International Association
for Cryptologic Research

The newly established Young Investigator Group (YIG) “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has several open PhD positions in the following areas: intrusion detection systems for critical infrastructures, secure cyber-physical systems, artificial intelligence / machine learning for traffic analysis, honeypots, and privacy enhancing techniques. Positions are limited to 31.07.2026, with possibility for extension.

Candidates must hold a Master’s degree or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. The positions will remain open until they are filled.

Closing date for applications:

Contact: Ivan Pryvalov (ivan.pryvalov@b-tu.de)

The Aarhus crypto group (https://users-cs.au.dk/orlandi/cryptogroup/) is hiring a PhD student to study YOSO MPC. The student will be advised by Sophia Yakoubov, and co-advised by Divya Ravi at the University of Amsterdam. (The student will be primarily located in Aarhus, but will be encouraged to collaborate with others both within Denmark and internationally.) This three-year PhD would ideally start around January 1, 2024, but the start time can be flexible. Application instructions can be found here: https://cs.au.dk/education/phd Please contact Sophia Yakoubov if you are interested in applying.

Closing date for applications:

Contact: Sophia Yakoubov (sophia.yakoubov@cs.au.dk)

Event date: 25 March to 29 March 2024

iTrust is a Cyber Security Research Center in SUTD and a National Satellite of Excellence in Singapore for securing critical infrastructure. iTrust hosts the world-class cyber-physical system (CPS) testbeds which are used for research, education, training, live-fire exercise, and technology validation.

We are looking for postdocs / research fellows with expertise on cybersecurity in general and CPS security in particular. The candidates should meet the following requirements.

A PhD in any computer science, computer engineering or related field.

Demonstrated expertise in computer networks and/or software testing and/or software security and/or applied cryptography and/or applied machine learning.

Have track record of strong R&D capability, with publications at leading cybersecurity conferences.

Working knowledge of the C/C++ or Python programming language.

Working knowledge in binary analysis and code reverse engineering is preferred.

Familiar with shipboard OT systems is preferred.

Fresh PhD graduates are welcome to apply. Only short-listed candidates will be contacted for interview. Successful candidates will be offered internationally competitive remuneration. Interested candidates please send your CV to Prof. Jianying Zhou.

Closing date for applications:

Contact: Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg]

In 2022, Hosny et al. introduce an image encryption scheme that employs a fractional-order chaotic system. Their approach uses the hyper-chaotic system to generate the system's main parameter, namely a secret permutation which is dependent on the size and the sum of the pixels of the source image. According to the authors, their scheme offers adequate security (i.e. $498$ bits) for transmitting color images over unsecured channels. Nevertheless, in this paper we show that the scheme's security is independent on the secret parameters used to initialize the hyper-chaotic system. More precisely, we provide a brute-force attack whose complexity is $\mathcal O(2^{10.57}(WH)^3)$ and needs $2^{9.57}WH$ oracle queries, where $W$ and $H$ are the width and the height of the encrypted image. For example, for an image of size $4000 \times 30000$ ($12$ megapixels image) we obtain a security margin of $81.11$ bits, which is six times lower than the claimed bound. To achieve this result, we present two cryptanalytic attacks, namely a chosen plaintext attack and a chosen ciphertext attack.

The development of quantum computers, which employ a different paradigm of computation, is posing a threat to the security of cryptography. Narrowing down the scope to symmetric-key cryptography, the Grover search algorithm is probably the most influential in terms of its impact on security. Recently, there have been efforts to estimate the complexity of the Grover’s key search for symmetric key ciphers and evaluate their post-quantum security. In this paper, we present a depth-optimized implementation of a quantum circuit for ASCON, which is a symmetric key cipher that has recently been standardized in the NIST (National Institute of Standards and Technology) Lightweight Cryptography standardization. As far as we know, this is the first implementation of a quantum circuit for the ASCON AEAD (Authenticated Encryption with Associated Data) scheme. To our understanding, reducing the depth of the quantum circuit for the target cipher is the most effective approach for Grover’s key search. We demonstrate the optimal Grover’s key search cost for ASCON, along with a proposed depth-optimized quantum circuit. Further, based on the estimated cost, we evaluate the post-quantum security strength of ASCON according to relevant evaluation criteria and state-of-the-art research.

