of these results is also provided in order to guide the use of this system in applications and standards.

We present a new framework for defining information leakage in the setting of US equities trading, and construct methods for deriving trading schedules that stay within specified information leakage bounds. Our approach treats the stock market as an interactive protocol performed in the presence of an adversary, and draws inspiration from the related disciplines of differential privacy as well as quantitative information flow. We apply a linear programming solver using examples from historical trade and quote (TAQ) data for US equities and describe how this framework can inform actual algorithmic trading strategies.

We build non-interactive zero-knowledge (NIZK) and ZAP arguments for all $\mathsf{NP}$ where soundness holds for infinitely-many security parameters, and against uniform adversaries, assuming the subexponential hardness of the Computational Diffie-Hellman (CDH) assumption. We additionally prove the existence of NIZK arguments with these same properties assuming the polynomial hardness of both CDH and the Learning Parity with Noise (LPN) assumption. In both cases, the CDH assumption does not require a group equipped with a pairing.

Infinitely-often uniform security is a standard byproduct of commonly used non-black-box techniques that build on disjunction arguments on the (in)security of some primitive. In the course of proving our results, we develop a new variant of this non-black-box technique that yields improved guarantees: we obtain explicit constructions (previous works generally only obtained existential results) where security holds for a relatively dense set of security parameters (as opposed to an arbitrary infinite set of security parameters). We demonstrate that our technique can have applications beyond our main results.

We are looking for a highly motivated post-doctoral researcher in post-quantum cryptography with particular emphasis on isogeny-based cryptography. The post-doctoral researcher will be employed on the Advanced ERC project ISOCRYPT - Isogeny-based Toolbox for Post-quantum Cryptography (https://www.esat.kuleuven.be/cosic/projects/isocrypt/). The goal of this project is to advance isogeny-based cryptography from a theoretical construct to real world applicability. The goal is to determine the exact security of isogeny-based systems, providing efficient and secure implementations and building a suite isogeny-based post-quantum secure applications.
Specific Skills Required: The candidate should hold a PhD degree with a proven research track record in any aspects of post-quantum cryptography and preferably in isogeny-based cryptography. A strong mathematical background is required, complemented with some programming experience and/or quantum algorithms.

Closing date for applications:

Contact: frederik.vercauteren[at]esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

We are looking for a highly motivated doctoral researcher in post-quantum cryptography with particular emphasis on isogeny-based cryptography. The doctoral researcher will be employed on the Advanced ERC project ISOCRYPT-Isogeny-based Toolbox for Post-quantum Cryptography (https://www.esat.kuleuven.be/cosic/projects/isocrypt/). The goal of this project is to advance isogeny-based cryptography from a theoretical construct to real world applicability. The goal is to determine the exact security of isogeny-based systems, providing efficient and secure implementations and building a suite isogeny-based post-quantum secure applications.
Specific Skills Required: The candidate should hold a Master's degree in mathematics and/or computer science. A strong mathematical background is required, complemented with some programming experience and/or quantum algorithms.

Closing date for applications:

Contact: frederik.vercauteren[at]esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

We are looking for a highly motivated doctoral researcher in post-quantum cryptography with particular emphasis on multivariate-based cryptography. As a recent response to the recent NIST call for new post-quantum secure signature schemes, 11 multivariate-based signature schemes were submitted. The goal of the PhD is to focus on cryptanalysis of these submissions and more specifically on methods from algebraic geometry that can aid in breaking said systems.
Specific Skills Required: The candidate should hold a Master's degree in mathematics and/or computer science, preferably with experience in algebraic geometry. Candidates that perform well on international maths/CS olympiades are preferred.

Closing date for applications:

Contact: frederik.vercauteren[at]esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

Ciao. We are looking for a postdoc interested in Industrial IoT network security and privacy and can hire from the end of this summer. For more information, please send a CV, list of publications, research statement, and a list of two referrers to: daniele.antonioli@eurecom.fr

Closing date for applications:

Contact: Daniele Antonioli

Several fully-funded PhD student openings for Fall 2023 and Spring 2024 are available in cryptography, computer security, privacy, and blockchain-based systems at the University of Connecticut (UConn), Computer Science and Engineering department, led by Prof. Ghada Almashaqbeh.

The positions provide a great opportunity for students with interest in interdisciplinary projects that combine knowledge from various fields towards the design of secure systems and protocols. We target real-world and timely problems and aim to develop secure and practical solutions backed by rigorous foundations and efficient implementations. We are also interested in conceptual projects that contribute in bridging the gap between theory and practice of Cryptography.

For more information about our current and previous projects please check https://ghadaalmashaqbeh.github.io/research/. For interested students, please send your CV to ghada@uconn.edu and provide any relevant information about your research interests, skills and background.

Closing date for applications:

Contact: Ghada Almashaqbeh

More information: https://ghadaalmashaqbeh.github.io/

We have an open call for a postdoc position in Cryptography. We are looking for a candidate with a strong background in provable security, with good experience in the design (and proof) of cryptographic protocols (e.g., multi-party computation, zero-knowledge proofs, consensus protocols.) For more detail, we refer to the link below. Candidates must have a Ph.D. (or nearing completion) in cryptography or related fields. Evidence of strong research experience as demonstrated through publications at top-tier conferences or high-impact journals is essential. We are looking for a highly motivated candidate with strong initiative and commitment to excellence, and an ability to conduct world-class research.

Knowledge, skills and experience:

• Ph.D. (or near completion) in cryptography or related fields
• Track record of strong publications
• Strong experience in provable security, and in the design of cryptographic protocols

The following criteria are not yes/no factors, but questions of degree. Recruitment will aim at selecting those candidates with the best possible performance in all these criteria.

• Strong experience in research in one or more of the following areas: secure multi-party computation, zero-knowledge proofs, blockchain, functional encryption, fully-homomorphic encryption, and distributed algorithms.
• Experience in implementing cryptographic algorithms, and writing software for security-related applications
• Ability to communicate complex information clearly, orally, and in writing.

Please apply by July 17th, 2023 using the following link https://elxw.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/7729.

Closing date for applications:

Contact: Michele Ciampi

More information: https://elxw.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/7729

Nova is an efficient recursive proof system built from an elegant folding scheme for (relaxed) R1CS statements. The original Nova paper (CRYPTO'22) presented Nova using a single elliptic curve group of order $p$. However, for improved efficiency, the implementation of Nova alters the scheme to use a 2-cycle of elliptic curves. This altered scheme is only described in the code and has not been proven secure. In this work, we point out a soundness vulnerability in the original implementation of the 2-cycle Nova system. To demonstrate this vulnerability, we construct a convincing Nova proof for the correct evaluation of $2^{75}$ rounds of the Minroot VDF in only 1.46 seconds. We then present a modification of the 2-cycle Nova system and formally prove its security. The modified system also happens to be more efficient than the original implementation. In particular, the modification eliminates an R1CS instance-witness pair from the recursive proof. The implementation of Nova has now been updated to use our optimized and secure system. We also show that Nova's IVC proofs are malleable and discuss several mitigations.