International Association
for Cryptologic Research

In the permutation inversion problem, the task is to find the preimage of some challenge value, given oracle access to the permutation. This is a fundamental problem in query complexity, and appears in many contexts, particularly cryptography. In this work, we examine the setting in which the oracle allows for quantum queries to both the forward and the inverse direction of the permutation---except that the challenge value cannot be submitted to the latter. Within that setting, we consider two options for the inversion algorithm: whether it can get quantum advice about the permutation, and whether it must produce the entire preimage (search) or only the first bit (decision). We prove several theorems connecting the hardness of the resulting variations of the inversion problem, and establish a number of lower bounds. Our results indicate that, perhaps surprisingly, the inversion problem does not become significantly easier when the adversary is granted oracle access to the inverse, provided it cannot query the challenge itself.

A number of supersingular isogeny based cryptographic protocols require the endomorphism ring of the initial elliptic curve to be either unknown or random in order to be secure. To instantiate these protocols, Basso et al. recently proposed a secure multiparty protocol that generates supersingular elliptic curves defined over $\mathbb{F}_{p^2}$ of unknown endomorphism ring as long as at least one party acts honestly. However, there are many protocols that specifically require curves defined over $\mathbb{F}_p$, for which the Basso et al. protocol cannot be used. Also, the simple solution of using a signature scheme such as CSI-FiSh or SeaSign for proof of knowledge either requires extensive precomputation of large ideal class groups or is too slow for everyday applications.

In this paper, we present CSIDH-SCG, a new multiparty protocol that generates curves of unknown endomorphism ring defined over $\mathbb{F}_p$. This protocol relies on CSIDH-IP, a new CSIDH based proof of knowledge. We also present CSIDH-CR, a multiparty algorithm that be used in conjunction with CSIDH-SCG to generate a random curve over $\mathbb{F}_p$ while still keeping the endomorphism ring unknown.

Range searching is the problem of preprocessing a set of points $P$, such that given a query range $\gamma$ we can efficiently compute some function $f(P\cap\gamma)$. For example, in a 1 dimensional range counting query, $P$ is a set of numbers, $\gamma$ is a segment and we need to count how many numbers in $P$ are in $\gamma$. In higher dimensions, $P$ is a set of $d$ dimensional points and the query range is some volume in $R^d$. In general, we want to compute more than just counting, for example, the average of $P\cap\gamma$. Range searching has applications in databases where some SELECT queries can be translated to range searches. It had received a lot of attention in computational geometry where a data structure called partition tree was shown to solve range searching in time sub-linear in $|P|$ using only space linear in $|P|$.

In this paper we consider partition trees in a secure setting where we answer range queries without learning the value of the points or the parameters of the range. We show how partition trees can be securely traversed with $O(n^{1+\epsilon} + t \cdot n^{1-\frac{1}{d}+\epsilon})$ operations, where $n=|P|$, $t$ is the number of operations needed to compare to $\gamma$ and $\epsilon>0$ is a parameter. As far as we know, this is the first non-trivial bound on range searching and it improves over the na\"ive solution that needs $O(t\cdot n)$ operations.

Our algorithms are independent of the encryption scheme but as an example we implemented them using the CKKS FHE scheme. Our experiments show that for databases of sizes $2^{23}$ and $2^{25}$, our algorithms run $\times 2.8$ and $\times 4.7$ (respectively) faster than the naive algorithm.

The improvement of our algorithm comes from a method we call copy-and-recurse. With it we efficiently traverse a $r$-ary tree (where each inner node has $r$ children) that also has the property that at most $\xi$ of them need to be recursed into when traversing the tree. We believe this method is interesting in its own and can be used to improve traversals in other tree-like structures.