The hodlCoin game is a competitive zero-sum massively multiplayer financial game where the goal is to hodl an asset for long periods of time. By hodling, a player deposits coins of a given asset in a common reserve and receives a proportional amount of hodlCoins. Players who un-hodl pay a fee that is accumulated in the common reserve. Thus, the longer a player hodls, in comparison with other players, the more the player will benefit from fees paid by the players who are un-hodling earlier. Surprisingly, we prove here that, thanks to the accumulation of fees, the price of hodlCoins in comparison with the underlying asset never decreases.

In public key encryption (PKE), anonymity is essential to ensure privacy by preventing the ciphertext from revealing the recipient’s identity. However, the literature has addressed the anonymity of PKE under different attack scenarios to a limited extent. Benhamouda et al. (TCC 2020) introduced the first formal definition of anonymity for PKE under corruption, and Huang et al. (ASIACRYPT 2022) made further extensions and provided a generic framework. In this paper, we introduce a new security notion named enhanced decryption key exposure resistance (En-DKER) for revocable identity-based encryption (RIBE). This notion ensures that the exposure of decryption keys within any time period will not compromise the confidentiality and anonymity of ciphertexts encrypted during different periods. Meanwhile, we construct the first RIBE scheme with En-DKER and prove its security under the learning with errors (LWE) assumption. Our scheme offers several advantages. Firstly, the periodic workload of the key generation center (KGC) in our scheme is nearly zero. Secondly, the encryptor does not need to handle real-time revocation information of users within the system. Thirdly, the size of user secret keys remains constant in multi-bit encryption. Additionally, we present a novel approach to delegate a lattice basis. Diverging from the work of Cash et al. (J CRYPTOL 2012), our approach allows for the outsourcing of subsequent sampling operations to an untrusted server. Leveraging this approach, our scheme significantly reduces the periodic workload for users to generate decryption keys. Finally, we efficiently implemented our scheme using the number theory library (NTL) and multi-threaded parallel program. The experimental results confirm the advantages of our scheme.

With the ever greater adaptation of blockchain systems, smart contract based ecosystems have formed to provide financial services and other utility. This results in an ever increasing demand for transactions on blockchains, however, the amount of transactions per second on a given ledger is limited. Layer-2 systems attempt to improve scalability by taking transactions off-chain, with building blocks that are two party channels which are concatenated to form networks. Interaction between two parties requires (1) routing such a network, (2) interaction with and collateral from all intermediaries on the routed path and (3) interactions are often more limited compared to what can be done on the ledger. In contrast to that design, recent constructions such as Hydra Heads (FC’21) are both multi-party and isomorphic, allowing interactions to have the same expressiveness as on the ledger making it akin to a ledger located on Layer-2. The follow up Interhead Construction (MARBLE’22) further extends the protocol to connect Hydra Heads into networks by means of a “virtual” Hydra Head construction. This work puts forth an even greater generalization of the Interhead Protocol, allowing for inter- action across different Layer-2 ledgers with a multitude of improvements. As concrete example, our design is modular and lightweight, which makes it viable for both full virtual ledger constructions as well as straightfor- ward one-time interactions and payments systems.