A possible new approach to the Zodiac Killer's 32-Character Cipher (Z32) is proposed based on the strengths and weaknesses of previous approaches and novel interpretations. This approach does not assume the use of anagrams or similar complex transposition methods; does not assume the identity of a particular Zodiac suspect; and assumes the use of homophonic substitution (as in Z408 and Z340), and simple transposition (as in Z340). Assumptions are clearly defined and tested with sensitivity tests. With Mount Diablo as the pole of a plane polar coordinate system, the instruction "set to Mag. N." is interpreted by setting the hour and minute hands of a watchface to the magnetic declination of the Bay Area circa 1970. Sensitivity tests reveal the exact year and location have little impact on the declination in this case. The hour and minute given by the hands are interpreted as the radial coordinate r and the angular coordinate theta, as in "Radians & # inches along the radians". The hand corresponding to each coordinate is tested, as are 12- and 24-hour interpretations. Impossible or improbable coordinates are excluded leaving one coordinate as a possible solution. This coordinate is explored as the possible plaintext for Z32 using the Z340 transposition method. Further exploration of the proposed method is necessary.

We present a reactive MPC protocol built from FHE which is robust in the presence of active adversaries. In addition the protocol enables reduced bandwidth via means of transciphering, and also enables more expressive/efficient programs via means of a $\mathsf{Declassify}$ operation. All sub-components of the protocol can be efficiently realised using existing technology. We prove our protocol secure in the UC framework.

We examine the use of Trivium and Kreyvium as transciphering mechanisms for use with the TFHE FHE scheme. Originally these two ciphers were investigated for FHE transciphering only in the context of the BGV/BFV FHE schemes; this is despite Trivium and Kreyvium being particarly suited to TFHE. Recent work by Dobraunig et al. gave some initial experimental results using TFHE. We show that these two symmetric ciphers have excellent performance when homomorphically evaluated using TFHE. Indeed we improve upon the results of Dobraunig et al. by at least two orders of magnitude in terms of latency. This shows that, for TFHE at least, one can transcipher using a standardized symmetric cipher (Trivium), without the need for special FHE-friendly ciphers being employed. For applications wanting extra security, but without the benefit of relying on a standardized cipher, our work shows that Kreyvium is a good candidate.

GLWE secret keys come with some associated public information, like their size or the distribution probability of their coefficients. Those information have an impact on the FHE algorithms, their computational cost, their noise growth, and the overall security level. In this paper, we identify two limitations with (T)FHE: there is no fine-grained control over the size of a GLWE secret key, and there is a minimal noise variance which leads to an unnecessary increment of the level of security with large GLWE secret keys. We introduce two (non exclusive) new types of secret keys for GLWE-based cryptosystems, that are designed to overcome the aforementioned limitations. We explain why these are as secure as the traditional ones, and detail all the improvements that they brought to the FHE algorithms. We provide many comparisons with state-of-the-art TFHE techniques, and benchmarks showing computational speed-ups between $1.3$ and $2.4$ while keeping the same level of security and failure probability. Furthermore, the size of the public material (i.e., key switching and bootstrapping keys) is also reduced by factors from $1.5$ and $2.7$.

Four recent trends have emerged in the evolution of authenticated encryption schemes: (1) Regarding simplicity, the adoption of public permutations as primitives allows for sparing a key schedule and the need for storing round keys; (2) using the sums of permutation outputs, inputs, or outputs has been a well-studied means to achieve higher security beyond the birthday bound; (3) concerning robustness, schemes should provide graceful security degradation if a limited amount of nonces repeats during the lifetime of a key, and (4) Andreeva et al.'s ForkCipher approach can increase the efficiency of a scheme since they can use fewer rounds per output branch compared to full-round primitives.

In this work, we improve on the state of the art by combining those aspects for efficient authenticated encryption. We propose $\textsf{PAE}$, an efficient nonce-based AE scheme that employs a public permutation and one call to an XOR-universal hash function. $\textsf{PAE}$ provides $O(2n/3)$-bit security and high throughput by combining forked public-permutation-based variants of $\textsf{nEHtM}$ and an Encrypted Davies-Meyer. Thus, it can use a single, in part round-reduced, public permutation for most operations, spare a key schedule, and guarantee security beyond the birthday bound even under limited nonce reuse.