In this paper we provide the implementation details and performance analysis of the lattice-based post-quantum commitment scheme introduced by Martínez and Morillo in their work titled «RLWE-Based Zero-Knowledge Proofs for Linear and Multiplicative Relations» together with the corresponding Zero-Knowledge Proofs of Knowledge (ZKPoK) of valid openings, linear and multiplicative relations among committed elements. We bridge the gap between the existing theoretical proposals and practical applications, thoroughly revisiting the security proofs of the aforementioned paper to obtain tight conditions that allow us to find the best sets of parameters for actual instantiations of the commitment scheme and its companion ZKPoK. Our implementation is very flexible and its parameters can be adjusted to obtain a trade-off between speed and memory usage, analyzing how suitable for practical use are the underlying lattice-based techniques. Moreover, our implementation further extends the literature of exact Zero-Knowledge proofs, providing ZKPoK of committed elements without any soundness slack.

The rising popularity of computational integrity protocols has led to an increased focus on efficient domain-specific hash functions, which are one of the core components in these use cases. For example, they are used for polynomial commitments or membership proofs in the context of Merkle trees. Indeed, in modern proof systems the computation of hash functions is a large part of the entire proof's complexity. In the recent years, authors of these hash functions have focused on components which are verifiable with low-degree constraints. This led to constructions like Poseidon, Rescue, Griffin, Reinforced Concrete, and Tip5, all of which showed significant improvements compared to classical hash functions such as SHA-3 when used inside the proof systems. In this paper, we focus on lookup-based computations, a specific component which allows to verify that a particular witness is contained in a lookup table. We work over 31-bit and 64-bit finite fields $\mathbb F_p$, both of which are used in various modern proof systems today and allow for fast implementations. We propose a new 2-to-1 compression function and a SAFE hash function, instantiated by the Monolith permutation. The permutation is significantly more efficient than its competitors, both in terms of circuit friendliness and plain performance, which has become one of the main bottlenecks in various use cases. This includes Reinforced Concrete and Tip5, the first two hash functions using lookup computations internally. Moreover, in Monolith we instantiate the lookup tables as functions defined over $\mathbb F_2$ while ensuring that the outputs are still elements in $\mathbb F_p$. Contrary to Reinforced Concrete and Tip5, this approach allows efficient constant-time plain implementations which mitigates the risk of side-channel attacks potentially affecting competing lookup-based designs. Concretely, our constant time 2-to-1 compression function is faster than a constant time version of Poseidon2 by a factor of 7. Finally, it is also the first arithmetization-oriented function with a plain performance comparable to SHA3-256, essentially closing the performance gap between circuit-friendly hash functions and traditional ones.

Secret sharing has been a promising tool in cryptographic schemes for decades. It allows a dealer to split a secret into some pieces of shares that carry no sensitive information on their own when being treated individually but lead to the original secret when having a sufficient number of them together. Existing schemes lack considering a guaranteed delay prior to secret reconstruction and implicitly assume once the dealer shares the secret, a sufficient number of shareholders will get together and recover the secret at their wish. This, however, may lead to security breaches when a timely reconstruction of the secret matters as the early knowledge of a single revealed share is catastrophic assuming a threshold adversary.

This paper presents the notion of timed secret sharing (TSS), providing lower and upper time bounds for secret reconstruction with the use of time-based cryptography. The recent advances in the literature including short-lived proofs [Asiacrypt 2022], enable us to realize an upper time bound shown to be useful in breaking public goods game, an inherent issue in secret sharing-based systems. Moreover, we establish an interesting trade-off between time and fault tolerance in a secret sharing scheme by having dealer gradually release additional shares over time, offering another approach with the same goal. We propose several constructions that offer a range of security properties while maintaining practical efficiency. Our constructions leverage a variety of techniques and state-of-the-art primitives.