Timed commitments (Boneh and Naor, CRYPTO 2000) are a variant of standard commitments which incorporates a forced opening mechanism that allows anyone to reveal the committed message, but not before a certain prescribed date. Timed commitments have a wide-range of applications such as contract signing, fair multi-party computation, sealed bid auctions or new blockchain applications such as preventing front-running or unbiased randomness generation.

We revisit the notion of timed commitments and propose an alternative simplified definition. We also provide two new constructions of timed commitments with different trade-offs.

With applications in secure messaging, Updatable Public Key Encryption (UPKE) was proposed by Jost et al. (EUROCRYPT '19) and Alwen et al. (CRYPTO '20). It is a natural relaxation of forward-secure public-key encryption. In UPKE, we can update secret keys by using update ciphertexts which any sender can generate. The UPKE schemes proposed so far that satisfy the strong CCA security are Haidar et al.'s concrete construction (CCS '22) and Dodis et al's generic construction that use Non-Interactive Zero-Knowledge (NIZK) arguments. Yet, even despite the aid of random oracles, their concrete efficiency is quite far from the most efficient CPA-secure scheme. In this paper, we first demonstrate a simple and efficient attack against Dodis et al.'s strongly CCA-secure scheme, and show how to fix it. Then, based on the observation from the attack and fix, we propose a new strongly CCA-secure generic construction for a UPKE scheme with random oracles and show that its instantiation is almost as concretely efficient as the most efficient CPA-secure one.

Event date: 28 August to 1 September 2023
Submission deadline: 31 July 2023
Notification: 7 August 2023

Event date: 19 August to 20 August 2023
Submission deadline: 10 July 2023

Many to many data sharing in the group setting in a cloud environment is a challenging problem that is crucial for numerous schemes. To our best knowledge, there is no generic study to allow sharing of confidential information in many to many pattern between different groups. Thus we propose a novel data sharing scheme enabling many to many sharing of encrypted data between different groups with using cryptographic techniques such as traceable ring signatures, multiple receiver key encapsulation, etc. We give a comprehensive security analysis showing our scheme is indistinguishable under user encapsulation keys and chosen plaintext attack secure under discrete logarithm assumption. We propose the implementation of our scheme, and the experimental results show that the proposed scheme is applicable for decentralized data sharing.

Proofs for machine computation allow for proving the correct execution of arbitrary programs that operate over fixed instruction sets (e.g., RISC-V, EVM, Wasm). A standard approach for proving machine computation is to prove a universal set of constraints that encode the full instruction set at each step of program execution. This approach incurs prover cost per execution step on the order of the sum of instruction constraints for instructions in the set despite only a single instruction being executed. Existing approaches that avoid the universal cost per step (and incur only the cost of a single instruction’s constraints per step) either fail to provide zero-knowledge of program execution or rely on recursive proof composition techniques where security derives from heuristic non-black-box random oracle instantiation.

We present a new protocol for proving machine execution that resolves the above limitations, allowing for prover efficiency on the order of executed instructions while achieving zero-knowledge and avoiding the use of proof recursion. Our core technical contribution is a new primitive that we call a tuple lookup argument which is used to allow a prover to build up a machine execution “on-the-fly”. Our tuple lookup argument relies on univariate polynomial commitments in which tuples are encoded as evaluations on cosets of a multiplicative subgroup. We instantiate our protocol by combining our tuple lookup with the popular Marlin succinct non-interactive proof system.

Uniswap is currently the most liquid Decentralized Exchange (DEX) on Ethereum. In May 2021, it upgraded to the third protocol edition named Uniswap V3. The key feature update is concentrated liquidity, which allows Liquidity Providers (LPs) to provide liquidity in custom price ranges. However, this design introduces a new type of Miner Extractable Value (MEV) source called Just-in-Time (JIT) liquidity attack, where the adversary mints and burns a position right before and after a sizable swap. In this paper, we first formally define the JIT liquidity attack and then conduct empirical measurements on Ethereum. We detect that the JIT liquidity attack is indeed a whales' game dominated by few bots, where the most active bot 0xa57...6CF siphons 92% of the attack profit. We observe that the attack presents extremely high barriers to entry, since it requires the adversary to add liquidity that is on average 269 times higher than the swap volume. In addition, we detect that the attack demonstrates poor profitability, with an average Return On Investment (ROI) ratio of only 0.007%. Furthermore, we find the attack detrimental to existing LPs in the pool, whose liquidity shares are diluted by an average of 85%. However, it is beneficial to liquidity takers, who obtain execution prices 0.139% better than before. We further dissect top MEV bots' behaviors and evaluate their strategies via local simulation. We find that the top first bot 0xa57...6CF issued 27% non-optimal attacks, thus failing to capture at least 7,766 ETH (16.1M USD) of the attack profit.