The substitution box (S-box) is an important nonlinear component in most symmetric cryptosystems and thus should have good properties. Its difference distribution table (DDT) and linear approximation table (LAT) affect the security of the cipher against differential and linear cryptanalysis. In most previous work, differential uniformity and linearity of an S-box are two primary cryptographic properties to impact the resistance against differential and linear attacks. In some cases, the branch number and fixed point are also be considered. However, other important cryptographic properties such as the frequency of differential uniformity (resp. linearity) and the number of Bad Input and Bad Output (BIBO) patterns in DDT (resp. LAT) are often ignored. These properties substantially affect lightweight cryptography based on substitution bit permutation networks (SbPN) such as PRESENT, GIFT and RECTANGLE. This paper introduces a new method to search for S-boxes satisfying all above criteria simultaneously. In our strategy, we transform the process of searching for S-boxes under certain constraints on cryptographic properties into a satisfiability (SAT) problem. As applications, we use our new approach to search out 4-bit and 5-bit S-boxes with the same or better cryptographic properties compared with the S-boxes from well-known ciphers. Finally, we also utilize our method to verify a conjecture proposed by Boura et al. in the case of all 3-bit and 4-bit S-boxes. We propose a proposition and two corollaries to reduce the search space in this verification.

Zero-knowledge middleboxes (ZKMBs) are a recent paradigm in which clients get privacy while middleboxes enforce policy: clients prove in zero knowledge that the plaintext underlying their encrypted traffic complies with network policies, such as DNS filtering. However, prior work had impractically poor performance and was limited in functionality.

This work presents Zombie, the first system built using the ZKMB paradigm. Zombie introduces techniques that push ZKMBs to the verge of practicality: preprocessing (to move the bulk of proof generation to idle times between requests), asynchrony (to remove proving and verifying costs from the critical path), and batching (to amortize some of the verification work). Zombie’s choices, together with these techniques, provide a factor of 3.5$\times$ speedup in total computation done by client and middlebox, lowering the critical path overhead for a DNS filtering application to less than 300ms (on commodity hardware) or (in the asynchronous configuration) to 0.

As an additional contribution that is likely of independent interest, Zombie introduces a portfolio of techniques to efficiently encode regular expressions in probabilistic (and zero knowledge) proofs; these techniques offer significant asymptotic and constant factor improvements in performance over a standard baseline. Zombie builds on this portfolio to support policies based on regular expressions, such as data loss prevention.

Succinct Non-interactive Arguments of Knowledge (SNARKs) enable a party to cryptographically prove a statement regarding a computation to another party that has constrained resources. Practical use of SNARKs often involves a Zero-Knowledge Virtual Machine (zkVM) that receives an input program and input data, then generates a SNARK proof of the correct execution of the input program. Most zkVMs emulate the von Neumann architecture and must prove relations between a program's execution and its use of Random Access Memory. However, there are conceptually simpler models of computation that are naturally modeled in a SNARK yet are still practical for use. Nock is a minimal, homoiconic combinator function, a Turing-complete instruction set that is practical for general computation, and is notable for its use in Urbit.

We introduce Eden, an Efficient Dyck Encoding of Nock that serves as a practical, SNARK-friendly combinator function and instruction set architecture. We describe arithmetization techniques and polynomial equations used to represent the Eden ISA in an Interactive Oracle Proof. Eden provides the ability to prove statements regarding the execution of any program that compiles down to the Eden ISA. We present the Eden zkVM, a particular instantiation of Eden as a zk-STARK.

Since the pioneering work of Gentry, Halevi, and Smart in 2012, the state of the art on transciphering has moved away from work on AES to focus on new symmetric algorithms that are better suited for a homomorphic execution. Yet, with recent advances in homomorphic cryptosystems, the question arises as to where we stand today. Especially since AES execution is the application that may be chosen by NIST in the FHE part of its future call for threshold encryption. In this paper, we propose an AES implementation using TFHE programmable bootstrapping which runs in less than a minute on an average laptop. We detail the transformations carried out on the original AES code to lead to a more efficient homomorphic evaluation and we also give several execution times on different machines, depending on the type of execution (sequential or parallelized). These times vary from 4.5 minutes (resp. 54 secs) for sequential (resp. parallel) execution on a standard laptop down to 28 seconds for a parallelized execution over 16 threads on a multi-core workstation.