In a hybrid key establishment system, multiple independent key establishment schemes are combined in a manner that also combines their security properties. Such constructions can combine systems that are secure in different settings and achieve the combined security of all systems. For example, classical and post-quantum systems can be combined in order to secure communication against current threats as well as future quantum adversaries. This paper describes machine-checked proofs of security for a commonly-used hybrid key establishment system that concatenates the secrets produced by other key establishment systems. Practical interpretation of these results is also provided in order to guide the use of this system in applications and standards.

We present a new framework for defining information leakage in the setting of US equities trading, and construct methods for deriving trading schedules that stay within specified information leakage bounds. Our approach treats the stock market as an interactive protocol performed in the presence of an adversary, and draws inspiration from the related disciplines of differential privacy as well as quantitative information flow. We apply a linear programming solver using examples from historical trade and quote (TAQ) data for US equities and describe how this framework can inform actual algorithmic trading strategies.

We build non-interactive zero-knowledge (NIZK) and ZAP arguments for all $\mathsf{NP}$ where soundness holds for infinitely-many security parameters, and against uniform adversaries, assuming the subexponential hardness of the Computational Diffie-Hellman (CDH) assumption. We additionally prove the existence of NIZK arguments with these same properties assuming the polynomial hardness of both CDH and the Learning Parity with Noise (LPN) assumption. In both cases, the CDH assumption does not require a group equipped with a pairing.

Infinitely-often uniform security is a standard byproduct of commonly used non-black-box techniques that build on disjunction arguments on the (in)security of some primitive. In the course of proving our results, we develop a new variant of this non-black-box technique that yields improved guarantees: we obtain explicit constructions (previous works generally only obtained existential results) where security holds for a relatively dense set of security parameters (as opposed to an arbitrary infinite set of security parameters). We demonstrate that our technique can have applications beyond our main results.

We are looking for a highly motivated post-doctoral researcher in post-quantum cryptography with particular emphasis on isogeny-based cryptography. The post-doctoral researcher will be employed on the Advanced ERC project ISOCRYPT - Isogeny-based Toolbox for Post-quantum Cryptography (https://www.esat.kuleuven.be/cosic/projects/isocrypt/). The goal of this project is to advance isogeny-based cryptography from a theoretical construct to real world applicability. The goal is to determine the exact security of isogeny-based systems, providing efficient and secure implementations and building a suite isogeny-based post-quantum secure applications.
Specific Skills Required: The candidate should hold a PhD degree with a proven research track record in any aspects of post-quantum cryptography and preferably in isogeny-based cryptography. A strong mathematical background is required, complemented with some programming experience and/or quantum algorithms.

Closing date for applications:

Contact: frederik.vercauteren[at]esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

We are looking for a highly motivated doctoral researcher in post-quantum cryptography with particular emphasis on isogeny-based cryptography. The doctoral researcher will be employed on the Advanced ERC project ISOCRYPT-Isogeny-based Toolbox for Post-quantum Cryptography (https://www.esat.kuleuven.be/cosic/projects/isocrypt/). The goal of this project is to advance isogeny-based cryptography from a theoretical construct to real world applicability. The goal is to determine the exact security of isogeny-based systems, providing efficient and secure implementations and building a suite isogeny-based post-quantum secure applications.
Specific Skills Required: The candidate should hold a Master's degree in mathematics and/or computer science. A strong mathematical background is required, complemented with some programming experience and/or quantum algorithms.

Closing date for applications:

Contact: frederik.vercauteren[at]esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/