Recently, a number of highly optimized threshold signing protocols for Schnorr signatures have been proposed. A key feature of these protocols is that they produce so-called "presignatures" in a "offline" phase (using a relatively heavyweight, high-latency subprotocol), which are then consumed in an "online" phase to generate signatures (using a relatively lightweight, low-latency subprotocol). The idea is to build up a large cache of presignatures in periods of low demand, so as to be able to quickly respond to bursts of signing requests in periods of high demand. Unfortunately, it is well known that using such presignatures naively leads to subexponential attacks. Thus, any protocols based on presignatures must mitigate against these attacks.

One such notable protocol is FROST, which provides security even with an unlimited number of presignatures; moreover, assuming unused presignatures are available, signing requests can be processed concurrently with minimal latency. Unfortunately, FROST is not a robust protocol, at least in the asynchronous communication model (arguably the most realistic model for such a protocol). Indeed, a single corrupt party can prevent any signatures from being produced. Recently, a protocol called ROAST was developed to remedy this situation. Unfortunately, ROAST is significantly less efficient that FROST (each signing request runs many instances of FROST concurrently).

A more recent protocol is SPRINT, which provides robustness without synchrony assumptions, and actually provides better throughput than FROST. Unfortunately, SPRINT is only secure in very restricted modes of operation. Specifically, to avoid a subexponential attack, only a limited number of presignatures may be produced in advance of signing requests, which somewhat defeats the purpose of presignatures.

Our main new result is to show how to securely combine the techniques used in FROST and SPRINT, allowing one to build a threshold Schnorr signing protocol that (i) is secure and robust without synchrony assumptions (like SPRINT), (ii) provides security even with an unlimited number of presignatures, and (assuming unused presignatures are available) signing requests can be processed concurrently with minimal latency (like FROST), (iii) achieves high throughput (like SPRINT), and (iv) achieves optimal resilience.

Besides achieving this particular technical result, one of our main goals in this paper is to provide a unifying framework in order to better understand the techniques used in various protocols. To that end, we attempt to isolate and abstract the main ideas of each protocol, stripping away superfluous details, so that these ideas can be more readily combined and implemented in different ways. More specifically, to the extent possible, we try to avoid talking about distributed protocols at all, and rather, we examine the security of the ordinary, non-threshold Schnorr scheme in "enhanced" attack modes that correspond to attacks on various types of threshold signing protocols.

Another one of our goals to carry out a security analysis of these enhanced attack modes in the Generic Group Model (GGM), sometimes in conjunction with the Random Oracle Model (ROM). Despite the limitations of these models, we feel that giving security proofs in the GGM or GGM+ROM provides useful insight into the concrete security of the various enhanced attack modes we consider.

At Asiacrypt 2021, Baksi et al. proposed DEFAULT, the first block cipher which provides differential fault attack (DFA) resistance at the algorithm level, with 64-bit DFA security. Initially, the cipher employed a simple key schedule where a single key was XORed throughout the rounds, and the key schedule was updated by incorporating round-independent keys in a rotating fashion. However, at Eurocrypt 2022, Nageler et al. presented a DFA that compromised the claimed DFA security of DEFAULT, reducing it by up to 20 bits for the simple key schedule and allowing for unique key recovery in the case of rotating keys. In this work, we present an enhanced differential fault attack (DFA) on the DEFAULT cipher, showcasing its effectiveness in uniquely recovering the encryption key. We commence by determining the deterministic computation of differential trails for up to five rounds. Leveraging these computed trails, we apply the DFA to the simple key schedule, injecting faults at different rounds and estimating the minimum number of faults required for successful key retrieval. Our attack achieves key recovery with minimal faults compared to previous approaches. Additionally, we extend the DFA attack to rotating keys, first recovering equivalent keys with fewer faults in the DEFAULT-LAYER, and subsequently applying the DFA separately to the DEFAULT-CORE. Furthermore, we propose a generic DFA approach for round-independent keys in the DEFAULT cipher. Lastly, we introduce a new paradigm of fault attack that combines SFA and DFA for any linear structured SBOX based cipher, enabling more efficient key recovery in the presence of both rotating and round-independent key configurations. We call this technique Statistical-Differential Fault Attack (SDFA). Our results shed light on the vulnerabilities of the DEFAULT cipher and highlight the challenges in achieving robust DFA protection for linear structure SBOX-based ciphers.

Threshold secret sharing allows a dealer to split a secret $s$ into $n$ shares, such that any $t$ shares allow for reconstructing $s$, but no $t-1$ shares reveal any information about $s$. Leakage-resilient secret sharing requires that the secret remains hidden, even when an adversary additionally obtains a limited amount of leakage from every share.

Benhamouda et al. (CRYPTO'18) proved that Shamir's secret sharing scheme is one bit leakage-resilient for reconstruction threshold $t\geq0.85n$ and conjectured that the same holds for $t=c\cdot n$ for any constant $0\leq c\leq1$. Nielsen and Simkin (EUROCRYPT'20) showed that this is the best one can hope for by proving that Shamir's scheme is not secure against one-bit leakage when $t=c\cdot n/\log(n)$.

In this work, we strengthen the lower bound of Nielsen and Simkin. We consider noisy leakage-resilience, where a random subset of leakages is replaced by uniformly random noise. We prove a lower bound for Shamir's secret sharing, similar to that of Nielsen and Simkin, which holds even when a constant fraction of leakages is replaced by random noise. To this end, we first prove a lower bound on the share size of any noisy-leakage-resilient sharing scheme. We then use this lower bound to show that there exist universal constants $c_1,c_2$, such that for infinitely many $n$, it holds that Shamir's secret sharing scheme is not noisy-leakage-resilient for $t\leq c_1\cdot n/\log(n)$, even when a $c_2$ fraction of leakages are replaced by random noise.

Anonymous credentials (AC) have emerged as a promising privacy-preserving solu- tion for user-centric identity management. They allow users to authenticate in an anonymous and unlinkable way such that only required information (i.e., attributes) from their credentials are re- vealed. With the increasing push towards decentralized systems and identity, e.g., self-sovereign identity (SSI) and the concept of verifiable credentials, this also necessitates the need for suit- able AC systems. For instance, when relying on existing AC systems, obtaining credentials from different issuers requires the presentation of independent credentials, which can become cum- bersome. Consequently, it is desirable for AC systems to support the so-called multi-authority (MA) feature. It allows a compact and efficient showing of multiple credentials from different is- suers. Another important property is called issuer hiding (IH). This means that showing a set of credentials is not revealed which issuer has issued which credentials but only whether a verifier- defined policy on the acceptable set of issuers is satisfied. This issue becomes particularly acute in the context of MA, where a user could be uniquely identified by the combination of issuers in their showing. Unfortunately, there are no AC schemes that satisfy both these properties simul- taneously. To close this gap, we introduce the concept of Issuer-Hiding Multi-Authority Anonymous Cre- dentials (IhMA). Our proposed solution involves the development of two new signature primi- tives with versatile randomization features which are independent of interest: 1) Aggregate Sig- natures with Randomizable Tags and Public Keys (AtoSa) and 2) Aggregate Mercurial Signatures (ATMS), which extend the functionality of AtoSa to additionally support the randomization of messages and yield the first instance of an aggregate (equivalence-class) structure-preserving sig- nature. These primitives can be elegantly used to obtain IhMA with different trade-offs but have applications beyond. We formalize all notations and provide rigorous security definitions for our proposed primi- tives. We present provably secure and efficient instantiations of the two primitives as well as corresponding IhMA systems. Finally, we provide benchmarks based on an implementation to demonstrate the practical efficiency of our constructions